Welcome to Enterprise Risk Management at the University of Wisconsin System Administration.

Please see the ERM Handbook for an overview of ERM and our goals and objectives.

More Information

ERM Process

The steps below represent the basic structure and process used by the University of Wisconsin System to establish an enterprise risk management structure.  A more detailed description of each step in the process follows.

  1. Institution ERM Orientation to establish goals and objectives as well as define common terms.
  2. One-on-one interviews with senior staff identify perceptions of risk; any pre-existing risk reports are reviewed, and identified risks are compiled.
  3. Risk surveys are sent to direct reports of senior management.
  4. Surveys collect risks identified from a cross functional group of operational level management.
  5. Campus Workshops
  6. Campus Working Group synthesizes all Risks identified to date and discusses and assesses new risks. Output report is ready for management review.
  7. Core Working Group reviews and delivers report of priority risks to Chancellor
  8. Chancellor/Risk Council informs Campus Core or Working Group of decisions on recommended risks.

 ERM Orientation

  1. Institution ERM Orientation to establish goals and objectives as well as define common terms.

The orientation involves the presentation and discussion of various topics to develop a foundation for understanding ERM and a review of the project components.  Orientation topics include an overview of ERM and its distinction from traditional risk management, ERM in higher education, critical components of the ERM process, risk identification and validation, risk mitigation and ownership, and ERM sustainability.  Participation in the orientation session involves a cross-functional representation of campus staff, preferably assembled by a senior administrative champion.

Participants in orientations at UW pilot campuses have included representatives of the following positions:

  • Chancellor
  • V. C. Campus Life/Dean of Students
  • V.C. Administrative Services
  • Vice Chancellor, Student Affairs
  • Associate Vice Chancellor, Faculty & Academic Affairs
  • Associate VC Academic Affairs & Outreach
  • Asst. Chancellor for University Advancement
  • Asst. VC Enrollment Management
  • Asst. VC Chief Information Officer
  • Asst. to the Chancellor for Affirmative Action and Equal Opportunity
  • Provost/V.C. & Dean of Faculties
  • Dean of Students
  • Dean(s), Assistant, and Associate Dean(s)
  • Director, Admissions
  • Director, Alumni Relations
  • Director, Athletics
  • Director, Counseling Center
  • Director, Environmental Health & Safety
  • Director, Facilities, Planning and Management
  • Director, Financial Aid
  • Director, Financial Services
  • Director, Human Resources
  • Director, International Education
  • Director, Library
  • Director, Protective Services
  • Director, Resident Life
  • Director, Safety and Risk Management
  • Director, Student Health Center
  • Director, Student Rec. & Wellness Center
  • Director, Center for Students w/Disabilities
  • Executive Director, Integrated Marketing & Communications
  • Executive Director, University Center
  • Interim Director, Center for Academic Support & Diversity
  • Interim Director of Academic Support Services
  • Interim Director of Academic Assessment
  • President, Faculty Senate
  • Department Chair
  • Faculty
  • Internal Auditor
  • Controller
  • Bursar
  • Registrar
  • Student Leadership Coordinator
  • Outreach Program Manager
  • Budget and Policy Analyst
  • Student Government Representatives

Risk Identification

  1. One-on-one interviews with senior staff identify perceptions of risk; any pre-existing risk reports are reviewed, and identified risks are compiled.
  2. Risk surveys are sent to direct reports of senior management.
  3. Surveys collect risks identified from a cross functional group of operational level management.

Risk identification involves telephone interviews with senior-level staff to help develop a preliminary, high-level risk list for the institution. Senior staff who have participated in this step include:

  • Chancellor
  • Vice Chancellor for Administration and Finance
  • VC, Administrative Services
  • Vice Chancellor of Administrative Affairs
  • Vice Chancellor of Student Affairs
  • Vice Chancellor for Campus Life & Dean of Students
  • Associate Vice Chancellor for Academic Affairs Provost
  • Interim Provost
  • Director – Budget
  • Athletic Director
  • Internal Auditor
  • Director of Risk Management
  • Payroll and Benefits Specialist
  • Student Association President

The number of interviews conducted at a specific campus ranges from four to six individuals.

A second means for identifying risks is to survey many of the direct reports of those interviewed.  Staff who have participated in the survey process have included many of the same individuals who were involved in the ERM orientation session.  Institutions have typically surveyed between 20 and 30 individuals.

Risk Validation

  1. Campus Workshops
  2. Campus Working Group synthesizes all Risks identified to date and discusses and assesses new risks. Output report is ready for management review.
  3. Core Working Group reviews and delivers report of priority risks to Chancellor
  4. Chancellor/Risk Council informs Campus Core or Working Group of decisions on recommended risks.

Risk validation involves a workshop comprised of a cross-functional representation of institution staff to validate identified risks, as well as to identify and validate any new risks.  Risks are validated based on their likelihood of occurring within 36 months and on their anticipated impact, as defined by a materiality matrix.  Likelihood is assessed on a four-point scale.

