The University Risk Management and Insurance Organization (URMIA) is the key source for higher education risk management information. Following the passage of the Sarbanes-Oxley Act of 2002 (SOX), URMIA realized that organizations of all types, including institutions of higher education, are in a new world of risk. In response, URMIA appointed a task force of Risk Managers to prepare this white paper about ERM for institutions of higher education. The purpose of this white paper is to provide URMIA members and institutional colleagues with a better general understanding of ERM and to provide a set of resources available for structuring and implementing an ERM framework at member institutions. This white paper also includes appendices describing how several universities have implemented ERM.


In the 1980s, long before SOX, several significant business failures occurred as a result of high-risk financing strategies. These failures, among others, have placed a greater focus on improving overall risk management practices for organizations of all types, including institutions of higher learning. Several organizations related to educational institutions, such as the Association of College and University Auditors (ACUA) and the Public Risk Management Association (PRIMA), are recognizing the need for more effective risk management practices. These organizations are tracking ERM-related developments in the broader corporate sector and looking for ways to implement many of those concepts for institutions of higher education.

One of the more recognized ERM frameworks was issued in 2004 by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). COSO, which is sponsored by the American Institute of Certified Public Accountants (AICPA), the American Accounting Association (AAA), the Financial Executives Institute (FEI), the Institute of Internal Auditors (IIA), and the Institute of Management Accountants (IMA), defines ERM as “a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.” In addition to COSO, other organizations have issued thought-leadership documents that generally offer similar views of ERM, which together are creating a commonly recognized vocabulary for organizations of all types to consider ERM practices.

Need for ERM in Higher Education

The following drivers are increasing pressure to transform risk management for institutions in higher education:

  • Fierce competition for faculty, students, staff, and financial resources.
  • Pressure for increased productivity, responsiveness, and accountability while reducing costs.
  • Increased external scrutiny from government, the public, governing boards, journalists, and taxpayers' rights groups.
  • Powerful new technologies that require significant investment of both financial and human capital resources.
  • Rapidly increasing entrepreneurial ventures beyond the traditional educational venues that create stresses and strains on traditional administrative and financial infrastructures.
  • Increased competition in the marketplace.
  • Increased levels of litigation in general and internally, with ever-increasing levels of financial competition.

Strategies to address these drivers for change are introducing more complex risks for institutions of higher learning.  Leaders are in need of techniques to manage the complex portfolios of risks they now face.  Many are turning to ERM to help them establish a more robust risk mindset because it helps link institutional governance, risk management, and the strategic goals of the institution. Leaders are beginning to find that ERM is an effective method to manage all the risks that exist on a college or university campus.

ERM can help the management of a university or college in its efforts to:

  • Sustain its competitive advantage
  • Solidify its integrity and reputation
  • Respond effectively when a significant event occurs
  • Avoid financial surprises
  • Effectively manage all of its resources

Finding an ERM Framework Relevant to Higher Education

The white paper notes that the first step to implementing ERM is the selection of a conceptual framework to provide an overriding structure to help develop a more robust view of risk oversight – one that extends far beyond the traditional university risk management practices.  The framework provides an overall structure, while at the same time preserving the need for customizing ERM practices to take into account the institution’s goals, objectives, management culture, and philosophy.  The white paper identifies several alternative frameworks, in addition to the widely embraced COSO ERM framework, that provide relevant guidance to those leading the launch of ERM.  While many may view these frameworks as applicable to the for-profit setting, these frameworks have been developed for enterprises of all types.  That is, they lay out fundamental concepts that are relevant to all.

Some schools appoint a Chief Risk Officer (CRO) to oversee the implementation of ERM. The person in this position is able to encourage and facilitate the entire organization to integrate thinking about the costs and benefits of taking risks, and how to manage them, through the entire strategic planning process. The CRO is different from a more traditional risk manager. The CRO serves as the institution’s risk champion, encouraging and facilitating an enterprise-wide view of risks and helping lead thinking about the costs and benefits of taking risks, and how the institution manages risks through a strategic process.

