The Institute of Internal Auditors defines Enterprise Risk Management as "a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, that is designed to identify potential events that may affect the entity, manage risk to be within its risk appetite, and provide reasonable assurance regarding the achievement of entity objectives."
The ERM framework is geared towards achieving an entity’s objectives, set forth in four categories:
- Strategic - high-level goals, aligned with and supporting its mission
- Operations - effective and efficient use of its resources
- Reporting - reliability of reporting
- Compliance - compliance with applicable laws and regulations
Because objectives relating to reliability of reporting and compliance with laws and regulations are within the entity’s control, ERM can be expected to provide reasonable assurance of achieving those objectives. Achievement of strategic and operations objectives is subject to external events not always within the entity’s control. Accordingly, for these objectives, ERM can provide reasonable assurance that management and the board in its oversight role are made aware, in a timely manner, of the extent to which the entity is moving toward achievement of the objectives.
A risk assessment is the identification and analysis of relevant risks in relation to the achievement of an organization's objectives, for the purpose of determining how those risks should be managed. Risk assessment implies an initial determination of operating objectives, then a systematic identification of those things that could prevent each objective from being attained. In other words, it's an analysis of “what could go wrong”.
Not all risks are equal. Some are more likely than others to occur, and some will have a greater impact than others if they occur. So, once risks are identified, their probability and significance must be assessed. Finally, having identified and assessed risk, management must decide how to deal with it. In some cases, the decision may be to control it; in others, it may be to accept it.
As a good business practice, the risk assessment process is ongoing. Internal and external threats constantly develop, presenting new hazards to the organization. "Change" itself is a risk, and management must continually adapt its policies and procedures to manage its changing risks to a comfortable level. Each operating unit at the University faces its own challenges and risks and must assess how it will manage its risks to meet its objectives. A good internal control system can mitigate those risks.
A risk assessment:
- Allows an entity to understand the extent to which potential events might impact objectives.
- Assesses risks from two perspectives:
- Employs a combination of both qualitative and quantitative risk assessment methodologies.
- Relates time horizons to objective horizons.
- Assesses risk on both an inherent and a residual basis.
The risk assessment process itself is an opportunity for management and directors to look at their operations, determine the areas of significant risk, and evaluate what actions can be taken to minimize the risk and enhance the effectiveness and efficiency of the operation, while following applicable laws and regulations. This risk assessment and internal control evaluation can be integrated into a Department's or Area's strategic planning process and program review. As noted, the risk assessment process is ongoing and does not necessarily end with submission of an annual Risk Evaluation. Although the formal process may be complete, managers should make themselves continually aware of potential risks.