This article was originally published in the URMIA Journal. The University Risk Management and Insurance Association (URMIA) is an international non-profit educational association serving colleges and universities. Our core purpose is to promote the advancement and application of effective risk management principles and practices in institutions of higher education. For more information visit urmia.org.
The ERM leader does not “own” the risks since that should be the accountable role of the functional areas or departments. It is the role of the leader, however, to bring together the key stakeholders who can drive the mitigation activities.
Much is being written and discussed about enterprise risk management (ERM) for higher education institutions, but there is an important issue missing from this topic. What skills, knowledge, and abilities does it take to make an ERM leader and support his or her success?
The ERM leader acts as the primary architect that facilitates the design and delivery of the ERM program. This includes creating the blueprint for program activities and overseeing the program delivery as it evolves over time. It is this evolution that demands an integrated view of the risk profile that addresses ERM program goals, as well as anticipates emerging and future requirements. This role also requires the ability to consider the impact of specific risks individually and in the aggregate to the institution. To be clear, the ERM leader does not “own” the risks since that should be the accountable role of the functional areas or departments. It is the role of the leader, however, to bring together the key stakeholders who can drive the mitigation activities.
Given this broad and deep landscape of responsibility, the ERM leader emerges as a multi-dimensional role under the umbrella of the ERM program. For higher education institutions, this role includes attributes derived from several skills sets, some outside of traditional higher education roles, including:
First and foremost, the leader needs to be a trusted advisor. A trusted advisor is approachable and a good listener and can be counted on to hold confidences. Gaining trust with key stakeholders is the most effective way to open the communication channel that leads to an effective ERM program. The trust that the leader builds around the ERM program creates a safe forum for discussing key issues, escalating risks, or seeking advice. A trusted advisor is known to collaborate well with others and to leverage, not duplicate, efforts and processes to add new value. This efficiency is key to getting and keeping open necessary doors at your institution.
While it is unlikely that an ERM infomercial is on the horizon, another important skill for the institutional ERM leader is sales. A true sales professional is a problem solver that thoughtfully seeks to understand the client’s needs and to deliver cost-effective solutions. This may involve researching the root cause of the risk; identifying the range of peer practice; determining potential alternative courses of action, their costs, and timelines; and presenting the results in a concise manner to inform decision makers’ thinking. Since it is sometimes challenging to present risk related material, sharpened sales skills will serve the leader well.
While project management may not be the first thing one considers when it comes to ERM leadership, it can mean the difference between order and chaos when developing or enhancing an ERM program. Given the competing priorities, multiple work streams, and varying stakeholder demands, a project management orientation can help prioritize action steps to expedite desired outcomes, including positive program results and change management. While ERM frameworks, risk identification and assessment methodologies, and reporting mechanisms are all critical to the role, it is equally important that the leader can facilitate a process to manage constructive change. This includes working with stakeholders to develop work plans that provide a transparent tool for sharing milestones, resources, and the level of effort needed by participants to complete desired goals. This is particularly true in the operational risk management space; risks can be mitigated through improved controls and/or process redesign. An ERM leader can provide tangible value to a process owner by collaborating on a reengineering project.
It is imperative that the leader be able to share information by communicating in a way that is culturally appropriate for the venue. Formal settings can include trustee meetings, while less formal settings could include institution committee meetings. The domain of the leader is well served by the raconteur who can adapt. For example: Storytelling and examples can be very effective ways to convey important information that might not be digested by the audience through a red, yellow, and green scorecard.
Since the ERM department in an institution is likely a very small group, building a go-to group of other control colleagues and institutional risk management practitioners to provide advice and input is critical.
The leader’s multi-dimensional set of roles supports the myriad of issues arising in ERM program discussions that will take place with stakeholders. The leader must be connected to the stakeholder community since they are the internal and external constituents that are concerned with the risks to the institution. While these stakeholders may have individual areas of focus (i.e., athletics, safety), they would likely share the collective interest in risks that rise to the level of reputational impact. These stakeholders can include:
Engaging stakeholders is a critical success factor that will leverage each aspect of the leader’s job description and, importantly, will require time and trust.
The leader may not directly communicate with some of the stakeholders, but the effectiveness of the ERM program will be of interest to all. Therefore, engaging stakeholders is a critical success factor that will leverage each aspect of the leader’s job description and, importantly, will require time and trust. Building trust is an important role that will require outreach, education, and listening. The leader must understand the current state of each stakeholder’s perspective to do what is needed to migrate to an integrated view that is enterprise- wide. Since these stakeholders may have both similar and divergent interests, it is incumbent upon the leader to team with the stakeholders to understand the issue and the impact to the institution. Through this facilitated education, the leader can foster a shared view of risks that accelerates the value that ERM can bring to the institution.
