Enterprise Risk Management Process 

Steps in the ERM Process

 
Step 1: Identify Risks 
The first step in the ERM process is to identify potential risks (and opportunities) that may impact NC A&T’s objectives. This involves recognizing internal and external risks that may arise from various sources such as operations, financial, regulatory, legal, reputational and strategic risks. Identifying new risks is key to managing what is on the horizon.

The risk identification process is the first step in managing risks. It involves identifying potential risks that may impact an organization’s objectives, operations or stakeholders. The risk identification process includes the following processes. 
 
  • Establish the Context - Before starting the risk identification process, it is important to establish the context by defining the scope of the risk assessment, identifying relevant stakeholders, and clarifying the university’s objectives and risk appetite. 
  • Brainstorm Potential Risks - The next step is to brainstorm potential risks that could impact the organization. This can be done through various methods, such as conducting interviews, holding workshops or reviewing historical data. Involving stakeholders from different parts of the organization is important to ensuring a comprehensive list of potential risks. 
  • Categorize Risks - After identifying potential risks, they should be categorized by type or source. Common categories of risks include strategic, financial, legal, operational, compliance, and reputational risks.

The risk identification process is a continuous process that should be reviewed and updated regularly to ensure that new risks are identified, and existing risks are appropriately managed. By identifying potential risks and assessing their likelihood and impact, organizations can develop effective risk management strategies to protect their objectives and stakeholders.

Step 2: Risk Assessment
 
After identifying risks, the next step in the ERM process is assessing their likelihood and potential impact on the university’s objectives. This involves analyzing risks in terms of their probability of occurrence, potential impact, the speed (or velocity) with which the risk may affect the university, and the adequacy of NC A&T’s current controls to manage those risks.

The goal of the risk assessment phase is to understand what problems or opportunities a risk might cause and determine the magnitude of the risk for prioritization in a later step. When assessing and rating risks, the following factors are considered. 
 
  • Likelihood - measures the probability of a risk event occurring. 
  • Impact - measures the potential consequences of a risk event. 
  • Velocity - measures how quickly a risk event can materialize and cause harm. 
  • Preparedness - measures the organization’s level of preparedness to handle the risk. 

Step 3: Prioritize Risks

The next step after assessing the risks is prioritizing them based on importance to the university’s objectives. This involves determining which risks require immediate attention and which risks can be managed over the long term.

After assessing the factors of each risk, risks can be prioritized by assigning a risk rating score. Applying the risk prioritization process allows administrators to ensure that they are allocating resources to the most significant risks and taking appropriate measures to protect mission objectives. 
 
To rank the priority of risks, risk rankings (scores) are assigned using the assessment criteria for impact, likelihood, velocity and preparedness.
 
The following is one methodology that can be used for rating risks: 
Likelihood x Impact x Velocity x Preparedness = Risk Score 
 
The risk rating formula is used to calculate a numerical score for each identified risk, which is then used to prioritize risks and determine the appropriate risk management strategies. Risks with higher scores are typically given priority attention and resources for risk management and mitigation efforts.

Step 4: Develop Risk Management and Mitigation Strategies
 
After prioritizing the risks, the university must develop risk management strategies that align with its strategic objectives. This involves developing a risk management plan that outlines how the university will mitigate, manage, avoid, transfer, or accept each risk.

Various strategies can be used for managing identified risks. Establishing policies, procedures and controls enables the university to keep identified risks within acceptable ranges. A risk management plan should be developed for each risk that outlines the specific strategies and actions that will be taken to mitigate the risk. The plans define roles and responsibilities for risk mitigation, establish timelines for completion, and identify resource requirements. Common strategies for managing or mitigating enterprise risks include:
 
  • Acceptance - Accepting the risk and its consequences, either because the risk is too difficult or too expensive to manage or mitigate, or because the potential benefits outweigh the potential consequences. 
  • Avoidance - Avoiding the risk entirely by not engaging in the activity that could result in the risk. 
  • Reduction - Reducing the likelihood or impact of the risk by implementing risk management controls or safeguards. This may involve implementing security measures, redundancy systems, or establishing policies, procedures, or guidelines. 
  • Transfer - Transferring to or sharing the risk with another party, such as through insurance or outsourcing to a third-party provider. 
  • Exploitation - Actively seeking opportunities to take advantage of the positive aspects of a risk, such as a new market opportunity or emerging technology.
 
Each strategy has advantages and disadvantages, and the appropriate strategy depends on the nature and context of the risk. A combination of strategies can be used to effectively manage risks. It is important to regularly review and update risk mitigation strategies for effectiveness and relevance.

Step 5: Implement Risk Management and Mitigation Strategies
 
After developing risk management strategies, the university must next implement its risk management and mitigation strategies. This involves putting in place the necessary processes, policies, and procedures to manage identified risks.

Implementing risk mitigation strategies involves taking action to reduce the likelihood or impact of identified risks that could negatively impact the university’s objectives. This may involve implementing new policies, procedures, guidelines, controls, or modifying existing ones. Communication and training are essential for effective implementation of selected risk mitigation strategies.  
 
Stakeholders should be informed about the strategies as well as their roles and responsibilities in the implementation process. Training may also be necessary to ensure stakeholders have the necessary skills and knowledge to implement the mitigation strategies effectively.

Step 6: Report, Monitor, and Review

The final step in the ERM process is reporting, monitoring, and reviewing the effectiveness of the risk management strategies implemented. This involves continuously monitoring the risks, evaluating the effectiveness of the risk management strategies, adjusting the strategies as necessary, and reporting the results in a timely manner to be useful for strategic planning.

ERM is an ongoing process of collecting and assessing information from internal and external sources from all parts of the organization. Regularly monitoring and reviewing the effectiveness of implemented mitigation strategies ensures that they remain effective and relevant. Adjustments should be made as necessary based on changes in the risk environment, university priorities, or other factors. ERM reporting informs the university’s day-to-day decision-making by helping administrators and the Board of Trustees identify risks facing their institutions.