About Enterprise Risk Management

What is Enterprise Risk Management?

Enterprise Risk Management (ERM) is a discipline that attempts to manage all institutional risks. An institutional risk is defined by the International Standards Organization (“ISO”) under ISO 31000 as “any issue that impacts an organization’s ability to meet its objectives.” While this definition is intentionally broad, it should be noted that UC’s ERM program views “risk” as encompassing both adverse impacts and opportunities.

UC’s ERM program is spearheaded by the Chief Risk Officer and engages key leadership, as well as the UC Board of Trustees. It is important to note, however, that risk management works best where there is engagement at all levels of the university.

This image depicts UC's ERM governance structure (a pyramid) with the Audit & Risk Management Committee of the Board at the top, then the ERM Executive Committee, then the ERM Risk Council, which includes two subcommittees: Risk Review and Communications.


Risk assessment is simply a process to evaluate and prioritize risk. After listing all the potential risks, each risk is scored against common criteria:

  • Likelihood -- How likely is it that this will occur at UC?
  • Impact -- How bad (or good) will it be if it does?

The Risk Assessment Template is available to any department/unit seeking to take a first step in better understanding and managing the risks affecting its area. Ideally, the university would use the same scoring system indicated in the template, so that a common framework and language can be applied.

As illustrated in the graphic below, our team can provide consultation on any element of the risk management process, as well as for special projects.

This image depicts the ERM process adapted from ISO 31000. In short, the process includes the following steps: risk identification, analysis, evaluation, mitigation and, finally, monitoring.