Enterprise Risk Management is a decision support process, engaging and assisting all employees in managing risk to optimally create and preserve value.
The following is a foundation for Managing Risk on campus.
Understanding Types of Risk
All risks have altitudes, and all risks have owners. Different types of risk are assessed using a multi-step process. Each identified risk is placed in a risk category and then assessed. A risk can span more than one category because of its potential impact on the University.
- Compliance Risks are created by failing to follow federal, state, or local laws, regulations, or University policy that safeguard Binghamton University from legal exposure to fines, penalties, lawsuits, reduced future funding, imposed compliance settlements, increased regulatory and audit agency scrutiny, injury, or negative publicity (e.g., ethics, business conduct, fraud, contracts, labor laws, and regulations).
- Operational Risks may affect ongoing day-to-day management processes (e.g., customer service, supply chain, people, culture, information technology, business continuity, fraud, and corporate physical security).
- Financial Risks may result in loss of assets or financial resources (e.g., planning and resource allocation, treasury, financial reporting, tax, investor relations, fraud).
- Strategic Risks may affect an organization's ability to achieve its goals and objectives. They are often identified by senior management as part of strategic planning and review activities (e.g., business model, vision and direction, brand and marketing, investments, and market dynamics). Strategic risks can include Mega-Risks: large-scale external risks that can impact human health, the environment, or society and that are generally too large and too complex to be managed or mitigated by a single entity.
- Reputational Risks may affect the University's reputation, public perception, and similar standing. All risks can have a reputational component, so this factor is considered when analyzing the severity of each risk.
In summary, failing to manage any category of risks can damage public image or reputation. Image and reputation can be improved by capturing a potential opportunity.
The ERM Risk Assessment
Binghamton University is committed to identifying and managing risks in a proactive manner. As such, the University implemented ERM to establish a systematic organization-wide approach to identify risks and mitigation strategies.
ERM is an ongoing process designed to identify and manage potential risks that may adversely affect the University's ability to achieve its objectives. ERM assesses and documents actions to be taken to identify, assess, mitigate, and monitor risks that negatively impact the achievement of the University's mission, strategic plan goals, and/or continuing operational programs. Our risk assessment process includes these steps:
- Review the unit's mission, vision, goals, objectives and/or strategic plan and any major activities and/or functions.
- Identify and analyze risks. Consider the risk's consequence and the probability of occurrence. Establish ownership of each risk.
- Identify the significant controls and mitigating activities. Document evidence of mitigating activity and the designated accountable person/position.
- Rank the risks, considering both the potential impact/consequence and probability/likelihood of the event occurring.
- Review the overall effectiveness of the mitigating, monitoring and/or reporting processes in managing the highest ranked risks. Develop action plans and implement new mitigating activities/strategies to enhance effectiveness, as needed. Document the monitoring and reporting processes for transparency, such as supervisory reviews, management oversight, communication flow, and assurances gained by management that risks are effectively managed through accountability.
- On a periodic basis re-assess and update the risk assessment.
Resource: Performing a Risk Assessment
The ERM process is University-wide, with risk assessments performed for the University as a whole and for major functions and units throughout the campus (e.g., vice presidents, deans, directors). This is a multi-directional and iterative process in which almost any component can and does influence another.