Risk Assessment

The annual risk assessment is a is a collaborative undertaking by UW Internal Audit and UW Risk Management and serves as an important piece of the Enterprise Risk Management framework. It provides leadership and other risk owners information regarding threats and opportunities that might affect the achievement of strategic goals. The results also contribute toward keeping the risk register current. The results of an annual risk assessment can be meaningful for various levels of the University as it has the potential to identify threats and diagnose the current state of strategic goal achievement.

There is a tendency to view risk assessment and risk management as an effort to identify compliance issues that can be solved by drawing up lots of rules and making sure that all employees follow them. Many such rules are sensible and do reduce some risks that could severely damage the University. But rules-based risk management will not diminish either the likelihood or the impact of major threats to the strategic vision.

The Enterprise Risk Management Advisory Committee (ERMAC) has reviewed this report to evaluate areas of vulnerability. The committee has used this report to update, formulate and prioritize ERM focused projects and/or recommendations for the coming year. Internal Audit will also use information in this report to create a risk-based audit plan and make necessary adjustments to the internal audit program.

Section 2010 – Planning – 2010.A1 of the International Standards issued by the International
Professional Practices Framework (IPPF) state: The internal audit activity's plan of engagements
must be based on a documented risk assessment, undertaken at least annually. The input of senior
management and the board must be considered in this process.
This standard:
o Makes the best use of limited resources
o Improves ability to impact the organization
o Generates buy-in from management
o Assists with maintaining value

Audit universe – a list of auditable entities, processes, systems, and activities within the University including an evaluation of risk based on predetermined factors. As such, the audit universe is determined and updated based on assessed risks, information from the risk register, past audits, and emerging risks

Compliance risk – situations related to compliance with laws, regulations, rules, policies, and
procedures; ability to enforce physical and data security protocol

Enterprise Risk Management (ERM) – describes a broader approach to managing risk. It is the coordinated activities to direct and control an organization with regard to risk.

• It defines risk as the effect of uncertainty on objectives. It, therefore, ties the management of risk to what is most important to the organization. This uncertainty about outcomes can be either positive or negative.

• The responsibility for managing risk is spread across the organization to those who have accountability and authority – risk owners.

• It is an approach to managing all of an organization’s key business risks and opportunities with the intent of maximizing the shareholder value [or stakeholder satisfaction].

• Major Risk Categories: Strategic, Financial, Operational, Compliance, Reputational.

Financial risk – situations related to budgetary challenges and financial deficits

Operational risk – situations related to systems, processes, and procedures to prevent errors, waste, misuse

Reputational risk – situations related to public perception, political issues, fraud, etc.

Risk - the threat that an event, action, or non-action will adversely affect UW’s ability to achieve its objectives and execute its strategies successfully

Risk assessment – overall process or method of identifying, analyzing, and evaluating hazards and risk factors that have the potential to cause harm

Risk register – a tool in risk management and project management used to list potential risks to an organization and used to recognize potential issues that can derail intended outcomes for the University of Wyoming

Strategic risk – situations related to the University’s ability to achieve its overall goals and objectives including the ability to hire and retain competent personnel, and/or the ability to attract and retain students

• UW has a strong vision for ERM implementation with the introduction of key aspects of the framework to senior leaders and trustees in Year 0 (2020), a launch of Year 1 actions/activities (2021), and plans to build upon the ERM foundation in years to come.

• A more comprehensive approach to identifying and managing our institutional risks helps us maintain our credibility with stakeholders (elected officials, parents, donors, students, alumni, accreditation bodies, rating agencies, etc.).

• By addressing our risks proactively and avoiding negative consequences (many of which have a huge financial penalty aspect), we keep scarce resources intact for uninterrupted application toward UW’s strategic objectives.

• Our goal is not risk elimination, but rather risk awareness and solid controls to help us avoid damaging consequences of unnecessary risk

exposure associated with our activities.

19 members from all areas of the university plus additional subject matter experts/advisors
Reviews the annual risk assessment report to evaluate areas of vulnerability and update/formulate/prioritize ERM focused projects and/or recommendations for the upcoming year
Meets regularly and has a growing university “best practices” reference library

2021 Risk Assessment Report

2022 Risk Assessment Report

2023 Risk Assessment Report

Contact Us

Internal Audit Department

Old Main 415

1000 E. University Ave

Laramie, WY 82071-2000

Phone: 307-766-2385