

Enterprise Risk Management, or ERM, is the methodology and processes used by organizations to manage risk and seize opportunities related to the achievement of their objectives. 

Some of the commonly used risk management terminology at DePaul includes:

Risk: The potential for loss, harm, or missed opportunities in relation to achievement of an organization's mission and strategic objectives.

Enterprise Risk: A risk that has broad or far-reaching implications for an organization as a whole and includes risk to its programs, operations, strategy, and reputation.

Risk Management: Focuses on managing risk in a limited area (e.g., office, division, bureau, business unit, program, etc.) or managing a specific type or category of risk (e.g., cyber, legal, financial, etc.).

Enterprise Risk Management: Focuses on managing the full spectrum of an organization's risks, including threats and opportunities, and integrates them into an enterprise-wide, strategically aligned portfolio view to support decision-making and organizational mission fulfillment. ERM brings to the forefront the most critical risks to mission fulfillment across various parts of an organization.

Enterprise Risk Management Lifecycle: The process of identifying, assessing, prioritizing, responding, and monitoring risks and opportunities related to the achievement of strategic goals and objectives.

Enterprise Risk Assessment: The processes used by organizations to identify, assess, and prioritize risks and opportunities related to the achievement of their strategic goals and objectives. The Enterprise Risk Assessment informs risk response and monitoring, which are key steps in the ERM Lifecycle.

Risk Register: A repository for all risks identified. This repository typically includes information about each risk, including its causes and consequences, risk owner and sponsors, and any risk response plans in place. A risk register can also be referred to as a "risk taxonomy" or "risk inventory."

Risk Profile: A prioritized inventory of the most significant risks identified and assessed through the enterprise risk assessment process. A risk profile differs from a risk register in that it is not a complete inventory of risks, but rather a snapshot of an organization's most critical risks.

Risk Owner: Individual designated as the subject matter expert related to a particular risk and accountable for effective management of the risk. They may also be responsible for developing and implementing a response and monitoring plan for a given risk.

Executive Risk Sponsor: Individual at the Executive level responsible for providing oversight and support for the Risk Owner's response plan implementation.

Enterprise Risk Committee: The ERC is composed of executive-level university leaders and convenes to provide oversight, guidance, and coordination of university-wide efforts aimed at identifying and responding to DePaul's Enterprise Risks. The ERC is chaired by the AVP of Risk Management.

DePaul staff and faculty are responsible for escalating risks observed that may have a potentially significant impact to the university. In determining whether risks should be escalated to the Office of Enterprise Risk Management, personnel should consider the following factors: 

  • The risk occurrence may inhibit DePaul's ability to meet a strategic goal or objective
  • Multiple departments may be affected by the risk
  • The risk occurrence may have a significant impact
  • The likelihood of the risk occurrence is high

If most of the risk factors are confirmed, then the risk must be escalated to the Office of Enterprise Risk Management. If not, the risk should be discussed with department leadership and managed at the department or office level.