It could be argued that the industry that has been slowest to embrace ERM concepts is academia. Red tape and a status quo mentality seem to hang over campuses around America when it comes to risk management. However that could be changing as schools like Duke University illustrate.
Universities are large, complex organizations. Duke for example, has annual revenues of $2 billion from the university as well as the University Health System to go along with an endowment of $7 billion and $500 million of federal research grants. Needless to say, handling all this money comes with inherent risks. There needs to be a process in place for universities to handle these risks.
However, since places like Duke and the University of Washington have already learned many lessons they have made public, college and universities that are looking to implement ERM on their campus.
Assigning Risk Owners
One of the first major milestones that Duke reached was defining who was responsible for handling certain risks. Many times it was not clear who was responsible for being a risk owner of a certain area. No one was able to be subjected to the consequences of a risk either being handled well or poorly. At this point, Mike Somich, the head of internal audit at Duke and original proponent of ERM there, began his crusade for having a strong tone at the top. If managers saw their administrators accepting risk ownership roles and making ERM a priority on campus, then it would become important to them as well. By taking this first step of assigning risk owners, both managers and administrators were able to get on the same page about what risks the university faces, who should be responsible for handling each risk, and how it could affect the strategic mission of the University.
The complexities of a large campus, especially a research campus, make prioritizing risks difficult, especially because everyone thinks that their department’s risks are the most important. This is why Duke found it so important to have upper management involved in their ERM process. They were able to see which athletic, academic, research, or medical risks were most prominent at an enterprise-wide level. This is important for universities to do so that a “fly isn’t swatted with a hammer.” In order to do this, a heat map which measures likelihood and impact of risks assisted Duke quite a bit.
Involve the Board of Trustees
Many members of a University’s Board of Trustees have been involved with increased strategically based risk discussions in their business careers, and therefore can bring a plethora of experience to the school. They can also push the school to do more when it comes to risk management and hold it to the same standards stockholders expect of management for publically held companies. However, the board must be very careful not to cross into micromanaging risks and preventing the University from taking strategic risks in order for potentially great gains.
Don’t Move Too Quickly
Implementing an ERM process across a university is a daunting task and it is tempting to cut corners or to attempt to move fast in order to get a robust process moving quickly. However, small steps need to be taken to ensure that each step is fully completed and done correctly before moving onto the next step.
These lessons, among others, can be very helpful to anyone trying to implement an ERM process.
To purchase a copy of the full article go to New Strategies for Managing Risks: A Balancing Act for Boards