Budget and Planning

Enterprise Risk Management (ERM) at Iowa State University

Background

In a broad sense, risk is any issue or event that affects an organization's ability to meet its objectives. Historically, risk has been viewed as something to be avoided or eliminated with only a negative outcome on an organization. However, there is now increasing awareness that successfully managing risk leads to a competitive advantage and can maximize stakeholder value. In addition, it is more evident now that risks are interconnected across an organization and traditional silo approaches to managing these risks are becoming less effective. Organizations must systematically share risk and internal control knowledge across their functions and departments to obtain best practices.

Enterprise risk management is a coordinated approach to measuring, managing and monitoring risks that affect the achievement of the organization's strategic and financial objectives. The enterprise risk management approach commonly categorizes risks as strategic, operational, financial, compliance and reputational.

Philosophy

For Iowa State University to optimize the benefits of managing risk and pursuing opportunities, the university must embed an enterprise-wide, risk management culture into all of its activities. This embedded enterprise risk management culture will help ensure that decisions will be well informed and aligned with the university's strategies and risk tolerance.

Structure

Iowa State's Enterprise Risk Management activities will primarily focus on the risks associated with eight functional areas:

  • Physical Plant
  • Finance and Investment
  • Human Resources
  • Health and Safety
  • Student Affairs
  • Academic and Research
  • Information Technology
  • External Affairs

The Enterprise Risk Management Executive Committee will provide broad oversight and final decision making for the university's risk management activities and will continuously assess the university's enterprise risk management strategies to ensure alignment with institutional strategic objectives.

The Enterprise Risk Management Steering Committee is a standing committee whose membership is appointed by the Executive Vice President and Provost. The Committee will collaborate with representatives of the university community to identify, assess and prioritize risks and forward higher priority risks to the Executive Vice President and Provost and the Enterprise Risk Management Executive Committee. The Committee will be charged with:

  • Educating the university community on the benefits of managing risk and the opportunities that risk presents
  • Establishing campus-wide methodologies for identifying and prioritizing risks
  • Designing a comprehensive and common-sense approach to manage risks across the entire organization
  • Routinely monitoring risk and advising the Executive Vice President and Provost on all matters related to risk management

Implementation

Implementing an Enterprise Risk Management program at the university will involve the following components:

  • Defining the Culture - Determining how risk is viewed and incorporated into the institution's culture, tone and values
  • Setting Objectives - Setting goals and objectives that align with the institution's mission and its appetite for risk
  • Identifying the Risk of Events - Identifying risk that may impact the institution's ability to achieve objectives
  • Assessing the Identified Risk - Analyzing the probability and impact of the risk
  • Establishing a Response to the Risk - Determining the level of response to a risk:
    • Accept - When both the impact and the probability are low, accept the risk
    • Control - When there is a high probability of a risk, but its impact is low, ensure appropriate controls are in place
    • Share - When there is high impact, but low probability, share the risk with others
    • Mitigate - When both the probability and impact are high, design controls and processes to reduce the exposure to loss
  • Establishing Controls - Establishing policies and procedures to help ensure that the institution responds to risks as intended
  • Providing Information - Collecting and providing access to information to assist in monitoring activities
  • Monitoring Activities - Ensuring that the policies and procedures have been carried out as intended
  • Communicating - Routinely communicating the university's progress and status of objectives