The ERM Program
ISO 31000 provides principles, a framework and a process for managing any form of risk in a systematic, transparent and credible manner. The ERM program is committed to:
- developing a more risk aware culture through training and education.
- advising and assisting risk owners in identifying and assessing their risks and controls.
- assisting University leadership and risk owners in the monitoring of risks and controls.
A printable version of the UofSC ERM Policy [pdf] is available.
In accordance with the ISO 31000 standard, the university maintains an ERM policy. The policy provides direction for ERM implementation, lends credibility to the program and demonstrates the university’s commitment to the ERM process.
This policy has been established to ensure appropriate identification and evaluation of risks associated with all University activities and to ensure that these risks are managed at an appropriate and acceptable level. All University community members must understand and take responsibility for managing risks associated with activities within their span of control. In an effort to assist in the appropriate management of University risks, an Enterprise Risk Management (ERM) process will be developed, implemented and continuously improved at all relevant levels and functions of the organization in accordance with International Organization for Standardization (ISO) 31000:2018 “Risk Management - Guidelines”.
- Risk: the University faces internal and external influences that make it uncertain whether we will achieve our objectives. The effect that this uncertainty has on our objectives is called “risk” and can be either positive or negative.
- Enterprise Risk Management: a coordinated activity of identifying, evaluating, controlling and monitoring University risks with the purpose of creating and protecting value.
- ISO: International Organization for Standardization. The ISO standard provides a common approach to managing any type of risk and can be applied to any activity.
- Risk Owner: an individual, department, college, school, etc. who has been notified and assigned accountability and authority to manage a risk.
- Risk Identification: the process of finding, recognizing and describing risks that might help or prevent the University from achieving its objectives.
- Risk Register: a listing of identified risks used to track and evaluate risks associated with University activities.
- Risk Evaluation: the process of determining if a risk is acceptable to the University and where additional action is required.
- Risk Control: a measure that maintains and/or modifies a University risk.
- The University’s Enterprise Risk Management Oversight Committee integrates the ERM process into all aspects of the University’s mission, including governance, strategic planning, reporting, values and culture.
- The University has appointed an Enterprise Risk Manager who will facilitate the development, implementation and continual improvement of the ERM organizational structure and process. The Enterprise Risk Manager will communicate, consult and provide training to Risk Owners when implementing the ERM process, thereby raising awareness of the need for risk management.
- The Enterprise Risk Management Oversight Committee, in conjunction with the Enterprise Risk Manager, will establish a central Risk Register that will be used to identify and evaluate risks and their controls. Through the Risk Register, the committee monitors and evaluates existing and emerging risks, and implemented controls and action plans established to meet risk management objectives.
- In conjunction with the Enterprise Risk Manager, Risk Owners will be responsible for identifying and evaluating risks, developing and implementing action plans to control significant risks, and reporting risk management performance to the Enterprise Risk Management Oversight Committee.
- Risk Owners will effectively and efficiently manage risks at known and acceptable levels through the ERM process and will consider legal compliance as an absolute minimum.
A robust reporting structure provides a sound backbone for the ERM program through representation of key risk owners in the identification, evaluation and control of risks arising from University activities.
The ERM Executive Oversight committee provides a top-down approach in identifying significant risks to the organization. The oversight committee reviews risk data submitted by the senior committees, subcommittees and individual risk areas and amends the risk data based on their experience and expertise. Members of the oversight committee include senior University leadership and representation from other University offices and programs.
The ERM subcommittees and individual risk areas take a bottom-up approach in identifying strategic, operational, hazard, financial and reputational risks. Identified risks are reported to senior level committees which review, consolidate and select specific risks for more detailed reporting to the Executive Oversight committee.
This top-down and bottom-up approach promotes a collaborative, cohesive and robust ERM process. Increased collaboration improves the University’s risk management culture, provides a comprehensive view of risks, enhances the identification of risks and allows risk prioritization.
The University has established a documented process to determine which risks are most significant, identify controls and monitor risks.