What Makes an ERM Leader in Higher Education?

This article was originally published in the URMIA Journal. The University Risk Management and Insurance Association (URMIA) is an international non-profit educational association serving colleges and universities. Our core purpose is to promote the advancement and application of effective risk management principles and practices in institutions of higher education. For more information visit urmia.org.


Much is being written and discussed about enterprise risk management (ERM) for higher education institutions, but there is an important issue missing from this topic. What skills, knowledge, and abilities does it take to make an ERM leader and support his or her success?

The ERM leader acts as the primary architect that facilitates the design and delivery of the ERM program. This includes creating the blueprint for program activities and overseeing the program delivery as it evolves over time. It is this evolution that demands an integrated view of the risk profile that addresses ERM program goals, as well as anticipates emerging and future requirements. This role also requires the ability to consider the impact of specific risks individually and in the aggregate to the institution. To be clear, the ERM leader does not “own” the risks since that should be the accountable role of the functional areas or departments. It is the role of the leader, however, to bring together the key stakeholders who can drive the mitigation activities.

The Skill Set of an ERM Leader

Given this broad and deep landscape of responsibility, the ERM leader emerges as a multi-dimensional role under the umbrella of the ERM program. For higher education institutions, this role includes attributes derived from several skills sets, some outside of traditional higher education roles, including:

Trusted Advisor

First and foremost, the leader needs to be a trusted advisor. A trusted advisor is approachable and a good listener and can be counted on to hold confidences. Gaining trust with key stakeholders is the most effective way to open the communication channel that leads to an effective ERM program. The trust that the leader builds around the ERM program creates a safe forum for discussing key issues, escalating risks, or seeking advice. A trusted advisor is known to collaborate well with others and to leverage, not duplicate, efforts and processes to add new value. This efficiency is key to getting and keeping open necessary doors at your institution.


While it is unlikely that an ERM infomercial is on the horizon, another important skill for the institutional ERM leader is sales. A true sales professional is a problem solver that thoughtfully seeks to understand the client’s needs and to deliver cost-effective solutions. This may involve researching the root cause of the risk; identifying the range of peer practice; determining potential alternative courses of action, their costs, and timelines; and presenting the results in a concise manner to inform decision makers’ thinking. Since it is sometimes challenging to present risk related material, sharpened sales skills will serve the leader well.

Project Manager

While project management may not be the first thing one considers when it comes to ERM leadership, it can mean the difference between order and chaos when developing or enhancing an ERM program. Given the competing priorities, multiple work streams, and varying stakeholder demands, a project management orientation can help prioritize action steps to expedite desired outcomes, including positive program results and change management. While ERM frameworks, risk identification and assessment methodologies, and reporting mechanisms are all critical to the role, it is equally important that the leader can facilitate a process to manage constructive change. This includes working with stakeholders to develop work plans that provide a transparent tool for sharing milestones, resources, and the level of effort needed by participants to complete desired goals. This is particularly true in the operational risk management space; risks can be mitigated through improved controls and/or process redesign. An ERM leader can provide tangible value to a process owner by collaborating on a reengineering project.


It is imperative that the leader be able to share information by communicating in a way that is culturally appropriate for the venue. Formal settings can include trustee meetings, while less formal settings could include institution committee meetings. The domain of the leader is well served by the raconteur who can adapt. Storytelling and examples can be very effective ways to convey important information that might not be digested by the audience through a red, yellow, and green scorecard. For example:

  • Lessons learned (particularly from another institution) can be used to great effect, especially in a safety context. An explanation of the event, an exploration of the vulnerability exploited (and whether it exists at your institution), and what mitigations might be in place or implemented to avoid the issue are considered time well spent, even by risk management skeptics.
  • Often, the ERM leader convenes a group to review a risk event, so facilitation skills are valuable to get the most from the assembled experts most efficiently. Skillful facilitation allows for the root cause to be identified, as well as leaving time for the most important part of the meeting – to determine what needs to be done and by whom to avoid repeating the event.
  • At the other end of the spectrum, there are opportunities for public speaking that should not be passed up when they can promote the program and/or the higher education institution as a thought leader on safeguarding reputation.


Since the ERM department in an institution is likely a very small group, building a go-to group of other control colleagues and institutional risk management practitioners to provide advice and input is critical.