Likelihood (L) Scale:

  • 1 = Low – Possible but unlikely to occur; remote (less than 10%)
  • 2 = Moderate – Moderate risk of occurrence; maybe (between 10-50%)
  • 3 = Probable – Likely to occur (between 50-75%)
  • 4 = Almost Certain – Very likely to occur in immediate future (greater than 75% chance)

Materiality can be defined as a specific reference point used to categorize the magnitude of the impact of a Risk.  Materiality is used to categorize risks from different parts of the organization to allow for detailed, cross-functional discussion, with the levels ranging from low to extreme.  An illustration of a materiality matrix can be found here: Materiality Matrix

By combining the consensus perception regarding a risk's likelihood of occurring and its impact, the risk can be mapped relative to other risks.  Often referred to as a Heat Map, a map of identified risks allows an organization to begin the process of determining which risks merit efforts to mitigate and which risks can be retained at their present level of perceived likelihood and impact.

Sample Inherent Risk Map (Heat Map)

To better determine which risks may require efforts to mitigate, an assessment of existing controls is necessary.

Types of controls are:

  • Rule-based – Policy, process, or standard.
  • Management Control – Responsibility for control is assigned to a specific person or function within the organization.
  • Compliance-based – Rule-based or Management Control, where adherence is verified.
  • Physical Control – Barrier, mechanical, or computer control.
  • Risk Culture – Tone at the top for managing risk.

The more controls, the better a risk may be managed.  However, in an environment of reduced resources, more controls are often unrealistic.  Controls, much like risk likelihood and impact, can be assessed on a scale from weak to strong.

By combining the current perception of a risk's likelihood and impact with existing controls, the necessary information is available to begin prioritizing an organization's response to its current risk profile.

Risk Response

Following risk validation, risks are placed in one of two categories – Risk Retention or Risk Mitigation:

Retention

Risk retention simply means that a risk is accepted at this time and current controls are retained, maintained, and monitored.

Mitigation

If a risk or threat is unacceptable and cannot be placed in risk retention, additional mitigation activities are developed. The risks are prioritized, and programs, processes, or physical investments are identified that will control an event's impact and/or likelihood to a level which brings it into risk retention.  Techniques may include finding a way to avoid the risk, transferring a risk through mechanisms such as insurance or outsourcing, or employing one or more of the risk controls previously mentioned.

Risk Ownership

For risks identified as requiring risk mitigation activities to bring them into risk retention, a risk owner is identified.
A risk owner is the individual who will take the lead in developing a mitigation activity plan. Typically, the risk owner will operate with direct support from the Risk Council and the business unit/senior management and will be able to call on others with specialized skills throughout the organization.  In addition to this lead role in the development and execution of the mitigation activity plan, the risk owner will be responsible for communicating progress to the Risk Council and senior management.

ERM Risk Mitigation Process

The following lists the process that an identified risk follows once it is selected for Risk Mitigation:

  1. Risks are identified as requiring additional mitigation efforts.
  2. Campus ERM Working Group discusses the risk (risks above a specific level) and decides whether it agrees that additional mitigation is required.
  3. Campus ERM Working Group presents risk to campus Risk Council for confirmation. Risk is confirmed.
  4. Risk is confirmed for a risk mitigation initiative. Recommended risk owner is identified.
  5. Risk Council confirms and assigns/notifies risk owner
  6. Risk owner identifies team members and develops risk mitigation plan.
  7. Risk Council reviews risk mitigation plan and determines if it will accomplish desired objectives.
  8. Risk Council consolidates risk mitigation plan reports and communicates as part of budget strategic planning cycle. If not accepted, the risk mitigation plan is sent back to the risk owner for further development or to the Risk Council for further clarification.
  9. Risk Mitigation plan is implemented.

Achievements and Lessons Learned

Project Status

This project is on hiatus due to other pressing issues.

As of November 2012, ERM Workshops have been conducted at seven UW System universities:  UW-Oshkosh, UW-Superior, UW-Whitewater, UW-Parkside, UW-River Falls, UW-Platteville, and UW-Milwaukee.  One follow-up workshop was conducted at UW-Superior to update their Risk List.

A core ERM team has been operational at UWSA since the inception of the project in the late spring of 2009.  The core team is comprised of staff from Administrative Services/Safety and Loss Prevention, Program Review and Audit, Legal Counsel, and Academic Affairs.

Lessons Learned

An ERM orientation session prior to the interviews, questionnaires, and voting workshop is critical for faculty and staff to understand ERM concepts and think more deliberately about the risks they may be facing.

Efficient scheduling of the orientation and workshop is critical to a smooth implementation.

Initial implementation workshops need to be scheduled during the academic year if faculty, staff and students are going to be included in the process. Mid-semester seems to work best.

To allow for good discussion in the workshop, no more than 25 people should be involved.

Splitting the voting workshops into two half-day sessions is a more effective use of staff time.  Workshop participants weary of the voting process if this is conducted in one 8-hour timeframe.

Feedback of workshop results to campus participants should be completed within a one month timeframe.

Originally, a debriefing session was conducted to help UW institutions launch their Risk Councils using the new heat maps and risk lists.  At the follow-up workshop, UW-Superior requested to leave with a list of its top risks, in addition to the new full risk list.  That process is now the new standard for UW institutions.  By the end of a workshop, a UW institution has both a fully ranked risk list and a short list of the top risks it can address.

To keep Risk Lists and Heat Maps current, the Core Working Group estimates they should be updated every 18-24 months through a follow-up risk assessment and validation session.

ERM Resources

ERM Whitepapers

ERM at Institutions of Higher Education

  • UW System
    • UW-Platteville - Spring 2012
    • UW-River Falls - Fall 2011
    • UW-Parkside - Fall 2010
    • UW-Whitewater - 2010
    • UW-Oshkosh - 2009
    • UW-Superior - 2009
  • Around the Country