Enterprise Risk Management

Purpose

In an effort to reduce the cost of risk at the University, ORM, with the support and guidance of the Office of Finance and Administrative Services (FAS), is seeking to identify and mitigate potential risks throughout the University using the ERM process.

What is ERM?

Risk must be identified as the chance of something meaningful happening that will have an impact on the University, either positive or negative. ERM is the commitment to managing risk as an integral component of an entity’s operations in order to maximize opportunities and minimize setbacks to the entity’s mission, strategies, and objectives. More specifically, ERM links the effects of risk to the overall institutional strategy and influences decisions made at every level. With ERM, an institution can achieve a continuous cycle of improvement throughout its operations. At its most powerful, ERM reassures the governing board that the institution uses solid procedures that advance its goals and minimize unnecessary costs, reputational damage, and other adverse consequences.

LSU ERM Framework and Process

ORM has defined ERM according to the institution’s interpretation of the Committee of Sponsoring Organizations (COSO) model, creating an LSU-tailored definition for implementation (an ERM framework diagram can be seen below).

ORM views ERM as integrating risk discussions into strategic deliberations, and identifying the interrelations of risk factors across activities. Specific characteristics of ERM include:

  • Assessing risk in the context of strategic objectives;
  • Viewing risk holistically, not functionally; and
  • Covering all risk types: compliance, operations, financial, strategic, and mega.

In summary, the LSU ERM process is not intended to replace what already works well across the University.

LSU ERM is intended to strengthen existing efforts by providing:

  • a central risk focus;
  • access to useful information, such as websites and newsletters;
  • simple but effective tools (e.g., risk maps, metrics, self-assessment approaches); and
  • opportunities for leaders and subject matter experts to deliberate on risk, integrity, and compliance issues.

Diagram: Integrated Risk Management

ERM not only employs the Risk Management staff who manage the institution’s traditional risk and insurance policies, but also all University staff who have responsibility for risk within their respective departments and organizations. In order to implement LSU ERM, the Office of Risk Management has adopted the integrated framework below. As can be seen from the three-dimensional diagram above, five types of risk will be assessed at all levels of the University using the ERM eight-step process. The LSU Environment is the level of the University at which an ERM analysis is being performed. The Risk Categories as seen above are broad categories found in the COSO model that apply to the functions of the University. Each risk identified in this analysis will be placed in one of the following risk categories and then assessed. It is important to note that a risk can be placed in more than one category depending on its potential impact on the University or entity.

Compliance Risks are risks created by failing to follow federal, state, or local laws, regulations, or University policy that safeguard LSU or its members from legal exposure to fines, penalties, lawsuits, reduced future funding, imposed compliance settlements, increased regulatory and audit agency scrutiny, injury, or negative publicity (e.g., ethics, business conduct, fraud, contract, labor laws, and regulation).

Operations Risks are risks that may affect ongoing day-to-day management processes (e.g., customer service, supply chain, people, culture, information technology, business continuity, and corporate physical security).

Financial Risks are risks that may result in loss of assets or financial resources (e.g., planning and resource allocation, treasury, financial reporting, tax, investor relations, mergers and acquisitions).

Strategic Risks are risks that may affect an organization’s ability to achieve its goals or objectives. They are often identified by senior management as part of strategic planning and review activities (e.g., business model, vision and direction, brand and marketing, pricing, strategic investments, and market dynamics).

Mega Risks are large-scale external risks, or mega-trends, that can impact human health, a business sector, the environment, or societies. Mega risks are generally too large and too complex to be managed or mitigated by any single entity. No one really ‘owns’ the problem. Mega risks are typically addressed by monitoring their impact on strategic objectives.

In summary, failing to manage any category of risks can damage public image or reputation. Image and reputation can be improved by capturing a potential opportunity.