Q: What is the difference between traditional risk management and enterprise risk management?
A: “Traditional risk management took responsibility for hazard risk, typically arranging for risk transfer. ERM identifies operational, financial, and strategic risks in addition to hazard risks; develops an understanding of their relationships; and evaluates the potential effect of the risk portfolio on an organization’s ability to achieve its objectives. ERM seeks to optimize a risk management strategy that is integrated into the entire organization.” (The Institutes, 2012).
Traditional risk management deals with how we prevent loss. Enterprise risk management takes a more holistic view: it helps break down silos and looks at risks that are both internal and external. In ERM everyone is a risk manager, so everyone has to own their specific risks.
Q: Who is a risk owner?
A: “An individual accountable for the identification, assessment, treatment and monitoring of risks in a specific environment” (The Institutes, 2012).
Q: What is the purpose of a risk assessment and what are you using this information for?
A: The goal of a risk assessment is to identify risks that the University faces as a whole, and afterward to analyze and report the risks to the board, make decisions on how to treat the risks and ultimately monitor them.
Q: Are there certain standards you want to measure against in the risk assessment?
A: We will not be measuring against any standard right now. The current risk assessments will determine our baseline risks and in the next round of risk assessments, we will measure against those baseline measurements. So in essence, we are setting our own standards right now.
Q: Will anything I say be repeated?
A: All statements will be de-identified and presented in summary format to CGU leadership. All notes are kept on a secure network drive, and only the risk management team has access to that drive. We take confidentiality very seriously, and if we feel that, even after we summarize the notes, they can still be traced back to you, we will reword them appropriately so the message is communicated but not diluted.
Q: Why do we have an office of ERM? Why now and not before?
A: The new chair of CGU’s audit committee mandated the new ERM program after noticing several issues around the University that could have been prevented had a formal program been in place.
Q: Do any of the other Claremont Colleges have an ERM program?
A: Claremont University Consortium has an ERM program, but the remaining colleges aren’t doing anything formal at this time.
Q: What types of risk is the University concerned about?
A: While we often associate risk with financial matters (e.g., investments, insurance, loss prevention), there are many types of risk. The University broadly defines risk as any issue that could impact the University’s ability to meet its business objectives. In other words, risk applies to many different aspects of our work.
Specifically, the University is concerned with five risk areas.
- Compliance – Compliance risks involve violation of federal or state laws and regulations. For example, not adhering to the Fair Labor Standards Act requirements.
- Financial – Financial risks involve loss of assets. For example, personal use of the PCard.
- Operational – Operational risks involve interruption or cessation of business activities. For example, loss of utilities.
- Life Safety – Life safety risks involve personal injury or death. For example, a sports injury.
- Reputational – Reputational risks involve tarnishing the University’s name. For example, negative press releases.