Enterprise Risk Management (ERM)

“Enterprise risk management is a structured, consistent, and continuous process across the whole organization for identifying, assessing, deciding on responses to, and reporting on opportunities and threats that affect the achievement of its objectives” (Institute of Internal Auditors, 2009).

ERM Program Purpose, Goals, & Objectives

The purpose of AU’s ERM program is to enhance the University’s ability to achieve its mission, vision, and strategic objectives and strengthen its competitive position by fostering an institution-wide culture of risk and opportunity awareness and providing a structured, consistent, and continuous process for the early and proactive identification and reporting of material risks and opportunities to senior management and trustees.

In support of this overall purpose, the University has established the following goals and objectives for AU’s ERM program:

  1. Create a culture of risk awareness where all employees understand and consider risk in decision-making:
    1. Ensure that all AU employees are aware of the risks related to their roles and activities and understand their responsibilities for identifying, managing, and reporting on risk and opportunities in a systematic and timely way.
    2. Provide best practice information, education, training, and facilitation resources to the University community.
    3. Build on the University’s current risk management activities and practices.
  2. Reduce operational surprises and losses.
  3. Increase capacity to identify and seize opportunities by facilitating greater transparency and openness regarding risk.
  4. Enhance institutional decision-making by providing senior management and trustees with timely and robust information that improves their understanding of enterprise-level risks and opportunities.
    1. Assess risks in the context of strategic objectives.
    2. Identify inter-relations of risk factors across the institution.
    3. Anticipate and respond to changing social, financial, economic, environmental, and legal/regulatory conditions.
    4. Assist management in safeguarding University assets, including people, financial resources, property, and reputation.
    5. Assist management in optimizing the use of institutional resources by aligning resource allocations with the areas of highest risk and the greatest impact on the institution’s strategy.
  5. Improve the efficiency and effectiveness of institutional risk management efforts.
    1. Provide the University community with a common language, framework, and set of procedures for identifying, assessing, responding to, and reporting on risk posed in new and ongoing endeavors across the organization’s entire range of assets and operations.
    2. Provide enterprise-level coordination of existing institutional functions for identifying, assessing, and reporting on risk.
    3. Integrate risk ownership and management activities at all levels of the institution.
    4. Where possible, use and strengthen existing management processes, reporting and approval channels, and organizational structures.
    5. Establish and maintain an institutional risk register that allows for the tracking and reporting of risk trends and of risk response plans.
    6. Review the effectiveness of risk management practices regularly.

ERM Guiding Principles

American University seeks to establish a risk-aware institutional culture where consideration of both upside and downside risk is integrated into decision-making at all levels of the organization. The purpose of these guiding principles is to support that culture and set expectations for the behavior of University employees and administrators regarding risks and opportunities.

  1. All individuals, regardless of their role at the University, are empowered and expected to report early on to senior management any perceived risks or opportunities and any near misses or failures of existing control measures, without fear of retribution.
  2. Risk management is integral to the management and future direction of the University and is a shared responsibility at all levels of the University.
  3. Ownership and management of risk will be retained within the University function, department, or unit that creates the risk or is best capable of responding to it.
  4. The University’s risk philosophy will guide strategic and operational decisions at all levels.
  5. AU encourages an open and honest discussion of the institution’s environment, strategy, risks, opportunities, and actions taken in pursuit of its objectives.
  6. All credible reports of risks or opportunities are responded to promptly, incomplete reports are investigated with integrity by the responsible University official, and information about risks or opportunities is shared promptly with senior management and other key stakeholders.

Institutional Risk Philosophy

The University takes a broad view of risk as any event—positive or negative—that could affect the University’s competitive position or ability to achieve its mission, vision, and strategic objectives.

The University acknowledges that risk, in one form or another, is present in virtually all its endeavors, and that successful risk-taking will often be necessary to achieve its aims.

We therefore do not seek to eliminate all risk; rather, we seek to be risk-aware but not risk-averse, and to effectively manage the uncertainty inherent in our environment.