ERM Policy

In accordance with the ISO 31000 standard, the University maintains an ERM policy.  The policy provides direction for ERM implementation, lends credibility to the program, and demonstrates the University’s commitment to the ERM process.

I. Policy
This policy has been established to ensure appropriate identification and evaluation of risks associated with all University activities and to ensure that these risks are managed at an appropriate and acceptable level. All University community members must understand and take responsibility for managing risks associated with activities within their span of control. In an effort to assist in the appropriate management of University risks, an Enterprise Risk Management (ERM) process will be developed, implemented and continuously improved at all relevant levels and functions of the organization in accordance with International Standards Organization (ISO) 31000-2009 “Risk Management – Principles and Guidelines”.

A. Definitions:
1.  Risk: the University faces internal and external factors that make it uncertain if and when we will achieve our objectives. The effect that this uncertainty has on our objectives is called “risk” and can be either positive or negative.
2.  Enterprise Risk Management: the process of identifying, evaluating, controlling and monitoring University risks.
3.  ISO: International Standards Organization. ISO provides an ERM guidance standard that provides the principles and guidelines for managing any form of risk in a systematic, transparent and credible manner.
4.  Risk Owner: an individual, department, college, school, etc. who has been notified and assigned accountability and authority to manage a risk.
5.  Risk Identification: the process of finding, recognizing and describing risks associated with University activities.
6.  Risk Register: a listing of identified risks used to track and evaluate risks associated with University activities.
7.  Risk Evaluation: the process of determining if a risk is acceptable to the University.
8.  Risk Control: the process of modifying, managing and/or exploiting a University risk.

II. Procedure

1. The University’s Enterprise Risk Management Oversight Committee integrates the ERM process into all aspects of the University’s mission including, governance, strategic planning, reporting, values and culture.
2. The University has appointed an Enterprise Risk Manager who will facilitate the development, implementation and continual improvement of the ERM process. The Enterprise Risk Manager will communicate, consult and provide training to Risk Owners when implementing the ERM process, thereby raising awareness of the need for risk management.
3. The Enterprise Risk Management Oversight Committee, in conjunction with the Enterprise Risk Manager, will establish a central Risk Register that will be used to document and evaluate risks and their controls. Through the Risk Register, the committee monitors and evaluates existing and emerging risks, implemented controls and action plans established to meet risk management objectives.
4. Risk Owners will effectively and efficiently manage risks at known and acceptable levels through the ERM process and will consider legal compliance as an absolute minimum.
5. In conjunction with the Enterprise Risk Manager, Risk Owners will be responsible for developing and implementing action plans to control significant risks and reporting risk management performance to the Enterprise Risk Management Oversight Committee.

Click here for a printable version of the University’s ERM Policy.