
ERM Glossary

Audit Cycles: (definition from the University of Minnesota) Audit coverage of departments on regular cycles based on their risk assessments. For example:

    • High-risk departments are scheduled to receive audit coverage every three years
    • Above-average risk departments are scheduled to receive audit coverage every four years
    • Moderate risk departments are scheduled to receive audit coverage every six years
    • Low-risk departments are scheduled to receive audit coverage every eight years.

Audit Department Risk Assessment: (definition from the University of Minnesota) An Internal Auditor might employ a formalized risk assessment methodology in selecting departments for inclusion in an annual audit plan. The assessment measures a department’s overall risk relative to other college or university departments. The risk factors considered in a department’s assessment may include:

    • Level of sponsored and non-sponsored revenues and expenditures
    • Impact of unit/process on other institutional activities
    • Significant system development or process change
    • Regulatory compliance issues
    • Pending or potential litigation issues
    • Organizational change/turnover
    • Known or perceived control concerns

Audit history: Based on the outcome of the assessment, individual departments are categorized into one of four risk levels: high, above average, moderate, or low risk. A rating of “high risk” does not necessarily mean a department is perceived to have control problems, but rather is a reflection of the criticality or impact of the department to the institution’s mission.

Chief Risk Officer (CRO): A senior manager with day-to-day oversight of enterprise risk management.

COSO (definitions from COSO): The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a voluntary private sector organization. It is dedicated to helping improve the quality of financial reporting through business ethics, effective external controls, and corporate governance.

According to COSO, the three primary objectives of an internal control system are to “ensure efficient and effective operations, provide accurate financial reporting, and comply with laws and regulations.”

It is sponsored by the five major financial professional associations in the United States: the American Accounting Association, the American Institute of Certified Public Accountants, the Financial Executives Institute, the Institute of Internal Auditors, and the Institute of Management Accountants.

COSO provides a model to achieve its recommended internal control process that includes:

    • Evaluating the effectiveness of existing internal controls
    • Identifying high risk/reward areas, including disclosing risks that could adversely affect the institution
    • Determining the appropriate level of controls to better manage the risks
    • Comparing the current situation with target goals
    • Implementing procedures to minimize risks
    • Ensuring that reporting and documentation can pass scrutiny by third party evaluators
    • Communicating improvements to employees and training employees to report deficiencies to management
    • Establishing and implementing a formalized monitoring process, and establishing a mechanism to ensure continuous improvement.

Cost-of-Risk: The financial impact on an organization of undertaking activities with an uncertain outcome; it includes such factors as the cost of managing those risks, financially transferring the liabilities, and sustaining any uninsured losses. Common Cost-of-Risk Measurements or Risk Ratings are:

    • Frequency
    • Severity
    • Cost to mitigate
    • Total cost-of-risk
    • Degree of uncertainty
    • Benefits to the institution
    • Financial value
    • Institutional enhancement

Enterprise Risk Management (ERM): An integrated approach to assessing and managing all risks that threaten a college or university’s ability to achieve its strategic objectives. The purpose of ERM is to understand, prioritize, and develop action plans to maximize benefits and mitigate the risks of greatest concern to the institution. The ERM framework enables management to work collaboratively to identify, assess, and manage existing and future risks in a way that is integrated across campus; this approach is also known as holistic, strategic, or integrated risk management. ERM:

    • Is central to an institution’s strategic planning and management
    • Is focused on identifying and treating risks of all types
    • Adds maximum sustainable value to all activities
    • Increases probability of success and minimizes probability of failure
    • Is continuous; integrated with strategic planning and plan implementation
    • Is integrated with organizational culture and led by senior management
    • Assigns responsibility throughout the organization in each position description

Financial Benchmarks:

    • Primary Reserve Ratio: Illustrates how long an institution can survive if it were to totally shut down.
    • Net Operating Revenue Ratio: Determines whether the institution operates in a surplus or deficit.
    • Return on Net Assets Ratio: Rate of effective deployment of resources; net income divided by net assets.
    • Viability Ratio: Ability to meet debt obligations with expendable assets.

All of these calculations take into consideration the historical costs-of-risk. What they don’t do is expose any gaps in coverage or other protections.

Impact: Result or effect of an event. The impact of an event can be positive or negative relative to the entity’s strategic objectives, and there can be a range of possible impacts associated with any single event.

Inherent Risk: The risk to the college or university in the absence of any actions management might take to otherwise alter the likelihood the risk could result in an event with a negative impact.

Internal Environment: Encompasses the culture of a college or university and sets the basis for how risks are viewed and managed, including risk management philosophy, risk appetite, integrity and ethical values, and the overall environment in which the organization operates.

Likelihood: The possibility that a given event will occur.

Loss Control: The technique of minimizing the severity of loss or the impact of any negative event once it occurs.

Metrics: The means by which to measure the effectiveness and/or success of risk mitigation strategies.

Opportunity: The possibility that an event will occur that will have a positive impact on the institution and the achievement of its strategic objectives.

Performance Assessment: (definition from Protiviti’s Guide to Enterprise Risk Management)

The retrospective activity applied to evaluate the performance of a unit, a process, or a function against a pre-determined target or standard over a stated period of time.

