Objective
To comply with the Tennessee State Financial Integrity Act of 1983 by performing a risk assessment in accordance with the guidelines established by the Committee of Sponsoring Organizations (COSO) Enterprise Risk Management (ERM) framework, and to manage risks to the university mission by establishing risk mitigation plans, monitoring key risk indicators, and responding so as to protect the university from threats and capitalize on opportunities.
Scope
This procedure is applicable to all colleges and campuses of University of Tennessee Health Science Center.
Roles
The Executive Vice Chancellor/Chief Operating Officer is responsible for:
- Ensuring compliance with federal and state law.
- Communicating results of the risk assessment to university leadership.
Campus Safety is responsible for:
- Coordinating a risk assessment in accordance with the COSO framework.
- Compiling risk assessment results to share with the university.
- Compiling monitoring data from work units with risk mitigation plans.
University work units are responsible for:
- Complying with this procedure by performing a risk assessment.
- Developing and implementing risk mitigation plans.
- Identifying a Responsible Official for specific risk mitigation plans.
- Tracking and reporting Key Risk Indicator (KRI) metrics to Campus Safety.
- Revising mitigation plans as necessary in response to the risk climate and mitigation plan performance.
The Responsible Official for a risk mitigation plan is responsible for:
- Implementation of the risk mitigation plan.
- Monitoring Key Risk Indicators.
- Annual reporting of Key Risk Indicators to work unit leadership and Campus Safety.
Definitions
Committee of Sponsoring Organizations (COSO): Organization dedicated to providing a structured approach for understanding and managing risks across all levels and functions of an organization.
Enterprise Risk Management (ERM): A top-down, leadership-driven process for helping organizations to identify, assess and manage risks that could impact their ability to achieve strategic objectives.
Key Risk Indicator (KRI): Metrics used to monitor and measure an organization’s exposure to potential risks.
Responsible Official: Individual within a work unit responsible for the implementation, monitoring and communication of a risk mitigation plan.
Risk Assessment: A process of identifying, analyzing and evaluating risks.
Procedure
- Key work units within the university (Finance and Administration work units, colleges, Office of Research) must perform a risk assessment to identify and evaluate risks (threats and opportunities) to the university’s mission.
- Top risks identified in the risk assessment must have a mitigation plan established to control or minimize the impact of that risk.
- A Responsible Official must be identified for each mitigation plan. This individual is responsible for plan implementation and monitoring.
- Key Risk Indicators must be identified to evaluate the performance of the risk mitigation plan.
- The Responsible Official must collect and report Key Risk Indicators annually to Campus Safety.
- Work units must perform and revisit the risk assessment annually to identify emerging risks and re-evaluate the assessment of risks that had previously been identified.
Penalties/Disciplinary Action for Non-Compliance
Non-compliance with state regulations may result in fines or other penalties.
Responsible Official & Additional Contacts
Subject Matter | Office Name | Telephone Number | Email/Web Address
Policy Clarification and Interpretation | Campus Safety and Emergency Management | (901) 448-6114 |
Policy Training | Campus Safety and Emergency Management | (901) 448-6114 |
Related Policies/Guidance Documents
The University of Tennessee Risk Management and Control Activities, Calendar Year 2022