The University of Minnesota Audit and Compliance Committee on an October 2025 agenda heard an annual enterprise risk management update from Catherine Bonnison, associate vice president for health, safety and risk management, who said the program, adopted in 2022, is now focusing deeper reviews on research, reputation and student experience.

Bonnison told the committee that the enterprise risk management (ERM) program aims to aggregate risk work across the university's five campuses, surface enterprise-wide themes and support governance decisions tied to the university's strategic roadmap. "Enterprise risk management is fairly new to the University of Minnesota," Bonnison said. "We adopted one in 2022. So it's a new program. We're kind of getting our legs underneath us, and you'll hear a lot about that today."

The nut of the update was the executive oversight committee's selection of three topics for deeper review in 2025 6: research, reputation and student experience. Bonnison said those areas were chosen to examine whether risks are increasing or decreasing, how tolerant the university is of those risks and whether mitigation actions are effective.

Committee members were shown national and peer comparisons, including work with the Big Ten ERM consortium and reviewers such as United Educators. Bonnison said the university's risk profile broadly aligns with peers; the only Big Ten discrepancy she noted was third-party management appearing as a higher priority for some peers than it is currently at the University of Minnesota. She also highlighted that some themes '1ike artificial intelligence and climate-related weather events 'are emerging topics to monitor even if they did not appear at the top of the university's initial risk-profile rankings.

Bonnison described how past deep dives have led to mitigation steps. She cited last year's work on leadership, facilities and crisis management and described concrete responses: the Office of Human Resources created a leadership talent framework to standardize onboarding expectations across campuses; finance has pursued multilayered approaches to fund ongoing facilities maintenance. "When we do the risk profile, one of the deliverables that comes out of it is to have discussions with our executive leadership to say what are two or three risks we want to really deep dive," Bonnison said.

Committee members asked about cadence and metrics. Bonnison said the program currently prepares an annual institutional risk profile and that part of the committee's work will be to determine whether annual updates and the present governance structure are the right pace and audience. She noted the team is working to align ERM products with the university's strategic roadmap and to refine governance for oversight of the risk structure.

Bonnison said operational next steps include improving public-facing materials, training and outreach; coordinating with administration on governance changes; and updating the institutional risk profile. She also told the committee the broader industry risk report (United Educators) for 2025 had not been released at the time of the meeting but was expected in January or February and could be available by the committee's April update.

The committee did not take formal votes on these items; the ERM update was presented for oversight and discussion. Members asked for continued reporting as the program aligns its governance and its deliverables with the strategic roadmap.

Looking ahead, Bonnison said the ERM team will continue to monitor emerging risks, refine metrics for whether mitigation actions are effective, and work with senior leaders to prioritize follow-up work.