The Chief Audit, Risk and Compliance Officer is responsible for facilitation of institutional risk assessments and heat maps owned by senior leaders. Risk is the potential that a chosen action or activity (including the choice of inaction) will lead to an undesirable outcome or may not enable the achievement of a desired outcome.
Duke uses a modified COSO model for enterprise risk management. COSO is the Committee of Sponsoring Organizations of the Treadway Commission. The COSO Enterprise Risk Management – Integrated Framework is a commonly used model to assist organizations in identifying risks, determining acceptable risk tolerances, mitigating, and managing risks. For more information, see the COSO website.
Annually, OARC proposes the enterprise risk management process for approval by the Risk and Compliance Steering Committee and the Audit, Risk and Compliance Committee of the Board of Trustees. Risks fall into four categories:
- Strategic. These are high-level goals aligned with and supporting the mission of the university.
- Operating. This relates to the effective and efficient use of resources.
- Financial. This area relates to the reliability of reporting to internal and external constituents.
- Compliance. These relate to adherence to various federal, state, and/or other regulatory requirements.
Strategic Risks and Compliance Risks
Strategic risks and compliance risks are evaluated annually and reported to the Audit, Risk and Compliance Committee of the Duke University Board of Trustees. Risk assessment is an important component of an effective compliance program; both the assessment process and the institutional compliance risks are reviewed annually.
Operational and Financial Risks
Operational and financial risks are assessed every other year and reported to the Risk and Compliance Steering Committee. Operating risks include:
- students and employees
- facility and information technology
For information regarding insurance coverage and risk, please contact: