Enterprise Risk Management Program Charter

The university Office of Enterprise Risk Management maintains an ERM Program to support the fulfillment of the university's mission, vision, and strategic objectives. 

The ERM Program seeks to spread the knowledge of risk management principles and practices across DePaul in order to promote a risk aware culture. The ERM Program does so through:

  • defining ERM strategy and objectives;
  • incorporating risk into university strategy;
  • maintaining strong ERM governance and oversight structures;
  • establishing risk appetite and tolerance thresholds;
  • deploying strategic communications and training;
  • conducting enterprise risk assessments;
  • developing risk response plans;
  • monitoring enterprise risks;
  • collecting, analyzing, and reporting on risk data; and
  • elevating risk insights and intelligence to university leadership.

The Office of Enterprise Risk Management is overseen by the Associate Vice President (AVP) of Risk Management, who is responsible for the program's operations and excellence. The AVP of Risk Management is responsible for communicating risk information to the Board of Trustees (BoT) and senior leadership, including the President and Executive Vice President (EVP).

To further coordinate risk management activities across the university and manage enterprise risks, the Office of Enterprise Risk Management leads and manages the Executive Risk Committee (ERC). The ERC is comprised of executive-level university leaders and convenes to provide oversight, guidance, and coordination of university-wide efforts aimed at identifying and responding to risks that may impact DePaul's mission and operations in either an adverse or a positive manner. The ERC is chaired by the AVP of Risk Management.

The Office of Enterprise Risk Management also leads and manages a Risk Workgroup to aid in the development and management of risk response plans and other risk management initiatives that require specific subject-matter and departmental expertise. The Risk Workgroup is chaired by the Enterprise Risk Management Manager.

The AVP of Risk Management reports to the Executive Vice President (EVP) as well as the Board of Trustees Finance Committee. The EVP is responsible for:

  • Reviewing and approving the ERM program charter every three years
  • Reviewing the financial and human capital needs of the Enterprise Risk Management program with the AVP of Risk Management and allocating resources accordingly
  • Supporting Enterprise Risk Management Program efforts by adhering to and promoting a culture of risk awareness and intelligence

The AVP of Risk Management, who adopts the roles and responsibilities of the CRO, CAE, and CCO, leads the Office of Enterprise Risk Management and oversees the office's execution of the responsibilities listed in the Accountability, Responsibility, and Services section below.

The Office of Enterprise Risk Management is designed to detect, prevent, and respond to enterprise-level risks and represents the university's commitment to ensuring that all DePaul faculty and staff members have the tools to manage the university's risks effectively and proactively. The following elements define the services, responsibilities, and accountabilities of the office:

Governance:

  • Establish an ERM governance model and organizational structure, including defining, documenting, and articulating ERM authorities, roles, and responsibilities.
  • Maintain and update the ERM Program Charter.
  • Oversee and lead the Executive Risk Committee (ERC) (Chaired by the AVP of Risk Management); update the ERC charter and manage membership as needed.
  • Oversee and lead the ERM Workgroup (Chaired by the ERM Manager); update the ERM Workgroup membership as needed.
  • Define the university's enterprise risk appetite to establish consistent, risk-based strategic and routine operational decision-making.
  • Develop, maintain, and provide periodic reports to stakeholders, including the Finance Committee of the Board of Trustees, EVP, ERC, Vice Presidents, Deans, Provost, and President.

Policies and Procedures:

  • Formalize ERM policies and procedures, including the framework for conducting enterprise risk assessments.
  • Advise, guide, and review, as appropriate, policies and procedures established by individual departments, proactively incorporating risk considerations.

Communication and Training:

  • Establish lines of communication and risk escalation protocols to encourage DePaul stakeholders to elevate observed risks and issues to the Program.
  • Monitor and track successful completion of ERM-specific training.
  • Develop and implement on-going ERM awareness and training modules to help develop a risk aware institution.

Enterprise Risk Management:

  • Lead the design and performance of the annual risk assessment in collaboration with the Compliance and Internal Audit functions. The ERM Program should:
    • Identify risks, conditions, or events that could prevent DePaul from achieving its strategic goals and objectives or that present opportunities for the university.
    • Assess risks by applying standardized criteria to evaluate the likelihood, impact, and velocity of onset of identified risks.
    • Prioritize risks by placing them into tiers from highest to lowest priority to inform resource allocation for business planning, leadership attention, and risk response.
    • Respond to risks by assigning risk owners (Workgroup Members) to actively manage risks to an acceptable level, and oversee the ERM Workgroup's development of tactical plans with strategies, actions, key risk indicators, and key performance indicators (KRIs and KPIs).
    • Monitor the progress and performance of risk response plans (including KRIs and KPIs) to determine whether risk response plans are being managed as intended.
  • Monitor the ERM profile relative to defined risk appetite and tolerance levels; assess changes to the profile relative to the achievement of university strategic objectives and implement additional response or control strategies as needed.

Data, Reporting, and Technology:

  • Collect and report on risk information, including insights on risk trends, risk response progress, and KRIs/KPIs, to support informed planning and decision-making.
  • Utilize standardized risk reporting packages tailored for specific university audiences that allow for risk and trend monitoring over time.
  • Adopt and/or leverage technology to facilitate risk data aggregation, analysis, and reporting.

Strategy & Culture:

  • Align ERM processes and considerations with the university's business strategy, operating model, and day-to-day business activities (e.g., the budgeting process).
  • Articulate and deploy ongoing communication that emphasizes how ERM can improve business value and performance and assist DePaul in achieving its strategic objectives.
  • Regularly discuss and elevate emerging risks and their potential impact to university leadership.

DePaul's Office of Enterprise Risk Management activities have been informed by commonly referenced ERM frameworks and best practices, including:

  • Committee of Sponsoring Organizations of the Treadway Commission (COSO), "2017 Enterprise Risk Management – Integrated Framework"
  • International Organization for Standardization (ISO) Standard 31000:2018, "Risk Management – Guidelines"