Risk is uncertainty that might result in a negative outcome or an opportunity. ERM is a disciplined process to identify, assess, respond to and report on key risks/opportunities – with the objective of advancing the organizational mission.
Enterprise Risk Management at Yale is a continuous cycle, revolving around a risk-aware culture and sound risk management governance. Every Yale faculty member, staff member and student is a steward of the University and has the responsibility to identify and manage the risks associated with his/her activities. Risk owners are responsible for identifying and assessing risks in their areas and for deciding whether to accept, avoid, transfer or mitigate each identified risk. The risk controls/mitigation step involves defining how the chosen risk response is to be accomplished. Monitoring and reporting allow the effectiveness of the response plan to be tracked; appropriate metrics may range from highly quantitative measures to qualitative judgments to the achievement of milestones. The Office of ERM is happy to work with risk owners to help design an appropriate set of metrics. Assurance involves an independent challenge of the ERM output, including the comprehensiveness of the risk identification, the adequacy and effectiveness of controls, and the reporting. While internal and external audit typically provide assurance, at Yale other units (e.g., compliance, EHS, risk) may play an assurance role as well.