Fillable Printable Sample Enterprise Risk Management Work Plan
Fillable Printable Sample Enterprise Risk Management Work Plan
Sample Enterprise Risk Management Work Plan
Internal Environment
Objective Setting
Event Identification
Risk Assessment
Risk Response
Control Activities
Information & Communication
Monitoring
C
O
M
P
L
I
A
N
C
E
R
E
P
O
R
T
I
N
G
O
P
E
R
A
T
I
O
N
S
S
T
R
A
T
E
G
I
C
D
E
P
A
R
T
M
E
N
T
S
C
H
O
O
L
C
A
M
P
U
S
S
Y
S
T
E
M
W
I
D
E
Internal Environment
Objective Setting
Event Identification
Risk Assessment
Risk Response
Control Activities
Information & Communication
Monitoring
C
O
M
P
L
I
A
N
C
E
R
E
P
O
R
T
I
N
G
O
P
E
R
A
T
I
O
N
S
S
T
R
A
T
E
G
I
C
D
E
P
A
R
T
M
E
N
T
S
C
H
O
O
L
C
A
M
P
U
S
S
Y
S
T
E
M
W
I
D
E
Sample Enterprise Risk Management Work Plan
Fiscal Years 20XX and 20YY
Revised June 2009
Page 1 of 5
COSO
Element
Internal Environment / Objectives Setting
Element
Purpose
The internal environment encompasses the management tone of the campus/medical center, and sets the basis for
how risk is viewed and addressed by all employees. It includes the campus/medical center’s risk management
philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.
Within the context of the campus/medical center’s mission, management establishes strategic objectives, selects
strategy, and sets aligned objectives cascading through the enterprise. The enterprise risk management framework
is geared to achieving objectives, in four categories:
• Strategic – high-level goals, aligned with and supporting our mission
• Operations – effective and efficient use of our resources
• Reporting – reliability of reporting
• Compliance – compliance with applicable laws and regulations.
ERM
Initiative
Goals
•
Develop a campus/medical center risk management philosophy, and a culture that promotes compliance with
top management’s risk appetite, allowing managers to manage risks within their spheres of responsibility
consistent with established risk tolerances.
•
Develop a campus/medical center environment in which risk assessment and risk management (mitigation) is
integrated into all business practices and decision-making activities.
Internal Environment / Objectives Setting
Objectives Focus Areas Project Description Deliverables Lead Timetable Maturity
Level
*
ERM Steering
Committee or
work group
Steering Committee will
oversee efforts to identify,
assess, measure, respond,
monitor, and report risks.
Formalization of ERM
Steering Committee and
Charter
Articulate
philosophy
regarding risk
management,
risk appetite,
and risk
tolerances
Policy Develop a comprehensive
risk management policy,
governance structure and
procedures to assess
campuswide risks, develop
action plans to mitigate the
identified risks, and
monitor the risks identified
on an ongoing basis.
Policy on Managing
Risks
Sample Enterprise Risk Management Work Plan
Fiscal Years 20XX and 20YY
Revised June 2009
Page 2 of 5
COSO
Element
Event Identification / Risk Assessment
Element
Purpose
Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed.
Risks are assessed on an inherent and a residual basis.
ERM
Initiative
Goals
•
Provide a portfolio view of risks (financial, environmental, research non-compliance, workplace disagreements
and injuries, claims and lawsuits, and new and emerging risks) across the entire campus.
•
Assist the campus/medical center and individual units identify and assess risks, develop action plans to mitigate
the identified risks, and monitor the risks identified on an ongoing basis to ensure management’s risk
responses are carried out effectively.
Event Identification / Risk Assessment
Objectives Focus Areas Project Description Deliverables Lead Timetable Maturity
Level
*
Identify risks
across campus
Risk Survey Survey leaders to identify
risks across campus –
financial, environmental,
research, workplace,
claims and lawsuits, and
new and emerging risks
•
Meeting with key
stakeholders
•
Listing of
campuswide risks,
prioritized based on
likelihood of
occurrence and
impact to campus
Questions and check lists
for departments to
examine processes and
procedures for efficiency
and effectiveness. These
tools can be used to
monitor selected risks
controls across
campus/medical center.
Online checklists
•
Separation of duties
•
Cash handling
•
Others as identified
Enable the
various units on
campus/medical
center perform
their own risk
and control
assessments
On-line Risk and
Controls Self-
Assessment
Tools
Develop an analysis tool
assisting departments in
assessing risk for an event
or activity at the start of
the contracting process.
Analysis tool identifying
strategic, operating,
reporting, and compliance
risks
ERM
Assessments
completed prior
to approval of
new ventures
Tool – ERM
Assessment
Multidisciplinary group
and owners complete ERM
Assessment exercise.
