About Enterprise Risk Management

The Ohio State University is ranked among the best public universities in the United States by major institutional rankings and is a best-in-class operation. Likewise, the Office of Enterprise Risk Management must perform at the best-in-class level for the university to advance its mission.  We provide quality service to the Ohio State community.

Overview and Background

Enterprise Risk Management

Enterprise Risk Management (“ERM”) is defined by the Committee of Sponsoring Organizations (“COSO”) as "a process, effected by an entity's board of directors, management and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives." COSO (pdf) was adopted by the regents in 1996.  This process takes into account an organization’s strategic goals as well as its operational goals including an understanding of the current internal control environment.

In 2013, the Board of Trustees concluded that the university should take a more holistic view of risk management across the entire organization.  To execute the Board’s vision, the Enterprise Risk Management (ERM) program and the University Risk Management Committee (URMC) were created.

The objectives of the University Risk Management (URM) Committee are as follows:

• To create a robust risk and governance culture by improving the university’s ability to proactively identify, assess, prioritize and mitigate risk.
• To support the decision-making processes of the Board of Trustees and university leaders by providing appropriate tools to assess risk quantitatively and qualitatively.
• To support existing strategic and budget planning processes, and
• To build a university-wide risk management program that supports the university’s land-grant mission and strategic goals.

President’s Cabinet

The President’s Cabinet oversees the work of the Committee.  The Committee provides regular reports to the Cabinet on university risk management, particularly regarding the university’s strategic risks. 

Implementing Enterprise Risk Management 

University Risk Assessment           

• Uses a consistent approach to identify and rate all key risks across the university in order to support university decision-making, budgeting and strategic planning process

Assesses risks through a consistent methodology by

• Identification and organization of risks into risk categories;
• Rating of each risk in an uncontrolled state, for its “inherent” risk rating;
• Rating of each risk’s current controls to determine the remaining or “residual” risk rating; and
• A qualitative assessment of each top risk based on both external and internal factors;
• Reflecting external changes (e.g., economic, regulatory) to university strategy and operations and adverse impacts (e.g., litigation, audit findings); and
• Is conducted annually by the ORM and the Office of University Compliance and Integrity (“Compliance”).