Enterprise Risk Management
Texas A&M University is committed to identifying and managing risks in a proactive manner. As such, Texas A&M University implemented Enterprise Risk Management (ERM) to establish a systematic organization-wide approach to identify risks and mitigation strategies.
ERM is an ongoing process designed to identify and manage potential risks that may adversely affect the University’s ability to achieve its objectives. ERM assesses and documents actions to be taken by the University to identify, mitigate, and monitor risks that negatively impact the achievement of the University’s mission, strategic plan goals, and/or continuing operational programs. The University’s ERM process includes 1) identifying and ranking the University’s residual risks after frontline controls and processes have been applied, and 2) documenting and reviewing mitigation activities.
Risk, Compliance & Advisory Services (RCAS) manages the University’s ERM, with an annual risk assessment performed for the University as a whole. RCAS may assist major functions and units throughout the University that wish to perform their own internal assessment.
Review ERM Common Risk Language and Definitions.
See Texas A&M System Policy 24.01 – Risk Management, Section 7 for ERM governance.
The ERM process consists of:
- Identifying major activities, processes, and functions after reviewing missions, goals, and objectives.
- Categorizing and prioritizing the major activities.
- Identifying and assessing risks and building risk portfolios.
- Receiving input from representatives within the University.
- Prioritizing and ranking the identified risks by potential impact and probability of occurrence, while considering the day-to-day activities that control risk.
- Identifying risk mitigation strategies.
- Reviewing the mitigating activities performed for all risks, with a focus on how the highest-ranked risks are handled.
- Reviewing mitigation where two or more parties (groups) are identified as responsible.
- Evaluating the effectiveness of current mitigation and identifying any gaps.
- Evaluating whether resources and mitigating strategies are appropriately allocated based on the level of risk and the desired level of effectiveness.
- Reviewing the monitoring and executive management reporting.
- Identifying who is responsible for monitoring that the mitigating activity is effectively managing the risk and is being performed as planned.
Additionally, the process involves performing status/follow-up reviews:
- Reviewing executive management reporting and communication.
- Assessing the efficiency and effectiveness of mitigation, monitoring, and communication.
Risk Definition and Ranking Criteria for Impact and Probability
A risk is any event or action that adversely impacts the University’s ability to achieve its objectives. For the purposes of ERM, risk can be found in six categories:
- Strategic – events that affect the University’s ability to achieve its goals and objectives, including competitive and market factors.
- Compliance – events that affect compliance with laws and regulations, including safety and environmental issues, litigation, and conflicts of interest.
- Operational – events that affect ongoing management processes and procedures.
- Technological – events that affect the electronic information flow and communications, including electronic commerce, storage, disaster recovery, interfaces, development cycle, etc.
- Financial – events that affect profitability and efficiency, including loss of assets and technology risks.
- Reputational – events that affect the reputation and public perception of the University, including political issues and negative occurrences on-campus.
Risk is assessed on two dimensions: the impact of the risk and the likelihood of the event occurring.
The impact of a risk is defined by the outcome and consequences should an event occur. The definition varies somewhat for each organizational area according to its individual risk appetite, but traditionally falls within the following guidelines:
- High – consequences include termination of business area or program, significant injury or loss of life, termination of funding, significant financial loss/cost (including legal liability), and criminal penalties.
- Medium – consequences include inefficiencies and extra workloads, fines, minor injuries or property loss.
- Low – consequences have little or no effect on the organization, such as warnings and/or reprimands with no other actions taken.
The scale for determining the probability or likelihood that an event will occur is defined as:
- High – happens frequently, occurs often, and is common or predictable.
- Medium – happens infrequently, sometimes occurs, or is unpredictable.
- Low – seldom happens, infrequent, rare, or has not happened before.
For a more detailed explanation, read the Steps to Perform a Risk Assessment.