Governance & Culture


The Enterprise Risk Management (ERM) function receives oversight from the Board of Regents and the Executive Oversight Compliance Committee (EOCC). Please see the EOCC description on the ERM Framework page. The ERM team works with management across the University system to identify, assess, and respond to risks. The ERM team is housed in Health, Safety, and Risk Management under the Senior Vice President for Finance and Operations.

Board of Regents

Inform and endorse the University's risk profile and prioritize activities. Set the tone by promoting the value of creating a risk-aware community, lead discussions through the lens of risk management where appropriate and provide external expertise to analysis and discussion.

Executive Leadership

Inform and approve risk profile, set priorities, serve as institutional risk owners, empower teams to proactively manage risks.

Operational Management

Consult and inform on institutional risk profile, develop mitigation strategies and key performance indicators, serve as operational risk leads, implement risk mitigation strategies and work plans.

What is a Risk?

Simply stated, risk is uncertainty. Risk is anything that may impact the University’s ability to accomplish its mission, goals, and objectives, either positively or negatively. Risks include potential events such as the outage of a key software system, changing regulations affecting the University, an emergency on campus, or a multitude of other events. The severity of a risk is measured in terms of its impact and likelihood as visually represented in the example risk heat map below. Breaking risks down into standardized components allows the University to better prioritize and manage risks through the creation of a consistent portfolio view of the many risks facing the University. See more information on scoring and prioritizing risks in the Resources and Tools section.

Example risk heat map with likelihood on the X axis and Impact on the Y axis.
Example risk with Likelihood and Impact scores of 3.5 each on a 5-point scale.

What is Risk Management?

Risk management is the principles, framework, and processes for managing risk effectively. Risk management involves identifying and understanding risks and using appropriate strategies to respond to them. The Committee of Sponsoring Organizations (COSO) defines enterprise risk management as “a process, effected by an entity’s board of directors, management, and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.” 

What is Risk Culture?

Risk culture is the normal and typical behavior of individuals and groups within an organization that determines how they identify, understand, discuss, and act on the risks of the organization.

Every organization has a risk culture whether cognizant of it or not. Culture is the driving force behind the success of an organization’s enterprise risk management function. University of Minnesota leadership is committed to maintaining a proactive risk culture as expressed in the University’s strategic plan. The University has the goal to enhance risk management through innovative technology and processes.

Why is Risk Culture Important?

A strong risk culture provides:

  • Increased level of risk awareness across the University system, including an awareness of the types of risks, drivers, controls, and mitigating factors.
  • Better decision making when the impact of uncertainty is considered.
  • Stronger ability to adapt to a changing environment.
  • Positive perception of the value that sound risk information can contribute to University success.

When You Identify Risks

No matter what we do as leaders, faculty, or staff at the University, there is no guarantee of success. We should regularly consider these questions:

What is my goal?

Consider the short-term and long-term goals of your group and the University. It’s helpful to consider the University’s mission and MPact 2025 strategic plan and how those objectives cascade down to you and your group. How does your group contribute to the achievement of the system-wide goals?

What could keep me and my team from achieving our goals?

Falling short of a goal can result from many factors or events both internal and external to the University. These are your risks. Remember, risk represents uncertainty so risk can be negative or positive. A risk event may occur that provides an opportunity. 

What are the possible outcomes?

Look for the worst-case, best-case, most-likely scenarios, and possibilities in-between.

How robust are the assumptions underlying my plans?

Assumptions should remain valid under changing circumstances.

Are there any unrecognized correlations among the risk drivers?

Consider relationships among risk drivers. Risk drivers are the causes or sources of risk such as market conditions, regulatory changes, or climate change. 

Most importantly, "Is my response enough or should I plan an additional response?"

You can respond to the risks you’ve identified by reducing the likelihood or impact through controls, by transferring the risk through insurance, by accepting the risk if it is minor, or by avoiding the activity giving rise to the risk altogether. A proactive and risk-aware response will increase the likelihood you achieve your goal!

Calculate a Risk Score

A risk score is a useful measure of the risk to which your department and the University may be exposed. Calculating a risk score is very helpful in prioritizing the many risks facing any particular group. Please see the Calculate Risk Score table under Resources & Tools.