Article
Lessons from leading ERM programs in higher education
Apr 04, 2019 · Authored by
In November 2018, Baker Tilly was honored to co-convene the Enterprise Risk Management (ERM) in Higher Education Workshop with North Carolina (NC) State University’s ERM Initiative. This interactive event provided a unique opportunity for leaders from 30 institutions to share strategies for evolving their ERM approaches. The workshop engaged participants through a combination of group discussions and technical sessions facilitated by leaders from across higher education, including the following themes:
- Gaining practical insights from leading corporate ERM practices
- Evolving ERM in higher education
- Putting risk appetite into practice
- Leveraging the intersection of internal audit, compliance and ERM
Download our findings or continue reading below >
1. Gaining practical insights from leading corporate ERM practices
Boards and senior leaders across all industries are calling for more effective risk oversight. While practices and principles vary among industries and organization types, many common themes and leading practices from the corporate world can be leveraged to tackle the challenges faced in higher education. During the workshop, Mark Beasley, Director of the Enterprise Risk Management Initiative at NC State University, reviewed applicable themes from the corporate landscape that could also improve the effectiveness of higher education ERM programs. Shifting ERM’s focus from a more detailed, operational view to broader enterprise-wide issues (i.e., those with potential impact to mission) can increase ERM’s value-add.
Other key themes from Beasley’s presentation included:
Expanding your institution’s peripheral view
Many institutions fall into the trap of “knowing what they know,” or focusing on familiar risks based on their industry experiences, institutional structure and culture. However, in order to fully capture the current and emerging risks of an institution, Beasley encourages looking for “blind spots,” or hidden biases, when assessing an organization’s risk landscape. Institutions should consider expanding their peripheral views by leveraging risk events at other institutions and evaluating the likelihood of similar event occurring at their own institution? What would be the impact? Does your institution’s “blinders” prevent that risk from being mitigated sufficiently?
Defining the types of risks your institution is willing to take
The higher education industry is inherently in the risk-taking business – finding new ways to innovate and educate students, while pushing the boundaries of cutting-edge research. As such, institutions should consider not only what risks not to take, but also the risks, or opportunities, they should take. To appropriately evaluate these opportunities, it can be helpful to pinpoint ranges of acceptable and unacceptable risks for your institution. Since few metrics may initially exist to monitor these opportunities, consider a mix of qualitative and quantitative measures.
Seeking for the ERM program to be more advisory and streamlining communications
Simplifying your messaging and communications around risk can help functional leaders (i.e., risk owners) better understand the big picture that you are trying to capture for senior management and the Board. The approach should focus on collaboration and sharing insights from across the organization, providing a value-add advisory service to risk owners. In addition, according to Beasley, “more” is not always better when communicating and reporting to stakeholders. Instead, focus on identifying the top institutional risks (e.g., five to 10 significant risks) and providing impactful, informative visuals for reporting.
2. Evolving ERM in higher education: the case for change
Developing and maintaining a successful ERM program is an ever-evolving process. During the workshop, participants shared their personal experiences, goals and challenges related to implementing and maturing their ERM programs. One higher education ERM leader provided participants with a historical roadmap that demonstrated the institution’s evolution from simply defining and describing risk, to developing a targeted strategy for evaluating risks and prioritizing resources to address these risks across the institution.
The evolution of this institution’s ERM program centered on the development of a common risk language and the implementation of an assessment tool to help stakeholders understand the institution’s parameters for risk. This included development of a common format for creating risk profiles, to be completed by the risk owners. Components of the risk profile include:
- Potential risk indicators (i.e., symptoms, triggers, performance indicators)
- Potential impacts (i.e., financial, operational, safety)
- Mitigation priorities (i.e., actions to be taken)
- Desired outcomes (i.e., risk reduction target)
The assessment tool enabled effective risk discussions across historically siloed functions. These discussions highlighted the importance of engaging stakeholders in the ERM process and making ERM a shared responsibility. Facilitated, active engagement of leadership and risk owners helped drive momentum and elevated how ERM was viewed at the institution – as adding value and enhancing productivity.
3. Putting risk appetite into practice
Discussing, evaluating and setting the institution’s risk appetite should be a core consideration of any ERM approach. While an institution’s ability to define its risk appetite may vary based on the maturity of the overall risk program, participants discussed common considerations for putting risk appetite into practice, including:
- Establishing and communicating a risk appetite statement(s)
- Developing a process to continually evolve the statement(s) based on changes in internal and external factors (e.g., regulatory and compliance implications, risk events)
- Creating risk descriptions based on the likelihood and impact of a risk
- Building actionable criteria for evaluating and addressing risk and risk-tolerance levels
- Engaging leadership to understand and consider emerging and evolving risks
- Integrating a risk management strategy within the institution’s strategic planning process
Upside of risk: questions to consider when evaluating opportunities
- How do you differentiate opportunities from threats?
- How do you evaluate opportunities once they have been identified?
- What opportunities could be realized in areas with limited resources?
- What is the cost of not taking the risk (e.g., opportunity to innovate)?
- What past opportunities do you or your institution regret not taking?
4. Leveraging the intersection of internal audit, compliance and ERM
Evaluating the intersection of internal audit, compliance and ERM can identify opportunities to enhance value to the institution. Rather than viewing these functions as silos, many institutions have begun to embrace the synergies that can be realized across these important functions and leverage them to create a new paradigm for supporting effective risk management. Some of the common intersections of these functions include:
- Identifying risks
- Performing risk assessments
- Evaluating and prioritizing enterprise-level risks
- Monitoring and communicating risk mitigation efforts
- Providing training and education related to key risk areas
About the ERM in Higher Education Workshop
The ERM in Higher Education Workshop brings together enterprise risk management leaders from colleges and universities across the nation. Annually, the workshop features real-world illustrations of university ERM implementations along with discussion sessions about ERM challenges and successful practices. Co-convened by the ERM Initiative at NC State University and Baker Tilly, this intimate and interactive environment promotes interaction among attendees and speakers, and allows a greater sharing of experiences with colleagues.
For more information on this topic, or to learn how Baker Tilly specialists can help, contact our team.