Enterprise risk management orchestrates an approach that includes all areas on campus. Together, rather than solo, leaders evaluate and plan for the impact that unexpected events might have on the institution’s objectives.
By William G. Shenkir and Paul L. Walker
In the private sector, many businesses are implementing a relatively new approach to managing risk: enterprise risk management. This article highlights the major elements of ERM and relates the process to decision making in academia. (For more about ERM, see "Learning to Harmonize.")
What Is ERM?
Traditionally, academic institutions tend to address risk management through various organizational silos. The institution's finance and accounting operation and its internal audit group are concerned with financial risks related to weaknesses in internal controls. An insurance group may handle hazard risks, such as fire and accidents. The information technology department is concerned with security and systems risks related to student and faculty records and processing financial transactions. The board, executive leadership team, deans, and department heads focus on academic strategies and, presumably, the institution's strategic academic risks. The assumption is that administrators overseeing such operations as the registrar's activities, physical plant, security, and food services, among others, consider an array of operational risks in their work.
Rather than manage risk through this fragmented approach, ERM takes an integrated and holistic view of the risks facing the institution. ERM has been defined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) as:
... a process, effected by an [institution's] board ..., management and other personnel, applied in strategy setting and across the ... [institution], designed to identify potential events that may affect the ... [institution], and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of ... [the institution's] objectives.
The COSO definition has been adapted here to refer specifically to an academic institution, but it can apply broadly to many types of organizations. (For more information about the Committee of Sponsoring Organizations of the Treadway Commission, see www.coso.org.) According to this definition, ERM is:
- A process, ongoing and flowing through an ... [institution].
- Effected by people at every level of an organization.
- Applied in strategy-setting.
- Applied across the ... [institution], at every level and unit, and includes taking an ... [institution]-level portfolio view of risk.
- Designed to identify potential events that, if they occur, will affect the ... [institution] and to manage risk within its risk appetite.
- Able to provide reasonable assurance to an ... [institution's] management and board.
- Geared to achievement of objectives in one or more separate but overlapping categories.
The ERM approach implies that risk management is a part of every manager's job description, so managers at every level are expected to be attentive to the risks facing their units. Such risks can then be approached on a strategic level, with an eye toward minimizing the overall risk to the institution in an integrated fashion.
Establishing an ERM Framework
Several ERM frameworks have been advocated by consulting firms performing ERM advisory services, by professional associations, and by groups such as COSO (see sidebar, "ERM Resources").
Background on risk
ERM field research and case studies
William G. Shenkir and Paul L. Walker have written several books on enterprise risk management. Among them are:
With Thomas L. Barton, Shenkir and Walker have also written:
From the Committee of Sponsoring Organizations of the Treadway Commission (COSO):
From the Joint Standards Australia/Standards New Zealand Committee:
Most of the frameworks have the following essential elements:
- Clear strategies and objectives.
- Risk identification.
- Risk assessment.
- Risk response.
- Risk communication and monitoring.
Before launching an ERM program, the institution's board and executive management must champion the process and fully support the endeavor. Indeed, the ERM framework may be implemented at the senior level prior to moving to individual schools, departments, and supporting operations.
Clear strategies and objectives. The process begins with the unit that is implementing ERM articulating its strategies and objectives. If the focus of the review is the entire institution, then the strategic objectives at that level must be clearly stated to identify events that might prevent their attainment. The focus could also be a specific school, department, or process. Those responsible for achieving the objectives must fully understand their content before they can identify potential risks. An objective such as "we want to be the best department," for example, is not very clear.
Risk identification. The next step is to identify the significant risks that might threaten achievement of the strategies and objectives. Various techniques can be used at this stage, such as brainstorming, interviews, self-assessments, facilitated workshops, SWOT analysis, risk questionnaires, and scenarios. A combination of these techniques may be the best approach to identify the significant risks. The techniques selected must be implemented in an open environment where individuals can express their views about the risks to the organization without fear of retaliation. When rigorously and openly applied, these methods should uncover most risks facing the institution and should produce an institutional risk language.
The identification process can also be seeded by providing some general risk frameworks that are available from professional sources. In addition, studying loss-event data from other higher education institutions as well as from firms in the private sector may trigger the identification of risks that might otherwise be overlooked.
Risk assessment. The next step is assessing the risks. Assessment can determine both the dollar impact on achievement of the strategies and objectives and the related likelihood that the event will occur. The time horizon for this analysis should correspond to that of the strategies and objectives and can be qualitative or quantitative. Some risks (e.g., strategic and certain operational risks) are generally difficult to subject to rigorous quantification. However, consensus judgment and some data gathering can help determine ranges of impact from these risks. Having a sense of a risk's impact and likelihood can greatly improve management's decision making.
