Enterprise Risk Management Definitions & Common Terms


Adaptability: A factor considered when prioritizing risks, adaptability is the capacity of the University to adjust or respond to a particular risk event. 

Asset: A resource with economic value owned or controlled by the University or another stakeholder with the expectation that it will provide a future benefit. 


Complexity: A factor considered when prioritizing risks, complexity is the scope and nature of a risk to the University’s success. For example, changing demographics in terms of the number of new college applicants is a complex risk to the University’s achievement of its enrollment objectives. The risk is broad in scope and affects many parts of the University system.    

Continuous Risk Cycle: An approach to enterprise risk management of an ongoing structured process for identification, prioritization, mitigation, management, and monitoring of risks and analysis of opportunities. 

Control: A process effected by our Board, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to identified risks. Actions or activities that minimize the frequency or severity of conditions or events that threaten the objectives of the institution (see also mitigation activities). 

Consequence: The effect upon the institution when a risk becomes a reality. The institution has no ability to directly manage a consequence but can manage the cause-based events that lead to the consequence. 

COSO: The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is an organization that develops widely adopted guidelines for businesses to evaluate internal controls, risk management, and fraud deterrence. COSO is made up of the following professional associations: American Institute of Certified Public Accountants, Financial Executives International, American Accounting Association, Institute of Internal Auditors, and Institute of Management Accountants. 

Cost of Risk: The financial impact on the institution from undertaking activities with uncertain outcomes. The cost of managing risks and incurring losses. 

Credible Challenge: The method used by oversight groups to hold management accountable by being actively engaged, asking thoughtful questions that elicit necessary facts, and exercising independent judgement.


Emerging Risk: A new or unforeseen risk that the University has not yet contemplated. The potential harm, loss, or opportunity is not fully known.

Enterprise Risk Management (ERM): An integrated approach to assessing and addressing all risks that threaten the achievement of the organization's strategic objectives. The purpose of ERM is to understand, prioritize, and develop action plans to maximize benefits and mitigate top risks. The ERM framework enables management, working without silos, to collaboratively identify, assess, and manage future risks and opportunities individually and across the organization. Also known as holistic, strategic, or integrated risk management. ERM:

  • is central to an organization's strategic management
  • is focused on identifying and treating risks
  • adds maximum sustainable value to all activities
  • increases probability of success and minimizes probability of failure
  • is continuous; integrated with strategic planning and plan implementation
  • integrated with organizational culture and led by senior management
  • assigns responsibility throughout the organization; in each job description

Enterprise-Wide Risk Assessment: Evaluation of primary risks based on impact, likelihood, and control effectiveness that uses input from Risk Owners from across the institution. 

Event: An incident or occurrence, from sources internal or external to the institution, that affects the achievement of objectives.


Framework: A real or conceptual structure that serves as a support or guide for building something more complete and useful, such as the University's risk management program.


Impact and Likelihood: Result or effect of a risk and the possibility that it will occur. There may be a range of possible impacts associated with an event. The impact can affect financials, mission & operations, safety & wellbeing, regulatory & legal, or reputation. We use a scale of 1 to 5.

Inherent Risk: The risk to an entity in the absence of any actions the institution might take to alter either the risk’s likelihood or impact.

Internal Environment: Encompasses the tone of the institution and sets the basis for how risk is viewed and addressed. This includes risk management philosophy and risk appetite, integrity and ethical values, and the environment in which the organization operates.


Key Risk: A risk recognized by management as having the potential to significantly impact the University’s achievement of its objectives.


Mitigating Activities: The controls, tools, or other mechanisms employed to manage each risk, taking into account people, processes, technologies, and governance.

Mitigation Plan: A documented plan to prepare for and lessen the effects of risks to the University’s achievement of its objectives. The plan will include current and planned controls/risk reduction efforts. 

Metrics: Measures of the effectiveness and/or success of risk mitigation strategies.

Monitoring Activities: The activities currently in place to evaluate the effectiveness of mitigation measures for each key risk.


