University of Wisconsin System Enterprise Risk Management Process

The chart below represents the basic structure and process used by the University of Wisconsin System to establish an enterprise risk management structure.  A more detailed description of each step in the process follows.

[Flow chart of the ERM process: step 1; step 2.1 + step 2.2; step 3; step 4; step 5; step 7; step 8]

ERM Orientation

[Flow chart: step 1]

The orientation involves the presentation and discussion of various topics to develop a foundation for understanding ERM and a review of the project components.  Orientation topics include an overview of ERM and its distinction from traditional risk management, ERM in higher education, critical components of the ERM process, risk identification and validation, risk mitigation and ownership, and ERM sustainability.  Participation in the orientation session involves a cross-functional representation of campus staff, preferably assembled by a senior administrative champion.

Participants in orientations at UW pilot campuses have included representatives of the following positions:

  • Chancellor
  • V. C. Campus Life/Dean of Students
  • V.C. Administrative Services
  • Vice Chancellor, Student Affairs
  • Associate Vice Chancellor, Faculty & Academic Affairs
  • Associate VC Academic Affairs & Outreach
  • Asst. Chancellor for University Advancement
  • Asst. VC Enrollment Management
  • Asst. VC Chief Information Officer
  • Asst. to the Chancellor for Affirmative Action and Equal Opportunity
  • Provost/V.C. & Dean of Faculties
  • Dean of Students
  • Dean(s), Assistant, and Associate Dean(s)
  • Director, Admissions
  • Director, Alumni Relations
  • Director, Athletics
  • Director, Counseling Center
  • Director, Environmental Health & Safety
  • Director, Facilities, Planning and Management
  • Director, Financial Aid
  • Director, Financial Services
  • Director, Human Resources
  • Director, International Education
  • Director, Library
  • Director, Protective Services
  • Director, Resident Life
  • Director, Safety and Risk Management
  • Director, Student Health Center
  • Director, Student Rec. & Wellness Center
  • Director, Center for Students w/Disabilities
  • Executive Director, Integrated Marketing & Communications
  • Executive Director, University Center
  • Interim Director, Center for Academic Support & Diversity
  • Interim Director of Academic Support Services
  • Interim Director of Academic Assessment
  • President, Faculty Senate
  • Department Chair
  • Faculty
  • Internal Auditor
  • Controller
  • Bursar
  • Registrar
  • Student Leadership Coordinator
  • Outreach Program Manager
  • Budget and Policy Analyst
  • Student Government Representatives

Risk Identification

[Flow chart: step 2.1 + step 2.2; step 3; step 4]

Risk identification involves telephone interviews with senior-level staff to help develop a preliminary, high-level risk list for the institution. Senior staff who have participated in this step include:

  • Chancellor
  • Vice Chancellor for Administration and Finance
  • VC, Administrative Services
  • Vice Chancellor of Administrative Affairs
  • Vice Chancellor of Student Affairs
  • Vice Chancellor for Campus Life & Dean of Students
  • Associate Vice Chancellor for Academic Affairs
  • Provost
  • Interim Provost
  • Director – Budget
  • Athletic Director
  • Internal Auditor
  • Director of Risk Management
  • Payroll and Benefits Specialist
  • Student Association President

The number of individuals interviewed at a specific campus ranges from four to six.

A second means for identifying risks is to survey many of the direct reports of those interviewed.  Staff who have participated in the survey process have included many of the same individuals who were involved in the ERM orientation session.  Institutions have typically surveyed between 20 and 30 individuals.

Risk Validation

[Flow chart: step 5; step 6; step 7; step 8]

Risk validation involves a workshop composed of a cross-functional representation of institution staff to validate the identified risks, as well as to identify and validate any new risks.  Risks are validated based on their likelihood of occurring within 36 months and on their anticipated impact, as defined by a materiality matrix.  Likelihood is assessed on a four-point scale.

Likelihood (L) Scale:

  • 1 = Low – Possible but unlikely to occur; remote (less than 10%)
  • 2 = Moderate – Moderate risk of occurrence; maybe (between 10% and 50%)
  • 3 = Probable – Likely to occur (between 50% and 75%)
  • 4 = Almost Certain – Very likely to occur in the immediate future (greater than 75% chance)

Materiality can be defined as a specific reference point used to categorize the magnitude of the impact of a risk.  Materiality is used to categorize risks from different parts of the organization to allow for detailed, cross-functional discussion, with the levels ranging from low to extreme.  An illustration of a materiality matrix can be found here: Materiality Matrix.

By combining the consensus perception of a risk's likelihood of occurring with its impact, the risk can be mapped relative to other risks.  Often referred to as a Heat Map, a map of identified risks allows an organization to begin determining which risks merit mitigation efforts and which risks can be retained at their present level of perceived likelihood and impact.

[Figure: Sample Inherent Risk Map (Heat Map)]

To better determine which risks may require efforts to mitigate, an assessment of existing controls is necessary.

Types of controls are:

  • Rule-based – Policy, process, or standard.
  • Management Control – Responsibility for control is assigned to a specific person or function within the organization.
  • Compliance-based – Rule-based or Management Control, where adherence is verified.
  • Physical Control – Barrier, mechanical, or computer control.
  • Risk Culture – Tone at the top for managing risk.

The more controls in place, the better a risk may be managed.  However, in an environment of reduced resources, adding more controls is often unrealistic.  Controls, much like risk likelihood and impact, can be assessed on a scale from weak to strong.

By combining the current perception of a risk's likelihood and impact with an assessment of existing controls, the necessary information is available to begin prioritizing an organization's response to its current risk profile.

Risk Response

Following risk validation, risks are placed in one of two categories – Risk Retention or Risk Mitigation:

Risk retention simply means that a risk is accepted at this time and current controls are retained, maintained, and monitored.

If a risk or threat is unacceptable and cannot be placed in risk retention, additional mitigation activities are developed.  The risks are prioritized, and programs, processes, or physical investments are identified that will control an event's impact and/or likelihood to a level which brings it into risk retention.  Techniques may include finding a way to avoid the risk, transferring the risk through mechanisms such as insurance or outsourcing, or employing one or more of the risk controls previously mentioned.

Risk Ownership

For risks identified as requiring risk mitigation activities to bring them into risk retention, a risk owner is identified.  A risk owner is the individual who will take the lead in developing a mitigation activity plan.  Typically, the risk owner will operate with direct support from the Risk Council and the business unit/senior management and will be able to call on others with specialized skills throughout the organization.  In addition to this lead role in the development and execution of the mitigation activity plan, the risk owner is responsible for communicating progress to the Risk Council and senior management.

ERM Risk Mitigation Process

The following lists the process an identified risk follows once it is selected for Risk Mitigation:

  1. Risks are identified as requiring additional mitigation efforts.
  2. Campus ERM Working Group discusses the risk (risks above a specific level) and decides whether it agrees that additional mitigation is required.
  3. Campus ERM Working Group presents risk to campus Risk Council for confirmation. Risk is confirmed.
  4. Risk is confirmed for a risk mitigation initiative. Recommended risk owner is identified.
  5. Risk Council confirms and assigns/notifies the risk owner.
  6. Risk owner identifies team members and develops risk mitigation plan.
  7. Risk Council reviews risk mitigation plan and determines if it will accomplish desired objectives.
  8. Risk Council consolidates risk mitigation plan reports and communicates them as part of the budget strategic planning cycle. If not accepted, the risk mitigation plan is sent back to the risk owner for further development or to the Risk Council for further clarification.
  9. Risk Mitigation plan is implemented.

A flow chart of the above steps can be found on page 21 in the ERM Handbook.