Enterprise Risk Management

Enterprise Risk Management at SUNY

Organizations are subject to a number of risks, including strategic, financial, operational, compliance, and reputational risks. To help ensure goals and objectives are met, organizations must manage these risks. Some organizations manage risk using an informal process, while others have a formalized, structured approach. Enterprise Risk Management (ERM) is a formal and continuous process designed to identify, assess, prioritize, and manage all risks and opportunities for an institution. SUNY has developed a formalized ERM Program and approach to managing risk, codified in SUNY Policy, that identifies, assesses, and then manages risks and opportunities in support of the University's goals and objectives.


Laws and Regulations

There are no laws and regulations in New York State that mandate Enterprise Risk Management, or ERM, as of 2016.

SUNY Policies and Procedures

SUNY Policy, Enterprise Risk Management Program, Doc. No. 7502

Related SUNY Policies and Procedures

SUNY Policy - Internal Control Program, Doc. No. 7500

SUNY Procedure - Internal Control Guidelines, Doc. No. 7501

Defining ERM and Risk Management

Enterprise Risk Management, ERM, is a formal and continuous process that is designed to identify, assess, prioritize, and manage all risks and opportunities for an institution, not just the risks that are insurable. Correctly implemented, ERM can help to ensure that SUNY is meeting its strategic goals and objectives by providing an opportunity to coordinate and focus SUNY’s numerous risk management activities; creating a “risk-aware” culture; providing a formal mechanism for responding to significant events; and enhancing collaboration and communication throughout the system.

Enterprise Risk Management seeks to:

Traditional risk management (loss prevention/insurance), in contrast to ERM, is the identification, assessment, and prioritization of risks that are insurable. ISO 31000 defines risk management as "the effect of uncertainty on objectives, whether positive or negative." Traditional risk management deals with the insurable risks of an institution or corporation, and with the insurance structures an institution needs to set up to have monetary assurance in the event of a risk loss. ERM, in contrast, assesses all risks.

SUNY Guidance

SUNY System Internal Controls Website

SUNY System Administration Internal Control listserv (also serves as contact for the Enterprise Risk Management contacts at the campuses) 

SUNY Blue Enterprise Risk Management Webpage - SUNY ERM information, assessment and control tools, and other resources are released via the internal SUNY Blue Intranet. Contact the Enterprise Risk Management Director for access to this internal SUNY resource.

SUNY Compliance Resources - This website outlines the SUNY structures, resources, and offices that comprise the compliance and risk management structures and resources at SUNY System Administration, as well as external resources and associations, that are available to the SUNY campuses for their compliance and risk efforts.

SUNY Effective Compliance Program - This website includes information on Compliance, the elements of a Compliance Program, the benefits of a program, and information on creating a compliance program at a campus.
