Office of Audit, Risk, and Compliance
Enterprise Risk Management (ERM)
The Office of Audit, Risk, and Compliance (OARC) provides oversight of the enterprise risk management (ERM) program by creating and maintaining the framework to effectively identify, assess, and manage risk within the university.
The purpose of the ERM program is to strengthen the university’s ability to achieve its mission and strategic objectives. This is done by effectively managing key risks and seizing opportunities related to the achievement of strategic objectives. In this context, risk encompasses both negative events (“downside risk”) and opportunities (“upside risk”). The goal of the ERM program within the OARC is to:
ERM Program Benefits
Optimizing Balance Between Value Creation and Value Protection
Who is Involved?
The ERM program is implemented as a collaborative effort at various levels of the organization as described below:
ERM Committee (Executive Staff+)
The President’s Executive Staff+ serves as the ERM Committee. Executive Staff will help set the university’s risk appetite, contribute to the assessment of risks along with risk mitigation plans, and provide guidance on how to report key risks to the Board of Visitors Compliance, Audit, and Risk Committee. Executive Staff incorporates information from the ERM program into strategic decision making and uses it to allocate resources effectively.
Risk Advisory Committee (PLT)
The President’s Leadership Team (PLT) serves as the Risk Advisory Committee. This group reviews the risks identified individually by senior leaders and further prioritizes and assesses the risks to identify the university’s top strategic risks. Throughout the year, members seek to identify risks in their areas of operation and bring them to the PLT for evaluation in light of higher education or industry trends and national regulatory indicators. This group also ensures appropriate ownership and accountability of risks, including development of risk mitigation plans.
Overview of the ERM Process
01 | Strategic objectives to accomplish the university’s vision need to be identified so that discussions are focused on key risks. OARC collaborates with the Vice President for Strategic Affairs to document the strategic objectives, which should be well-defined and concise.
Identify and assess risks
02 | OARC facilitates discussions with senior leaders and their management team to identify the most significant potential events or risks that could impact Virginia Tech’s ability to achieve its objectives.
03 | Risks will be categorized into one of three levels of altitude. Virginia Tech’s ERM program focuses on systemic and existential risks and institutional risks.
04 | Risks will be further categorized as:
05 | Risks are prioritized and assessed by the senior leaders’ management teams based on the likelihood of occurrence, significance of impact, and velocity (speed of onset).
06 | OARC compiles the risk assessment results from each senior leader for review and input by the President’s Leadership Team (PLT). The PLT will further prioritize and assess the risks to identify the university’s top risks, to be approved by the President's Executive Staff and ultimately adopted by the President.
Monitor and manage
07 | The top risks in each category (strategic, financial, compliance, and operations) will be reviewed further to identify the risk owner, related business processes, and monitoring efforts for the university’s top 30 key risks.
Reporting and awareness
08 | Board engagement focuses on the top strategic risks categorized as systemic and existential risks and institutional risks.
For questions regarding the ERM program, please contact Sharon Kurek,
Executive Director of Audit, Risk, and Compliance at (540) 231-5883
Office of Audit, Risk, and Compliance | Virginia Tech
email@example.com | (540) 231-5883 | North End Center, Suite 3200, Virginia Tech | MC 0328 | Blacksburg, Virginia