Collaborative/Enterprise Risk Management (C/ERM)
Conceptually and in practice, C/ERM engages all University staff who have responsibility for managing risk within their departments and organizations.
We follow the framework below as a foundation for Managing Risk on campus.
Types of Risk
All risks have altitudes, and all risks have owners. Different types of risk are assessed using a traditional eight-step process. Risk categories are taken from the COSO (coso.org/) model and applied to the functions of the University. Each risk identified is placed in one of the risk categories and then assessed. A risk can span more than one category because of its potential impact on the University.
• Compliance Risks are created by failing to follow federal, state, or local laws, regulations, or University policy that safeguards Binghamton University from legal exposure to fines, penalties, lawsuits, reduced future funding, imposed compliance settlements, more regulatory and audit agency scrutiny, injury, or negative publicity (e.g., ethics, business conduct, fraud, contract, labor laws, and regulation).
• Operations Risks may affect on-going day‐to‐day management processes (e.g., customer service, supply chain, people, culture, information technology, business continuity, fraud, and corporate physical security).
• Financial Risks may result in loss of assets or financial resources (e.g., planning and resource allocation, treasury, financial reporting, tax, investor relations, fraud).
• Strategic Risks may affect an organization's ability to achieve its goals and objectives. They are often identified by senior management as part of strategic planning and review activities (e.g., business model, vision and direction, brand and marketing, investments, and market dynamics). Strategic risks can include mega-risks: large-scale external risks that can impact human health, the environment, or society, and that are generally too large and too complex to be managed or mitigated by a single entity.
• Reputational Risks may affect the University's reputation, public perception, and similar standing.
In summary, failing to manage any category of risk can damage public image or reputation, while capturing a potential opportunity can improve them.
Components of a Collaborative Risk Management Process
Traditional enterprise risk management comprises eight interrelated components, derived from the way management operates the University and integrated with the management process. These components are:
• Internal Environment – The internal environment encompasses the tone of the University and sets the basis for how we view and address risk, including philosophy and risk appetite, integrity and ethical values, and the operational environment.
• Objective Setting – Objectives must exist before management can identify potential events affecting their achievement. Successful risk management ensures that management has a process in place to set objectives, and that these objectives align with and support the University's mission and are consistent with our risk appetite.
• Event Identification – Internal and external events affecting achievement of our objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management's strategy or objective-setting processes.
• Risk Assessment – Risks are analyzed, considering likelihood, impact, and velocity, as a basis for determining how they should be managed. Risks are assessed on both an inherent and a residual basis.
• Risk Response – Management selects risk responses (avoiding, accepting, reducing, or sharing risk) and develops a set of actions to align risks with our risk tolerances and risk appetite.
• Control Activities – Policies and procedures are established and implemented to help ensure responses are effectively carried out.
• Information and Communication – Relevant information is identified, captured, and communicated in a form and time frame that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the entity.
• Monitoring – The entirety of risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.
Collaborative risk management is not a serial process in which one component affects only the next. It is a multi-directional and iterative process in which almost any component can and does influence another. (Source: http://www.coso.org/documents/coso_erm_executivesummary.pdf)