Implementation of ERM requires action and responsibility at all levels of the institution, as summarized below:

Board of Trustees

  • Provide oversight to ensure that management has implemented an effective system to identify, assess, manage, respond to, and monitor risks to the institution and its strategic objectives.
  • Understand and assess the risks inherent in the University’s strategy, and encourage management to pursue prudent risk to generate sustainable performance and value.
  • Understand the key drivers of success for the institution, and be knowledgeable about business management, governance, and emerging risks that may affect the institution.
  • Work with management to establish and routinely and regularly (at least biennially) review the institution’s risk philosophy.
  • Review risk information provided by management and the Audit Committee, including ERM biennial assessment reports and interim status reports, institutional risk portfolio, and reports on the status of risk response.
  • Collaborate and actively engage with management in discussions of risk, especially regarding philosophy, interaction and aggregation of risks, and underlying assumptions.
  • Define the role of the full Board vs. its standing or other committees about risk oversight.
  • Understand and assess risks associated with Board decisions and key strategies identified by the Board.
  • Provide for an appropriate culture of risk awareness across the University; monitor critical alignments of people, strategy, risk, controls, compliance, and incentives.

Board of Trustees Audit Committee

  • Represent the Board of Trustees in providing oversight of the University’s ERM practices.
  • Work with management to understand and agree on the types, frequency, and format of risk information that the Board will review.
  • Review risk information prior to its presentation to the full Board, including ERM biennial assessment reports and interim status reports, institutional risk portfolio, and reports on the status of risk response.
  • At each Audit Committee meeting, receive reports on enterprise risks and the status of risk response.
  • On behalf of the full Board, periodically assess the Board of Trustees’ risk oversight process.

President

  • Lead the setting of strategic objectives for the institution.
  • Inspire and foster cultural change in support of ERM as a value and best practice for the institution.
  • Lead management discussions with the Board of Trustees regarding institutional strategy and risk philosophy.
  • Review and approve recommendations from the PACERM (taking into consideration accompanying independent assessments from non-voting PACERM members) regarding the development and implementation of the ERM program; ERM policy; institutional risk philosophy; institutional risks or opportunities with sufficient impact on the University’s strategic objectives to warrant development of risk response plans; and proposed response plans for these risks.
  • Review and approve risk information and ERM progress reports prior to their submittal to the Audit Committee or full Board of Trustees.

President’s Advisory Committee on ERM (PACERM)

  • Provide broad management perspective on institutional risk and opportunity and ensure engagement in ERM at the senior executive level.
  • Oversee the development and implementation of an ERM program at UVM that continuously manages risks across the institution.
  • Biennially, review the institutional risk philosophy and provide draft updates to the President for discussion with the Board of Trustees.
  • Develop and review according to current policy review schedule an ERM policy for review and approval by the President.
  • Charge, appoint, and oversee the work of an ERM and Operational Compliance Committee (ERMOCC).
  • Delegate to the Director of Compliance Services and Chief Privacy Officer certain authority and responsibilities for day-to-day direction of the ERMOCC.
  • Review, validate, and/or revise the institutional risk inventory and portfolio prepared by the ERMOCC.
  • Refer newly identified risk issues or new initiatives that may pose risk to the responsible official or ERMOCC for further assessment and development of recommendations as necessary.
  • PACERM co-chairs periodically review the institutional risk portfolio with vice presidents, deans, chief officers, and other senior officials, and with governance groups (when needed).
  • Make recommendations to the President regarding which risks or opportunities sufficiently impact the University’s strategic objectives to warrant development of enterprise-level response plans to manage those risks or opportunities and/or reporting to the Board of Trustees.
  • Recommend assignments of key institutional risks to responsible officials (ROs) for development of a written proposal for risk response for President approval.
  • Review proposed risk response plans for highest-level risks and align such plans with the University’s risk philosophy, strategic objectives, and budgetary resources.
  • Review draft ERM progress reports to the Audit Committee or full Board of Trustees before they go to the President for final approval.

