Enterprise Risk Management

SMU is committed to fostering a risk-aware culture that protects the University’s mission, people, and resources. Our Enterprise Risk Management (ERM) program provides a coordinated, University-wide framework for identifying, evaluating, and managing risks that could affect SMU’s ability to achieve its strategic objectives.

Through collaboration between leadership, faculty, staff, and governance bodies, ERM integrates risk considerations into decision-making, resource allocation, and strategic planning.

What is Enterprise Risk Management?

Traditional risk management often occurs within individual departments, but ERM takes a holistic approach. It breaks down silos and ensures risk information is identified, aggregated, and acted upon across the University.

Our ERM process:

  • Identifies risk that could impact operations, finances, compliance, reputation, or safety.

  • Assesses risk by impact, probability, and frequency.

  • Assigns ownership at both the Vice President and functional level.

  • Implements measurable mitigation plans.

  • Reports results to senior leadership and the Board of Trustees Audit Committee.

ERM Governance

Our governance follows the Three Lines Model:

1st Line – Management
Functional Risk Owners lead risk identification, design and maintain controls, track performance indicators, and implement mitigation plans.

2nd Line – Oversight Functions
The Enterprise Risk Management Committee—including the Office of Risk Management, Internal Auditing & Consulting Services, the Office of Information Technology, and Institutional Planning and Effectiveness—provides expertise, support, monitoring, and challenge. The Committee facilitates assessments, documents controls, and ensures continuous improvement.

3rd Line – Assurance
Internal Audit provides independent evaluations of the University’s governance, risk management, and internal control systems, and offers recommendations for improvement.

Target State and Continuous Improvement

SMU’s ERM program is advancing toward a strategic state, where risk activities are embedded in decision-making at every level, predictive analytics inform planning and budgeting, ERM creates and preserves value, and performance measurement is directly linked to risk outcomes. At the same time, ERM operates as a continuous cycle—regularly reassessing risks, updating controls, and refining strategies—so the University stays proactive, resilient, and aligned with its strategic goals.