Once assessments have been made, they are plotted on a risk map, which provides a visual framework summarizing the risks. A risk map can serve as a discussion point between those involved in administration and those charged with governance. A risk map is sometimes referred to as a heat map, since the colors of red, yellow, and green are used to indicate risk zones (see Figure 1, Risk Map Template).
- Red zone risks have a potential significant impact and are highly likely to occur. Risks in this area require considerable attention by management to develop an appropriate mitigation response. For example, an objective assessment of an institution's reputation may reveal red zone risks that warrant immediate attention.
- Green zone risks, which have low impact and likelihood, do not warrant additional management attention. However, a review of the green zone risks may reveal that the expenses incurred in controlling these risks are excessive, which could lead to cost savings by streamlining control processes.
- Yellow zone risks present special problems and need to be monitored carefully. While some organizations focus on dollar impact from risks, other organizations consider how the risk affects reputation. For example, the higher-impact yellow zone risks could severely damage an institution's reputation if they occurred.
An assessment can focus on a single metric such as impact on the budget, on private fundraising, or on student applications for admission. In some instances, scales that combine several of these attributes could also be developed for assessment. After risks are assessed, it is important to consider how risks are correlated and how they can be managed across the enterprise.
Risk response. Using information from the risk identification and assessment process, management must decide what actions to take. A key element in these decisions is the institution's risk appetite, which is generally determined by the board and executive management and reflects the institution's financial and staff capabilities. It is possible that specific units may have different risk tolerances, but the individual tolerances overall should not exceed the institution's risk appetite. Failure to communicate risk tolerances to various levels of leadership within the institution can result in excessive risks being ignored or taken.
There are four main actions management might take in response to risk: avoid, reduce, share, and accept. For example, the academic leadership might choose not to offer a particular degree program in several foreign countries because the risks are too great. Or, the decision might be to mitigate the risks by limiting the number of countries in which the program is initially offered. Another mitigation alternative might be to offer the program jointly with another institution and thus share the risks. Accepting the risks could be appropriate when the institution has the financial and human resources to offer the program on a loss basis while it builds a reputation in the local student market.
When risks are plotted on a risk map, they are generally stated at their inherent level—before mitigation action—in terms of impact and likelihood. A risk map can be produced that shows the result of the risk mitigation action and the residual risk (see Figure 2, Risk Map Showing Mitigation Action). With this information, management may conclude that it can live with the residual risks, or it may decide to pursue further mitigation.
Risk communication and monitoring. Risk information, like risk maps and status reports on mitigation effectiveness, should be shared freely with those making decisions so that they are fully informed about the risks embedded in the alternatives they may be considering. In fact, upstream reporting is essential to consistent risk management. Risk information needs to flow to upper management in regular reports as well as across and down the organization. The owners of the risk then can monitor the status and make appropriate judgments about the effectiveness of mitigation actions.
The success of the communication and monitoring process is greatly influenced by the value and importance that the board and executive management place on the entire effort. To be effective, leadership should not allow individual units to expose the institution to excessive risks, nor should it overly manage smaller risks.
ERM Challenges on Campus
Institutions need to understand their strategies and objectives, identify and assess their risks, determine mitigation actions, and develop communication and monitoring plans. These are crucial foundational steps in ERM. Campuses also face unique issues that must be addressed. For example, colleges and universities must consider their underlying business (financial) model and funding sources. Is the model tuition-dependent? What are the key funding sources and how are they likely to change from year to year? University administrators should not be surprised by funding cutbacks when such reductions have occurred numerous times in the past several decades.
Related risks revolve around trends, enrollment patterns, international issues, and most recently, the financial crisis that emerged in the fall of 2008, to name a few. In the private sector, companies take a serious look at reputation risk and how to manage it. Reputation is a larger risk for some organizations than for others, but it is probably a major risk at most higher education institutions. Actions by key administrators, students, or student athletes can have a major impact on contributions. Institutions should always be aware that they are, in many ways, spending someone else's money—and with this awareness comes a greater sense of fiduciary responsibility.
A wise administrator once said, "The better you get, the worse the bottom line looks." As colleges and universities expand academic programs, hire new faculty, and increase physical facilities, they spend money, commit funds, and perhaps in the process deplete their resources. However, the upside of this risk is that it presents an opportunity to let stakeholders know that additional funding is needed to continue to build the institution's reputation.