  • On your campus, like-minded professionals – in audit, finance, and compliance, for example – are terrific partners in ERM. In the corporate construct of the “three lines of defense,” there are operational owners of the risk, who take and manage their own risks; the second line are the management functions who provide guidance and oversight; and the independent third line is audit, who reports to the board of directors or a committee thereof. Many audit departments believe that they can maintain their independence while collaborating on a common risk assessment with ERM and compliance; finance officers may have risk control and compliance responsibilities that dovetail nicely with the ERM mission.
  • Peers in other institutions can be great resources as well. As sole practitioners (or small departments in a large, diverse organization), we face a huge variety of risk issues day to day. But rest assured, our contemporaries in other institutions have addressed many of the same challenges. Sharing of good practice in risk management is common. The active discussion communities maintained by URMIA demonstrate ample willingness to report on experiences in response to risk management queries. Reach out to others for input, but know that institutional cultures do vary; what works on one campus may need adaptation for another.

Stakeholder Engagement

The leader’s multi-dimensional set of roles supports the myriad issues arising in ERM program discussions that will take place with stakeholders. The leader must be connected to the stakeholder community since they are the internal and external constituents that are concerned with the risks to the institution. While these stakeholders may have individual areas of focus (e.g., athletics, safety), they would likely share the collective interest in risks that rise to the level of reputational impact. These stakeholders can include:

  • Administration
  • Faculty
  • Students
  • Alumni
  • University operational departments (safety, health center)
  • Press and media
  • Donors

The leader may not directly communicate with some of the stakeholders, but the effectiveness of the ERM program will be of interest to all. Therefore, engaging stakeholders is a critical success factor that will leverage each aspect of the leader’s job description and, importantly, will require time and trust. Building trust is an important role that will require outreach, education, and listening. The leader must understand the current state of each stakeholder’s perspective to do what is needed to migrate to an integrated view that is enterprise-wide. Since these stakeholders may have both similar and divergent interests, it is incumbent upon the leader to team with the stakeholders to understand the issue and the impact to the institution. Through this facilitated education, the leader can foster a shared view of risks that accelerates the value that ERM can bring to the institution.

Creating a Foundation for Stakeholder Collaboration

The collaboration between the leader and stakeholders will be influenced by the culture of each institution. Working together to refine and agree on desired outcomes is the foundation for creating a forum for more risk-informed decision making. While the leader is accountable for the advancement of the program, he or she is not alone in accountability for the success of the ERM program. Lessons learned from experience indicate that the leader should drive a point of view but also gather feedback on key aspects of the ERM program, including:

Vision and Mission: The leader needs to have an ERM vision and mission to articulate the purpose and scope of the ERM program and leader role. These definitions are helpful boundaries to keep the program on track and focused on the expected goals. They are also a useful tool to manage, deflect, and even reject issues that are beyond the mission and goals. To support success, the institution must decide the short- and long-term view of the ERM program so the leader can plan accordingly, starting with the mission statement.

  • Mission Statement: Having a mission statement is an important step that will clarify ERM expectations for the institution. It should be aspirational and reflective of the program goals but also be customized for the institution’s culture and governance style. This is deceptively simple to say (as many governance issues are) and will challenge the leader, but it is worth the effort since it is a cornerstone for the ERM program.

ERM Program Design: Once the vision and mission are drafted and agreed on by stakeholders, the leader can focus on the program design and/or enhancements. The leader and the institution will benefit from having a work plan to support short- and long-term goals. The plan is a tool that supports the work steps for milestones and resources, but it is also a learning tool for the level of effort and foundation steps that are needed. Some steps may take longer to achieve, and the leader can leverage the tool to illustrate issues impacting timing, e.g., competing priorities and funding.

  • ERM Work Plan: The leader may be the primary author of the ERM work plan but is not responsible for all the activities. The group that comes together to discuss, review, and validate ERM activities shares the accountability for meeting deadlines, raising issues, and managing exceptions. Based on the level of detail requested by these constituents, the ERM work plan can be as complex or simple as needed, as long as it reflects the snapshot of the program’s desired short- and long-term goals.
  • For practicality, the leader may consider a detailed approach for an agreed upon shorter term since longer term goals may need to be refreshed. The impact of the short-term goals (whether positive or not) should be considered when updating long-term goals. Additionally, the leader should facilitate a refresh of the ERM work plan periodically to reflect internal and external changes.

Risk Appetite: The concept of a risk appetite is an integral part of an effective ERM framework, but currently it is not widely adopted within higher education. Since the risk appetite is an articulation of the amount and type of risk an institution is willing to take to meet its objectives, defining the tolerance levels for low, medium, and high risk is a meaningful effort that will guide risk taking, risk mitigation, and risk escalation. The leader’s role in this area can include presenting draft language for discussion and providing examples of quantification to stimulate discourse. While risk appetite can mature and change over time, it is an important marker in the development of the program that the leader may want to champion.

Risk Assessment: The ERM program will likely include a periodic risk assessment process. To add value, this exercise must consider the most important risks, as well as the input from the functional areas that “own” them. The leader should pursue an approach that is focused on these desired outcomes.

