
The Risk Management Process

The risk management process (identifying, analyzing, evaluating, and ultimately responding to and
monitoring risks and opportunities) is at the heart of enterprise risk management. Extending this process across an
entire organization, looking at both upside and downside risk, and considering risk in the context of strategy is
what differentiates ERM from traditional risk management.
The context and the risk assessment steps (identification, analysis, and evaluation) form the basis for decision-making
about which risks or opportunities are priorities, what the appropriate response should be, and how resources
should be allocated to manage the risk or opportunity in a way that best supports the organization's strategy. The
risk response step involves deciding on and planning for the best way to treat or modify the risk, and implementing
that plan. Monitoring and reporting on the status of risks and their management, and communication and consultation
with stakeholders, take place throughout the risk management process.

1. Context
The purpose of establishing the context for risk assessment is to set the stage for risk identification. Since a risk
is any issue (positive or negative) that may impact an organization's ability to achieve its objectives, defining the
organization's objectives is a prerequisite to identifying risk.
The context for risk assessment at UVM includes:

UVM's mission, vision, and strategic goals and objectives, as stated in the University Strategic Plan

College, School, Division, or departmental strategic goals or objectives

Major initiatives planned or underway

Critical activities, functions, or services

The external context, including stakeholder perceptions and expectations and relevant social, cultural,
political, financial, technological, economic, legal/regulatory, or competitive factors

2. Identification
The purpose of the risk identification step is to generate a comprehensive list of risks based on those events that
might create, enhance, prevent, degrade, accelerate, or delay the achievement of objectives (ISO 31000, 2009). The
risk identification process focuses on enterprise-level risks and opportunities that have the potential to impact the
strategic objectives of either the institution or one of its major units (Colleges, Schools, or Divisions), or represent a
systemic risk throughout the institution. The risk identification process should yield both potential negative events that
could impede the attainment of strategic goals as well as positive opportunities that could advance the institution's
progress toward its vision and goals.

3. Analysis
The purpose of risk analysis is to develop an understanding of the risk or opportunity in order to inform evaluation and
decision of whether a response is required.

Risks and opportunities are analyzed in terms of their overall risk category (see table below); their potential impact,
were the event to occur; the estimated likelihood of the event's occurrence; and whether the issue overall presents
more risk or more opportunity to the institution.
UVM rates the potential impact of a risk or opportunity on a scale of 1 to 6, with 6 being the most severe. Likelihood is
rated on a scale of 1 to 3, with 3 being the most likely. The impact and likelihood scores are multiplied to produce an
initial risk score for each risk or opportunity. For example, a risk with an estimated impact of 3-Substantial and an
estimated likelihood of 2-Medium would receive an initial risk score of 6. UVM's impact and likelihood rating scales
are available in the Guide to Risk Assessment & Response.

UVM's Risk Categories


| Category | Description |
|---|---|
| Compliance & Privacy | Risks or opportunities related to violations of federal, state or local law, regulation, or University policy, that create exposure to fines, penalties, lawsuits, reduced future funding, imposed compliance settlements, agency scrutiny, injury, etc. |
| Financial | Risks or opportunities related to physical assets or financial resources, such as: tuition, government support, gifts, research funding, endowment, budget, accounting and reporting, investments, credit rating, fraud, cash management, insurance, audit, financial exigency plan, long-term debt, deferred maintenance |
| Hazard, Safety, or Legal Liability | Risks or opportunities related to legal liability (negligence), injury, damage, or health and safety of the campus population or the environment, including impacts caused by accidental or unintentional acts, errors or omissions, and external events such as natural disasters. |
| Human Capital | Risks or opportunities related to investing in, maintaining, and supporting a quality workforce, such as: recruitment, retention, morale, compensation & benefits, change management, workforce knowledge, skills, and abilities, unionization, employment practices |
| Operational | Risks or opportunities related to management of day-to-day University programs, processes, activities, and facilities, and the effective, efficient, and prudent use of the University's resources |
| Strategic | Impacts related to UVM's ability to achieve its strategic goals and objectives, including competitive market risks, and risks related to mission, mission, values, strategic goals; diversity; academic quality; research; student experience; business model; market positioning; enrollment management; ethical conduct; accreditation |

*Note: UVM recognizes that many institutions of higher education use another category: reputational risk. In UVM's
view, however, a significant event in any of the above risk categories has the potential to impact the institution's
reputation. UVM therefore does not classify reputational risks separately, and instead considers reputational impacts
in assessing impact.

4. Evaluation
The purpose of risk evaluation is to make a decision, based on the results of the risk analysis, about which risks and
opportunities require a response and about the priorities for response implementation.
Each risk or opportunity's risk score (the product of impact × likelihood) will determine where it falls on UVM's risk
and opportunity heat map and what level of institutional review each risk or opportunity will receive.

Risks and opportunities scoring 1-3 are retained at the unit level and managed by the responsible official.

Risks and opportunities scoring 4-9 are included on the institution's risk register, reviewed by the ERMAC
and PACERM, and overseen by the responsible official.

Risks and opportunities scoring 10-18 are included in the risk portfolio, reviewed by the ERMAC, PACERM,
and President, overseen by the PACERM, and discussed with the Board of Trustees.

UVM's Risk & Opportunity Heat Map

5. Response
The purpose of risk response is to determine how to modify or manage the risk or opportunity. Risk response is a
cyclical process of assessing the response, determining whether residual risk levels (after response) are acceptable,
developing a new response if necessary, and assessing the response again. There are several standard options for
risk response, but they are not mutually exclusive; they can be used in combination. A decision can be to not respond
to the risk or opportunity other than maintaining existing management or control activities.
Risk response typically includes one or more of the following actions:
1. Avoiding the risk (e.g., by changing or ceasing certain behaviors, activities, or programs)

2. Mitigating the impact or likelihood of the risk through methods such as implementation of pre-loss planning,
allocation of additional resources, changes to policy or procedure, education and training, operational
controls or changes, organizational changes, monitoring, executive controls, or audit controls

3. Transferring the risk to an outside entity or mitigating through contractual transfer

4. Accepting the risk: no action is taken to affect the likelihood of the risk occurring or the impact of the risk
because the results of a negative outcome are acceptable within existing operating parameters and the
institution's risk tolerance

5. Financially funding the risk through commercial insurance, captive insurance, self-funded reserves, or
budget contingencies.

Opportunity response typically involves one or more of the following actions:


1. Enhancing the opportunity by seeking to increase the probability and/or the impact of the opportunity in
order to maximize the benefit to the project.

2. Exploiting the opportunity by seeking to make the opportunity definitely happen (i.e., increase probability to
100%). Aggressive measures are taken which seek to ensure that the benefits from this opportunity are
realized by the project.

3. Ignoring the opportunity by taking no active measures to deal with the opportunity; adopting a reactive
approach without taking explicit actions.

4. Sharing or transferring the opportunity by seeking a partner able to manage the opportunity that can
maximize the chance of it happening and/or increase the potential benefits. This will involve sharing any
upside in the same way as transfer involves passing penalties.
