POLICY #13.11
SUBJECT: Enterprise Risk Management Committee
I. PURPOSE
The purpose of this Policy is to be pursuant to Administrative Rule R37-1. This Policy establishes the Southern Utah University (91ɬÂþ) Enterprise Risk Management Committee, which serves a dual role in protecting and advancing the mission and vision of the University by fostering an institution-wide culture of risk and opportunity awareness. The Committee provides a structured, consistent, and continuous process for the early and proactive identification and reporting of material risks and opportunities to the President. In addition, the Committee will have a role in the data security efforts and initiatives of the University.
IV. POLICY
- The Committee’s charge is as follows:
- Review and update the methods and procedures necessary to identify, evaluate, prioritize, and manage risks;
- Ensure the University’s risk management process considers operational, compliance, financial, cyber, reputational, and strategic risks;
- Develop methods to identify trends and emerging risks and appropriately assign responsibility for managing and monitoring new risks;
- Notify campus of insurance policy coverage, exclusions, and changes;
- Create a culture of risk awareness where all 91ɬÂþ employees understand and consider risk factors in decision-making;
- Ensure that all 91ɬÂþ employees are aware of the risks related to their roles and activities and understand their responsibilities for identifying, managing, and reporting on risk and opportunities in a systematic and timely way;
- Provide best practice information, education, training, and facilitation of resources to the University community.
- Improve the efficiency and effectiveness of institutional risk management efforts.
- Provide the University community with a common language, framework, and set of procedures for identifying, assessing, responding to, and reporting on risk posed in new and ongoing endeavors across the organization’s entire range of assets and operations;
- Provide enterprise-level coordination of existing institutional functions for identifying, assessing, and reporting risk;
- Integrate risk ownership and management activities at all levels of the institution;
- Where possible, use and strengthen existing management processes, reporting and approval channels, and organizational structures;
- Establish and maintain an institutional risk register that allows for the tracking and reporting of risk trends and of risk response plans;
- Review the effectiveness of risk management practices regularly.
- Increase capacity for 91ɬÂþ employees to identify and seize opportunities to meet the University’s strategic goals by facilitating greater transparency and openness regarding risk.
- Manage the University's information security program, including establishing priorities and policies:
- Establish information security controls within the University based on data security best practices and applicable frameworks;
- Conduct regular risk assessments to identify trends and changes in the threat landscape, and make recommendations for additional controls or modifications to existing controls;
- Review data security incidents and make recommendations for adjustments;
- Oversee compliance with applicable laws and regulations (e.g., GLBA, GDPR, PCI, HIPAA, etc.);
- Oversee any subcommittees created to address items in Section IV.A.8.d. above (e.g., PCI Committee);
- Implement formal data classification activities, including identifying sensitive data, assigning appropriate data classification levels, and determining appropriate controls for each classification level.
- Reporting
- The committee will provide an annual risk and opportunity report to the University President.
- Membership
- The committee is a standing committee of the University to be comprised of the following members:
- Vice President of Operations, Chair
- Assistant Vice President Enterprise Risk Management, Compliance, and Safety, Co-Chair
- CFO, Vice President of Finance
- Vice President for Student Affairs, or designee
- Provost, or designee
- Vice President of Community Outreach and Engagement
- Athletic Director, or designee
- University General Counsel, or designee
- Assistant Vice President for Facilities Management, or designee
- Assistant Provost (Leadership Development and Compliance)
- Associate Provost
- Associate Vice President for Enrollment Management
- Director of Internal Audit
- Chief Information Officer
- Director of IT Security
- Assistant Vice President of Human Resources
- Chief of Police
- Assistant Vice President of Business Services
- Assistant Vice President for Finance
- Executive Director for 91ɬÂþ Aviation, or designee
- Director of Emergency Management and Safety
- Director of Campus Compliance Services
- Assistant Vice President of Marketing Communications
- The committee is a standing committee of the University to be comprised of the following members:
- The committee will have authority to create sub-committees and appoint Risk Committee members, or others, to those committees as warranted to address areas of particular risk or concern. These sub-committees will report to the Enterprise Risk Management Committee annually. The Enterprise Risk Management Committee also recognizes existing college, school, division, or department level safety committees and will ensure a coordinated risk management effort between all parties.
- The committee will meet quarterly at a minimum. Meeting minutes will be provided to the State of Utah Division of Risk Management.
VI. QUESTIONS/RESPONSIBLE OFFICE
The responsible office for this Policy is the Vice President for Operations. For questions about this Policy, contact the Office of Enterprise Risk Management.
VII. POLICY ADOPTION AND AMENDMENT DATES
Date Approved: December 4, 2013
Amended: July 19, 2018; March 19, 2024 (non-substantive amendment)