Stanford
Office of the Chief Risk Officer

ERM FAQs

1.  What is risk?

The possibility that an event will occur and adversely affect the achievement of an organization’s objectives.  

2.  What kinds of risk does the University manage?

The University manages a variety of risks, such as regulatory, compliance, environmental, strategic, healthcare, student-related, research-related, campus-related, financial, operating and reputational risks. 

3.  What is Enterprise Risk Management (ERM)?

Enterprise Risk Management is a continuous business process, led by senior leadership, that extends the concepts of risk management, and includes identifying, assessing, mitigating and monitoring risks to the organization.

What ERM Is and Is Not

4.  Why is ERM relevant in the higher education environment?

ERM is relevant in the higher education environment to help ensure that:

  • The organization can fulfill its mission and vision of supporting teaching, research, patient care and public service, while protecting the institution’s resources.

  • The University can continue to serve meaningfully and effectively its students, faculty, staff, patients/human subjects, donors and the public. 

5.  What are the key phases in Stanford’s ERM process?

The key phases in Stanford’s ERM process are:

  • Identification

  • Assessment

  • Mitigation/Management

  • Monitoring and Communication

6.  Who has oversight of ERM at Stanford?

The Board, the Audit, Compliance and Risk Committee and other committees of the Board, the Cabinet, and the Compliance, Ethics and ERM (CEE) Steering Committee provide oversight of ERM at Stanford.  

7.  Who owns enterprise risks at Stanford?

Each enterprise risk is owned by a member of senior leadership (“risk owners”) in various functional areas across Stanford. These risk owners and their staff periodically report on risks, including their management and monitoring efforts, to the Cabinet, the Board, or the various committees of the Board, to ensure informed strategic thinking and effective decision-making at the highest levels. 

8.  Who is responsible for coordinating the ERM program at Stanford?

The ERM Office within the Office of the Chief Risk Officer is responsible for coordinating the overall ERM program at Stanford. 

9.  What is an Enterprise Risk Assessment (ERA)?

An ERA is a systematic process for evaluating events (i.e., possible risks) that could affect the achievement of objectives.  

Each sub-risk is assessed to determine the likelihood of it occurring and the impact should it occur.  The assessment is performed with the goal of assisting the organization with better prioritizing the management of identified risks.

10.  What is likelihood?

Likelihood represents the probability that a given event will occur. Likelihood can be expressed using:

  • Qualitative terms such as Extreme, High, Medium, Low or Negligible, 

  • As a percent probability, or

  • As a frequency.

11.  What is impact?

Impact (or consequence) refers to the extent to which a risk event might affect the enterprise, should it occur. Impact assessment criteria may include regulatory, health, safety, security, human (students, employees, patients, faculty, etc.), environmental, operational, financial or reputational effects.  

PDF of ERM FAQs:  ERM FAQs