Enterprise Risk Management

Enterprise Risk Management (ERM) is the System’s comprehensive program to identify and proactively manage real and potential threats as well as opportunities that may affect System members.


The Texas A&M University System will use the ERM to assess and define actions to be taken by System members to identify, monitor, and mitigate risks that threaten the achievement of strategic plan goals and/or continuing operational programs.

ERM Integration and Compliance

In May 2012 the Board of Regents put System Policy 16.01 into effect; this policy outlines the framework for all System members to create a System Ethics and Compliance program. The ethics and compliance program is meant to assess and ensure compliance by the officers and employees of the System or a member with applicable laws, rules, regulations, and policies. Also approved in May 2012, System Regulation 16.01.01, System Ethics and Compliance, states that each System member is required to set up an infrastructure (a committee) to systematically identify and address risks so that faculty and staff are aware of their ethical and compliance responsibilities.

Your member institution’s ERM committee will be identifying and mitigating many of the same opportunities and risks as the compliance program. It is System Risk Management’s goal to ensure that duplicate efforts are not being carried out and that there is a partnership between these two committees. Working together will assist both committees with the identification of different risks, strategizing the best mitigation efforts, and promoting a culture of risk management as well as achieving high levels of ethics and compliance. Working together and sharing resources will maximize the effectiveness of both committees.


Policy 24-01

System Policy 16.01

System Regulation 16.01.01

Links and Tools

These tools will enable you to visualize, assess and manage risks that may adversely impact the attainment of key organizational objectives.

ERM Process:

ERM Example:


Standards and Best Practices

System Risk Management is providing a common language and set of standards to identify, evaluate, prioritize, and manage ongoing risks inherent at your institutions. The elements below should be applied across the enterprise in accordance with the strategic plan, but can also be used as a tool to address departmental or functional unit level risk.


Identify and Prioritize Risk – Identify and prioritize risk associated with the achievement of strategic plan goals and/or other key continuing operational programs.

Determine Level of Acceptable Risk – Management determines the level of risk acceptable to the organization, including the acceptance of risks designed to accomplish the organization’s objectives.

Develop Mitigation Activities – Develop and implement mitigation activities to reduce or otherwise manage risk at levels determined to be acceptable to management.

Conduct Ongoing Monitoring – Conduct monitoring activities to periodically reassess risk and the effectiveness of controls to manage risk.

Report Periodically on ERM Process – Report and communicate quarterly on the application of the Enterprise Risk Management tools in the management of risk. Risk deficiencies should be reported upstream, with serious matters reported to top management.