Implementation of ERM requires action and responsibility at all levels of the institution, as summarized below:

Board of Trustees

  • Provide oversight to ensure that management has implemented an effective system to identify, assess, manage, respond to, and monitor risks to the institution and its strategic objectives.
  •  Understand and assess the risks inherent in the University’s strategy, and encourage management to pursue prudent risk to generate sustainable performance and value.
  • Understand the key drivers of success for the institution, and be knowledgeable about business management, governance, and emerging risks that may affect the institution.
  • Work with management to establish and annually review the institution’s risk philosophy.
  • Review risk information provided by management and the Audit Committee, including ERM annual report, institutional risk portfolio, and reports on the status of risk response.
  • Collaborate and actively engage with management in discussions of risk, especially regarding philosophy, interaction and aggregation of risks, and underlying assumptions.
  • Define the role of the full Board vs. its standing or other committees with regard to risk oversight.
  • Understand and assess risks associated with Board decisions and key strategies identified by the Board.
  • Provide for an appropriate culture of risk awareness across the University; monitor critical alignments of people, strategy, risk, controls, compliance, and incentives.

Board of Trustees Audit Committee

  • Represent the Board of Trustees in providing oversight of the University’s ERM practices.
  • Work with management to understand and agree on the types, frequency, and format of risk information that the Board will review.
  • Review risk information prior to its presentation to the full Board, including ERM annual report, institutional risk portfolio, and reports on the status of risk response.
  • Receive quarterly reports on enterprise risks and the status of risk response.
  • On behalf of the full Board, periodically assess the Board of Trustees’ risk oversight process.


  • Lead the setting of strategic objectives for the institution.
  • Inspire and foster cultural change in support of ERM as a value and best practice for the institution.
  • Lead management discussions with the Board of Trustees regarding institutional strategy and risk philosophy.
  • Review and approve recommendations from the PACERM (taking into consideration accompanying independent assessments from non-voting PACERM members) regarding the development and implementation of the ERM program; ERM policy; institutional risk philosophy; institutional risks or opportunities with sufficient impact on the University’s strategic objectives to warrant development of risk response plans; and proposed response plans for these risks.
  • Review and approve risk information and ERM progress reports prior to their submittal to the Audit Committee or full Board of Trustees.

President’s Advisory Committee on ERM (PACERM)

  • Provide broad management perspective on institutional risk and opportunity and ensure engagement in ERM at the senior executive level.
  • Oversee the development and implementation of an ERM program at UVM that continuously manages risks across the institution.
  • Recommend draft institutional risk philosophy to the President for discussion with the Board of Trustees.
  • Develop draft ERM policy for review and approval by the President.
  • Charge, appoint, and oversee the work of an ERM Advisory Committee (ERMAC). The President’s Advisory Committee may choose to delegate to the Chief Risk Officer certain authority and responsibilities for day-to-day direction of the ERM Advisory Committee.
  • Review, validate, and/or revise the institutional risk inventory and portfolio prepared by the ERMAC.
  • Refer newly identified risk issues or new initiatives that may pose risk to the responsible official or ERMAC for further assessment and development of recommendations as necessary.
  • PACERM co-chairs periodically review the institutional risk portfolio with vice presidents, deans, and other senior officials, and with governance groups (when needed).
  • Make recommendations to the President regarding which risks or opportunities sufficiently impact the University’s strategic objectives to warrant development of enterprise-level response plans to manage those risks or opportunities and/or reporting to the Board of Trustees.
  • Assign key institutional risks to responsible officials for development of a written proposal for risk response.
  • Review proposed risk response plans for highest-level risks and align such plans with the University’s risk philosophy, strategic objectives, and budgetary resources.
  • Review quarterly and annual draft ERM progress reports to the Audit Committee or full BoT before they go to the President for final approval.

Provost and Senior Vice President

  • As the University’s chief budget officer, ensure that risks associated with achieving the university’s strategic goals are captured in the annual budget planning process.
  • As the University’s chief academic officer, advise on risk and opportunities related to the University’s academic mission.

Chief Risk Officer (CRO)

  • Responsible and accountable to the President for overseeing the development, implementation, and fostering of a collaborative, campus-wide approach to ERM at the University.
  • Promote the consistent use of risk management and ownership of risk at all levels of the institution.
  • Build a risk-aware culture, including appropriate education and training.
  • Lead the institution’s processes for identifying, analyzing, evaluating, responding to and controlling, monitoring, and reporting on key risks.
  • Submit risk information for review on a regular basis to the Board Audit Committee and the full Board of Trustees.
  • As the Responsible Official for the University’s ERM policy, oversee its development and review by the PACERM and approval by the President.

