The term “enterprise risk management” (ERM) is getting a lot of attention lately. But the fact is, your institution is already implementing enterprise risk management every time you make a decision considering risk, which is probably every day.
The question is whether your institution is managing the enterprise risk management process and effectively anticipating, planning for, and responding to risk — or whether you are just reacting to risk as it occurs.
The Benefits of Effective Enterprise Risk Management
A properly designed and implemented ERM process will help your university align risk and strategy, enhance your risk response decisions, and reduce operational surprises and losses.
Further, a properly functioning ERM process will allow your university to identify and manage multiple and cross-enterprise risks, seize opportunities, and properly deploy capital. It’s important to note that ERM is not a risk avoidance process—it is a risk understanding process that allows your institution to make better decisions. And that will help you accomplish your mission more effectively.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines ERM as:
“…a process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within the risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
Three Steps to an Effective Enterprise Risk Management Process
We recommend using a three-phase approach to creating an ERM process.
Phase One: Data Gathering and Training
- Start by surveying or interviewing employees about what they perceive as risks. The information you gather during this step will shape the framework for what is treated as a risk at different levels across your institution.
- Train key individuals on how to identify and manage the risk associated with the different items identified.
Phase Two: Identification and Assessment
- Classify the risks identified in Phase One based on the likelihood of each event occurring, as well as the impact such an event would have. For instance, a slip and fall on your campus could be likely in the winter months, but the impact would be relatively small. A data breach of critical student information may be less likely, but the impact would be significantly larger.
- Prioritize your list. After all the data has been gathered and all the risks have been measured, we recommend that you narrow the list down to no more than 15 risks. If you include more than 15, you may end up spread too thin or focused on risks that are not likely to happen and would not be impactful even if they did occur.
- Assign responsibility for each risk to someone within the organization.
- Execute a plan of action for each risk. In the example of the slip and fall risk, you may just need to make sure you have the proper insurance. To address the risk of a potential data breach, an IT audit may be necessary.
Phase Three: Reporting and Monitoring
- Create and implement a system for reporting on the status of each risk. This system must allow each risk to be monitored, mitigated, and reported on at regular intervals.
- Monitor and address risks as needed. This is where you may have a risk drop out of your top 15 and a new risk rise to replace it.
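The Phase Two and Phase Three steps above (score each risk by likelihood and impact, cap the list, assign an owner, then re-rank as risks change) can be kept in a small risk register. The following is an added example, not code from the article; it assumes constructed 1-5 ordinal scales for likelihood and impact and a constructed sample register that reuses the article's slip-and-fall and data-breach examples.

```python
from dataclasses import dataclass

# Assumed 1-5 ordinal scales for likelihood and impact (the article gives no
# numeric scale). Score = likelihood x impact, so a likely but minor slip and
# fall ranks below an unlikely but severe data breach.
@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int
    impact: int
    owner: str = ""  # Phase Two: someone must be responsible for each risk

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def validate(risk: Risk) -> None:
    # Reject ratings outside the scale before they distort the ranking.
    for label, value in (("likelihood", risk.likelihood), ("impact", risk.impact)):
        if not 1 <= value <= 5:
            raise ValueError(f"{risk.name}: {label} must be 1-5, got {value}")


def prioritize(register: list[Risk], cap: int = 15) -> list[Risk]:
    """Phase Two: rank by score, tie-break on impact, keep at most `cap` risks."""
    for risk in register:
        validate(risk)
    ranked = sorted(register, key=lambda r: (-r.score, -r.impact, r.name))
    return ranked[:cap]


def unowned(top: list[Risk]) -> list[str]:
    """Names of prioritized risks that still lack an owner."""
    return [r.name for r in top if not r.owner]


def reassess(previous: list[Risk], register: list[Risk], cap: int = 15):
    """Phase Three: re-rank the updated register; report dropped and new risks."""
    current = prioritize(register, cap)
    before = {r.name for r in previous}
    after = {r.name for r in current}
    return current, sorted(before - after), sorted(after - before)


# Constructed sample register: the article's two examples plus two more.
REGISTER = [
    Risk("slip and fall", likelihood=5, impact=1, owner="facilities"),
    Risk("student data breach", likelihood=2, impact=5, owner="CISO"),
    Risk("lab equipment theft", likelihood=3, impact=2),
    Risk("grant reporting error", likelihood=2, impact=3, owner="finance"),
]
```

Running `prioritize(REGISTER, cap=3)` keeps the data breach and drops the slip and fall despite its higher likelihood, and `unowned` flags any top risk that still has nobody responsible for it.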
An Ongoing Process
It is important to note that ERM does not end with phase three. Risk management is a process and must be continuously monitored, updated, and reported on. All departments should have representation within the process, and each risk should have an owner. This will keep ERM a moving and evolving process at your institution.