UMS risk register rates deferred maintenance, cybersecurity as top concerns; staff propose quarterly reporting
May 08, 2026 | University of Maine System UMS Board of Trustees, Public Universities, School Districts, Maine
This article was created by AI summarizing key points discussed. AI makes mistakes, so for full details and context, please refer to the video of the full meeting. Please report any errors so we can fix them. Report an error »
The University of Maine System Audit Committee heard a system‑level enterprise risk briefing in which the director of risk and safety management said the register shows a moderate but concentrated risk posture and recommended more frequent reporting by risk owners.
"My overall assessment is that the University of Maine system's risk profile is moderate but manageable," said Nate Anaya, the system's director of risk and safety management. He said deferred maintenance and long‑term capital deficits (R20) hold the highest score in the register and warrant prioritized attention.
Anaya described the register methodology—severity and probability multiplied to create a prioritization score—and said R20 scored 16, the highest possible under the model. He said two other risks, data breach/cyber incident and improper foreign influence affecting research, sit in a high‑priority tier below deferred maintenance. A broad mid‑tier cluster of risks spans facilities, strategic compliance, student success and finance.
Existing mitigation strategies noted in the briefing include capital planning, facility audits, business continuity planning, cyber monitoring and encryption, OSHA training, and insurance purchases. Anaya said the risk office is expanding facility inspections, program audits and post‑injury investigations and has added an emergency preparedness and planning manager to support systemwide planning and exercises.
Trustees pressed how federal funding uncertainty is reflected in the register. Anaya said the register is updated periodically and that quarterly risk owner updates would help ensure the register captures rapid changes in the federal funding landscape that could affect capital planning and grant availability.
The briefing concluded with recommendations that management provide periodic updates on the highest‑tier risks, report current scores and barriers to reduction, and move toward clearer residual‑risk language in reporting to governance.
What happens next: risk and safety management will expand inspection and audit activity, provide more frequent reports on the highest‑scored risks, and coordinate quarterly updates from risk owners to keep the register current for governance review.
"My overall assessment is that the University of Maine system's risk profile is moderate but manageable," said Nate Anaya, the system's director of risk and safety management. He said deferred maintenance and long‑term capital deficits (R20) hold the highest score in the register and warrant prioritized attention.
Anaya described the register methodology—severity and probability multiplied to create a prioritization score—and said R20 scored 16, the highest possible under the model. He said two other risks, data breach/cyber incident and improper foreign influence affecting research, sit in a high‑priority tier below deferred maintenance. A broad mid‑tier cluster of risks spans facilities, strategic compliance, student success and finance.
Existing mitigation strategies noted in the briefing include capital planning, facility audits, business continuity planning, cyber monitoring and encryption, OSHA training, and insurance purchases. Anaya said the risk office is expanding facility inspections, program audits and post‑injury investigations and has added an emergency preparedness and planning manager to support systemwide planning and exercises.
Trustees pressed how federal funding uncertainty is reflected in the register. Anaya said the register is updated periodically and that quarterly risk owner updates would help ensure the register captures rapid changes in the federal funding landscape that could affect capital planning and grant availability.
The briefing concluded with recommendations that management provide periodic updates on the highest‑tier risks, report current scores and barriers to reduction, and move toward clearer residual‑risk language in reporting to governance.
What happens next: risk and safety management will expand inspection and audit activity, provide more frequent reports on the highest‑scored risks, and coordinate quarterly updates from risk owners to keep the register current for governance review.
View the Full Meeting & All Its Details
This article offers just a summary. Unlock complete video, transcripts, and insights as a Founder Member.
✓
Watch full, unedited meeting videos
✓
Search every word spoken in unlimited transcripts
✓
AI summaries & real-time alerts (all government levels)
✓
Permanent access to expanding government content
30-day money-back guarantee