Provost and Senior Vice President

  • As the University’s chief academic officer, advise on risk and opportunities related to the University’s academic mission.
  • Co-Chair the PACERM.

Vice President for Finance and Administration

  • As the University’s chief budget officer, ensure that risks associated with achieving the university’s strategic goals are captured in the annual budget planning process.

Chief Safety and Compliance Officer

  • Serve as the Chief Risk Officer for the University.
  • As the head of the Division of Safety and Compliance, advise on risk and opportunities related to campus safety and liability risks.
  • Co-Chair the PACERM.

Director of Compliance and Chief Privacy Officer

  • Responsible and accountable to the President for overseeing the development, implementation, and fostering of a collaborative, campus-wide approach to ERM at the University and for embedding ERM in the University’s governance, risk, and compliance (GRC) programs.
  • Promote the consistent use of risk management and ownership of risk at all levels of the institution.
  • Build a risk-aware culture, including appropriate education and training.
  • Lead the institution’s processes for identifying, analyzing, evaluating, responding to, and controlling, monitoring, and reporting on key risks.
  • Submit risk information for review on a regular basis to the Board Audit Committee and the full Board of Trustees.
  • Oversee UVM’s ERM Policy development and review by the PACERM and approval by the Responsible Official who is the President.
  • Provide counsel on compliance and privacy matters.
  • Ensure that relevant compliance and privacy perspectives are represented in reports to the PACERM, ERMOCC and to the University’s senior management.
  • Work with ERMOCC and the Director of Risk Management & Safety on risks that are both compliance and key risks.

General Counsel

  • Legal counsel to the PACERM.
  • Prepare for the President an independent assessment of PACERM reports/recommendations from the legal perspective.
  • As the University’s chief legal counsel, advise on risks and opportunities related to governance, legal, and compliance (GRC) risk.

Chief Internal Auditor

  • Non-voting, ex officio member of the PACERM, providing independent consultation and advice.
  • Provide assurance to the Board of Trustees and the President on the effectiveness of the risk management process, including the evaluation, reporting, and management of key risks.
  • Consult and advise on identifying and responding to risks and on the effectiveness of the risk assessment process.

Senior Management (Vice Presidents, Deans, Vice Provosts and Chief Officers)

  • Demonstrate full commitment to ERM as a value and best practice.
  • Support the President, DCS/CPO, and PACERM in creating the appropriate internal environment and institutional culture for ERM.
  • Through an interview process, biennially identify risks and opportunities that may affect the achievement of University objectives.
  • Through a survey process, on the off-cycle year, review risks and opportunities and provide feedback regarding any off-cycle updates that are warranted.
  • As responsible officials, (ROs), assess and manage institutional risks under the oversight of the President, DCS/CPO, PACERM, and the Board of Trustees; may make presentations to the PACERM or Board of Trustee committees upon request.
  • Assess and manage unit-level risks within unit-level plans, budgets, and resources.
  • Include a discussion of risks and opportunities relevant to the mission of their unit or the University, as well as the status of any response to such risks or opportunities, in their annual workplan and budget submission.

ERM and Operational Compliance Committee (ERMOCC)

