Enterprise Risk Management
Enterprise Risk Management (ERM) is a process applied strategically across the University to identify potential events that may adversely affect the entity and to manage the risks associated with those events.
The ERM process consists of:
- Identifying major activities, processes, and functions after reviewing missions, goals, and objectives.
- Categorizing and prioritizing the major activities.
- Identifying and assessing risks and building risk portfolios.
- Receiving input from representatives within the University.
- Prioritizing and ranking the identified risks by potential impact and probability of occurrence, while considering the day-to-day activities already in place to control risk.
- Identifying risk mitigation strategies.
- Reviewing the mitigating activities performed for all risks, with a focus on how the highest-ranked risks are handled.
- Reviewing mitigation where two or more parties (groups) are identified as responsible.
- Evaluating the effectiveness of current mitigation and identifying any gaps.
- Evaluating whether resources and mitigating strategies are appropriately allocated based on the level of risk and the desired level of effectiveness.
- Reviewing the monitoring and executive management reporting.
- Identifying who is responsible for monitoring that each mitigating activity is effectively managing the risk and is being performed as planned.
Additionally, the process will involve performing status/follow-up reviews.
- Reviewing executive management reporting and communication.
- Assessing the efficiency and effectiveness of mitigation, monitoring, and communication.
Risk, Impact, and Probability
A risk is any event or action that adversely impacts the University’s ability to achieve its objectives. For the purposes of ERM, risk can be found in six categories:
- Strategic – events that affect the University’s ability to achieve its goals and objectives, including competitive and market factors.
- Compliance – events that affect compliance with laws and regulations, including safety and environmental issues, litigation, and conflicts of interest.
- Operational – events that affect ongoing management processes and procedures.
- Technological – events that affect the electronic information flow and communications, including electronic commerce, storage, disaster recovery, interfaces, development cycle, etc.
- Financial – events that affect profitability and efficiency, including loss of assets and technology risks.
- Reputational – events that affect the reputation and public perception of the University, including political issues and negative occurrences on-campus.
Risk is assessed on two dimensions: the impact of the risk and the likelihood of the event occurring.
The impact of a risk is defined by the outcome and consequences should an event occur. The definition varies somewhat for each organizational area according to its individual risk appetite, but traditionally falls within the following guidelines:
- High – consequences include termination of business area or program, significant injury or loss of life, termination of funding, significant financial loss/cost (including legal liability), and criminal penalties.
- Medium – consequences include inefficiencies and extra workloads, fines, minor injuries or property loss.
- Low – consequences have little or no effect on the organization and include warnings and/or reprimands with no other action taken.
The scale for determining the probability or likelihood that an event will occur is defined as:
- High – happens frequently, occurs often, and is common or predictable.
- Medium – happens infrequently, sometimes occurs, or is unpredictable.
- Low – seldom happens, infrequent, rare, or has not happened before.
Conducting a Risk Assessment
University Risk and Compliance can conduct a risk assessment at the area, unit, department, or division level. This will involve a series of meetings and activities.
In the initial meeting, we will discuss risk assessment concepts and the assessment process we follow at Texas A&M University. At the conclusion of the initial meeting, you will be asked to review and, if necessary, update your organization’s mission, strategic plan, and/or goals. Then, considering the major functions and responsibilities of your organization, your personnel will be asked to submit to us a list of events and/or actions that would prevent the organization from accomplishing its mission, strategic objectives, and/or goals. We will take the information provided from this exercise, draft the wording of each risk, and group your risks according to major functions or strategic objectives.
During the second meeting, we will use our assessment tools to guide your staff through a systematic ranking of each of your risks. At the conclusion of the second meeting, we will provide you with a color-coded spreadsheet that sorts your risks from highest to lowest. You will then be asked to identify the activities and/or processes your organization follows to address each of the risks. We will provide you with a spreadsheet that prescribes the content and format for each mitigation, and we can assist you in identifying mitigations.
After the mitigation documentation is complete, we will review it and suggest where controls may be enhanced to adequately protect your organization from the risks identified. Since operating environments and personnel change over time, mitigating procedures can be forgotten or become outdated. You are advised to perform periodic reviews of your mitigations to ensure they are being followed and are working as intended. We can assist you with these reviews.
For a more detailed explanation read the Steps to Perform a Risk Assessment.
Request a Risk Assessment from the Office of Risk, Ethics and Compliance