What is Enterprise Risk Management?
Enterprise Risk Management (ERM) is a process applied strategically across the University to identify potential events that may adversely affect the entity and to manage the risks associated with those events. Essentially it is balancing those risks and the ability of the University to continue to fulfill the critical missions of teaching, research, and outreach.
Learn more about Enterprise Risk Management in an article authored by OREC Assoc. VP, Peggy Zapalac "Enterprise Risk Management - What is it and how do you implement it?"
ERM Governance at Texas A&M
Texas A&M University's commitment to identify and manage risks in a proactive manner is formalized in Standard Administrative Procedure 03.01.01.M1.01 - Enterprise Risk Management. The procedure identifies roles and responsibilities, and required elements of a risk assessment for university units.
What is risk?
A risk is any event or action that adversely impacts the University’s ability to achieve its objectives. For the purposes of ERM, risk can be found in six categories:
- Strategic – events that affect the University’s ability to achieve its goals and objectives, including competitive and market factors.
- Compliance – events that affect compliance with laws and regulations, including safety and environmental issues, litigation, and conflicts of interest.
- Operational – events that affect ongoing management processes and procedures.
- Technological - events that affect the electronic information flow and communications, including electronic commerce, storage, disaster recovery, interfaces, development cycle, etc.
- Financial – events that affect profitability and efficiency, including loss of assets, and technology risks.
- Reputational – events that affect the reputation and public perception of the University, including political issues and negative occurrences on-campus.
Risk is assessed on two dimensions: the impact of the risk and the likelihood of the event occurring.
The impact of a risk is defined by the outcome and consequences should an event occur. The definition varies somewhat for each organizational area according to its individual risk appetite, but traditionally falls within the following guidelines:
- High – consequences include termination of business area or program, significant injury or loss of life, termination of funding, significant financial loss/cost (including legal liability), and criminal penalties.
- Medium – consequences include inefficiencies and extra workloads, fines, minor injuries or property loss.
- Low – consequences have little or no effect on the organization; include warnings and/or reprimands with no other actions taken.
The scale for determining the probability or likelihood that an event will occur are defined as:
- High – happens frequently, occurs often, and is common or predictable.
- Medium – happens infrequently, sometimes occurs, or is unpredictable.
- Low – seldom happens, infrequent, rare, or has not happened before.
Conducting a Risk Assessment
University Risk and Compliance can conduct a risk assessment at the area, unit, department, or division level. This will involve a series of meetings and activities.
In the initial meeting, we will discuss risk assessment concepts and the assessment process we follow at Texas A&M University. At the conclusion of the initial meeting, you will be asked to review and update, if necessary, your organization’s mission, strategic plan, and/or goals. Then while considering the major functions and responsibilities of your organization, your personnel will be asked to submit to us a list of events and/or actions that would prevent the organization from accomplishing your mission, strategic objectives, and/or goals. We will take the information provided from this exercise, create risk wording, and accumulate your risks according to major functions or strategic objectives.
During the second meeting, we will use our assessment tools to guide your staff through a systematic ranking of each of your risks. At the conclusion of the second meeting, we will provide you with a color coded spreadsheet that sorts your risks from highest to lowest. You will be asked to identify the activities and/or processes your organization follows to address each of the risks. We will provide you with a spreadsheet that prescribes the content and format for each mitigation. We can assist you in understanding mitigation identification.
After mitigation documentation is complete, we will review them and suggest where controls may be enhanced to adequately protect your organization from the risks identified. Since operating environments and personnel change as time passes, mitigating procedures can be forgotten or become outdated. You are advised to perform periodic reviews of your mitigations to ensure they are being followed and working as intended. We can assist you with your review(s).
For a more detailed explanation read the Steps to Perform a Risk Assessment.