UVM’s original framework for ERM was based on ISO 31000:2009, an international standard published in 2009. In 2018, the standard was updated to form ISO 31000:2018. The 2018 version was simplified to make it easier to understand. It was also created in a way that makes it easier to apply to different industries and it recognizes that risks are going to change over time. For example, when the 2009 standard was developed, cybersecurity and political risks were not thought of in the same way they are today. According to the International Organization for Standardization (ISO), “ISO 31000:2018 delivers a clearer, shorter and more concise guide that will help organizations use risk management principles to improve planning and make better decisions.”

The new framework provides a simpler foundation and organizational arrangement for designing, implementing, monitoring, reviewing, and continually improving risk management throughout the University.

ERM visual framework


explaination of graphic above -

ERM Principles

ISO-31000: 2018 includes 8 principles that are required elements of an effective and efficient risk management framework. These core concepts are:

  • Integrated
  • Structured and Comprehensive
  • Customized
  • Inclusive
  • Dynamic
  • Best Available Information
  • Human and Cultural Factors
  • Continual Improvement

At UVM, we use these principles to inform both the framework and the process.

ERM Framework

Regardless of the structure of an organization, all ERM frameworks using ISO-31000: 2018 include these five activities which are designed to demonstrate leadership and commitment to the ERM process. They are:

  • Design
  • Implementation
  • Evaluation
  • Improvement

We use this framework to inform our process.

ERM Process

A sound and mature process is designed to enable the university to assess existing and emerging risks, evaluate the risks, and reduce the impact of the risks taking into consideration the risk appetite of the institution. The following steps are included in UVM’s process:

  • Risk scope, context, and criteria
  • Risk identification
  • Risk analysis
  • Risk evaluation
  • Risk treatment
  • Communication and Consultation
  • Recording and Reporting
  • Monitor and Review

We continually evaluate and improve the process utilizing both the principles and the framework.