10,000 Risk Assessments Later: What a Decade of Integrated Risk Management Taught Us

Building an effective Integrated Risk Management (IRM) program in a large, decentralized institution requires more than a single team or tool: it depends on coordination, trust, and scalable processes. This session explores how the University of Florida evolved its cybersecurity risk assessment and IRM practices over the past decade to support thousands of systems across diverse academic and administrative units. Attendees will learn how UF’s cybersecurity risk analysts conduct risk assessments using a combination of security control surveys, vendor engagement, third-party audits, and a distributed network of departmental IT staff designated as Information Security Managers. The session will also highlight the role of domain risk partners—including Privacy, Compliance, Procurement, the Institutional Review Board, and General Counsel—in creating shared ownership of risk decisions. The presentation will examine UF’s approach to integrating risk assessment into procurement workflows, enabling early identification of technology purchases, reuse of existing assessments, and verification of participation across distributed units. Drawing on lessons learned from multiple iterations of the program, the session will discuss how processes were adjusted to improve effectiveness and reduce institutional burden. Attendees will leave with practical ideas for designing, refining, and scaling IRM processes in complex organizations.