The context and risk assessment steps (identification, analysis, and evaluation) form the basis for decision-making about which risks or opportunities are priorities, what the appropriate response should be, and how resources should be allocated to manage the risk or opportunity in a way that best supports the organization's strategy. The risk response step involves deciding on and planning the best way to "treat" or modify the risk, and implementing that plan. Monitoring and reporting on the status of risks and their management, together with communication and consultation with stakeholders, take place throughout the risk management process.
[Risk Management Process graphic]
1 - Context: April
Understand organizational objectives and external and internal environment
Participants: Director of Compliance Services/Chief Privacy Officer (DCS/CPO); Governance, Risk and Compliance Group (GRCG, which includes the DCS/CPO, Dir. Environmental Health & Safety, Chief Information Officer, General Counsel, Information Security Officer, Dir. Risk Management, and Chief Internal Auditor)
The purpose of establishing the context for risk assessment is to set the stage for risk identification. Since a “risk” is any issue (positive or negative) that may impact an organization’s ability to achieve its objectives, defining the organization’s objectives is a prerequisite to identifying risk.
The context for risk assessment at UVM includes:
- UVM's mission, vision, and strategic goals and objectives, as stated in Amplifying our Impact
- College, school, division, unit, or departmental strategic goals or objectives
- Major initiatives planned or underway
- Critical activities, functions, or services
- The external context, including stakeholder perceptions and expectations and relevant social, cultural, political, financial, technological, economic, legal/regulatory, or competitive factors
Deliverables: Process kick-off memo from the DCS/CPO initiating the risk assessment
2 - Identify: May to July
Find, recognize, and describe risks and opportunities. Write a risk report.
The purpose of the risk identification step is to "generate a comprehensive list of risks based on those events that might create, enhance, prevent, degrade, accelerate, or delay the achievement of objectives" (ISO 31000, 2009). The 2018 revision of the standard makes creating and protecting value the key driver of risk management and adds related principles: continual improvement, inclusion of stakeholders, customization to the organization, and consideration of human and cultural factors (ISO 31000, 2018).
The risk identification process focuses on “enterprise-level” risks and opportunities that have the potential to impact the strategic objectives of either the institution or one of its major units (colleges, schools, departments, or divisions), or represent a systemic risk throughout the institution. The risk identification process should yield both potential negative events that could impede the attainment of strategic goals as well as positive opportunities that could advance the institution’s progress toward its vision and goals.
Deliverables: Interview notes, preliminary risk inventory (PRI)
3 - Analyze: August to October
Understand and determine the nature and level of a risk or opportunity. Estimate the risk or opportunity's potential impact and likelihood.
Participants: Responsible officials, Governance, Risk and Compliance Group (GRCG), Enterprise Risk Management and Operational Compliance Committee (ERMOCC)
The purpose of risk analysis is to develop an understanding of the risk or opportunity sufficient to inform evaluation and the decision whether a response is required.
Risks and opportunities are analyzed in terms of their overall risk category (see table below); their potential impact, were the event to occur; the estimated likelihood of the event’s occurrence; and whether the issue overall presents more risk or more opportunity to the institution.
UVM rates the potential impact of a risk or opportunity on a scale of 1 to 6, with 6 being the most severe. Likelihood is rated on a scale of 1 to 3, with 3 being the most likely. The impact and likelihood scores are multiplied to produce an initial risk score for each risk or opportunity. For example, a risk with an estimated impact of 3-Substantial and an estimated likelihood of 2-Medium would receive an initial risk score of 6. UVM's impact and likelihood rating scales and examples are available in the “Guide to Risk Assessment & Response (PDF).”
| Risk category | Description |
|---|---|
| Compliance & Privacy | Risks or opportunities related to violations of federal, state, or local law, regulation, or University policy that create exposure to fines, penalties, lawsuits, reduced future funding, imposed compliance settlements, agency scrutiny, injury, etc. |
| Financial | Risks or opportunities related to physical assets or financial resources, such as: tuition, government support, gifts, research funding, endowment, budget, accounting and reporting, investments, credit rating, fraud, cash management, insurance, audit, financial exigency plan, long-term debt, deferred maintenance. |
| Hazard, Safety, or Legal Liability | Risks or opportunities related to legal liability (negligence), injury, damage, or the health and safety of the campus population or the environment, including impacts caused by accidental or unintentional acts, errors or omissions, and external events such as natural disasters. |
| Human Capital | Risks or opportunities related to investing in, maintaining, and supporting a quality workforce, such as: recruitment, retention, morale, compensation & benefits, change management, workforce knowledge, skills, and abilities, unionization, employment practices. |
| Operational | Risks or opportunities related to management of day-to-day University programs, processes, activities, and facilities, and the effective, efficient, and prudent use of the University's resources. |
| Strategic | Impacts related to UVM's ability to achieve its strategic imperatives, including competitive market risks and risks related to mission, values, strategic goals; diversity; academic quality; research; student experience; business model; market positioning; enrollment management; ethical conduct; accreditation. |
*Note: UVM recognizes that many institutions of higher education use another category: “reputational risk.” In UVM’s view, however, a significant event in any of the above risk categories has the potential to impact the institution’s reputation. UVM therefore does not classify reputational risks separately, and instead considers reputational impacts in assessing impact.
