New York University

Enterprise Risk Management

Enterprise Risk Management at NYU

The focus of NYU’s Enterprise Risk Management (ERM) program is to recognize the university’s goals, identify risks to these goals and work toward mitigating and managing these risks while helping the university to grow as an organization.

The ERM program works to identify risks and consequences and their effect on the University community. For these risks, we then work closely with the risk owners to assess the likelihood of the risks, the time frame of the consequences, the impact they may have on the university and the preparedness for the risk. Once these are identified, determining an acceptable, tolerable level of the risk is important in building a mitigation strategy.

Determining Risk Criteria

The risk criteria should be defined by an organization and used to evaluate whether or not something is a risk. The criteria should embody the organization's values and objectives and be aimed at the organization's overall goal. When setting criteria for an organization, some can be easily developed from legal and compliance standards, while other criteria may be based on the type of organization for which your program is developed.

The risk management program should develop from an organization’s mission statement. Here at NYU, we are a leading institution of higher education and set high standards for our University community. Our commitment is to creating an environment that is diverse and inclusive, while educating and leading the way in higher education.

What is Risk?

While risk has a variety of meanings, within the realm of insurance and risk management, risk is an uncertainty about an outcome an organization takes, whether that outcome is positive or negative. All activities in an organization involve risk.
Risks can fall into a variety of categories, including:

  • financial
  • political
  • legal
  • health & safety
  • environmental
  • and many more

Risks are also categorized at many levels of an organization depending upon their impact. These levels may include organization-wide risks, project- or process-specific risks, or strategic risks.

What is Risk Management?

Risk management is a defined set of coordinated activities to direct and control an organization with regard to risk. Risk management can be quickly described in three key steps: identify, analyze and treat. Throughout each step of this process, it is important that risk managers work closely with the risk owners to gather accurate information regarding their risks, to appropriately assess the risk and then ensure that the necessary mitigation is being developed. Identifying risks early on allows the organization to create mitigation strategies and achieve its goals.

  • Enterprise Risk Management (ERM) is a coordinated set of processes that enables risks to be identified, analyzed and prioritized to meet the university’s key objectives
  • Once prioritization is determined, mitigation is developed, implemented and monitored
  • When a risk becomes fully mitigated, the mitigation plan is updated to reflect the ongoing monitoring plan

Principles of Risk Management

Data is gathered from a variety of sources – historical data, experience, observation, etc. – which creates a risk database of the best and most detailed information available.

Perhaps the most important aspect of risk management is that it fosters an environment that promotes improvement and growth. Strategies that develop through risk management will enable an organization to mature and grow stronger.

The process of risk management works to create goals and objectives that result in both achievements and improved performance.

Risk management assists organizations in making informed decisions and prioritizing those which are most vital to the functioning of the organization.

With the constant change of organizations, the knowledge we have of an organization's risks changes as well. Risks can move toward being completely mitigated while, at the same time, new risks may appear.

Human and cultural factors are taken into account in order to facilitate the achievement of the organizational goals.

Risk management must be a part of an organization's everyday activities and a daily responsibility of management.


These contributed to the accuracy and efficiency of risk data and results.

Risk management is tailored to fit an organization's needs and risk profile.

Involvement at all levels in an organization, from stakeholders to risk managers, ensures up-to-date and relevant data that is properly represented from all levels of the organization.

The nature of uncertainty is taken into account in risk management and provides organizations with ways to address it.