  • ERM Roles & Responsibilities:
    • Support and advise the PACERM and DCS/CPO.
    • Identify risks and opportunities, using a variety of appropriate techniques (e.g., interviews of senior management, SWOT analysis, brainstorming, etc.).
    • Review and validate or revise selected risk assessments prepared by ERM support staff, department heads, responsible officials, the Department of Risk Management & Safety, or others.
    • Prepare biennially for review by the PACERM a University risk register that includes an assessment of the risks’ and opportunities’ impact and likelihood.
    • Prepare biennially for review by the PACERM an institutional risk portfolio of risks and opportunities having the greatest potential impact on the University’s objectives.
    • Prepare and submit to the PACERM a draft biennial ERM assessment report.
    • Prepare and submit to the PACERM a draft interim status report for the off-cycle year.
    • Assess and develop recommendations for newly identified risks, opportunities, or initiatives as requested by the PACERM.
    • Assist in developing risk response plans and monitoring risk responses, and advise responsible officials.
    •  Act as a technical resource of subject matter experts, participating in education, training, communication, and awareness building of ERM at UVM.
    • Assist in the development and maintenance of the University’s ERM procedures and protocols ("Guide to Risk Assessment and Response (PDF)").
    • Assist in addressing functional, cultural, and departmental barriers to managing risks.
  • Compliance Roles & Responsibilities
    • Serve as subject matters experts in compliance and privacy activities.
    • Maintain awareness of compliance trends, University risks and emerging areas affecting the University in their areas of expertise.
    • At least annually, review the ERMOCC Charter, the University’s Code of Conduct and Ethical Standards, and other key supporting compliance program documents and comment on same.  Recommend, as appropriate, changes to the ERMOCC Charter and/or the compliance program.
    • At least once every three years, review the University’s Privacy Policy and recommend, as appropriate, changes to the privacy program.
    • Assist the Director in establishing a framework for identifying, prioritizing and managing compliance risks.  Provide input into the development of the annual compliance work plan.
    • Serve as an ambassador for the compliance program, assisting the Director in promoting and embedding a culture of compliance throughout the University.
    • Assist in overcoming obstacles to compliance and provide input on compliance requirements and processes in order to streamline and minimize duplication between functions.
    • Review and, as appropriate, provide comments to responsible officials, regarding new and updated compliance-related policies, procedures, and guidelines.
    • Review the results of internal and external compliance reviews and participate in corrective action plan design/development as appropriate.
    • Review and recommend compliance training activities and programs in order to reduce the risk of compliance violations.

Governance, Risk and Compliance Group (GRCG)

  • Provides continual coordination and communication among the governance, risk and compliance functions of the University. Each of these functions play a role in helping the institution manage risk. GRC areas include legal, compliance, information technology, risk management (insurance/claims), environmental health & safety, and internal audit.
  • Identifies potential risk areas for assessment, coordinates workplans, and coordinates communications about institutional risks and opportunities.
  • Outside of the ERM process, the GRCG members continue to provide independent counsel, consultation, advice, reports, assessments, and assurance in accordance with their role, responsibilities, and/or charters.

Director of Environmental Health and Safety

  • Tri-chair of ERMOCC.
  • Provide technical support to the PACERM, and ERMOCC.
  • Work with ERMOCC to develop and deliver ERM training and education material for all audiences and to conduct risk assessment workshops and interviews.
  • With ERMOCC, create and support the use of tools and processes to identify, analyze, evaluate, respond to, and report on risks and ensure the consistent implementation of UVM’s ERM program across the institution.
  • Assist in the development of risk response plans and advise risk owners.

Director of Risk Management

  • Non-voting staff support to PACERM.
  • Tri-chair of ERMOCC.
  • Provide technical support to the PACERM, and ERMOCC.
  • Work with ERMOCC to develop and deliver ERM training and education material for all audiences and to conduct risk assessment workshops and interviews.
  • With ERMOCC, create and support the use of tools and processes to identify, analyze, evaluate, respond to, and report on risks and ensure the consistent implementation of UVM’s ERM program across the institution.
  • Assist in the development of risk response plans and advise risk owners.
  • Manage institutional risk register.

Department Chairs and Administrative Unit Managers

  • Ensure that all risks in their areas of operations are identified and managed appropriately.
  • Conduct local-level assessment of risks or opportunities at least annually (concurrent with the annual strategic risk assessment) and incidentally as issues arise.
  • Develop and implement risk response plans.

Individual Employees

Each UVM employee should understand:

  • The risks that relate to their roles and their activities
  • How the management of risk relates to the success of the institution
  • How the management of risk helps them to achieve their own goals and objectives
  • Their accountability for particular risks and how they can manage them
  • How they can contribute to continuous improvement of risk management
  • That risk management is a key part of the organization’s culture, and
  • The need to report in a systematic and timely way to senior management any perceived new or emerging risks and any near misses/good catches or failures of existing control measures within the parameters agreed.