Enterprise Risk Management

This Enterprise Risk Management (ERM) Framework outlines guidelines and procedures for managing, monitoring, and improving risk management practices at the University of San Francisco (USF). It embraces a proactive approach to risk management, emphasizing the importance of understanding the uncertainties that affect our objectives while focusing on our most important risks. 

Although risk-taking is often necessary to achieve our objectives, we will manage that risk by using this framework to gain a more comprehensive understanding of the threats and opportunities that we face as an educational institution. This understanding will guide our decision-making, helping us succeed and remain resilient as we manage internal and external risks. Effectively navigating uncertainty will strengthen our performance while creating and preserving value.

This framework aligns with the International Standards Organization (ISO) 31000:2018, Risk Management Principles and Guidelines. The ISO framework is globally recognized and respected and is utilized by a wide variety of public and private organizations. 

Risk Owners, Enterprise Risk Committee members, and Treatment Owners can access the Enterprise Risk Management (ERM) site at: https://erm.quickbase.com. To access the site, enter your email, and then log in using your USFCA credentials.


USF’s Board of Trustees and President are committed to cultivating an environment that supports innovative, risk-informed decision-making as we work together to achieve our objectives.

The Vice President and Chief Financial Officer is accountable for implementing this framework and working collaboratively with the Enterprise Risk Committee and Director of Risk Management to provide updates to the Board of Trustees and President on the progress of the ERM program.

The Director of Risk Management is responsible for cultivating and promoting a culture that values and actively practices ERM.

Vice Presidents are responsible for reviewing, approving, and attesting to understanding the risks that have been identified by the risk owner(s) in their area.

The Provost, Deans, Department Heads, and Faculty are expected to incorporate the ERM process into decision-making and operational processes. Existing and new risk management activities at USF will align with this framework.


Risk Culture and Governance

The Board of Trustees and the President are responsible for:

  • Receiving quarterly confirmation from the Director of Risk Management that the ERM framework continues to be implemented and that key risks are identified, prioritized, and treated in accordance with this ERM framework;
  • Assisting the Enterprise Risk Committee with establishing USF’s risk-taking view, prioritizing risks, and validating expectations;
  • Approving the allocation of resources necessary to implement and sustain an effective ERM program; and
  • Supporting a risk-aware culture.

The Vice President and Chief Financial Officer is responsible for:

  • Dedicating resources that support and enable the practical implementation of this ERM framework across the organization;
  • Allocating resources that have been dedicated to support and enable the practical implementation of this ERM framework across USF;
  • Working with the Board of Trustees and President to establish USF’s view of risk-taking; and
  • Promoting a risk-aware culture.

The Enterprise Risk Committee is responsible for:

  • Evaluating risk management processes for efficiency and effectiveness;
  • Approving the recommendations of the Director of Risk Management;
  • Reviewing, evaluating, finalizing, and approving the recommendations of the Director of Risk Management;
  • Reviewing and approving USF’s risk register (periodically or as needed); 
  • Reviewing the appropriateness of USF’s risk management treatment plans;
  • Communicating ERM information, recommendations, and decisions; and
  • Fostering a risk-aware culture.

The Enterprise Risk Committee Working Group is responsible for:

  • Evaluating risk management processes for efficiency and effectiveness;
  • Reviewing, evaluating, and finalizing the recommendations of the Director of Risk Management; 
  • Reviewing USF’s risk register (periodically or as needed); 
  • Reviewing the appropriateness of USF’s risk management treatment plans;
  • Communicating ERM information and recommendations to the Enterprise Risk Committee; and
  • Fostering a risk-aware culture.

The Director of Risk Management is responsible for:

  • Providing leadership on the design and implementation of this ERM framework;
  • Supporting the implementation of this ERM framework;
  • Providing tools, guidance and industry best practices to apply this ERM framework;
  • Monitoring and reporting on risks, and advising risk owners on risk treatment strategies;
  • Maintaining a USF-wide risk register;
  • Generating recommendations to address risks and gaps, and providing them to the Enterprise Risk Committee, Vice President and Chief Financial Officer, the President, and the Board of Trustees as appropriate;
  • Leading and coordinating ERM efforts in coordination with the risk owners, Vice Presidents and departments;
  • Facilitating training, risk assessments, and workshops;
  • Serving as an ERM consultant to employees and departments; 
  • Ensuring that this ERM framework becomes embedded in all business activities; and
  • Developing and maintaining a risk-aware culture.

