Enterprise Risk Management Framework

Risk is uncertainty that might result in a negative outcome or an opportunity. ERM is a disciplined process to identify, assess, respond to and report on key risks/opportunities, with the objective of advancing the organizational mission.

Risk Management Framework

Enterprise Risk Management at Yale is a continuous cycle, revolving around a risk-aware culture and sound risk management governance. Every Yale faculty member, staff member and student is a steward of the University and has the responsibility to identify and manage the risks associated with his/her activities.

Risk owners are responsible for identifying and assessing the risks in their areas and for deciding whether to accept, avoid, transfer or mitigate each identified risk. The risk controls/mitigation step involves defining how the chosen risk response is to be accomplished. Monitoring and reporting allow the effectiveness of the response plan to be tracked; appropriate metrics may range from highly quantitative measures to qualitative judgments to the achievement of milestones. The Office of ERM is happy to work with risk owners to help design an appropriate set of metrics.

Assurance involves the independent challenge of the ERM output, including the comprehensiveness of the risk identification, the adequacy and effectiveness of controls, and reporting. While internal and external audit typically provide assurance, at Yale other units (e.g., compliance, EHS, risk) may play an assurance role as well.

Risk Assessment Criteria

Yale uses the following attributes to evaluate risks.


  • High: many threat sources; mitigation strategies ineffective
  • Medium: many threat sources; existing strategies mitigate risk
  • Low: minimal threat sources; mitigation strategies prevent occurrence


Response Costs

  • High: costly loss of major assets, significant use of unbudgeted resources
  • Medium: significant damage to assets, use of both budgeted and unbudgeted resources
  • Low: response can be accomplished within budgets


  • High: sweeping changes affecting multiple departments
  • Medium: minor changes affecting multiple departments, or significant changes in a single department
  • Low: minor changes in few or a single department


  • High: significant negative organized external reaction, event noted on a national scale
  • Medium: significant external reaction but not organized
  • Low: only a small constituency or interest group takes note

Faculty/Staff/Student Experience

  • High: strategic goals halted, may result in serious injury or death
  • Medium: strategic goals impeded, may result in injury
  • Low: strategic goals delayed, faculty/staff/students inconvenienced


  • High: lawsuit/claim/investigation probable, significant chance of liability/fines
  • Medium: lawsuit/claim/investigation possible, moderate chance of liability/fines
  • Low: lawsuit/claim/investigation possible, unlikely to result in liability/fines


  • Sudden: develops immediately or within a few days/weeks
  • Approaching: from several weeks up to 3 to 9 months until occurrence
  • Slow Onset: greater than 9 months until occurrence


  • Long: more than 1 year
  • Moderate: 6 to 12 months
  • Short: less than 6 months

The risk assessment criteria are also applicable to a unit-specific risk assessment program; the Office of ERM would be glad to assist you.

For each of its highlighted risk/opportunity areas, Yale has risk owners, risk process owners, and programs or new initiatives to address the issues. Monitoring, reporting and management oversight of these key issues are ongoing. The Audit Committee of the Yale Corporation annually reviews the ERM program, and oversight of the key risk issues is undertaken by management and, in some cases, the cognizant Corporation Committee.