Leveraging Tools and Techniques: The mission statement and risk appetite can help drive the template of the assessment by aligning the aspirations of the mission statement with the quantification of the risk appetite. This combination of qualitative and quantitative techniques provides both the structure and the balance needed to assess key risks.

Assessment Process: The leader should consider the best fit for engaging the stakeholders involved in the risk assessment process. Depending on where the institution is in its ERM program’s maturity, the leader can consider a top-down or bottom-up approach or integrate both to also assess alignment across constituents. Regardless of the approach, the leader should focus on the tools and techniques that foster the assessment of the most important risks to the institution, including interviews, surveys, facilitated workshops, and committee discussion.

Reporting and Remediation: Keeping track of progress and communicating it to management, advisory groups, and stakeholders is a key part of the leader’s role in the program. Reporting on the program can take a myriad of forms. Many institutional risks don’t lend themselves to easy quantification; however, forward progress needs to be identified and communicated. Milestones in remediation plans can be tracked. The form of reporting will be dictated by your institutional culture. Perhaps it will take the form of regular briefings on all projects to an oversight committee; alternatively, reporting may occur only when others need to intervene to help facilitate progress where efforts are not leading to satisfactory results. The leader may use many different communication styles for different stakeholders and venues.

Governance Practices: For these activities to come together to serve the ERM program, there needs to be a governance structure. The process can be as formal as the institution decides but should include appropriate (accountable) oversight of the information that is reported and ongoing monitoring of remediation activities. The leader can be the intermediary for this process, representing the outcome from the ERM process for the risk owners.

  • Escalation Protocols: An important aspect of governance practices is the escalation process that identifies the inflection point where risk information is shared beyond the ERM program. Escalation protocols are informed by the risk appetite and the program operating model. Since this may not be as formal as a dividing line, the leader needs to consider the impact of trending metrics or a significant event for escalation.

Engaging Stakeholders During Campus Events

In addition to identifying and helping your institution proactively address risks to reduce the frequency and impact of risk events, the ERM leader often engages with university colleagues when events happen on campus. The form of the leader’s engagement varies depending on the event type and institutional organizational design, but the same attributes that are so critical to building and maintaining the program can be utilized in event management. In the last few years, many institutions have dealt with controversial speakers and the outsiders some of those events bring to campus. A robust emergency response program may have the membership and protocols to plan for such an event and an extensive cross-organizational team to minimize impact.

The leader may be a team participant and may be consulted as a trusted advisor. He or she may be able to reach out to the ERM network to learn what other institutions have faced under similar circumstances and what lessons they learned, and share these with campus officials. Sometimes, sales skills can be deployed to construct the business case to engage all constituencies who are needed to coordinate an effective response. While emergency response teams tend to have their own processes, managing a potentially disruptive event can be viewed as a multi-stage, potentially evolving project within a tight time frame. Finally, a debrief process after the fact is great practice, as is closing the loop with your ERM network to share successes and opportunities for enhancement to advance the practice in higher education.


The ERM leader’s mandate is both broad and deep; he or she must balance and consider many perspectives. Given that complexity, it is also imperative for the leader to consider internal and external factors that could impact the institution, as well as available data and metrics to support decisions. These factors, viewed through the filter of institutional culture and risk appetite, should be among the tools and techniques the leader calls upon to guide an ERM discussion. The outcome of discussions and meetings may not please everyone or solve every problem, but the overarching theme is to be “risk-informed” to make the best decision given available information and perspectives. It takes thoughtful perspective to be an ERM leader at a higher education institution. Forward-thinking institutions are moving towards using ERM to align strategy with planning and key decision making; they will need the perspective of a skilled ERM leader to meet that challenge.

About the Authors

Nancy Loucks
As director of enterprise risk management (ERM) at Yale University since 2015, Nancy Loucks has led the continuing evolution of Yale’s ERM program. Ms. Loucks is a member of a number of risk and safety committees and a regular presenter to senior leadership and the Corporation Audit Committee.
Ms. Loucks’ prior experience includes more than 30 years in financial services, in both client-facing and risk management roles, most recently serving as the head of enterprise risk management at State Street Corporation.
Ms. Loucks is a graduate of Harvard College (A.B., magna cum laude) and University of Virginia Darden School (M.B.A.).

Dolores Atallo
Dolores Atallo is the North American leader for Enterprise Risk Management (ERM) and a member of the Global ERM Leadership Team at Protiviti. She has over 25 years of experience designing and enhancing ERM programs and evolving governance practice to align strategy and performance. Ms. Atallo is a graduate of Rutgers University (B.A., M.B.A). She is an adjunct professor of governance and risk management at Martin Tuchman School of Business at New Jersey Institute of Technology (NJIT). Ms. Atallo can be reached at [email protected] or through the Protiviti ERM Center of Excellence at www.protiviti.com/erm.