Vice Presidents are responsible for:

  • Applying this ERM framework to decisions and business processes;
  • Adhering to industry best practices, USF’s policies, all local, state and federal regulations, and reporting to the Director of Risk Management any inconsistency that may threaten USF’s achievement of its mission or objectives;
  • Ensuring that risks for which they are responsible are reported in a timely manner, monitored, reviewed and approved;
  • Assigning risk owners; and
  • Supporting a risk-aware culture.

Risk Owners are responsible for:

  • Providing information on assigned risks and initial risk ratings;
  • Providing input on current risk treatment strategies and giving recommendations for any needed modifications;
  • Providing information to the Director of Risk Management and their area Vice President as requested;
  • Adding new risks (as they emerge) to the risk register; and
  • Monitoring assigned risks and ensuring that appropriate plans of action are implemented.

All Staff/Faculty are responsible for:

  • Proactively identifying, documenting and escalating risks and opportunities;
  • Being aware of USF’s organizational risks as well as all applicable departmental risks; and
  • Applying USF’s ERM resources (tools and guidance).

Effective ERM involves identifying, describing, assessing, and prioritizing the risks that can affect our organizational objectives.

Risk Management and Controls

USF will apply the ERM program to its processes and decisions as we think, plan, execute, measure, monitor and report on our work as shown in Figure 1.

Risks connected to USF’s strategic plan will be identified through periodic reviews of the strategic plan and/or as new risks are appropriately assessed, prioritized and managed. Operational and project risks are consistently managed at all levels of the organization including program management, review and reporting activities, and service delivery.


Figure 1- How a risk is escalated using the ERM Process

All risks should be appropriately managed. However, some risks merit special attention, as their impact moves from an individual department to an organizational level. When such risks are identified, they are reported and acted upon. This intensified reporting and action is what is referred to as an “escalation” of the risk. Figure 1 above provides a visual representation of how risks are identified, assessed and escalated. As noted in Step 2 of the chart, managers will assess the risk, develop a treatment, and then report the risk to the Director of Risk Management. As noted in Step 4 of the chart, the Enterprise Risk Committee is responsible for determining which risks should be reported to the VP of Business and Finance for potential management at an organizational level. If the VP of Business and Finance determines that the risk should be escalated for management at an organizational level, the VP of Business and Finance will report the risk to the Board of Trustees.

Resource requirements associated with this ERM process will be presented, considered and approved annually as a part of USF’s annual budget process.

USF’s ERM approach will align with its strategic priorities and objectives in an effort to:

  • Establish and track performance expectations for this ERM program;
  • Track improvement in USF’s management practices; and
  • Monitor and track performance on the management of organizational risks.

Continuous Improvement

The ERM program and risk governance structure will be continuously improved by following industry best practices and obtaining stakeholder feedback. This feedback will be used to inform and adapt USF’s risk management approach so that it remains effective, efficient, and valuable. The Director of Risk Management will be responsible for keeping the program and risk governance structure updated according to this process.

From ISO/ANSI/ASSE 31000:2018 Risk Management Principles and Guidelines

Figure 2- ISO 31000

Provost: Eileen Fung
Director of Risk Management: Melissa Diaz
VP and CFO: Stacy Daher
General Counsel & Acting Senior VP: Donna Davis
VP, Student Life: Shannon Gary
VP of Operations: Julie Orio
VP for Strategic Enrollment Management: Eric Groves
Interim VP, Development: Jayme Burke
VP, Information Technology and Chief Innovation Officer: Opinder Bawa
Interim VP, Marketing Communications: Anneliese Mauch

Enterprise Risk Committee Working Group

Director of Risk Management: Melissa Diaz
AVP, Tax Compliance, Internal Audit, & Payroll Services: Dom Daher
AVP, Human Resources: Diane Nelson
AVP, Accounting & Business Services: Desmond Dair