Office of the Chief Risk Officer

The mission of Internal Audit is to provide independent, objective assurance and consulting services designed to add value and improve the operations of Stanford University and the Stanford University Hospitals. Internal Audit Services helps these organizations accomplish their objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. Specifically, we examine and evaluate the policies, procedures, and systems that are in place to ensure:

  • reliability and integrity of information;
  • compliance with policies, laws, and regulations;
  • safeguarding of assets;
  • economical and efficient use of resources; and
  • accomplishment of established objectives and goals for operations or programs.

Stanford is dedicated to upholding the highest standards of ethics and integrity in all its academic and business activities. Towards this end, the University has implemented an Ethics and Compliance Program to:

  • help inform the Stanford community regarding the ethical, professional, and legal standards to be used as the basis for daily and long-term decisions and actions;
  • ensure effective avenues for employees to report misconduct, and investigate reported concerns;
  • assess compliance risks and evaluate the effectiveness of existing compliance activities;
  • make recommendations for program improvements; and
  • coordinate decentralized compliance activities and ensure an institutional perspective is always present.

The Privacy Office promotes Stanford’s commitment to protecting the privacy of the University’s community including its students, alumni, faculty, staff, research participants, and affiliated parties. The Privacy Office has been entrusted to establish University practices and policies in order to:

  • develop, implement and manage the University’s privacy compliance program to comply with applicable state, federal and international privacy laws;
  • provide training and education across the University addressing privacy compliance responsibilities and obligations;
  • conduct appropriate auditing and monitoring of activities involving the collection, storage, use, disclosure and transmission of regulated data;
  • promote the reporting of violations of privacy policies and regulations to the Privacy Office; and
  • conduct investigations of unauthorized uses and disclosures of regulated data and ensure that appropriate actions are taken to mitigate any resulting harm to individuals.

Risk Management (RM) evaluates risk from the standpoint of the entire University, rather than a single department or area; eliminates or modifies conditions or practices, wherever practical, which may cause loss; assumes risks whenever the amount of potential loss would not significantly affect the University's financial position; and purchases insurance from whatever source (agent, broker, or insurance company) is deemed to be in the best interests of the University.

Enterprise Risk Management (ERM) coordinates the University’s enterprise risk management efforts to provide a framework and processes for the identification, assessment, mitigation and monitoring of risks to the achievement of the University’s mission and goals.

OCRO Overview


Office of The Chief Risk Officer
Stanford University
505 Broadway, Cardinal Hall, 6th Floor
Redwood City, CA  94063