ERM at Indiana University
On this page:
- IU ERM
- Risk Areas and Subareas
- Enterprise Risk vs. Risk
- Risk Types, Risk Areas & subareas, & Risk Owners
- Inherent Risk
- Velocity & Speed of Occurrence
- Heat Maps & Risk Response
- Residual Risk
Indiana University’s enterprise risk management (ERM) is applied in strategy and across activities. It enables management to identify, assess and manage risks during times of uncertainty. ERM also supports value creation and preservation by:
- providing alignment of risk appetite and strategy;
- linking risk with growth and return;
- enhancing risk response decisions;
- minimizing operational surprises and losses;
- identifying and managing cross-enterprise risks;
- providing integrated responses to multiple risks;
- seizing opportunities; and
- rationalizing capital.
In doing so, the ERM framework effectively navigates through uncertainty and associated risks while enhancing opportunities and the university’s capacity to build value. This includes the recognition of inherent risks and opportunities, enabling management to consider data and information relative to both internal and external environments while deploying appropriate resources and activity modification for evolving conditions. Thus, value is maximized through optimal balance and growth in university strategy and objectives while maintaining efficiency and effectiveness. IU's initial strategy and structure can be found in the attachments section of this webpage.
IU's ERM program divides the university into several Risk Areas. A Risk Area is a business function component of the university that contains several concentrated Subareas. By splitting up the university into Risk Areas, the ERM program is better able to identify and assess Risks native to those business functions, as well as cross-functional Risks. A leader, or several leaders, is designated for each Risk Area. Those designees are known as Risk Owners. Risk Owners are intimately familiar with the business functions of that area, its influence on achieving university objectives and any current or potential Risks affecting those objectives.
By using Risk Areas, the ERM program reduces the scope of risk analysis and increases process efficiency and effectiveness. In addition, the appropriate personnel are involved, and the analysis can concentrate on alignment with the university's strategic goals and objectives by assessing threats and exploiting potential opportunities.
Please see a list of Indiana University's Risk Areas and Subareas here.
Indiana University acknowledges two types of risks: those labeled as an “enterprise risk” and those labeled as a “risk”. Enterprise risks represent those conditions or actions that could substantially impair the university’s ability to achieve its objectives or execute its strategies; whereas risks represent conditions or actions that could negatively impact the departments/schools/units’ objectives and day-to-day activities.
With all enterprise risk activities, it's vital to focus on the university's objectives; focusing on enterprise risks and risks that do not impact an objective or strategy could divert focus and efforts that would otherwise benefit the university in its mission.
Risks are linked to the area, and subarea, where the potential for damage can occur, as well as the type of categorical risk they are associated with. At Indiana University, five categories of risk types are utilized.
- Compliance: relating to the university's compliance with applicable laws, regulations, policies, and accreditations
- Financial: relating to the university's financial sustainability and growth
- Operational: relating to the effective and efficient use of university resources
- Reputational: relating to the widespread belief that the university has a particular habit or characteristic
- Strategic: relating to high-level goals and objectives, aligned with and supporting the university's mission and vision
In addition, Indiana University’s Enterprise Risk Management Committee (ERMC) recognizes twenty (20) Risk Areas with several Subareas.
Risk subareas may extend to multiple Risk Areas, just as Risk Areas may have multiple Risk Owners. Risk Owners are the individuals responsible for ensuring the risk is properly managed and monitored. At IU, a Risk Owner (or Owners) is defined for each Risk Area and each risk.
Inventories are developed and maintained for the recording of all identified details of an ERM area. At Indiana University, we process five (5) inventories: events, risks, controls, opportunities, and objectives. By collecting this information in an inventory format, we can optimize its analysis and the plans for how risks are treated.
The risk to an entity in the absence of any actions management might take to alter either the risk’s likelihood or impact is considered inherent risk. Inherent risk is often demonstrated through the risk rating methodology, which includes impact, likelihood, and velocity.
Velocity and speed of occurrence measure how the momentum of a risk can quickly, or slowly, cause its full impact. Similar to the domino effect, it’s beneficial to know what the extent of the damage can be, and just how quickly that damage will occur. The speed of occurrence takes three items into account: the speed of onset, the speed of impact, and the speed of reaction.
The speed of onset is the time it takes for a risk to impact the university (e.g., the time between the occurrence and when the university first feels its effects).
The speed of impact is the time it takes for a risk to reach full impact on the university (e.g., the time between occurrence and when the university feels the full extent of its effects).
The speed of reaction is the time it takes for the university to control the risk (e.g., the time between the occurrence and when the university completely mitigates or controls the risk).
When all three are taken into account, an accurate portrait of a risk’s velocity is clear. Velocity is accounted for when reviewing risks so that the potential for blindside impact is minimized. Principally, the university utilizes velocity in the prioritization of risks and opportunities.
Heat maps are used to place risks on a scatter plot based on their impact, likelihood, and velocity. This allows decision-makers to quickly identify which risks are most threatening, as well as track the progress of reducing those risks over specific periods of time. Heat maps can also display movement between inherent risk scores and residual risk scores. In other words, they show what the risk is without any activities to mitigate it versus what the risk is when controls are in place.
Risk response is the selection of avoidance, acceptance, reduction, or sharing of a risk, and developing a set of actions to align risks with the university’s risk appetite and tolerances.
Residual risk is the remaining potential risk or loss after risk responses are applied. Risk responses rarely eliminate a risk entirely, and whatever risk is left stays with the university.