The UNC Policy Manual


Adopted 03/04/16


University Enterprise Risk Management and Compliance


I.             Purpose.  This policy directs the president to establish and oversee enterprise risk management and compliance processes for the University of North Carolina.


II.            Definitions.  For purposes of this policy:


A.                  “Chancellor” means the administrative and executive head of a constituent institution of the University of North Carolina, as described in Section 502 of The Code.


B.                  “Constituent institution” means one of the 17 degree/diploma-granting institutions that comprise the University of North Carolina.


C.                  “President” means the chief administrative and executive officer of the University of North Carolina, as described in Section 501 of The Code.


D.                  “Senior officer” means an individual who reports to the president in a senior officer position as designated by the Board of Governors, and who exercises University-wide responsibilities to assist the president and the Board of Governors in administering the affairs and executing the policies of the University of North Carolina.


E.            “University” means the University of North Carolina, a body politic and corporate defined as a single public multi-campus University composed of 17 diverse constituent institutions and other educational, research, and public service organizations.


III.           Establishment and Oversight of Enterprise Risk Management and Compliance Processes.  The Board of Governors monitors system-wide risk and compliance through the Committee on Audit, Risk Management and Compliance (CARMC).  The president, with assistance from the chief audit officer of the University, the senior vice president and general counsel of the University, and other senior officers and staff, shall establish and oversee University-wide processes to address enterprise risk management, including risks related to compliance with laws and ethical standards at the system level, and to complement and support the risk management and compliance processes and activities of the constituent institutions.


A.                  The system-wide processes should include components focused on the following:


1.                   Developing, implementing, evaluating, and monitoring a University system-wide enterprise risk management process;


2.                   Promoting the establishment of and collaboration among the risk management, ethics, and compliance programs at the constituent institutions;


3.                   Advising, assisting, and supporting the constituent institution risk management and compliance processes, and providing other advice and counsel for these purposes;


4.                   Promoting a culture that supports board goals for risk management and compliance;


5.                   Promoting a uniform approach to measuring the University resources expended on regulatory compliance;


6.                   Supporting training and educational efforts;


7.                   Providing regular reports to the board’s CARMC;


8.                   Referring matters to the chancellors of the constituent institutions, the president’s staff, or other University officers, divisions, and units, as appropriate; and


9.                   Performing such other duties as directed by the president.


B.                  Subject to the direction of the president, each constituent institution shall establish an enterprise risk management process that aligns with the institution’s programs, activities, and management systems and that supports the institution’s strategic and other goals.  The enterprise risk management processes established at each constituent institution shall include components and appropriate procedures for:


1.                   Identifying risks that impact the constituent institution’s goals;


2.                   Developing plans to monitor and mitigate risks;


3.                   Providing periodic updates to the chancellor and the board of trustees; and


4.                   Reporting significant enterprise risks to the president and, with the president’s guidance, to the Board of Governors.


IV.          Other Matters


A.                  Effective Date.  This policy shall be effective March 4, 2016, upon adoption by the Board of Governors.


B.                  Regulations and Guidelines.  This policy shall be implemented and applied in accordance with such regulations and guidelines as may be adopted by the president.