System Risk Management will request a yearly submission of each member's risk matrix by the end of November of each year.
The risk matrix submitted should show only those risks that have been classified as having both high or medium impact and high or medium likelihood.
Although System Risk Management asks to see only those risks that are categorized as outlined above, System members need to be cognizant of lower-ranking risks and their mitigation, and should periodically check that those risks are still ranked appropriately.
System Risk Management is providing a common language and set of standards to identify, evaluate, prioritize, and manage ongoing risks inherent at your institutions. The elements below should be applied across the enterprise in accordance with the strategic plan, but can also be used as a tool to address departmental or functional unit level risk.
Identify and Prioritize Risk – Identify and prioritize risk associated with the achievement of strategic plan goals and/or other key continuing operational programs.
Determine Level of Acceptable Risk – Management determines the level of risk acceptable to the organization, including the acceptance of risks designed to accomplish the organization’s objectives.
Develop Mitigation Activities – Develop and implement mitigation activities to reduce or otherwise manage risk at levels determined to be acceptable to management.
Conduct Ongoing Monitoring – Conduct monitoring activities to periodically reassess risk and the effectiveness of controls to manage risk.
Report Periodically on ERM Process – Report and communicate quarterly on the application of the Enterprise Risk Management tools in the management of risk. Risk deficiencies should be reported upstream, with serious matters reported to top management.