Political risks also apply to many institutions. Campuses that have large endowment funds must continually fight the perception that as wealthy universities, they have a diminished need for additional funding. Politicians do not always understand that the money is restricted and is not sitting in one large bank account.
Another unique risk that colleges and universities encounter is their diverse set of stakeholders, which include donors, the community, the government—local, state, and federal—future employers, faculty, students, and parents. Several universities have initiated some form of ERM but have not yet attempted to view risk from the perspective of students and parents. A risk related to residence halls—safety, comfort, cleanliness, and convenience, for instance—may seem like a low priority to some university administrators, but is a major concern for parents and could influence admission acceptance decisions.
Thus, the stakeholders' views must be understood when making key decisions. Looking at corollaries in the corporate world, some major companies regularly study customers' views to help manage their risk, while others study the perceptions of those who do not buy their product in hopes of someday obtaining them as customers.
Administrator turnover and succession planning is another key risk that applies to many universities. Good administrators are hard to find and keep. Smart universities do not get caught with the top five administrators all between the ages of 65 and 70 without a plan in place to manage this transition. Long before Bill Gates was set to shift his responsibilities, Microsoft had considered key executive loss as a major risk. Wal-Mart aggressively prepares for manager turnover and can link metrics to increased shareholder value as a result of their efforts in managing this risk.
Monitoring is another critical, but slightly different, ERM component. Major corporations have boards with independent members, audit committees, and shareholder meetings. Government and stock exchange regulations partially control this aspect. However, university boards are not necessarily appointed to help monitor and provide governance. Some board members are political appointments that may only partially assume monitoring roles. Other individuals are appointed for their capacity as donors. Furthermore, even under the best conditions, monitoring cannot be effective if those charged with monitoring do not know the institution's risks or have the proper risk metrics to review.
The Journey to Risk Discovery
Enterprise risk management clearly applies to higher education. For public companies, a growing pressure exists to adopt ERM, and some of this pressure may roll over to higher education. The public pressure stems from companies completely missing some risks or managing them poorly.
There is also pressure to be more transparent with risks in order to compete for capital in a global market. For example, the Securities and Exchange Commission recently required publicly traded companies to disclose their risks in their annual SEC filings, while Standard & Poor's has announced plans to factor ERM into its firm ratings. Furthermore, institutions are now re-examining their financial arrangements in light of significant changes in the economic environment and to a number of established financial institutions.
As institutions consider whether or not to pursue ERM, some markers are available to assess where a campus stands on the ERM journey.
- Stage 1 is "nonexistent," in which organizations have yet to start an ERM process.
- Stage 2 is "preliminary risk awareness." Organizations at this point have become aware of some key risks but lack processes to integrate, assess, or monitor these risks.
- Stage 3 is "distinct financial risk and reporting process." This stage applies to those organizations that have a process in place for financial reporting risks and related controls only. Note that some of these processes and activities can be leveraged into an ERM process.
- Stage 4 is "distinct ERM process." In this stage, organizations have a process that manages the entire spectrum of risks.
- Stage 5 is "optimal ERM process," which describes organizations that have a fully integrated risk process that seeks to improve decision making and capture value. This stage also includes a process that links ERM to strategy, budgets, and corporate governance.
As an institution moves down the ERM path, it may find that some risks require immediate attention. While it may be unsettling at first to make such discoveries, this is the very point of engaging in ERM: to determine what risks an organization faces and what its leaders can do together to better manage those risks now. Considered in this light, what institution and board can afford not to know its major risks?
WILLIAM G. SHENKIR is William Stamps Farish Professor Emeritus at the University of Virginia’s McIntire School of Commerce, where he served as dean for 15 years. PAUL L. WALKER is an associate professor at the University of Virginia’s McIntire School of Commerce.
- NACUBO Expresses Concerns with ED Proposal to Expand Federal Financial Responsibility Rules
- IRS Proposes Modifications to 1098-T Reporting
- ED Policy to Require Annual Student Aid Compliance Audits Beginning FY17
- 2016 Intermediate Accounting and Reporting Fall
October 24-25, 2016
- ON-DEMAND: The CBO's Role in Diversity and Inclusion on Campus
- ON-DEMAND: The Clery Act: Strategic Planning to Mitigate Institutional Risk
- ON-DEMAND: Title IX: Key Issues Surrounding Institutional Compliance
- ON-DEMAND: NACUBO Live! Higher Education Accounting Forum
- ON-DEMAND: Responsibility Center Management: Two Different Perspectives