Enterprise Risk Management


Northwestern’s ERM process has been designed with a dual “Top Down” and “Bottom Up” approach. Larger, more global risks which traverse multiple schools and administrative units are identified and managed through the University’s Risk Initiative Steering Committee, and evaluated by the President’s Senior Staff. More detailed or localized risks are identified through meetings with individual Schools, Units, and Departments. After risks are assessed, quantified for impact and likelihood, their overall prioritization and residual risk is established and a mitigation strategy can be set. 

As facilitators of the University’s ERM process, we are here to assist in the assessment, documentation, and administration of the process. However, ownership of the risk decisions, mitigation strategies, and work to change internal controls still resides within the Schools, Units, and areas where the risks are owned and managed.

Definition of "Enterprise Risk Management"

ERM is defined as a comprehensive, organization-wide set of processes and procedures used to document and manage risk. This process takes into account an organization’s strategic goals as well as its operational goals including an understanding of the current internal control environment.

ERM Best Practices

  1. Assess in the context of University-wide strategic objectives and identify inter-relation of risk factors across the University.
  2. Cover all types of risk:  Operational, Strategic, Compliance, Reputational, Financial, Academic, Research.
  3. Promote a program of risk management based on recognized frameworks (ISO, Cobit) and supplemented with design elements used by peer institutions.

Implementing ERM

  1. Use University-wide measures of likelihood and impact in order to produce risk maps.
  2. Enhance risk management through understanding of how well current controls are mitigating risks.
  3. Provide University leadership with accurate, pertinent, and centralized risk and compliance information.

More Information