NACUBO: National Association of College and University Business Officers.


Opportunity: The possibility that an event will occur and positively affect the achievement of objectives.


Persistence: A factor considered when prioritizing risks, persistence is the amount of time a risk event impacts the University. For example, if a high-profile scandal occurred, the negative news coverage and impact on the University’s reputation could continue for some time.

Process: A set of linked tasks that are controlled by a common set of policies and procedures and generate a common set of risks.


Recovery: A factor considered when prioritizing risks, recovery is the capacity of the University to return to a functioning state. This excludes the time aspect as considered in “Persistence”. For example, could the University continue to function after a natural disaster?

Residual Risk: The remaining risk after management has taken action to alter the risk’s likelihood or impact.

Risk: COSO defines risk as “the possibility that events will occur and affect the achievement of strategy and business objectives.” Simply stated, risk is uncertainty. Risk is anything that may impact the University’s ability to accomplish its mission, goals, and objectives, either positively or negatively. The severity of a risk is measured by its impact and likelihood. 

Risk Acceptance: The decision to accept the consequences, impact, and likelihood of a risk. No action is taken to affect risk likelihood or impact.

Risk Analysis: Identifying, describing, and estimating risks, and developing a risk profile.

Risk Appetite: The level of risk that the University is willing to accept in pursuit of its objectives. University risk appetite is defined by the University using Risk Appetite Statements. These statements help the University make risk-informed decisions about the allocation of resources and controls and about the impact on other parts of the institution. 

Risk Assessment: The consideration of the extent to which potential events have an impact on the achievement of objectives. The assessment is done from two perspectives: impact and likelihood. It includes positive and negative impacts and potential events. 

Risk Driver: The cause of underlying uncertainty that influences whether or not key objectives will be achieved. These are the root causes or sources of risk. Examples include market conditions, technical issues, regulatory changes, and climate change. 

Risk Level: The risk level can be incidental, minor, moderate, major, or extreme. Each enterprise risk has a risk level based on the impact, likelihood, and velocity ranking of the risk. The risk level provides the basis for prioritization and action.

Risk Management: Risk management is the principles, framework, and processes for managing risk effectively. Risk management involves identifying and understanding risks and using appropriate strategies to respond to them.

Risk Owner: The University leader who is ultimately responsible for ensuring a specific risk is managed appropriately. There may be multiple personnel who have direct responsibility for, or oversight of, activities to manage each identified risk, and who collaborate with the accountable risk owner in his/her risk management efforts. 

Risk Portfolio: A list of risks identified and evaluated by the institution (also called a Risk Register) that represents our risk environment at a certain time. The risk portfolio is used by senior leaders in strategic decision making and in allocating resources. 

Risk Response: Leadership’s action in response to an identified risk. There are different approaches including:

  • Avoidance – do not participate in the conditions that allow the risk to exist.
  • Reduction/Mitigation – minimize the likelihood that the risk will occur and/or the impact if it does.
  • Transfer – share or transfer the risk with another entity, typically through insurance contracts.
  • Acceptance – acknowledge the existence of the risk but take no action.

Risk Sharing: Reducing risk likelihood or impact by transferring or otherwise sharing a portion of the risk, often through insurance arrangements. 

Risk Tolerance: When compared to Risk Appetite, Risk Tolerance is more granular. According to COSO, Risk Tolerance reflects the acceptable variation in outcomes related to specific performance measures linked to objectives the entity seeks to achieve. 


Silo: Describes divisions, departments or other groups and individuals in the institution that tend to act in isolation.

Sub-Risk: A specific risk within an enterprise risk area. Sub-risks are generally concerns, issues and obstacles to achieving the objectives of a certain operating unit.


Traditional Risk Management: Original form of risk management focusing on insurable losses and/or specific functional areas of an organization.


URMIA: University Risk Management and Insurance Association.


Velocity: Risk velocity measures how fast an exposure can impact the University. It is the time that passes between the occurrence of an event and the point at which the University first feels its effects.