What is Enterprise Risk Management (ERM)?
Enterprise risk management is a comprehensive, on-going approach to identifying, evaluating, and managing real or perceived risk, as well as evaluating opportunities that align with the university's mission and institutional strategies.
How do you define risk?
There are many definitions. The National Association of College and University Business Officers define risk as "any issue that impacts an organization's ability to meet its objectives. Five types of risk include: strategic, financial, operational, compliance and reputational." (2001)
What is the Enterprise Risk Management Council?
In Fall, 2010 President Allen appointed individuals from across campus, to work together to develop strategies to assist the university in better recognizing risk, evaluating opportunities, identifying concerns, and assisting with or identifying strategies to mitigate risk. The Council meets regularly and provides updates to the president and others, as appropriate, with regard to activities and action steps members have identified or initiated.
Who does the Council report to?
The ERM Council reports to the president of the university.
How does ERM relate to our sister institutions in Iowa?
The Board of Regents, State of Iowa has directed that ERM processes are important and should be strengthened at all institutions governed by the Regents. UNI will collaborate with the University of Iowa and Iowa State University as we develop our ERM processes.
What does the ERM Council do?
The Council engages in ongoing assessment of risk on the campus and periodic risk assessment meetings may be initiated. The Council will also identify and share resource with the campus, participate in comprehensive policy review and assist in development of new policies when appropriate. In addition, any member of the campus may contact the Council to discuss any thoughts he/she has regarding questions of risk or areas of concern.
What is the goal of the ERM Council?
Over time the vision of the Council is to develop a campus culture of risk awareness, whereby decision makers are informed and assisted by a comprehensive, open and thorough review of the applicable opportunities and risks. "Unless and until each departmental group is actively incorporating "what if?" risk management questions into their long-range planning and decision making, ERM is not yet a complete reality on campus." (ERM in Higher Education, URMIA, 2007).
Why have we undertaken this effort at UNI?
Currently, UNI has a distributed model for risk management. There are designated positions within some departments and divisions that focus on risk management. In addition it is the expectation that each manager/department head takes responsibility for understanding that he/she must act in accordance with policies and procedures that are in place and/or applicable to mitigate risk. However, to provide a more comprehensive review of risk and opportunity within the university, the ERM Council was appointed to provide a more broadly based overview.
How is ERM different from what we do now?
Currently, analysis of risk or opportunities too often focuses on the effects on individual departments/areas. A comprehensive ERM process places greater emphasis on looking at risk as it affects the institution as a whole, in addition to individual departments or areas. The true measure of risk cannot be determined unless we have a culture in place where each situation is evaluated with respect to affects across the institution as a whole. ERM in Higher Education (URMIA, 2007) states " Instead of having only a few personnel dedicated to managing traditional risks on campus, ERM engages everyone at the institution in the management of those risks for which they are responsible."
What is the difference between the ERM Council activities and Internal Audit activities?
The ERM process and Internal Audit function will complement one another as both are focused on assessing and managing risk. The ERM process will identify a number of risks on campus and work with individuals and departments to address such items. An internal audit is scheduled on a separate, independent basis and may be conducted to monitor compliance, evaluate and analyze specific risks or provide review relative to mitigating the risks for the department or program area.