Early adopters of enterprise risk management (ERM) brought this practice to their campuses in the early 2000s and sometimes stumbled as they worked through the first step: identifying risks across the enterprise. In the process, these leaders assembled campus groups that developed voluminous lists articulating myriad potential events, the scenarios of which “kept administrators up at night.”
While the identification of potential risks was comprehensive, and addressed the complexity and evolving nature of colleges and universities, the ERM process collapsed under the very weight of the lists. Administrators became so inundated with frightful possibilities that their efforts became diluted and scattered; they were unable to find a path forward. In the confusion, they failed to address the subsequent and most important steps—assessing impact, developing responses, monitoring risk areas, and so forth. In the end, most business officers and risk managers, eager to start an ERM process, were left with lists and no action plans.
Fast-forward through the financial crisis, and we see that those early adopters have fine-tuned the process, shared best practices, and now have ERM policies and procedures that engage the campus, from the board of directors to individual departments.
For example, Whitman College, Walla Walla, Wash., where I serve as a trustee, has drilled down into its Clery Act reports and is now better able to understand the trends for sexual assaults on campus. The chief business officer can be a useful partner to student services staff and Title IX coordinators to help analyze data (without revealing any confidential student information), so that campus leaders can identify potential correlation or causation as it relates to location, the characteristics of students involved in complaints, and the timing of the incidents. By using this analysis, campus leaders can better allocate training and prevention resources.
Duke University, Durham, N.C., and Virginia Tech, Blacksburg, Va., are two other examples of the many early adopters who now have active ERM programs. (See sidebars, “Creating a Culture of Integrity” and “Technology Influences Risk Reporting,” for details of some of the institutions’ specific efforts.)
In most cases, senior leadership follows a four-step, collaborative ERM business process that includes:
1. Identifying risks across the entire enterprise.
a. Paying attention to the gaps between departments and programs.
b. Using risk registers that list the five to 10 key risks that are identified by senior administrators.
2. Assessing the impact of the risks and opportunities relative to the institution’s operations and mission.
3. Developing and practicing response or mitigation plans.
4. Monitoring the identified risks, holding the risk owners accountable, and consistently scanning for emerging risks.
Culture and Simplicity
What have we learned from those early adopters? Their work reveals two primary lessons: Culture matters, and simplicity enables the ERM to take root. A robust ERM program begins with creating a culture throughout the institutional community that motivates individuals to engage in working together, across silos and within the gaps, to identify, assess, and manage risk—as well as opportunities—in support of the institution’s mission.
A strong risk management culture is comfortable in the “gray areas,” where some identified risks are probably not insurable, cross several different departments, or can be considered “sacred cows” and thus untouchable by the community.
In creating a culture focused on risk, establishing the right tone at the top does matter. In researching and writing Risk Management, an Accountability Guide for University and College Boards (AGB Press, 2013), it became clear to me that without champions at the senior administrative and board level, ERM programs flounder.
Another insight is that a culture that supports ERM assigns each risk to an owner, someone responsible for managing and tracking the risk so that accountability is established and roles are clear. When provosts own academic risks and the vice president for advancement owns the risks associated with development, the dynamics make for a more powerful and productive process than a scenario in which the CBO or risk manager controls the process.
Creating an environment that supports risk reporting involves several other actions described below.
Culture change requires consistent, constant communication about the top risks, plans to respond to risks, and the process used to scan emerging risks. Institutions that regularly report on risk to the appropriate board committees and broader community are further along in culture change than those that keep the process closed and out of sight. If private institutions are concerned about openly sharing the risks, take a lesson from the public universities that have been transparent on ERM programs for more than a decade. Daily we are reminded about how important open communication and transparency are as building blocks for creating a trusting community. Opening up the risk management process to share risk registers and plans that the campus has to reduce vulnerabilities creates a sense of trust and a culture of risk awareness.
Institutions that relied on large committees to identify, monitor, and report risks were less successful in advancing the four steps than those that organized a small (three to five administrators) senior group to assess risks, assign ownership, monitor progress, and report out.
Learning from the early adopters to not overwork step No. 1, identification of risks, has led institutions to use risk registers developed by others as a starting point. As unique as each campus is, risks faced by colleges and universities are similar enough to allow the initial ERM program to leverage the hard work of others and build from there, broadening the circle of engagement and risk identification (step No. 4) in subsequent years. (See sidebars, “Typical Risk Register for a University” and “Risk Register for Liberal Arts Colleges” for more detail.)
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) and the International Organization for Standardization (ISO) have done good work and analysis, including the 2009 framework (ISO 31000), to establish frameworks for ERM. Many campus risk managers use these frameworks to structure their processes.
Keeping the process simple and streamlined, but open and transparent, is the magic sauce for effective ERM. Starting with a small number of risks, and growing the circle wider each year as the risk culture expands, facilitates greater success.
The Next Frontier for ERM
As institution leaders have used enterprise risk management more widely, two issues have emerged as the next frontier in advancing its value as a business tool: more robust discussion on risk tolerance, and the use of data and analytics to respond to risks.
How much can you take? For-profit companies, the earliest adopters of ERM, have an easier task of developing risk tolerance. The effort focuses on: “How much money/market share are we willing to lose?”
On the other hand, mission-driven institutions, with long-term time horizons and limited or shrinking resources, have a much more difficult challenge in developing the right level of risk tolerance. Risk tolerance is important, as a successful ERM program is a tool for resource allocation: balancing limited resources against the top priorities, or put another way, “How much of our scarce resources should we put into this project to move the risks to a position we can tolerate?” Business offices are well-situated to lead these discussions for administrators, in assessing how much risk is appropriate for the institution.
Drilling down to the details. The increasing availability and sophistication of data-driven decision making is driving the evolution of ERM on campuses. The business office, used to tracking and analyzing data, can be a key partner in helping other offices understand and respond to the data that drives key risks.
For example, student behavior appears on most ERM risk registers, encompassing many key areas of vulnerability: reputation, compliance, and operations. Campuses are using data collection and analysis to help better understand the risk, and craft more targeted responses. As noted in the Whitman College example, the Clery Report and individual incident reports can be analyzed to better understand where and when sexual assaults are occurring and the common characteristics of the assaults (using anonymous data while identifying attributes of the involved students). Then training, oversight, and response can be shifted to vulnerable populations and locations based on the analysis.
Duke University and Virginia Tech are models to follow on creating the risk reporting culture, keeping it simple, and using data and technology for decision making.
JANICE M. ABRAHAM is president and chief executive officer, United Educators, Bethesda, Md.