Annual Internal Risk Audit: A detailed assessment of risk conducted by an internal auditor or risk manager employing audit standards and using a formalized approach to select categories of risk for inclusion in the annual audit plan.
- Every year for a high-risk enterprise
- Every other year for an above-average risk enterprise
- Every four years for a moderate-risk enterprise
- Every six years for a low-risk enterprise
Cost-of-Risk: The financial impact to an organization from undertaking activities with an uncertain outcome, including such factors as the cost of managing those risks, cost of transferring potential liabilities, cost of sustaining uninsured or uninsurable losses, and cost of loss of use. Common determinants of Cost-of-Risk and impacts to Risk Ratings are:
- Frequency of occurrence
- Severity of potential loss
- Cost to mitigate
- Degree of uncertainty
- Financial value at risk
- Benefit potentially lost
Enterprise Risk Management (ERM): An integrated approach to assessing, analyzing and managing all risks that threaten profitability and survivability of an enterprise. The purpose of ERM is to understand, prioritize, and develop action plans to maximize benefits and mitigate risks of greatest concern. The ERM framework enables management to work collaboratively to identify, assess, and manage existing and future risks that are integrated across the enterprise in various ways, also known as business, holistic, strategic, or integrated risk management. ERM:
- Is central to an enterprise’s strategic planning and management
- Is focused on identifying and treating risks of all types
- Adds maximum sustainable value to all activities
- Increases probability of success and minimizes probability of failure
- Is continuous; integrated with plan implementation
- Is integrated with organizational culture and led by senior management
- Assigns responsibility of risk control throughout the enterprise at each position
- Risk Identification – Identify risk factors
- Risk Analysis – Analyze risk impact
- Assessment – Measure the risk levels associated with risk factors
- Quantification – Turn qualitative risk data into quantitative data
- Interpretation – Interpret the quantitative data
- Report – Compile the data and recommend action
- Risk Response – Establish an action plan; Assign those responsible to respond to risk and establish deadlines
- Risk Control – Implement a solution to reduce or transfer risk
- Risk Monitoring – Observe implemented risk controls and report the results
Impact: Effect or result of an activity or event. Impact can be positive or negative relative to the objectives of the enterprise, and there can be a range of possible impacts associated with any single activity or event.
Internal Environment: Encompasses the culture of an enterprise and sets the basis for how risks are viewed and managed, including risk management philosophy, risk appetite, acceptance of risk controls, and the overall environment in which the enterprise operates.
- Financial: Exposure to uncertainty regarding the management and control of the availability and cost of commodities and credit.
- Hazard: Exposure to loss arising from bodily injury, damage to property or from tortious acts; typically includes the perils covered by insurance.
- Operational: Exposure to uncertainty related to day-to-day business activities.
- Strategic: Exposure to uncertainty related to long-term policy directions of the enterprise—the “big picture” risks.
Risk Evaluation: Reviewing the results of a risk analysis, determining the significance of the risk exposures, and deciding whether to accept and manage them, transfer them by means such as insurance, a combination of the two, or eliminate the risks altogether.
Risk Financing: The mechanisms for funding risk mitigation strategies and/or funding the financial consequences of risk; i.e., insurance or the financial consequences of uninsured or uninsurable risks.
Risk Identification: The qualitative determination of significant risks factors that can potentially impact an enterprise’s achievement of its financial and/or strategic objectives. This is often done through in-depth structured review of the internal practices used in industry specific companies combined with interviews of key industry personnel, consultants and experts.
Risk Level: One of three risk levels: high, moderate, or low risk. Indicates the likelihood that an individual activity, condition or event will negatively impact the financial objectives of an enterprise. A rating of “high risk” reflects the criticality of instituting risk controls to mitigate the potential negative impact.
Risk Mapping: The visual representation of risks which have been identified through a risk assessment exercise in a way that easily allows priority ranking of them. This representation often takes the form of a two-dimensional grid with probability on one axis and impact on the other axis. The risks that fall in the high probability/high impact quadrant are given priority risk management attention.
Sarbanes-Oxley Act: The Sarbanes-Oxley Act of 2002, commonly referred to as “SOX” or “SarBox,” is an amendment to the Federal Securities Exchange Act of 1934. It is intended to prevent auditors from providing specific non-audit services, including actuarial services, to their SEC-regulated audit clients. There are five major components of the amendment that are of specific interest for higher education. They include sections on 1) transparency of financial reports, 2) corporate disclosure, 3) board independence, 4) accountability, and 5) development of ethical operating standards. Although the Act includes requirements that apply to publicly held companies only, some the components are essential good practices for all companies.