Report is completed and
strategy developed.
ERM Goals and
Objectives
aligned with
Strategic Plan
ERM Strategic
Goal Programs
Survey completed based
on Goals and
Objectives/key
departments.
Report to Chancellor on
risk that could impact
strategic plan.
Risks are
analyzed
Risk Mapping Risk Map completed at
department or campus
level.
Report completed on Risk
Mapping evaluation.
Sample Enterprise Risk Management Work Plan
Fiscal Years 20XX and 20YY
Revised June 2009
Page 3 of 5
COSO
Element
Risk Response/Control Activities
Element
Purpose
Policies and procedures are established and implemented to help ensure the risk responses (avoiding, accepting,
reducing, or sharing risk) align with management’s risk tolerances and risk appetite, and are effectively carried out.
ERM
Initiative
Goals
Assist the campus/medical center and individual units in identifying and assessing risks, develop action plans to
mitigate the identified risks, and monitor the risks identified on an ongoing basis to ensure management’s risk
responses are carried out effectively.
Risk Response/Control Activities
Objectives Focus Areas Project Description Deliverables Lead Timetable Maturity
Level
*
Assist the
campus with risk
response and
control activities
that cross
multiple
operating and/or
control units
ERM Process
Reviews
Assist in developing
action plans to mitigate
identified risks using the
ERM process
•
Controlled Substances
Program
•
Recommendations for
improving the process
for Reasonable
Accommodations
•
Report on investigations
Determine the
current level of
ERM activities
on campus
ERM Activities Survey current ERM
activities and
communicate results to
VC-Administration
Survey on Enterprise Risk
Management
Identify where
key risk and
performance
indicator data are
located on
campus/medical
centers
Develop
indicators
Identify location of data
for monitoring key risk
and performance
indicators.
Data location listing
completed
Determine root
cause of risk and
develop risk
mitigation plan
Retrospective
Reviews
Risk Management brings
risk owners together pos
settlement for review.
Retrospective reviews on all
losses >$50,000.
Preplanning for
Mission
interruption is
ongoing and
sustainable
UC Ready Business/Mission
continuity plans are
developed at department
level.
Increase in number of plans
completed.
Performance
Management is
ongoing and
sustainable.
Balance Score
Card
Vision, strategy,
objectives and goals are
set and measured.
Balance Score Card program
is implemented.
Sample Enterprise Risk Management Work Plan
Fiscal Years 20XX and 20YY
Revised June 2009
Page 4 of 5
COSO
Element
Information and Communication
Element
Purpose
Relevant information is identified, captured, and communicated in a form and timeframe that enable people to
carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and
up the entity.
ERM
Initiative
Goals
Establish and maintain a campus communications structure/support network to support the University’s risk
management philosophy.
Information and Communication
Objectives Focus Areas Project Description Deliverables Lead Timetable Maturity
Level
*
Act as a campus
resource for
information on
risk and control
topics, links and
best practices
Web Site The Controls,
Accountability and Risk
Management Office web
site will be enhanced to
provide useful information
and links
Enhanced web site
Push out to the
campus, risk
and control
issues
Newsletter In partnership with Audit
and Advisory services, the
staff will produce a
newsletter called “Risky
Business.”
Semi-annual newsletter
Facilitate
greater
understanding
of ERM
Training
LMS
Local training on applying
the ERM model to unit
activities
One-hour informational
sessions
Institutional
knowledge and
training is
continuously
improved.
LMS Content is developed and
training is promoted.
Increase in documented
training.
Sample Enterprise Risk Management Work Plan
Fiscal Years 20XX and 20YY
Revised June 2009
Page 5 of 5
COSO
Element
Monitoring
Element
Purpose
Control activities are monitored, and modifications are made as necessary. Monitoring is accomplished through
ongoing management activities, separate evaluations, or both.
ERM
Initiative
Goals
•
Develop measures for monitoring key risks and communicate findings to responsible executives.
•
Assist the campus and individual units identify and assess risks, develop action plans to mitigate the identified
risks, and monitor the risks identified on an ongoing basis.
Monitoring
Objectives Focus Areas Project Description Deliverables Lead Timetable Maturity
Level
*
Answer the
question, “Are
our controls
adequately
mitigating
risks so that
the campus
can achieve its
goals?”
Metrics
Development
Develop key risk indicators
and key performance
indicators. The project will
include developing a means
of communicating the
indicators to decision
makers. The project would
build on the work done at
the campus/medical
centers.
•
Simple dashboard
for annually
monitoring the key
risk and
performance
indicators
•
On-line dashboard
for communicating
selected monthly
key risk and
performance
indicators
