Enterprise Risk Management
Texas A&M University is committed to identifying and managing risks in a proactive manner. As such, Texas A&M University implemented Enterprise Risk Management (ERM) to establish a systematic organization-wide approach to identify risks and mitigation strategies.
ERM is an ongoing process designed to identify and manage potential risks that may adversely affect the University’s ability to achieve its objectives. ERM assesses and documents actions to be taken by the University to identify, mitigate, and monitor risks that negatively impact the achievement of the University’s mission, strategic plan goals, and/or continuing operational programs. The University’s ERM process includes 1) identifying and ranking the University’s residual risks after frontline controls and processes have been applied, and 2) documenting and reviewing mitigation activities.
Risk, Compliance & Advisory Services (RCAS) manages the University’s ERM, with an annual risk assessment performed for the University as a whole. RCAS may assist major functions and units throughout the University that wish to perform their own internal assessment.
Review ERM Common Risk Language and Definitions.
See Texas A&M System Policy 24.01 – Risk Management, Section 7 for ERM governance.
Our Process
The ERM process consists of:
- Identifying major activities, processes, and functions after reviewing missions, goals, and objectives.
- Categorizing and prioritizing the major activities.
- Identifying and assessing risks and building risk portfolios.
- Receive input from representatives within the University.
- Prioritize and rank the identified risks by potential impact and probability of occurrence, while considering the day-to-day activities to control risk.
- Identifying risk mitigation strategies.
- Review mitigating activities performed for all risks while focusing on how we deal with those risks ranked highest.
- Review mitigation where two or more parties (groups) are identified as responsible.
- Evaluate the effectiveness of current mitigation and identify any gaps.
- Evaluate whether resources and mitigating strategies are appropriately allocated based on the level of risk and desired level of effectiveness.
- Review the monitoring and executive management reporting.
- Identify who is responsible for monitoring that the mitigating activity is effectively managing the risk and being performed as planned.
Additionally, the process will involve performing status/follow-up reviews.
- Review executive management reporting and communication.
- Assess the efficiency and effectiveness of mitigation, monitoring, and communication.
Risk Definition and Ranking Criteria for Impact and Probability
For a more detailed explanation read the Steps to Perform a Risk Assessment.