Four Steps to Proactively Manage Risks

January 30, 2020

Schools, colleges, and universities with effective institution-wide risk management programs tend to be better equipped to protect themselves from major reputational threats.

Enterprise risk management (ERM) is a proactive and collaborative process that empowers campus leaders to discuss and manage risk at the institution level rather than within a single functional area or department. Among the top risks for these institutions are sexual abuse and molestation, cybersecurity, and student mental health. Such risks cut across organizational silos and impair the institution’s ability to fulfill its mission. Institutions often have a cross-functional team, or risk management committee, that meets regularly to identify, assess, treat, report on, and monitor these types of risks.

The four repeatable steps of ERM are:

1. Identify. Identify risks that affect the entire institution, not risks confined to a single department or function. In most cases, a short list of fewer than 10 risks (even as few as three or four) provides a good starting point for ERM.

2. Assess. Analyze and prioritize the top risks by assessing each one’s likelihood of occurring and its impact on your institution’s mission and operations. Evaluating risks in this way lets you decide how to respond to each risk and where to focus effort first. At this stage, assign each risk to a risk owner: the leader responsible for overseeing risk management efforts for that risk.

[Figure: The ERM Process]

3. Treat. Decide on a treatment plan for each risk: how much of it to transfer, accept, reject (avoid), and/or mitigate. Most risks will require some mitigation. Develop mitigation plans by considering the five Ps of mitigation:

  • Policies and procedures
  • People (including training and personnel)
  • Property
  • Processes (such as reporting mechanisms, reference checks, and contracting)
  • Practice (such as lockdown testing or evacuation drills)

4. Report and monitor. Report your progress to the board and share your goals for the coming period.

Consider creating a short overview report covering all top risks for your board, president, or head of school. Also consider creating a separate, more detailed operational report on each risk for its risk owner, used to track progress, maintain accountability, and manage next steps. Establish a regular cadence for reporting as well as for each of the process steps. This way you can continually assess how the environment has changed, determine whether risk treatments are working as expected, and decide whether your approach to the first three steps needs refinement.
