The Institute of Internal Auditors defines Enterprise Risk Management as "a process, effected by an entity’s board of directors, management and other personnel,
applied in strategy setting and across the enterprise, that is designed to identify
potential events that may affect the entity, manage risk to be within its risk appetite,
and provide reasonable assurance regarding the achievement of entity objectives."
The ERM framework is geared towards achieving an entity’s objectives, set forth in four categories:
- Strategic - high-level goals, aligned with and supporting its mission
- Operations - effective and efficient use of its resources
- Reporting - reliability of reporting
- Compliance - compliance with applicable laws and regulations
Because objectives relating to reliability of reporting and compliance with laws and
regulations are within the entity’s control, ERM can be expected to provide reasonable
assurance of achieving those objectives. Achievement of strategic and operations objectives
is subject to external events not always within the entity’s control. Accordingly,
for these objectives, ERM can provide reasonable assurance that management and the
board in its oversight role are made aware, in a timely manner, of the extent to which
the entity is moving toward achievement of the objectives.
A risk assessment is the identification and analysis of relevant risks in relation
to the achievement of an organization's objectives, for the purpose of determining
how those risks should be managed. Risk assessment implies an initial determination
of operating objectives, then a systematic identification of those things that could
prevent each objective from being attained. In other words, it's an analysis of “what
could go wrong”.
Not all risks are equal. Some are more likely than others to occur, and some will
have a greater impact than others if they occur. So, once risks are identified, their
probability and significance must be assessed. Finally, having identified and assessed
risk, management must decide how to deal with it. In some cases, the decision may
be to control it; in others, it may be to accept it.
As a good business practice, the risk assessment process is ongoing. Internal and
external threats constantly develop, presenting new hazards to the organization. "Change"
itself is a risk, and management must continually adapt its policies and procedures
to manage its changing risks to a comfortable level. Each operating unit at the University
faces its own challenges and risks and must assess how it will manage its risks to
meet its objectives. A good internal control system can mitigate those risks.
A risk assessment:
- Allows an entity to understand the extent to which potential events might impact objectives.
- Assesses risks from two perspectives: their probability of occurring and the significance of their impact if they do occur.
- Employs a combination of both qualitative and quantitative risk assessment methodologies.
- Relates time horizons to objective horizons.
- Assesses risk on both an inherent and a residual basis.
The risk assessment process itself is an opportunity for management and directors
to look at their operations, determine the areas of significant risk, and evaluate
what actions can be taken to minimize the risk and enhance the effectiveness and efficiency
of the operation, while following applicable laws and regulations. This risk assessment
and internal control evaluation can be integrated into a Department's or Area's strategic
planning process and program review. As noted, the risk assessment process is ongoing
and does not necessarily end with submission of an annual Risk Evaluation. Although
the formal process may be complete, managers should make themselves continually aware
of potential risks.