About Risk Management
The mission of the Office of Risk Management (“ORM”) is to create a risk and governance culture by improving the University’s capability to proactively identify, assess, prioritize, and mitigate risk; support existing strategic and budget planning processes; and build a foundation for a University-wide risk management program that supports the land-grant mission of our great University.
How We Do It
Enterprise Risk Management
Enterprise Risk Management (“ERM”) is defined by the Committee of Sponsoring Organizations (“COSO”) as "a process, effected by an entity's board of directors, management and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives." COSO was adopted by the regents in 1996. This process takes into account an organization’s strategic goals as well as its operational goals, including an understanding of the current internal control environment.
Implementing Enterprise Risk Management
- University Risk Assessment
  - Uses a consistent approach to identify and rate all key risks across the University in order to support University decision-making, budgeting and strategic planning process;
  - Assesses risks through a consistent methodology:
    - identification and organization of risks into risk categories;
    - the rating of each risk in an uncontrolled state, for its “inherent” risk rating;
    - the rating of each risk’s current controls to determine the remaining or “residual” risk rating; and
    - a qualitative assessment of each top risk based on both external and internal factors;
  - Reflects external changes (e.g., economic, regulatory) to University strategy and operations and adverse impacts (e.g., litigation, audit findings); and
  - Is conducted annually by the ORM and the Office of University Compliance and Integrity (“Compliance”).