
Risk is defined by ISO-31000 as “the effect of uncertainty on objectives.” Enterprise risk management is a holistic approach to managing risks that can impact the successful execution of the university’s mission and objectives.

The goal of the UCF enterprise risk management (ERM) program is to provide a systematic approach to identifying and managing various types of risk, regardless of their origin. Risks can include those affecting the whole of higher education, risks specific to UCF, or risks related to certain units and processes. A robust ERM program will benefit UCF by:

UCF has a mission and vision that provide the basis for decision-making. Strategy and goals are developed to support the university’s mission and vision, but their development and execution come with risks. ERM establishes a framework for effective decision-making regarding the pursuit of strategies, initiatives, and programs, including a mechanism to discuss when strategies are not aligned with the university’s mission and vision.

The university is faced with a myriad of risks. Sometimes the impacts of those risks are localized to one area, but the impacts are often felt across various departments. It is important to consider risk from an enterprise perspective to understand how actions taken can affect other departments and partners. An ERM program provides the vehicle to identify, discuss, and manage risks at an entity level to ensure actions taken represent the best option for the university.

UCF, as is the case with many other entities, has finite resources and innumerable needs. Every unmet need represents a risk. The university must have a way to prioritize which risks should be addressed with the set number of resources available. ERM provides key information to focus university resources on critical risks with the potential for the most substantial impact. Additionally, ERM creates a mechanism to escalate risks when broader management and resources are needed.

The landscape of higher education continues to evolve and change. New opportunities and challenges are identified almost daily. The university’s continued viability is contingent on its ability to anticipate and respond to change. An effective ERM program helps identify factors that represent not just risk, but change, and how that change could impact performance and necessitate a shift in strategy.

Risk Categories

Risks related to adherence to federal and state laws and regulations, local municipal laws, case law, accreditation standards, university policies and procedures, and contractual obligations, including contractual agreements, employment contracts, and collective bargaining agreements.

Risks related to injury, damage, or health and safety of the campus population, including impacts caused by accidental or unintentional acts, errors or omissions, or external events such as natural disasters.

Risks related to the university’s financial position and resources including tuition, government support, gifts, research funding, endowment, budgeting, accounting and reporting, investments, credit rating, fraud, cash management, long-term debt, etc.

Risks related to people, processes, and technology systems including efficient and effective use of university resources.

Risks related to the achievement of UCF’s strategy, including the development and execution of business plans and initiatives, change and disruption management, competition, adaptation, innovation, etc.

ISO-31000

ISO-31000 is the only international standard on the practice of risk management. The best-practice guidelines provide principles, a framework, and a process for managing risk, which it defines as “the effect of uncertainty on objectives.” The standard is flexible and can be customized to any organization, including public entities and institutions of higher education. The UCF ERM Program is based upon this international standard.

A flower-like diagram with 'Value Creation and Protection' at the center, surrounded by interlocking circles.

Value Creation and Protection

The ISO-31000 principles are integration across the organization, a structured and thorough approach, customization to specific needs, inclusivity, adaptability, reliance on the best available information, acknowledgment of human factors, and a focus on continual improvement. Together, these principles ensure a balanced and effective way to create and safeguard value.

A circular process diagram showing stages of a framework, including Integration, Design, Implementation, Evaluation, and Improvement, connected in a loop.

Leadership and Commitment

The framework consists of Integration, Design, Implementation, Evaluation, and Improvement. These elements represent how strong leadership and commitment drive the entire process, ensuring each step is connected and continuously refined for success.

A comprehensive process diagram for risk assessment. It includes steps such as Risk Identification, Risk Analysis, Risk Evaluation, Risk Treatment, with monitoring and review steps in a feedback loop. The process is connected to Scope, Context, and Communication.

Risk Assessment

The diagram shows the “Risk Assessment” process, with its key components arranged in a continuous cycle. At the core, risk assessment involves Risk Identification, Risk Analysis, and Risk Evaluation. Surrounding this are supporting processes: defining the Scope, Context, and Criteria; Communication and Consultation; Monitoring and Review; and Recording and Reporting. Finally, Risk Treatment is applied based on the evaluation, completing the risk management process.

Program Plan

Program Guide

Board of Trustees Audit & Compliance Committee Charter
