Enterprise Risk Management
What is ERM?
And why does UC need it?
Enterprise Risk Management (ERM) is defined by the Committee of Sponsoring Organizations (COSO) as "a process, effected by an entity's board of directors, management and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives." COSO (pdf) was adopted by the regents in 1996.
The COSO ERM framework provides a common lexicon of terminology, and provides clear direction and guidance for implementing enterprise risk management. The framework requires that organizations examine their complete portfolio of risks, consider how those individual risks interrelate, and that management develops an appropriate risk mitigation approach to address these risks in a manner that is consistent with their long term strategy and overall risk appetite.
ERM aims to measure an institution's achievement of four primary objectives:
- Strategic - High level goals that are aligned with and support the institution's mission
- Operational - Ongoing management process and daily activities of the organization
- Financial Reporting- Protection of institution's assets and quality of financial reporting
- Compliance - The institution's adherence to applicable laws and regulations
Within each of these four objectives, there are eight interrelated components:
- Internal Environment - The general culture, values, and environment in which an institution operates. (e.g. - Tone at the top)
- Objective Setting - The process management uses to set its strategic goals and objectives. Established the organization's risk appetite and risk tolerance
- Event Identification - Identifying events that influence strategy and objectives, or could affect an institution's ability to achieve its objectives
- Risk Assessment - Assessment of the impact and likelihood of events, and a prioritization of related risks
- Risk Response - Determining how management will respond to the risks an institution faces. Will they avoid the risk, share the risk, or mitigate the risk through updated practices and policies?
- Control Activities - Represent policies and procedures that an institution implements to address these risks
- Information and Communication - Practices that ensure that the right information is communicated at the right time to the right people
- Monitoring - Consists of ongoing evaluations to ensure controls are functioning as designed, and taking corrective action to enhance control activities if needed
Why is ERM relevant in the higher education environment?
Like organizations within the private sector, the UC system operates in an inherently risky environment. Risks include financial risk, operating risk, strategic risk, regulatory risk, environmental risk, reputational risk, political risk, and a whole host of other types of risk. Managing this portfolio of risks is especially important to help ensure the university can continue to serve the university's faculty, staff and students. By strategically managing risk, we can reduce the chance of loss, create greater financial stability, and protect our resources so we can continue our mission of supporting teaching, research and public service.