Frequently Asked Questions

What is Enterprise Risk Management?

Georgetown University uses a process called Enterprise Risk Management, or ERM, to manage key issues facing the University. The key issues are “big picture” items that present major risks or exposures. The key issues may be obvious or subtle.

The ERM process enables Georgetown to address risks in a comprehensive, intentional manner. The ERM process helps Georgetown manage risks that could be strategic and significantly influence Georgetown’s initiatives. Georgetown is not alone in having an ERM process. Other universities use ERM, as do many businesses and nonprofits. Each organization adopting ERM identifies the risks and opportunities unique to its own situation.

Who selects the University’s most significant risks?

Key academic and administrative leaders throughout the University identify major risks, and the Enterprise Risk Management Committee, in consultation with the President, makes the final determination of the University’s most significant risks.

How does the process begin?

For the purposes of ERM, the University is divided into ten functional areas. These include, among others, academic affairs, health & safety, infrastructure, and information technology. Within each functional area, one or more key leaders become risk owners. In the academic affairs area, for example, the risk owners are the Provost and the heads of the Law Center and School of Medicine. In the infrastructure area, the risk owner is the Vice President for Planning & Facilities Management.

What do the risk owners do?

Every fall, the University asks the risk owners about major risks facing their department, campus and the entire University. Based on their own observations and the input of staff, the risk owners describe the main risks they see. They may flag new and emerging risks or suggest that the major risks remain unchanged from the prior year.

What kinds of risk are we talking about?

The University’s ERM risk categories include: IT Systems and Data Security, Condition of Facilities and IT Infrastructure, Clinical Partnerships, Research, Financial Performance & Advancement, Student Life/At Risk Students, Master Planning, Globalization & International Initiatives, Business Model, Emergency Planning & Business Continuity, HR & Talent Management, Compliance, Ethics & Governance, Catholic Jesuit Identity and Athletics.

What happens once risks are identified?

The executive management team, functioning as the ERM Committee, prioritizes the risk inventory. They evaluate the various risks according to three factors: impact, likelihood and velocity.

What does velocity mean?

Velocity is an indication of how quickly the effects of a risk event would be felt.

How does the ERM Committee work?

The Senior Vice President and Chief Operating Officer leads the ERM Committee. The Committee reviews the risk inventory and develops a list of Tier 1 risks that could be strategic and significantly influence University initiatives. The Tier 1 list goes to the President, who sends it, with or without adjustments, to the Executive Committee of the Board of Directors.

What is the role of the Board of Directors?

The list of Tier 1 risks is reviewed by the Executive Committee of the Board of Directors. The Executive Committee assigns responsibility for each Tier 1 risk to a board committee. The Executive Committee might, for example, assign a financial risk to the Board’s Finance and Administration Committee. That committee would oversee how the risk owner, who originally identified the risk, is managing the issue.

The Board’s Audit Committee oversees the whole ERM process. It ensures that management is following the ERM process and that Board Committees are overseeing specific risks.

What happens to Tier 1 risks?

Tier 1 risks receive sustained attention from the risk owners, senior management and the Board of Directors. The University creates a specific plan for managing each Tier 1 risk. Once a Tier 1 risk is adequately mitigated, the ERM Committee will recommend downgrading it.

How long does a Tier 1 risk stay on the list?

There’s no set timeframe. A risk might remain in Tier 1 for a few months or for many years.

What happens to risks that are not Tier 1?

Most items on the initial risk inventory do not become Tier 1 risks. The risk owners continue to manage these items without formal supervision by the Board of Directors. Inclusion of an issue in, or exclusion from, the risk inventory or the Tier 1 list does not reflect on the issue’s importance. It is rather an indication of how the issue stacked up in a comparative process using set criteria and defined timeframes.

Who else is involved in the ERM process?

The University’s ERM process relies on the efforts of staff in Risk Management, Internal Audit, Compliance and Ethics, and General Counsel.