Residual Risk: The risk that remains after the institution has employed risk strategies/mitigation.

Risk:

a) The combination of the probability of an event and its consequences. Risk is inherent in all types of undertaking and may carry the potential for benefit or be a threat to success.

b) The opportunities, uncertainties, threats, and barriers to which a college or university must respond in order to achieve its objectives.

Risk Acceptance: Occurs when no action is taken to affect a risk’s likelihood from developing into an event resulting in a negative impact on the institution.

Risk Analysis: Identifying and describing risks, estimating the impact of each on the institution, and developing a corresponding risk profile.

Risk Appetite (definition from COSO): An organization’s tolerance for risk. The broad amount of risk a college or university is willing to accept in pursuit of its mission or vision. The measurement of risk appetite may be evaluated qualitatively or quantitatively.

Risk Assessment: Determining the impact of an identified risk on the institution. Risks are assessed on an inherent and residual basis.

Risk Assessment Activities:

    • Risk identification—the qualitative determination of significant risks that can potentially impact the institution’s achievement of its financial and/or strategic objectives. This is often done through structured interviews of key personnel by internal or external experts.
    • Risk prioritization—the ranking of risks on a scale, such as frequency and/or severity (see Risk Mapping).

Risk Assessment Tools: Instruments designed to assist colleges and universities in assessing and evaluating risks in order to make more informed decisions.

Risk Avoidance: Avoiding the activities giving rise to risk.

Risk Categories:

    • External: Exposure to uncertainty affecting the community or communities served by the college or university.
    • Financial: Exposure to uncertainty regarding the management and control of the finances of the institution.
    • Hazard: Exposure to loss arising from damage to property or from tortious acts; typically includes the perils covered by insurance.
    • Human Resources: Exposure to uncertainty related to compliance with personnel policies and procedures, employee morale, and organizational culture.
    • Legal/Regulatory Compliance: Exposure to uncertainty related to laws, statutes, and administrative regulations that govern how colleges and universities operate.
    • Operational: Exposure to uncertainty related to day-to-day business activities.
    • Reputational: Exposure to uncertainty related to brand, perceived value, organizational status, and public perception and trust.
    • Strategic: Exposure to uncertainty related to long-term policy directions of the institution—the “big picture” risks.

Risk Control: The technique of minimizing the frequency or severity of potential losses through training, safety procedures, and engineering and security measures.

Risk Evaluation: Comparing the results of estimating risks to the significance of the risks, in order to decide whether to accept and manage them, transfer them by means such as insurance, use a combination of the two, or eliminate the risks altogether.

Risk Financing: The mechanisms for funding risk mitigation strategies and/or funding the financial consequences of risk; i.e., insurance, or the financial consequences of uninsured risks.

Risk Identification: The qualitative and, whenever possible, the quantitative determination of risks that are material; i.e., that potentially can impact the achievement of the institution’s strategic objectives.

Risk Mapping: The visual representation of risks which have been identified through a risk assessment exercise in a way that easily allows priority ranking of them. This representation often takes the form of a two-dimensional grid with probability on one axis and impact on the other axis. The risks that fall in the high probability/high impact quadrant are given priority risk management attention.

Risk Mitigation: Actions which reduce a risk or its consequences (see Risk Strategies).

Risk Portfolio: A list of risks identified and evaluated by a college or university (also called Risk Register) that represent a portfolio of risks at a certain time.

Risk Prioritization: The ranking of material risks on an appropriate scale, such as frequency and/or severity (see also Risk Mapping).

Risk Profile: The use of a tool or system to rate and/or prioritize a series of risks.

Risk Reduction: Action taken to reduce the likelihood or impact of a risk, or the frequency or severity of potential losses, or both. May include risk transfer, engineering, fire protection, and/or safety inspections.

Risk Response: Management’s selection of risk avoidance, acceptance, reduction, or sharing, and development of a set of actions to align risks with the institution’s risk appetite and tolerances.

Risk Reporting: Distribution of information on risks to internal and/or external stakeholders.

Risk Sharing: Reducing risk likelihood or impact by transferring some or otherwise sharing a portion of the risk.

Risk Strategies: Possible responses to risk situations such as avoidance, acceptance, sharing, and reduction.

Risk Tolerance: The acceptable level of risk relative to the achievement of an objective.

Risk Treatment: The process of selecting and implementing measures to modify the risk.

Sarbanes-Oxley Act: The Sarbanes-Oxley Act of 2002, commonly referred to as “SOX” or “SarBox,” is an amendment to the Federal Securities Exchange Act of 1934. It is intended to prevent auditors from providing specific non-audit services, including actuarial services, to their SEC-regulated audit clients. There are five major components of the amendment that are of specific interest for higher education. They include sections on 1) transparency of financial reports, 2) corporate disclosure, 3) board independence, 4) accountability, and 5) development of ethical operating standards. Although the Act includes requirements that apply to publicly held companies only, some higher education trustees believe that some or all of these components are essential to good practices for colleges and universities.

Silo: Divisions, departments, or other groups and individuals on campus that tend to act in isolation from one another.

Traditional Risk Management: Original form of risk management, focusing primarily on insurable hazard risks.

*All definitions were courtesy of ERM in Higher Education