General Counsel

  • Legal counsel to the PACERM
  • Prepare for the President an independent assessment of PACERM reports/recommendations from the legal perspective.
  • As the University’s chief legal counsel, advise on risks and opportunities related to governance, legal, and compliance risk.

Director of Compliance Services and Chief Privacy Officer

  • Non-voting, ex officio member of the PACERM, providing counsel on compliance and privacy matters
  • Prepare for the President an independent assessment of PACERM reports/recommendations from the compliance and privacy perspectives.
  • Evaluate and provide reports on compliance and privacy risks to the University’s senior management and ERMAC.
  • Work with ERMAC and the Director of Risk Management & Safety on risks that are both compliance and key risks.

Chief Internal Auditor

  • Non-voting, ex officio member of the PACERM, providing independent consultation and advice
  • Provide assurance to the Board of Trustees and the President on the effectiveness of the risk management process, including the evaluation, reporting, and management of key risks.
  • Consult and advise on identifying and responding to risks and on the effectiveness of the risk assessment process.

Senior Management (Vice Presidents, Deans, and Separate Directors)

  • Demonstrate full commitment to ERM as a value and best practice.
  • Support the President, CRO, and PACERM in creating the appropriate internal environment and institutional culture for ERM.
  • Through an interview process, annually identify risks and opportunities that may affect the achievement of University objectives.
  • As responsible officials, assess and manage institutional risks under the oversight of the President, CRO, PACERM, and the Board of Trustees; may make presentations to the PACERM or Board of Trustee committees upon request.
  • Assess and manage unit-level risks within unit-level plans, budgets, and resources.
  • Include a discussion of risks and opportunities relevant to the mission of their unit or the University, as well as the status of any response to such risks or opportunities, in their annual workplan and budget submission.

ERM Advisory Committee (ERMAC)

  • Support and advise the PACERM and CRO.
  • Identify risks and opportunities, using a variety of appropriate techniques (e.g., interviews of senior management, SWOT analysis, brainstorming, etc.).
  • Review and validate or revise selected risk assessments prepared by ERM support staff, department heads, responsible officials, the Department of Risk Management & Safety, or others.
  • Prepare annually for review by the PACERM a University risk register that includes an assessment of the risks’ and opportunities’ impact and likelihood.
  • Prepare annually for review by the PACERM an institutional risk portfolio of risks and opportunities having the greatest potential impact on the University’s objectives.
  • Prepare and submit to the PACERM a draft ERM annual report.
  • Assess and develop recommendations for newly identified risks, opportunities, or initiatives as requested by the PACERM.
  • Assist in developing risk response plans and monitoring risk responses, and advise responsible officials.
  •  Act as a technical resource of subject matter experts, participating in education, training, communication, and awareness building of ERM at UVM.
  • Assist in the development and maintenance of the University’s ERM procedures and protocols (“ERM Program Guide”).
  • Assist in addressing functional, cultural, and departmental barriers to managing risks.

Director of Risk Management and Safety, Chief Risk Officer

  • Non-voting staff support to PACERM.
  • Co-chairs of ERMAC.
  • Provide technical support to the PACERM, and ERMAC.
  • Work with ERMAC to develop and deliver ERM training and education material for all audiences and to conduct risk assessment workshops and interviews.
  • With ERMAC, create and support the use of tools and processes to identify, analyze, evaluate, respond to, and report on risks and ensure the consistent implementation of UVM’s ERM program across the institution.
  • Assist in the development of risk response plans and advise risk owners.
  • Manage institutional risk register.

Department Chairs and Administrative Unit Managers

  • Ensure that all risks in their areas of operations are identified and managed appropriately.
  • Conduct local-level assessment of risks or opportunities at least annually (concurrent with the annual strategic risk assessment) and incidentally as issues arise.
  • Develop and implement risk response plans.

Individual Employees

Each UVM employee should understand:

  • The risks that relate to their roles and their activities
  • How the management of risk relates to the success of the institution
  • How the management of risk helps them to achieve their own goals and objectives
  • Their accountability for particular risks and how they can manage them
  • How they can contribute to continuous improvement of risk management
  • That risk management is a key part of the organization’s culture, and
  • The need to report in a systematic and timely way to senior management any perceived new or emerging risks and any near misses or failures of existing control measures within the parameters agreed.