Enterprise Risk Management

USF's Enterprise Risk Management (ERM) program embraces a proactive approach to managing risk, emphasizing the importance of understanding the uncertainties that affect our objectives while focusing attention on our most important risks. Through this process, ERM establishes a program structure that engages functional leaders across the campus to identify and prioritize risks, and it provides leadership with the information they need to prioritize those risks and improve decision making.

Although risk-taking is often necessary to achieve our objectives, we will manage that risk by using the ERM process to gain a more comprehensive understanding of the threats and opportunities that we face as an educational institution. This understanding will guide our decision-making, making us successful and resilient as we manage internal and external risks. Effectively navigating uncertainty will strengthen our performance while creating and preserving value.

USF uses the International Organization for Standardization (ISO) 31000:2018 framework, Risk Management Principles and Guidelines. The ISO framework is globally recognized and respected and is used by a wide variety of public and private organizations. ISO defines risk as “the effect of uncertainty on objectives.”


USF’s Board of Trustees is committed to cultivating an environment that supports innovative, risk-informed decision-making as we work together to achieve our objectives.

The VP of Business and Finance is accountable for implementing the ERM program and working collaboratively with the Enterprise Risk Committee and Director of Risk Management to provide updates to the Board of Trustees on the progress of the ERM program.

The Director of Risk Management is responsible for cultivating and promoting a culture that values and actively practices ERM.

The Provost, Deans, Department Heads, and Faculty are expected to incorporate the ERM process into decision-making and operational processes. Existing and new risk management activities at USF will align with the ERM program.

Risk Culture and Governance

The Board of Trustees is responsible for:

  • Receiving annual confirmation from the VP of Business and Finance that the ERM program continues to be implemented and that key risks are identified and prioritized;
  • Assisting the Enterprise Risk Committee with establishing USF’s risk-taking view, prioritizing risks, and validating expectations;
  • Approving the allocation of resources necessary to implement and sustain an effective ERM program; and
  • Supporting a risk-aware culture.

The VP of Business and Finance is responsible for:

  • Dedicating and allocating resources that support and enable the practical implementation of this ERM program across USF;
  • Working with the Board of Trustees to establish USF’s view of risk taking; and
  • Promoting a risk-aware culture.


The Enterprise Risk Committee is responsible for:

  • Evaluating risk management processes for efficiency and effectiveness;
  • Reviewing, evaluating, finalizing and approving the recommendations of the Director of Risk Management;
  • Reviewing and approving USF’s risk register (periodically or as needed);
  • Reviewing the appropriateness of USF’s risk management treatment plans;
  • Communicating ERM information, recommendations, and decisions; and
  • Fostering a risk-aware culture.


The Director of Risk Management is responsible for:

  • Providing leadership on, and supporting, the design and implementation of the ERM program;
  • Providing tools, guidance and industry best practices to apply the ERM program;
  • Monitoring and reporting on risks, and advising risk owners on risk treatment strategies;
  • Maintaining a USF-wide risk register;
  • Generating recommendations to address risks and gaps, and providing them to the Enterprise Risk Committee, VP of Business and Finance, and the Board of Trustees as appropriate;
  • Leading and coordinating ERM efforts with risk owners and departments;
  • Facilitating training, risk assessments, and workshops;
  • Serving as an ERM consultant to employees and departments;
  • Ensuring that the ERM program becomes embedded in all business activities; and
  • Developing and maintaining a risk-aware culture.


Department/College/School Heads are responsible for:

  • Applying the ERM program to decisions and business processes;
  • Adhering to industry best practices, USF’s policies, all local, state and federal regulations, and reporting to the Director of Risk Management any inconsistency that may threaten USF’s achievement of its mission or objectives;
  • Ensuring that risks for which they are responsible are monitored and reported in a timely manner;
  • Assigning risk owners; and
  • Supporting a risk-aware culture.


Risk Owners are responsible for:

  • Providing information on assigned risks and initial risk ratings;
  • Providing input on current risk treatment strategies and giving recommendations for any needed modifications;
  • Providing information to the Director of Risk Management as requested; and
  • Monitoring assigned risks and ensuring that appropriate plans of action are implemented.


All Staff/Faculty are responsible for:

  • Proactively identifying, documenting and escalating risks and opportunities;
  • Being aware of USF’s organizational risks as well as all applicable departmental risks; and
  • Applying USF’s ERM resources (tools and guidance).

Effective ERM involves identifying, describing, assessing, and prioritizing the risks that can affect our organizational objectives.


Risk Management and Controls


USF will apply the ERM program to its processes and decisions as we think, plan, execute, measure, monitor and report on our work as shown in Figure 1.

Risks connected to USF’s strategic plan will be identified through periodic reviews of the strategic plan and/or as new risks are appropriately assessed, prioritized and managed. Operational and project risks are consistently managed at all levels of the organization including program management, review and reporting activities, and service delivery.


Figure 1 (steps, in order):
Step 1: An employee identifies a risk and reports it to their manager.
Step 2: The manager and employees assess the risk and develop treatments; the manager assigns a risk owner and reports the risk to the Director of Risk Management.
Step 3: The Director of Risk Management determines whether the risk should be managed organizationally and, if so, advises the Enterprise Risk Committee.
Step 4: The Enterprise Risk Committee reviews the risk and the recommendation of the Director of Risk Management and decides whether escalation to the Board of Trustees is necessary.

Figure 1- How a risk is escalated using the ERM Process

All risks should be appropriately managed. However, some risks merit special attention because their impact moves from an individual department to the organizational level. When such risks are identified, they are reported and acted upon; this intensified reporting and action is referred to as an “escalation” of the risk. Figure 1 above shows how risks are identified, assessed and escalated. As noted in Step 2 of the chart, managers assess the risk, develop a treatment, and report the risk to the Director of Risk Management. As noted in Step 4 of the chart, the Enterprise Risk Committee determines which risks should be reported to the VP of Business and Finance for potential management at an organizational level. If the VP of Business and Finance determines that the risk should be escalated for management at an organizational level, the VP reports the risk to the Board of Trustees.

Resource requirements associated with this ERM process will be presented, considered and approved annually as a part of USF’s annual budget process.

USF’s ERM approach will align with its strategic priorities and objectives in order to:

  • Establish and track performance expectations for this ERM program;
  • Track improvement in USF’s management practices; and
  • Monitor and track performance on the management of organizational risks.

Continuous Improvement

The ERM program and risk governance structure will be continuously improved by following industry best practices and obtaining stakeholder feedback. This feedback will be used to inform and adapt USF’s risk management approach so that it remains effective, efficient, and valuable. The Director of Risk Management will be responsible for keeping the program and risk governance structure updated according to this process.


From ISO/ANSI/ASSE 31000:2018 Risk Management Principles and Guidelines

Figure 2- ISO 31000




Provost: Eileen Fung
Director of Risk Management: Melissa Diaz
Internal Audit: Dom Daher
VP, Business and Finance: Charlie Cross
General Counsel & Acting Senior VP: Donna Davis
AVP, Human Resources: Diane Nelson
VP, Student Life: Shannon Gary
VP of Operations: Julie Orio