About Enterprise Risk Management


Risk is uncertainty, caused by internal and/or external factors with the potential to impact (either positively or negatively) UC’s ability to achieve its Strategic Direction. Enterprise Risk Management is simply a process to deal with that uncertainty, comprised of four (4) major steps:

1. Risk Identification
2. Risk Analysis/Evaluation
3. Risk Treatment
4. Risk Monitoring

Managing risk is part of all activities associated with the university, and affects every department/unit and person. In that way, we consider Everyone a Risk Manager!


  • ERM prioritizes response and action to the risks that have the most impact on the university and its mission. The mitigation of these risks saves money, time, reputation and lives.
  • ERM is a cyclical process that continuously improves the university’s management of current and emerging risks.
  • ERM engages the entire university and promotes communication across departments.
  • “What keeps you up at night? What gets you up in the morning?” ERM helps address these questions and provides peace of mind.



Managing risk is an integral part of governance and assists the university in setting strategy, achieving objectives and making informed decisions.  UC’s leadership has shown tremendous support for the ERM program:




The purpose of risk identification is to find, recognize, and describe risks (uncertainties) that might help or deter UC in achieving its objectives. We categorize risks into five (5) main categories:

  • Reputational - How are we protecting UC’s brand and reputation?
  • Strategic - How are we meeting UC’s strategic and long-term goals?
  • Operational - How can we provide superior service to the students we serve?
  • Financial - How can we minimize costs and maximize our return on investments?
  • Compliance - How can we ensure we meet legal and regulatory requirements?



The purpose of risk analysis and evaluation is to understand the nature and characteristics of the risk, in order to support decisions about additional action that may be required.



The purpose of risk treatment is to select and implement options for addressing the risk, balancing achievement of objectives and costs, effort or other potential disadvantages.  



The purpose of monitoring and review is to assure and improve the quality and effectiveness of the risk management process’ design, implementation and outcomes. The results of monitoring are incorporated throughout the university’s performance management and reporting activities.



Throughout the risk management process, communication is the most important component. Open discourse between colleagues, administration, students and the Department of Enterprise Risk Management is what allows the university to identify, analyze, mitigate and monitor the risks.