The collaboration between the leader and stakeholders will be influenced by the culture of each institution. Working together to refine and agree on desired outcomes is the foundation for creating a forum for more risk-informed decision making. While the leader is accountable for the advancement of the program, he or she is not alone in accountability for the success of the ERM program. Lessons learned from experience indicate that the leader should drive a point of view but also gather feedback on key aspects of the ERM program, including:
Vision and Mission: The leader needs to have an ERM vision and mission to articulate the purpose and scope of the ERM program and leader role. These definitions are helpful boundaries to keep the program on track and focused on the expected goals. It is also a useful tool to manage, deflect, and even reject issues that are beyond the mission and goals. To support success, the institution must decide the short- and long-term view of the ERM program so the leader can plan accordingly…. starting with the mission statement.
ERM Program Design: Once the vision and mission are drafted and agreed on by stakeholders, the leader can focus on the program design and/or enhancements. The leader and the institution will benefit from having a work plan to support short- and long-term goals. The plan is a tool that supports the work steps for milestones and resources, but it is also a learning tool for the level of effort and foundation steps that are needed. Some steps may take longer to achieve, and the leader can leverage the tool to illustrate issues impacting timing, i.e. competing priorities, funding, etc.
Since the risk appetite is an articulation of the amount and type of risk an institution is willing to take to meet its objectives, defining the tolerance levels for low, medium, and high risk will guide risk taking, risk mitigation, and risk escalation.
Risk Appetite: The concept of a risk appetite is an integral part of an effective ERM framework, but currently it is not widely adopted within higher education. Since the risk appetite is an articulation of the amount and type of risk an institution is willing to take to meet its objectives, defining the tolerance levels for low, medium, and high risk is a meaningful effort that will guide risk taking, risk mitigation, and risk escalation. The leader’s role in this area can include presenting draft language for discussion and providing examples of quantification to stimulate discourse. While risk appetite can mature and change over time, it is an important marker in the development of the program that the leader may want to champion.
Risk Assessment: The ERM program will likely include a periodic risk assessment process. To add value, this exercise must consider the most important risks, as well as the input from the functional areas that “own” them. The leader should pursue an approach that is focused on these desired outcomes.
Leveraging Tools and Techniques: The mission statement and risk appetite can help drive the template of the assessment by aligning the aspirations of the mission statement with the quantification of the risk appetite. This combination of qualitative and quantitative techniques provides both the structure and the balance needed to assess key risks.
Assessment Process: The leader should consider the best fit for engaging the stakeholders involved in the risk assessment process. Depending on where the institution is in its ERM program’s maturity, the leader can consider a top-down or bottom-up approach or integrate both to also assess alignment across constituents. Regardless of the approach, the leader should focus on the tools and techniques that foster the assessment of the most important risks to the institution, including interviews, surveys, facilitated workshops, and committee discussion.
Reporting and Remediation: Keeping track and communicating to management, advisory groups, and stakeholders is a key part of the leader’s role in the program. Reporting on the program can take a myriad of forms. Many institutional risks don’t lend themselves to easy quantification; however, forward progress needs to be identified and communicated. Milestones in remediation plans can be tracked. The form of reporting will be dictated by your institutional culture. Perhaps it will take the form of regular briefing of all projects to an oversight committee; alternatively, reporting may occur only when others need to intervene to help facilitate progress where efforts are not leading to satisfactory results. The leader may use many different communication styles for different stakeholders and venues.
Governance Practices: For these activities to come together to serve the ERM program, there needs to be a governance structure. The process can be as formal as the institution decides but should include appropriate (accountable) oversight of the information that is reported and ongoing monitoring of remediation activities. The leader can be the intermediary for this process, representing the outcome from the ERM process for the risk owners.
In addition to identifying and helping your institution proactively address risks to reduce frequency and impact of occurrence, the ERM leader often engages with university colleagues when events happen on campus. The form of the leader’s engagement varies depending on the event type and institutional organizational design, but the same attributes that are so critical to building and maintaining the program can be utilized in event management. In the last few years, many institutions have dealt with controversial speakers and the outsiders some of those events bring to campus. A robust emergency response program may have the membership and protocols to plan for such an event and an extensive cross-organizational team to minimize impact.
The leader may be a team participant and may be consulted as a trusted advisor. He or she may be able to reach out to the ERM network to learn what other institutions have faced under similar circumstances and lessons learned to share with campus officials. Sometimes, sales skills can be deployed to construct the business case to engage all constituencies who are needed to coordinate for an effective response. While emergency response tends to have their own processes, managing a potentially disruptive event can be viewed as a multi-stage, potentially evolving project within a tight time frame. Finally, a debrief process after the fact is great practice, as is closing the loop with your ERM network to share successes and opportunities for enhancement to advance the practice in higher education.
The ERM leader’s mandate is both broad and deep; they must balance and consider many perspectives. Given that complexity, it is also imperative for the leader to consider internal and external factors that could impact the institution, as well as available data and metrics to support decisions. These factors, viewed through the filter of institutional culture and risk appetite, should be among the tools and techniques the leader calls upon to guide an ERM discussion. The outcome of discussions and meetings may not please everyone or solve every problem, but the overarching theme is to be “risk-informed” to make the best decision given available information and perspectives. It takes thoughtful perspective to be an ERM leader at a higher education institution. Forward thinking institutions are moving towards using ERM to align strategy with planning and key decision making; they will need the perspective of a skilled ERM leader to meet that challenge.