SUU ERM Framework

The SUU Enterprise Risk Management Framework outlines the Risk/Opportunity Assessment process for the identification, assessment, mitigation and monitoring of risks and opportunities. It also outlines the communication and collaboration process for achieving a culture of risk management at all levels of the University.

Establishing an ERM Culture at SUU

At SUU, EVERYONE is a Risk Manager (ERM). Every SUU faculty, staff and student is a steward of the University and has the responsibility to identify and manage the risks associated with their activities. The flow chart and descriptions below describe the collaboration process and identify roles and responsibilities at each level of the University.

Flowchart: management, working, and operation level all connect to assurance level. Each of those levels reports up to senior management level.

Oversight of Management Response Plans

Consists of the Enterprise Risk Management Committee

Roles and Responsibilities 
  • Provide a broad management perspective on institutional risk and opportunity and ensure engagement in Enterprise Risk Management at the senior management level, including identification of the University’s risk tolerance and culture. 
  • Oversee the development and implementation of the ERM program at SUU that continuously manages risks across the institution.
  • Recommend draft institutional risk philosophy to the President for discussion with the Board of Trustees.
  • Develop draft ERM policy for review and approval by the President.
  • Identify risks and opportunities, using a variety of appropriate techniques (e.g. SWOT analysis, brainstorming, etc.).
  • Prepare annually for review by the President an institutional registry and portfolio of risks and opportunities having the greatest potential impact on the University’s objectives.
  • Oversee the University Compliance Program and review, validate, and/or revise the Compliance Matrix and compliance risk assessment prepared by the University Compliance Committee.
  • Refer newly identified risk issues or new initiatives that may pose risk to the Working Level for further assessment and development of recommendations as necessary.
  • Review the institutional risk portfolio with Operational Level (when needed).
  • Make recommendations to the President regarding which risks or opportunities sufficiently impact the University’s strategic objectives to warrant development of enterprise-level response plans to manage those risks or opportunities and/or reporting to the Board of Trustees.
  • Assign key institutional risks to Responsible Officials within the ERM Committee or Working Level for the development of Management Response Plans.
  • Review proposed management response plans for highest-level risks and align such plans with the University’s risk philosophy, strategic objectives, and budgetary resources.
  • Coordinate with the Assurance Level to ensure Management Response Plans are effectively mitigating risk and enhancing opportunity at all levels of the institution.
  • Review quarterly and annual draft ERM progress reports to the Audit Committee or full Board of Trustees before they go to the President for final approval.
  • Assist in the development and maintenance of the University’s ERM procedures and protocols.
  • Assist in addressing functional, cultural, and departmental barriers to managing risks.

Development of Management Response Plans

Consists of a Responsible Official, Task Force, or Risk Management Subcommittee that has the expertise to address a specific risk. Click here for a list of Working Level groups (TBD).

Roles and Responsibilities 

  • Focus on specific risk/opportunity areas and the development of Management Response Plans.
  • Provide support to the Operational Level as needed. 
  • Act as a technical resource of subject matter experts, participating in education, training, communication, and awareness building of ERM at SUU.

Examples of Working Level Groups include: 

  • Compliance Committee 
  • University Health & Safety Committee 
  • Accessibility Task Force 
  • Behavioral Assessment Team 
  • Crisis Policy Group and Emergency Response Team

Implementation of Management Response Plans

Consists of Deans, Department Chairs, Directors, Supervisors, Faculty, Staff, Students, etc. 

Roles and Responsibilities 

  • Align department objectives with the University's strategic plan.
  • Ensure that all applicable risk management policy requirements and risk response plans are implemented in their respective areas. 
  • In conjunction with the Assurance Level, complete Operational Level risk assessments and Management Response Plans annually. 
  • Report emerging risks to the Assurance, Working, or Management Levels.

Assurance of Management Response Plan Effectiveness

The Risk Assurance Group (RAG) consists of the Office of Enterprise Risk Management, the Office of Internal Audit, and the Office of Legal Affairs.

  • Provide risk management support to the Management, Working, and Operational Levels on best practices and risk management techniques. 
  • Conduct Operational Level risk assessments to evaluate Management Response Plan effectiveness.
  • Refer Operational Level to Working Level Responsible Official(s) for support with non-compliant controls where appropriate. 
  • Report emerging risks to the Management Level and provide recommendations for remediations. 
  • The Group meets quarterly in order to ensure continual coordination and communication among these various functions and offices, each of which plays a role in helping the institution to manage risk.
  • Outside of the ERM process, the RAG members continue to provide independent counsel, consultation, advice, reports, assessments, and assurance in accordance with their role and responsibilities.

SUU Risk/Opportunity Assessment Process

The primary focus of the ERM program is the completion of an annual institution-wide risk assessment using the Risk/Opportunity Assessment Process shown below, which consists of seven steps: (1) establishing the context; (2-4) conducting the risk assessment, which includes identifying, analyzing, and evaluating risks and opportunities; (5) responding to risks and opportunities; (6) monitoring and updating their status; and (7) reporting on those that could materially affect the institution or a department. The context and assessment steps help decision-makers choose which risks or opportunities are priorities, what the appropriate response should be, and what resources should be allocated to manage the risk or opportunity in a way that best supports the organization’s strategy. The response step involves deciding on and planning for the best way to “treat” or modify the risk or opportunity, and implementing that plan.


The risk assessment process begins in January and ends in December of each calendar year (CY), which results in an updated University Risk-Opportunity Portfolio and Register.

SUU’s Annual Risk-Opportunity Assessment Process

Risk Assessment process throughout the year, contact for explanation and details

Legend: ERM = Enterprise Risk Manager, ERMC = Enterprise Risk Management Committee, MRP = Management Response Plan, PRI = Preliminary Risk Inventory, RAG = Risk Assurance Group, RO = Responsible Official