Deliverables: DRAFT risk-opportunity register, portfolio, and PRI. Recommend Responsible Officials (ROs) for each risk/opportunity.
4 - Evaluate: November to January
Review existing mitigation strategies and determine whether the risk or opportunity is acceptable; confirm impact and likelihood; prioritize risks.
Participants: Responsible Officials, DCS/CPO, President’s Advisory Committee on Enterprise Risk Management (PACERM), President
The purpose of risk evaluation is to make a decision, based on the results of the risk analysis, about which risks and opportunities require a response and about the priorities for response implementation.
Each risk or opportunity's risk score (the product of impact × likelihood) determines where it falls on UVM's risk and opportunity "heat map" and what level of institutional review it receives:
- Risks and opportunities scoring 1-3 are documented on the preliminary risk inventory (PRI), retained at the unit level, and managed by the responsible official.
- Risks and opportunities scoring 4-9 are included on the institution's risk register, reviewed by the ERMOCC and PACERM, and overseen by the responsible official.
- Risks and opportunities scoring 10-18 are included in the risk portfolio, reviewed by the ERMOCC, PACERM, and President, overseen by the PACERM, and communicated to the Board of Trustees.
Likelihood scale: 1-Low, 2-Medium, 3-High
Risk Impact: 1-Minor, 2-Moderate, 3-Substantial, 4-Serious, 5-Severe, 6-Business-Critical
Opportunity Impact: 1-Minor, 2-Moderate, 3-Substantial, 4-Serious, 5-Major, 6-Transformative
Risk and Opportunity Scoring: Likelihood vs. Impact Comparison
- Preliminary Risk Inventory (PRI): total score 1-3, with likelihood from 1-3 and impact from 1-3
- Institutional Risk Register: total score 4-9, with likelihood from 1-3 and impact from 4-6
- Area of Senior Management Focus, Institutional Risk Portfolio: total score 10-18, with likelihood from 2-3 and impact from 4-6
The total score is the deciding rule; the likelihood and impact ranges above describe the typical cells in each band rather than a second test. The example above (impact 3-Substantial × likelihood 2-Medium = 6) therefore lands on the institutional risk register even though its impact rating is 3.
[Risk Evaluation Process graphic]
Deliverables: Final risk-opportunity portfolio and heat map
Action: Get President's approval
5 - Respond: Year Round
Modify the risk by mitigating, avoiding, transferring, or accepting it, or pursue the opportunity.
Participants: Responsible Officials, Director of Compliance/Chief Privacy Officer (DCS/CPO)
The purpose of risk response is to determine how to modify or manage the risk or opportunity. Risk response is a cyclical process of selecting a response, determining whether the residual risk level (after the response) is acceptable, developing a new response if necessary, and assessing again. There are several standard options for risk response; they are not mutually exclusive and can be used in combination. The decision may also be to take no further action beyond maintaining existing management or control activities.
Risk response typically includes one or more of the following actions:
- Avoiding the risk (e.g., by changing or ceasing certain behaviors, activities, or programs).
- Mitigating the impact or likelihood of the risk through methods such as pre-loss planning, allocation of additional resources, changes to policy or procedure, education and training, operational controls or changes, organizational changes, monitoring, executive controls, or audit controls.
- Transferring the risk to an outside entity, or mitigating it through contractual transfer.
- Accepting the risk: no action is taken to affect the likelihood or impact of the risk because a negative outcome is acceptable within existing operating parameters and the institution's risk tolerance.
- Funding the risk through commercial insurance, captive insurance, self-funded reserves, or budget contingencies.
Opportunity response typically involves one or more of the following actions:
- Enhancing the opportunity by seeking to increase its probability and/or its impact so as to maximize the benefit to the project.
- Exploiting the opportunity by seeking to make it happen for certain (i.e., raising its probability to 100%); aggressive measures are taken to ensure the project realizes the opportunity's benefits.
- Ignoring the opportunity by taking no active measures and instead adopting a reactive approach, without explicit action.
- Sharing or transferring the opportunity by seeking a partner able to manage it in a way that maximizes the chance of it happening and/or increases the potential benefit. This involves sharing the upside, in the same way that transferring a risk involves passing on penalties.
Deliverables: November to January: develop and implement MRPs for portfolio-level risks and opportunities.
Action: Get President's approval
6 - Monitor: Year Round
Continually check and update the status of each risk to identify any change from the response level required or expected.
Participants: Board of Trustees, President, Responsible Officials, Director of Compliance/Chief Privacy Officer, Governance, Risk and Compliance Group (GRCG)
7 - Report & Communicate: Year Round
Participants: Responsible Officials, Director of Compliance/Chief Privacy Officer (DCS/CPO), Governance, Risk and Compliance Group (GRCG)
Deliverables: Brief the MRPs and heat map to the President and BOT committees biennially, and provide an interim status update to the President and BOT in the off-year. The DCS/CPO presents to the Audit Committee and the Committee of the Whole annually in February. ROs brief their assigned committee according to the committee's published annual schedule and BOT work plans.