
POLICY #13.11 
SUBJECT: Risk Management Committee


This Policy is adopted pursuant to Administrative Rule R37-1. It establishes the Southern Utah University (SUU) Risk Management Committee, which serves a dual role in protecting and advancing the mission and vision of the University by fostering an institution-wide culture of risk and opportunity awareness. The Committee provides a structured, consistent, and continuous process for the early and proactive identification and reporting of material risks and opportunities to the President’s Cabinet. In addition, the Committee has a role in the data security efforts and initiatives of the University.


  1. Utah Administrative Rule R37 Government Operations, Risk Management




  1. The Committee’s charge is as follows:
    1. Review and update the methods and procedures necessary to identify, evaluate, prioritize, and manage risks;
    2. Ensure the University’s risk management process considers operational, compliance, financial, cyber, reputational, and strategic risks;
    3. Develop methods to identify trends and emerging risks and appropriately assign responsibility for managing and monitoring new risks;
    4. Notify campus of insurance policy coverage, exclusions, and changes;
    5. Create a culture of risk awareness where all SUU employees understand and consider risk factors in decision-making;
      1. Ensure that all SUU employees are aware of the risks related to their roles and activities and understand their responsibilities for identifying, managing, and reporting on risk and opportunities in a systematic and timely way;
      2. Provide best practice information, education, training, and facilitation of resources to the University community.
    6. Improve the efficiency and effectiveness of institutional risk management efforts.
      1. Provide the University community with a common language, framework, and set of procedures for identifying, assessing, responding to, and reporting on risk posed in new and ongoing endeavors across the organization’s entire range of assets and operations;
      2. Provide enterprise-level coordination of existing institutional functions for identifying, assessing, and reporting risk;
      3. Integrate risk ownership and management activities at all levels of the institution;
      4. Where possible, use and strengthen existing management processes, reporting and approval channels, and organizational structures;
      5. Establish and maintain an institutional risk register that allows for the tracking and reporting of risk trends and of risk response plans;
      6. Review the effectiveness of risk management practices regularly.
    7. Increase capacity for SUU employees to identify and seize opportunities to meet the University’s strategic goals by facilitating greater transparency and openness regarding risk.
    8. Manage the University's information security program, including establishing priorities and policies:
      1. Establish information security controls within the University based on data security best practices and applicable frameworks;
      2. Conduct regular risk assessments to identify trends and changes in the threat landscape, and make recommendations for additional controls or modifications to existing controls;
      3. Review data security incidents and make recommendations for adjustments;
      4. Oversee compliance with applicable laws and regulations (e.g., GLBA, GDPR, PCI, HIPAA, etc.);
      5. Oversee any subcommittees created to address items in Section IV.A.8.d. above (e.g., PCI Committee);
      6. Implement formal data classification activities, including identifying sensitive data, assigning appropriate data classification levels, and determining appropriate controls for each classification level.
  2. Reporting
    1. The committee will provide an annual risk report to the President’s Cabinet.
  3. Membership
    1. The committee is a standing committee of the University composed of the following members:
      1. Vice President for Finance and Administration, Chair
      2. Vice President for Student Affairs, or designee
      3. Provost, or designee
      4. University General Counsel, or designee
      5. Director of Safety and Risk Management
      6. Assistant Vice President for Facilities Management, or designee
      7. Director of Internal Audit
      8. Chief Information Officer
      9. Director of IT Security
      10. Director of Human Resources
      11. Chief of Campus Public Safety and Emergency Manager
      12. Director of Purchasing
      13. Assistant VP for Finance
      14. Executive Director for SUU Aviation, or designee
      15. Athletic Director, or designee
      16. Executive Director of Marketing
  4. The committee will have authority to create sub-committees and appoint Risk Committee members, or others, to those committees as warranted to address areas of particular risk or concern. These sub-committees will report to the Risk Management Committee annually. The Risk Management Committee also recognizes existing college, school, division, or department level safety committees and will ensure a coordinated risk management effort between all parties.
  5. The committee will meet quarterly at a minimum. Meeting minutes will be provided to the State of Utah Division of Risk Management.




The responsible office for this Policy is the Vice President for Finance and Administration. For questions about this Policy, contact the Office of Enterprise Risk Management.


Date Approved: December 4, 2013

Amended: July 19, 2018