What is ERM?

Enterprise Risk Management ("ERM") is a process designed to anticipate and analyze potential opportunities and threats that could affect the achievement of the University's objectives. This process is integral to the management and future direction of the University, and should be structured, consistent, and continuous across the entire organization. ERM includes identifying, assessing, deciding on responses to, and reporting on strategic, human capital, compliance, operational, financial, and hazard-related exposures. These exposures include both "risks" that might hinder UVM's attainment of its strategic goals, and "opportunities" that could help the University achieve its strategic goals.


How do I report a risk?

If it is an emergency, dial 911. If it is not an emergency, report the issue either to your supervisor or the relevant office at UVM. If you are not sure where to report or if you want to report anonymously, reports can be made using UVM’s Compliance & Ethics HelpLine.


Why did UVM implement ERM?

UVM began implementing an ERM program in 2008 following the recommendations of an external audit report. The report determined that UVM had inadequate internal controls to manage and mitigate its institutional risk. A follow-up audit by a second agency concurred with the initial audit recommendations, noting that ERM was a “best practice.” (Read more about the history of ERM's program.) Both UVM's senior leadership and its Board of Trustees' Audit Committee saw the value of taking an institution-wide view of risk to help UVM achieve strategic goals, lessen uncertainty, and maintain a competitive advantage.


How can ERM be beneficial to UVM?

There are many ways that an effective and efficient ERM program can benefit any organization. They include:

  • Supporting the achievement of strategic objectives
  • Enhancing institutional decision-making
  • Creating a “risk-aware” culture across the organization
  • Reducing operational surprises and losses
  • Being prepared to act on acceptable opportunities
  • Assuring greater business continuity
  • Improving deployment of capital by aligning risk and resources with strategic objectives
  • Bridging departmental silos while drawing on the expertise of highly skilled individual managers


Does ERM replace the University's existing management activities?

No. ERM aims to enhance, not replace, UVM's normal management processes by providing a comprehensive view and consistent analysis of institutional risks and opportunities to inform management decisions.


What do you mean by opportunity or “upside risk”?

While we tend to think of "risks" as negative events, the ERM process is also designed to help an organization think about the "happy surprises", "good catches", or opportunities that could also present themselves and which would help, as opposed to hinder, the achievement of strategic goals. One example of such an opportunity at UVM was the closure of Trinity College and the opportunity for UVM to acquire the Trinity campus. The ERM process encourages thinking about such possibilities and "what if" scenarios in advance, so that if the opportunity does in fact present itself, the organization has already thought through the issue and is poised to move quickly.

It is also true that many activities, initiatives, and uncertainties can have both positive ("upside") and negative ("downside") impacts. This is similar to weighing the "pros and cons" of an issue. The risk assessment process seeks to consider both sides of how a risk could affect the institution's ability to achieve its strategic goals.


How does enterprise risk management differ from traditional risk management?

Historically, the traditional risk management function has tended to focus on safety, hazard-related, and legal liability issues such as fire prevention, insurance, and workplace safety. ERM both expands and elevates the risk management focus to consider the potential impact of all types of risks (strategic, human capital, compliance, financial, and operational issues, in addition to safety, hazard-related, and legal liability exposures) across the entire organization and examines risks in the context of strategic objectives. ERM is also unique in looking at the upside potential of uncertainties as well as the downside (i.e., potential losses or damages). Finally, ERM is not a stand-alone process. It is meant to enhance and be integrated with management processes such as strategic planning and budgeting.


What is the relationship between ERM and the other offices at UVM that deal with risk, such as Compliance & Privacy Services or Risk Management & Safety?

Again, because ERM does not replace UVM's normal management processes, UVM offices and departments with expertise in a specific area will continue to play their important roles in helping the institution to manage different types of risk. ERM plays a coordinating role in collecting risk information from across the University and ensuring that it is analyzed and presented to senior decision-makers in a consistent way. To support this coordination, the Governance, Risk and Compliance Group (GRCG), which is composed of leaders in governance, risk, and compliance (GRC) areas, meets regularly to ensure integration and collaboration between areas.