Enterprise Risk Management
The Enterprise Risk Management (ERM) Office helps the UT System proactively identify, assess and mitigate risks that could impact its mission, operations and reputation. Through a structured approach, ERM enhances decision-making, ensures compliance and fosters long-term resilience.
What is ERM?
ERM is a strategic, university-wide approach to proactively identifying and managing risks, ensuring that UT is prepared for financial, operational, compliance and reputational challenges.
- Proactive Risk Assessment – Identifying potential risks before they become issues.
- Strategic Decision Support – Providing leadership with data-driven risk insights.
- Compliance & Governance – Ensuring adherence to policies, regulations and best practices.
How ERM Protects UT
ERM supports UT by:
- Enhancing Compliance and Accountability – Aligning with state, federal and industry regulations.
- Safeguarding University Assets – Protecting financial, physical and digital resources.
- Fostering a Culture of Risk Awareness – Empowering leadership to make informed decisions.
UT’s ERM Process
UT’s ERM process follows three key phases: Risk Assessment, Risk Response and Monitoring & Reporting.

- Phase I: Risk Assessment – Defines the organizational context and identifies potential risks and opportunities that impact strategic goals. Risks are analyzed based on their likelihood and impact, followed by evaluation to determine appropriate response strategies.
- Phase II: Risk Response – Assigns responsibility for managing key risks and opportunities. Leaders designate accountable teams, develop action plans and ensure risks are addressed effectively.
- Phase III: Monitoring and Reporting – Tracks the implementation of response plans and measures their effectiveness. Regular reporting ensures transparency and alignment with UT’s strategic objectives.
ERM Resources
A set of materials for implementing UT’s ERM Process.
ERM Guidebook and Activities
ERM Guidebook—Phase I Risk Assessment (PDF): A guide that can be used to learn more about the individual steps in a risk assessment. This document can also be used as a self-paced guide for groups who want to implement a risk assessment on their own.
ERM Phase I Risk Assessment—Activity 1—Identify Threats and Opportunities (.xlsx): An Excel workbook that accompanies Activity 1 in the ERM Guidebook—Phase I Risk Assessment.
ERM Phase I Risk Assessment—Activity 2—Analyze Threats and Opportunities (.xlsx): An Excel workbook that accompanies Activity 2 in the ERM Guidebook—Phase I Risk Assessment.
ERM Phase I Risk Assessment—Activity 3—Evaluate for Risk Response (.xlsx): An Excel workbook that accompanies Activity 3 in the ERM Guidebook—Phase I Risk Assessment.
Template (.xlsx): An Excel template for summarizing the Phase I Risk Assessment.
ERM Guidebook—Phase II Risk Response (PDF): A guide that can be used to learn more about the individual steps necessary for responding to identified risks. This document can also be used as a self-paced guide for groups who want to implement a risk assessment on their own.
ERM Phase II Risk Response—Activity 1—Assign Responsibilities (.xlsx): An Excel workbook that accompanies Activity 1 in the ERM Guidebook—Phase II Risk Response.
ERM Phase II Risk Response—Activity 2—Action Plans (.xlsx): An Excel workbook that accompanies Activity 2 in the ERM Guidebook—Phase II Risk Response.
ERM Guidebook—Phase III Monitoring and Communicating (PDF): A guide that can be used to learn more about monitoring response/action plans and communicating the results to interested stakeholders. This document can also be used as a self-paced guide for groups who want to implement a risk assessment on their own.
UT Financial Integrity Act Annual Assurances Reports
A state statute, the Financial Integrity Act of 1983 (Tennessee Code Annotated §9-18-104), requires all higher education institutions to annually assess risks and submit an assurances report to the commissioner of finance and administration and the comptroller of the treasury. The assurances report must contain an attestation by the president that risks were identified and addressed. The university’s enterprise risk officer keeps detailed records of risk management activities, while the attestation report provides an overview.