What You Can — and Can’t — Borrow from Other ERM Programs
November 11, 2019
The best framework for enterprise risk management (ERM) is one that fits your campus’s culture, structure, and needs. Although education has a tradition of sharing insights, there are limits to what you can learn from others regarding ERM due to the program’s unique dependence to each institution’s identity. You can’t simply reproduce your peer institution’s ERM program and expect to succeed. However, you can borrow some components that are common to all ERM programs. Knowing what to mimic and what to modify can accelerate the implementation process.
Foundational Elements of ERM Programs
Although ERM programs might look different, nearly every program contains certain common elements as a foundation. These practices and processes at peer institutions likely will work at your institution too:
- Institution-level focus — ERM programs focus on risks that significantly affect the institution’s ability to achieve its mission as a whole rather than department-level risks that tend to be narrower in view. For instance, deferred maintenance is an institutional risk because it impacts divisions across campus, while inefficient maintenance planning is a departmental risk because it resides squarely in the facilities department. Inefficient maintenance planning is one component of a larger deferred maintenance risk.
- Cross-functional collaboration — ERM management includes a cross-functional set of leaders who help elevate discussion of risk to an institutional level. These leaders are typically part of an ERM committee and are invited to participate based on their functional position, unique skill set, and/or special personal interest. Committees typically always include the leaders of finance, legal affairs, human resources, facilities, marketing and/or communications, student affairs and/or wellness, campus safety, and technology. They can include others based on your campus’s needs. You also can invite members to the committee on a rotation or ad hoc basis if needed.
- Prioritized list of risks — No matter the nomenclature people use for it (be it risk register, heat map risks, prioritized risk register, or just risk list), the backbone of ERM is a list of risks the institution prioritizes to treat across a certain timeline. These lists differ in length and format across the sector, but they all help prioritize risk management activities across the institution.
- Repeatable process — ERM is a process that recurs on a regular cadence, allowing your campus to report progress and make adjustments across time.
Institution-Specific ERM Elements
High-impact ERM programs include more than just the elements above. However, these need to fit the established culture and organizational structures of each institution. Peers may serve as inspiration for the following elements of ERM, but you should work with your colleagues to develop versions that best fit your unique needs.
- Purpose — All ERM programs focus on reducing downside risks, but many target other goals that vary according to the institution’s mission, ERM stakeholders, and strategic plan. Common ERM purposes include evaluating strategic opportunities, overseeing cross-campus compliance, and breaking down silos.
- Formal charter — Institutions that thrive on formal mandates often develop an ERM program charter that establishes reporting lines, accountability structures, goals, and meeting frequency. Leaders who respond better to a free-flowing culture build flexible ERM programs that adapt to the institution’s immediate needs. There is a spectrum of formality between these two approaches, and effective ERM programs find the right level of formality for their institution.
- Techniques or methods — There are countless ways to identify, assess, treat, and monitor risks that range from qualitative to quantitative and from simple to complex. Effective methods reflect your program’s goals, the prioritization of risk management on campus, institutional culture, and external pressures.
- Tools — These range in complexity, from simple guides for prioritizing and tracking risks to complex software that strives to systematize ERM into series of algorithms. As long as your tools fit your campus’s ways of working, no level of complexity is inherently better than any other. Tools are merely devices to help achieve an ERM program’s goals.
High-Performing ERM Programs
While no two high-performing ERM programs are alike, all great programs develop risk-aware cultures on campus. They position risk as a concern for campus leadership and the board, advance strategic decision-making, and solve tricky campus problems.
Why Pursue an Enterprise Risk Management (ERM) Program?
The Four Steps of the ERM Process
Three Keys to a Successful Enterprise Risk Management (ERM) Strategy