01.240 Risk Management Policy

Chancellor

 Revised June 2025; Established June 2014

UNC Code, Section 502 Chancellors of Constituent Institutions; UNCW 02.100 Protocol for Establishing Policies and Procedures

• The UNC Policy Manual
• ERM Webpage
• UNCW Policies
• Board of Trustees Audit, Risk and Compliance Committee Charter
• UNCW Strategic Plan

Provost and Vice Chancellor for Academic Affairs; Vice Chancellor for Business Affairs; Vice Chancellor for Student Affairs; Office of the General Counsel; Office of Internal Audit and Office of Enterprise Risk Management

This policy shall be reviewed every three to five years.

---

Policy Details:

1. Purpose
   
   The Risk Management Policy serves as a statement of the overall UNCW risk management goals and focus. It is intended to help ensure a consistent approach to risk management throughout the university.
   
   
2. Scope
   
   This policy addresses Enterprise Risk Management and applies to the entire university community. Each member of the university community has a role to play in risk identification and management through the integration of risk management and planning processes and the embedding of risk management processes into management activities. This policy is not intended to replace a centralized compliance function or outline specific procedures as they evolve with time and circumstance. Some of the more pertinent procedures can be found on the ERM webpage.
   
   
3. Standard(s)
   
   Enterprise risk is managed with procedures and tools consistent with industry best practices including, but not limited to the International Organization for Standardization’s ISO 31000: Risk Management Principles and Guidelines, and the Committee of Sponsoring Organizations of the Roadway Commission’s (COSO) Enterprise Risk Management Framework.
   
   
4. Policy

   1. Approach to Risk Management

      1. ISO 31000 States that:

         1. All organizations exist to achieve their objectives.

         2. An organization’s objectives are affected by internal and external events and “environmental” conditions, causing uncertainty with regard to their achievement.

         3. The effect of this uncertainty on an organization’s objectives is defined as “risk”.

      2. UNCW’s approach to risk management reflects an understanding of the institution and its context. UNCW’s framework for managing risk is based on risks that have the potential to significantly affect the university's mission, strategies and goals. 

   2. UNCW Principles for Effective Risk Management (found in ISO 31000)

      • Creates and protects value.

      • Is an integral part of all organizational processes.

      • Is part of decision making.

      • Explicitly addresses uncertainty.

      • Is systematic, structured and timely.

      • Is based on the best available information.

      • Is tailored.

      • Takes human and cultural factors into account.

      • Is transparent and inclusive.

      • Is dynamic, iterative and responsive to change.

      • Facilitates continual improvement of the organization.

   3. Key Outcomes

      1. The institution has a current understanding of the major risks it faces with the potential to impede achievement of its strategic objectives.

      2. Risk management and awareness is integrated at all levels of the organization.

      3. The institution’s risks are within its risk criteria.

   4. Responsibilities

      1. The Board of Trustees provides risk oversight through the Audit, Risk and Compliance Committee as outlined in the UNCW Audit, Risk and Compliance Committee Charter. In order to support the board in this regard, its members are kept informed of ERM’s regular processes designed to manage enterprise risk within our risk criteria and provide reasonable assurance regarding achievement of university objectives.

      2. The Chancellor is responsible to the Board of Trustees for enforcing this policy and submitting related updates and reports as needed.

      3. The ERM Steering Committee is comprised of the Provost and Vice Chancellor for Academic Affairs, the Vice Chancellor for Business Affairs, the Vice Chancellor for Student Affairs, the General Counsel, and the Chief Audit Officer with support from the ERM Coordinator and other staff as required. The ERM Steering Committee meets as needed and is charged with guiding the advancement of Enterprise Risk Management, providing its programs and the ERM Advisory Committee with direction and assessing ongoing performance. The ERM Steering Committee reviews and approves ERM presentations to the Audit, Risk and Compliance Committee of the Board of Trustees and assists in the evaluation of any comments or questions the Board may have. The ERM Steering Committee assesses progress toward optimal risk treatment of identified enterprise risks and recommends changes in course as needed.

      4. The Chancellor and the ERM Steering Committee have delegated authority to the ERM Coordinator to implement this policy. The ERM Coordinator develops the Enterprise Risk Management Program for the university, applying best practices, the standards mentioned above and other industry guidance. In order to foster a risk management culture, the ERM Coordinator is available for consultation and discussion relative to issues of enterprise risk as well as forwarding those issues to appropriate leadership.

         The ERM Coordinator chairs the ERM Advisory Committee and works with committee members and executive sponsors to collaborate on a holistic approach to evaluate university risks and select optimal risk responses, including mitigation. The ERM Coordinator is therefore tasked with ensuring that key risk management processes such as risk assessments are performed with the cooperation of the larger campus community.

         The ERM Coordinator promotes risk awareness programs throughout all sectors of the university and provides support to university leadership in defining, maintaining, and educating university stakeholders through the development or procurement of best-practice-related or instructional literature.

      5. The ERM Advisory Committee meets at least quarterly, and members are drawn from various representative university operations to serve as liaisons to the areas they represent. Committee members actively work on analysis, identification, and evaluation of risks as well as associated risk treatments, with oversight provided by Executive Sponsors. The ERM Advisory Committee shares responsibility for providing a common-sense framework within which to manage risks as an integral part of all organizational processes.

      6. Executive Sponsors for risk areas are typically members of the Chancellor's cabinet and are empowered to cross-divisionally guide the work involved in managing university risks.  Executive Sponsors have the authority to identify and manage risks as well as the commitment to make the necessary resources available to assist those accountable for risk treatment. 

5.  Risk Assessment Processes

   1. Risk Identification and the analysis of appropriate responses are not the sole purview of any single office or function.  They depend on active engagement of faculty, staff, and administration at all levels.  By embedding risk awareness into daily operations and strategic planning, we foster a culture of accountability and foresight.  This collective effort ensures that risks are identified early, assessed thoroughly, and addressed proactively - supporting the university's mission and safeguarding its long-term resilience.  

   2. Risk Analysis is performed on qualitative and quantitative data derived from risk assessments, stakeholder interviews, relevant external events and UNCW’s risk events and near-misses. Risk analysis should result in robust indicators that provide adequate data to recognize shifts in internal and industry risk patterns when they are most valuable, during the development and implementation phases of important strategic initiatives.

   3. Risk Evaluation is intended to inform decision-making regarding risk treatment and employs the results of risk analysis. This is primarily accomplished through periodic comparison of current risk ratings with previous ones as well as looking at actual losses in context. Further analysis is often deemed necessary before risk treatment decisions can be made.

6. Risk Treatment (including mitigation):
   
   Risk treatment involves continuous improvement through the use of appropriate measures to modify risk exposure and undertake the review and subsequent modification of processes, systems and resources. Risk treatment processes are cyclical in nature in that they involve the formulation of treatment measures, the evaluation of their efficacy, the generation of new measures as necessary and the subsequent assessment of the new measures. Risk treatment planning is undertaken at regular intervals for all risk areas.  Risk treatment decisions shall balance the costs and efforts of implementation against the anticipated benefits, taking into account legal, regulatory, and institutional obligations, while reorganizing that certain risks - despite low probability - may warrant mitigation due to their potentially severe consequences.