Office of Audit, Risk, and Compliance

Enterprise Risk Management (ERM)

The Office of Audit, Risk, and Compliance (OARC) provides oversight of the enterprise risk management (ERM) program by creating and maintaining the framework to effectively identify, assess, and manage risk within the university.


The purpose of the ERM program is to strengthen the university’s ability to achieve its mission and strategic objectives. This is done by effectively managing key risks and seizing opportunities related to the achievement of strategic objectives. In this context, risk encompasses both negative events (“downside risk”) and opportunities (“upside risk”). The goal of the ERM program within the OARC is to:


  • Obtain a holistic view of the most critical risks to the achievement of Virginia Tech’s mission and objectives
  • Create a risk-aware culture, including the management of risks to an appropriate level of risk tolerance
  • Improve focus and perspective on both internal and external risks and opportunities, including emerging risks and value drivers
  • Enhance decision making and alignment with strategic goals
  • Improve efficiency and optimize the allocation of resources through risk prioritization

ERM Program Benefits: Optimizing Balance Between Value Creation and Value Protection

Who is Involved?

The ERM program is implemented as a collaborative effort at various levels of the organization as described below:


ERM Committee (Executive Staff+)

The President’s Executive Staff+ serves as the ERM Committee. Executive Staff will help set the university’s risk appetite, contribute to the assessment of risks along with risk mitigation plans, and provide guidance on how to report key risks to the Board of Visitors Compliance, Audit, and Risk Committee. Executive Staff incorporates information from the ERM program into strategic decision making and uses it to allocate resources effectively.


Risk Advisory Committee (PLT)

The President’s Leadership Team (PLT) serves as the Risk Advisory Committee. This group reviews the risks identified individually by senior leaders and further prioritizes and assesses the risks to identify the university’s top strategic risks. Throughout the year, members seek to identify risks in their areas of operation and bring them to the PLT for evaluation in light of higher education or industry trends and national regulatory indicators. This group also ensures appropriate ownership and accountability of risks, including the development of risk mitigation plans.


Overview of the ERM Process

Organizational Objectives

01 | Strategic objectives to accomplish the university’s vision need to be identified so that discussions are focused on key risks. OARC collaborates with the Vice President for Strategic Affairs to document the strategic objectives, which should be well-defined and concise.



Identify and assess risks

02 | OARC facilitates discussions with senior leaders and their management team to identify the most significant potential events or risks that could impact Virginia Tech’s ability to achieve its objectives.



03 |  Risks will be categorized into one of three levels of altitude. Virginia Tech’s ERM program focuses on systemic and existential risks and institutional risks.


  • Systemic and existential risks are uncontrollable risks that impact all of higher education and are what many institutions refer to as “business model” risks.
  • Institutional risks are idiosyncratic to an organization and are generally caused by the inability to fulfill an institutional objective.
  • Unit-level risks, the third category, are also idiosyncratic to an organization but generally relate to an existing, broken process.


04 | Risks will be further categorized as:

  • Strategic – high-level goals aligned with the mission
  • Financial – protection of assets
  • Compliance – adherence to laws and regulations
  • Operational – ongoing management processes
  • Reputation (overlays all categories)


05 | Risks are prioritized and assessed by the senior leaders’ management teams based on the likelihood of occurrence, significance of impact, and velocity (speed of onset).


06 | OARC compiles the risk assessment results from each senior leader for review and input by the President’s Leadership Team (PLT). The PLT will further prioritize and assess the risks to identify the university’s top risks, to be approved by the President's Executive Staff and ultimately adopted by the President.



Monitor and manage

07 | The top risks in each category (strategic, financial, compliance, and operations) will be reviewed further to identify the risk owner, related business processes, and monitoring efforts for the university’s top 30 key risks.



Reporting and awareness

08 | Board engagement focuses on the top strategic risks categorized as systemic and existential risks and institutional risks.

For questions regarding the ERM program, please contact Sharon Kurek, Executive Director of Audit, Risk, and Compliance, at (540) 231-5883.

Office of Audit, Risk, and Compliance | Virginia Tech  |  (540) 231-5883 |  North End Center, Suite 3200, Virginia Tech  | MC 0328 |  Blacksburg, Virginia