Enterprise Risk Management - What is it and how do you implement it?
By: Peggy Zapalac, Director of University Risk Management, Texas A&M University
From: Current Issues in Higher Education, NCURA Newsletter - December 2005/January 2006, Vol. XXXVII, No. 5
What is an enterprise risk management (ERM) program? First we need to define what a risk is. One manager simply stated that risk was "What keeps you up at night." Risk can also be defined as any issue or event that adversely impacts the institution’s ability to meet its objectives. The complex and rapid changes in today’s world continually affect universities and the universities' ability to identify and manage risks. Risks can affect the entire university and include financial, operational, technological, environmental, regulatory compliance, competitive, strategic, litigation, reputational, political, etc. In university environments, risks have traditionally been addressed in a decentralized manner where risks are managed independently in separate divisions, colleges, or departments and not necessarily coordinated between units or major functional areas.
Enterprise risk management is an emerging model at institutions of higher education where the management of risks is integrated and coordinated across the university as a whole. Enterprise risk management moves the traditional risk management process from a fragmented and ad hoc approach to an integrated, continuous, and broadly focused approach. Assessing risk data from across various departments and units provides managers the information needed to address risks on a broader university-wide scale. Enterprise risk management increases the awareness and connectivity of personnel at all levels. Assessing risks from a university-wide perspective provides personnel the opportunity to review their responsibilities and to review how, what they do or don't do, affects the achievement of the overall mission and goals of the institution. Managing risks requires identifying the risks and exercising prudent judgment to eliminate, limit, shift, or accept the risks.
Why implement a university-wide risk management program? Those institutions that have implemented an ERM program benefit from having a consistent and systematic approach to managing risks. The institutions have the ability to critically review their activities, assess new ideas, and seize opportunities. The institutions can align their risk appetite with risk management strategies. An ERM program increases communications, facilitates cross-institutional working, and improves awareness and buy-in of initiatives and new activities.
One executive asked, "Isn't enterprise risk management just good planning?" Enterprise risk management is just that. It is good planning for activities and initiatives but also good assessment, management, and monitoring of those activities. For example, at many universities there may be a number of risk management activities performed within departments or colleges but those activities also occur in other departments and colleges throughout the university (i.e., student travel, data security, development activities, etc). In a decentralized environment, responsibility and accountability is typically located at the unit level. Each unit retains ownership for managing their specific risks. However, assessing the risks from a university-wide perspective heightens the awareness of the most significant risks, improves the communication and cross-institutional working for those risks, and allows for the effective management and coordination of the mitigating activities used to manage those risks.
How do you implement an ERM program? In order to have an effective enterprise risk management program, there must be support from the top. The executive management must be a sponsor of the program. Their direct and visible involvement drives its success.
Other major components of enterprise risk management include performing risk assessments, identifying mitigating activities, and developing a monitoring plan, including a focus on continuous monitoring, follow-up, independent review, and reporting to executive management the status of risk management activities.
Risk assessments begin with establishing a common risk language. Using a common definition of risk and categorizing the various types of risks assists university personnel in brainstorming and identifying risks significant to their institution. Risks can be categorized in many ways such as strategic (affecting the achievement of goals, competitive and market risks, etc.); financial (loss of resources or other assets); operational (management processes, administrative procedures, controls, etc.); compliance (laws and regulations, safety and environmental issues, litigation, conflicts of interest, etc.); reputational (varied constituencies, political issues, media relations, etc.); and technology (computing infrastructure, applications, security, etc.)
Once identified, risks are prioritized or ranked while considering both the impact or consequence of the risk and the likelihood or probability that the risk could occur. Institutions can use a numerical ranking system and/or a 3-tiered high, medium, and low ranking method.
The next step involves identifying strategies (mitigating activities) for managing risks and assessing those strategies to identify any potential gaps. Potential gaps include faulty underlying processes, deficiencies in areas of accountability (i.e., not clear as to who is responsible for the activity or where multiple persons are responsible for the activity), and ineffective or missing procedures.
The final step involves developing and implementing a monitoring plan and reporting process for the on-going risk management activities. Reviewing key performance indicators for the mitigating activities assists management in assessing whether the activities continue to be effective.
Each one of these steps, depending on the culture of the institution, can be done in a facilitated workshop setting, group presentation and discussion, one-on-one meeting, or by e-mail and telephone. The main objective is to raise awareness of the risks that can affect the university's mission and to coordinate the strategies used to address those risks in the day-to-day operations.