Enterprise Risk Management - The University of Tulsa

Enterprise Risk Management

About Risk Management at TU

Enterprise Risk Management is led by Matt Warren, Vice President and Chief Compliance Officer. The role of ERM is to provide the governance, framework, and guidance to assist and support campus leadership and stakeholders in identifying events that have the potential to impact the TU community both positively and negatively, and to manage risks associated with those events.

The goals are to support organizational resiliency with a risk-conscious culture that aligns to the strategic mission and values of the university. This is achieved by enabling the understanding of actual risks and their criticality through the development of effective and efficient mitigation planning, and the proactive identification and management of emerging risks to prevent future issues.

For more information, please email compliance@utulsa.edu.

Defining Enterprise Risk Management (ERM)

ERM is a business-continuous process, led by senior leadership, that extends the concepts of risk management and includes:

  • Identifying risks across the entire enterprise;
  • Assessing the impact of risks to the operations and mission;
  • Developing and practicing response or mitigation plans;
  • Monitoring the identified risks, holding the risk owner accountable, and consistently scanning for emerging risks.

Definition and Scope of Risk

A risk is defined as any event or action that impacts the organization’s ability to achieve its objectives, both positive and negative. In support of this definition, ERM addresses risks and opportunities that may have an impact on CMU’s strategic goals and objectives. As such, ERM looks across the entire institution using a forward-thinking approach and open communication. ERM also examines potential risks and opportunities outside of the institution that could have an impact, including but not limited to peer institutions, higher education as a whole, and Carnegie Mellon specifically, as well as regional, national, and global risks that have the potential to impact both higher education and Carnegie Mellon. ERM examines risk from these perspectives to capitalize on thought leadership, identify lessons learned, and benchmark upon best practices. ERM examines potential risks and opportunities based upon the following risk categories:

Life / Health Safety
Risks or opportunities related to injury, damage, or health and safety of the campus population, including impacts caused by accidental or unintentional acts, errors or omissions, and external events such as natural disasters.

Financial
Risks or opportunities related to physical assets or financial resources, such as: tuition, government support, gifts, research funding, endowment, budget, accounting and reporting, investments, credit rating, fraud, cash management, insurance, audit, financial exigency plan, long-term debt, etc.

Mission
Risks or opportunities related to TU’s mission to transform the educational experience for students, to cultivate a transformative community, and to impact society in a transformative way – regionally, nationally, and globally.

Operational
Risks or opportunities related to management of day-to-day university programs, functions, activities, facilities, infrastructure (including technology) and the efficient, effective and prudent use of university resources.

Compliance / Legal
Risks or opportunities related to violations of federal laws and regulations, state laws and regulations, local municipal laws, case law, accreditation standards, university policies and procedures, and contractual obligations, including contractual agreements, employment contracts, and collective bargaining agreements.

Risk Identification and Prioritization

One of the simplest ways in which a risk or an opportunity can be identified is by asking the question, “What keeps you up at night?” Appreciating that this can result in a multitude of different answers, risks and opportunities can be framed by thinking about topics that have the potential to have an impact on the institution’s strategic goals and objectives. Issues present within the university, the geographical region, peer universities, the higher educational landscape, or throughout the nation and world could all have the potential to have such impact. Risks are identified through open, transparent, and collaborative communication, and are initially identified as inherent or perceived risks. It is not until a risk is assessed further to determine if it could have both the likelihood and severity of affecting the university either positively or negatively.

Industry thought leadership and expertise pertaining to both enterprise risk and higher education can be excellent resources in understanding the risk landscape. These resources offer best practices that may help to proactively expedite the escalation of emerging risks that would have the potential to affect the institution. External audit firms, The Chronicle of Higher Education, and other professional organizations are such valued resources.

Risk Response and Management Actions

For risks identified, prioritized, and assessed, a response and management action plan is captured by Risk Management in collaboration with the Crisis Management and Emergency Operations Team. The purpose is to provide awareness and transparency to university leadership of the actions being taken to ensure that risks outside of the university’s appetite are managed to reduce the likelihood and severity of occurrence. Additionally, for risks that are outside of the university’s capability to effectively manage due to internal and/or external factors, this provides an opportunity for any residual risks to be highlighted. Risk responses may include one or several of the following:

Risk Acceptance with Further Monitoring
The risk and current mitigation activities are within the risk appetite of the university and will continue to be monitored for any changes.

Additional Mitigation
The risk and current mitigation activities are outside of the risk appetite of the university, and will undergo further mitigation and control activities until the risk demonstrates improvement with a reduction in potential likelihood and severity of occurrence.

Risk Transfer
The risk and current mitigation activities are outside of the risk appetite of the university, and will be transferred to a third party for additional management to lessen the burden of the likelihood and severity of occurrence.

Risk Avoidance
The risk and current mitigation activities are outside of the risk appetite of the university, and will be avoided by discontinuing the activities that are resulting in the increasing likelihood and severity of occurrence.

Employee Training and Education

The University requires employees to complete training each year and offers many online training modules to foster professional development. To access the training, click the link and sign in; you will then see the Training Library on the left side of your screen.
> Employees Vector Portal