Applicability of ERM in Institutions of Higher Education

Critics may challenge the applicability of ERM for institutions of higher education, based on the view that ERM is only relevant for the for-profit world.  Most argue that such a view is denying reality.  Enterprises of all types, including those in higher education, operate in a fiercely competitive landscape whereby they deploy various strategies to meet their objectives.  In doing so, they, like any other enterprise, face tremendous amounts of risk and uncertainty.  ERM helps provide them greater risk intelligence to more effectively navigate those risks in order to increase the odds that they meet and exceed their objectives.

The Appendices in this White Paper

The appendices include several case study examples that describe how other schools have implemented ERM. Schools included are Auburn University, Penn State, Maricopa County Community College District, and the University of California. The appendices also include a section on suggested tools, references, and resources for more information, and a glossary of common terms associated with ERM.


Auburn University

This segment was written by the Executive Director of Risk Management and Safety. She describes how she became gradually aware of and interested in ERM. The author partnered with the Executive Director of Internal Auditing to develop a model based on the ERM implemented by the CRO of Wal-Mart. The goal was to help risk owners analyze the risks facing them, using an anonymous voting system called “Resolver Ballot” and a Microsoft Excel spreadsheet. Respondents ranked risks in terms of impact and likelihood.

Penn State

This segment was written by Gary Langsdale, University Risk Officer. The investigation of ERM at Penn State was led by senior financial leadership of the University who had read and heard about ERM and wanted to investigate further. The University Risk Officer and the Director of Internal Audit were both hired in 2003 and were asked to investigate ERM for Penn State. They developed the “ERM Key Initiative of 2004-2008 Strategic Plan.” The intention was not to provide a rigid risk management structure, but to provide tools for use by leaders and managers at the University.

Maricopa County Community College District (MCCCD)

This segment was written by Ruth Unks, Risk Manager. In 1999, the Chancellor created a task force to identify the District’s top risks. The task force identified 80 risks and prioritized them. In 2003, the Chancellor merged the enterprise risk management committee and the Risk Management Advisory Committee to ensure coordination and consistency in the development of a strategy for risk management within the District. The merged committee is called the Maricopa Integrated Risk Assessment (MIRA) and is led by Ms. Unks, who is also assigned to lead the development and implementation of a multi-year plan. A five-year implementation plan was developed to guide the MIRA project.

The plan has five sections:

  • Project Planning
  • Evaluate the MCCCD’s Environment and Strategy
  • Develop a Comprehensive Risk Framework and Process for Evaluating and Prioritizing Risks
  • Review Risk Financing/Mitigation options
  • Develop a Risk “Nervous System” for Communicating, Reporting, and Monitoring

Ms. Unks also describes several specific challenges they faced as they attempted to implement ERM, and then describes the many accomplishments the MIRA committee has already achieved, despite the challenges. 

University of California

This segment was written by Grace Crickette, Chief Risk Officer. The University has been moving toward an ERM approach since 1996. They are following the framework advocated by COSO. Their timeline was as follows:

  • Regents adopt COSO framework (1996)
  • Controller positions established at each campus (late 1990s)
  • Several campuses develop ERM initiatives (2004-present)
  • Chief Risk Officer (CRO) position established (December 2004)
  • ERM panel formed to develop an ERM strategy (June 2005)

The CRO was hired from the private sector and was experienced in using the COSO framework to implement ERM for private industry.

Since the campuses and medical centers in the UC system operate with a high degree of autonomy, ERM efforts have been largely locally driven. Many of the campuses already have ERM groups and others have expanded risk groups to include ERM. Centralized ERM activities are being driven by the CRO with an ERM panel including management representatives from the Office of the President and the various campuses.

Link: ERM in Higher Education, White Paper issued by the University Risk Management and Insurance Organization, Bloomington, IN, 46 pages, September 2007.


ERM Enterprise Risk Management Initiative 2007-09-01