Three Keys to a Successful Enterprise Risk Management (ERM) Strategy
July 11, 2019
Did a leader at your institution tap you to “do ERM?” You may feel overwhelmed. Where do you begin when it comes to enterprise risk management?
Whether you are new to the concept or have already initiated an ERM process on your campus, we recommend three key steps to ensure that your program will succeed over time.
1. Get leadership buy-in. ERM focuses on risks that cut across the institution, lack a formal owner, and require cross-functional coordination to manage. As a result, ERM programs can quickly become marginal if they are not prioritized at the highest ranks of the institution. Long-term success depends on a champion of substantial power who provides program visibility to the board, president, and/or head of school and demands accountability. (This is different from traditional risk management, which tends to focus on specific risks, like compliance or hazards, that are delineated in the formal responsibilities of a single person or team.)
2. Take action. ERM is less about precision and absolutes and more about relativism and action. Doing something “fast and roughly right” is virtually always better than doing nothing. Many institutions overwhelm themselves with getting organized or identifying and assessing risks, spending 80% of time and effort on these endeavors and 20% on treatment and implementation. We recommend the opposite: 20% on the former, 80% on the latter. There’s no need to unearth every stone at your institution immediately or gain full consensus from the community. Force yourself to move forward on treating one or a few risks and expand your program over time. Get some small wins early. Expect to learn as you go and iterate over time.
3. Manage burnout. ERM is not a project with an end date; it’s a process that grows and matures over time. You must manage against burnout to be successful:
- Focus on achievable goals and small wins.
- Identify key champions that can share some of the burden and bring energy to the process. These people could be part of a key functional or operating team that inherently manages risk and can gain new visibility with your program; or a key administrative leader that fears a major risk and is looking for some help; or just a dynamic, well-liked personality that can help inspire others to engage.
- Be mindful of scope when delineating mitigation activities or assigning risk owners.
- Make goals attainable and offer positive feedback to those doing the work.
ERM can seem daunting, but adopting these keys to success can help. ERM values incremental improvements, being better today than you were yesterday, over precision or absolutes. If you are discussing and treating risks that you were not before, you are making your campus safer and more likely to thrive each and every day!