ENTERPRISE RISK MANAGEMENT J. Joseph Hoey, Ed.D. Bridgepoint Education CAIR 2015
Enterprise Risk Management (ERM) Defined ERM is a principles-based approach to manage, not eliminate risk. ERM is a process that is: Built into routine business practices Designed to: Identify emerging events with the potential to affect the entity, Assess the potential impact consistently, and Manage risk within a predetermined risk appetite Applied across the enterprise Tied to the organization s strategic goals
Why Is ERM Important? Consider these examples: Penn State athletics scandal Emory University USN & WR admissions data falsification Virginia Tech and other more recent campus shootings Others? They come up all the time!
Focus of ERM ERM focuses on an institution s achievement of its objectives or mission in the following areas: Strategic high-level goals aligned with the institution s mission Operational ongoing management processes Financial protection of institution s assets Legal and Regulatory adherence to applicable laws and regulations Political and Reputational risk includes loss or threat to accreditation, confrontation with legislators, and major institutional scandals
The Risk Management Process 1.Defining the risk universe 2.Identifying the risks 3.Assessing the risks Ranking the risks likelihood, impact, residual risk, and velocity Ascertaining the University s risk appetite Charting risk maps, creating influence maps to ID risk drivers Using event trees 4.Evaluating the risks What opportunities exist to mitigate? What is the cost-benefit analysis of mitigation? 5.Mitigating the risks mitigation plan development 6.Monitoring the plan keeping up with new risks
Responses to Risk High Medium Risk High Risk I M P A C Share Low Risk Mitigate and Control Medium Risk T Accept Control Low PROBABILITY High Source: AGB and NACUBO (2007). Meeting the Challenges of Enterprise Risk Management in Higher Education.
Campus Roles in ERM Board oversees ERM, but leaves the details to management; President sets high-level ERM agenda, and engages the faculty and board members in ERM; CFO establishes and manages ERM; CRO leads ERM and fosters a collaborative, campuswide approach; and Internal audit collaborates with CRO. Institutional Research provides supporting data, dashboards, and ongoing environmental scanning Source: NACUBO/AGB (2007)
AGB: The Board s Role in ERM The Board must enable the University to anticipate and respond rationally to the most serious exposures that could compromise the ability of the enterprise to function. To ensure that senior management develops and maintains a comprehensive ERM plan that maps out risk scenarios and potential responses. To ensure that plans, policies and practices adequately address critical risk exposures in every area of activity not just financial.
AGB Recommendations: The Board s Role in Monitoring ERM The Board can best monitor and oversee risk management through its committee structure Strategic risks are best evaluated in a finance committee or long-range planning committee Operational exposures and the measures to manage them are often best addressed by the audit committee The Board should conduct regular, rotating reviews of high-risk areas
Where to Start? Tips From The ERM Pros Start small Keep it simple - don t boil the ocean Focus on a limited set of risks Go for the quick wins Adopt change management framework and skill set Ensure accountability for risk areas Develop process capability through multiple iterations
Further ERM Resources Meeting the Challenges of Enterprise Risk Management in Higher Education. National Association of College and University Business Officers, Association of Governing Boards (2007). The State of Enterprise Risk Management at Colleges and Universities Today. Association of Governing Boards/United Educators (2009). Lots of great tools developed by the UC Office of the President: http://www.ucop.edu/enterprise-riskmanagement/tools-templates/risk-assessment-toolboxcontent/higher-education-risk-assessment-tool.html