Navigating Risk Management Challenges in Today’s Highly Complex Environment
In 2008, East Carolina University (ECU) was deep in a period of unprecedented growth, embracing ambitious strategic objectives that would not only present fantastic opportunities, but could also potentially strain the university’s administrative support structure and create gaps in oversight. Institutional leaders looked to enterprise risk management (ERM) to help navigate the increasingly complex operating environment and help augment traditional risk management and compliance functions by creating a more formal and proactive approach to risk identification, treatment and communication. In this interview, ECU’s Chief Risk Officer Tim Wiseman—an energetic former Army colonel with financial and risk management credentials—reflects on the university’s decision to implement an ERM system and shares his thoughts on the value of ERM in supporting institutional management in today’s highly complex era.
The EvoLLLution (Evo): What is unique about enterprise risk management in a higher education environment?
Tim Wiseman (TW): I often tell people that higher education institutions offer a risk environment similar to a layered cake in the dessert world. Not only do colleges have the usual risk management challenges associated with large, complex and diverse organizations from purely a business perspective, but they also have the additional considerations of having a large number of young adults concentrated in a relatively small geographic area; shared governance between appointed trustees, faculty, students and administrators; and a diverse group of stakeholders with different ideas about priorities and direction.
Decisions in any one department, school or business unit can have a ripple effect on many other parts of the institution that may not be fully understood and anticipated because of the complexity of the enterprise.
Evo: What led ECU to implement a formal ERM program?
TW: Several key members of our board of trustees and our chancellor were aware of the advancement of enterprise risk management concepts and models in the private and corporate sectors. There was clearly a growing need at ECU for a process that would help elevate risk information to senior leaders and governing board members for their awareness and consideration in both strategic decision making and resource planning. Growth of the university and regional engagement also demanded more attention to related risk exposures and improved regular inter-departmental communication about risks. In addition, our internal audit department also recommended the adoption of ERM in a quality assurance review. These things all led to the launch of our ERM program implementation initiative.
Evo: How has ERM added value to the institution?
TW: Our ERM program has provided a forum and process for regularly reviewing the most significant strategic, financial, operational, compliance and reputational risks and developing coordinated and holistic responses to them. ERM allowed us to move from traditional defensive risk postures and crisis response to a more methodical and forward-looking approach. We’ve developed a comprehensive two-year ERM activity rhythm which includes risk identification and prioritization processes, risk plan development and regular summary reporting to senior executive leadership and our board of trustees audit committee.
Having a distinct risk management framework and process for the entire enterprise has changed the culture and reduced communication barriers that previously existed. We’ve seen that having a formal ERM program in place is a positive indicator of institutional control when reviewed by auditors and bond rating agencies alike. The ERM program has led to efficiencies by reducing the amount of time our internal audit staff spends on risk assessments and allowing them to focus on higher-priority audits. Lastly, ERM can coordinate multi-disciplinary efforts to tackle emerging issues that don’t fit nicely into any one department or business unit.
Evo: What would your response be to critics who think ERM principles and activities are already adequately addressed in conventional risk management, audit and legal compliance functional areas?
TW: If you look closely at the main areas of concentration for traditional (hazard) risk management, auditing and legal services, you can see that there is a need for a larger overarching function that addresses risks across the enterprise. We’ve found that ERM provides an important triage for emerging risks and areas of concern that is less formal than an audit or legal review. This additional consultation option can be very helpful to senior administrators as they are constantly trying to put things into the proper relevant context to support decision making and response.
I like the analogy of shingles on a roof. They overlap a bit, but collectively prevent gaps and leaks that could damage the house. So it is with ERM, audit, legal services and traditional risk management and insurance services. All have their important primary roles that must be performed and respected, but working together, they provide great protection and assurance for the institution at strategic, operational and frontline levels.
An effective ERM program framework also allows institutions to assess larger enterprise-wide risks regularly and more methodically.
Evo: Having successfully developed and implemented an ERM program at ECU, what advice would you give to others who are pioneering ERM efforts in higher education institutions?
TW: I think ensuring that you have a clear and genuine mandate from the most senior levels of your institution to embark on the ERM program implementation journey is critical, and this includes making sure that the definitions of risk, enterprise risk management, and the vision of what is intended to be the result of putting an ERM construct in place are identical or nearly identical for the core champions starting out. Even small differences in opinion will grow to be very divergent gaps later if not attended to up front in the concept development phase.
I also strongly advocate using the ISO 31000 Risk Management Standard (my personal preference), or the COSO Enterprise Risk Management Integrated Framework as a foundation for building and tailoring an institution’s ERM program. This is critical to help maintain credibility for the effort and activities, and to avoid the ERM initiative being hijacked and redefined along the way by any particularly influential or powerful leaders within the organization to suit another agenda or purpose.
Be advised, though, there will need to be some translation of concepts and approaches from these reference frameworks to make ERM work in a higher education environment. Be patient! Changing the culture and building institutional risk awareness and risk intelligence takes time. It took ECU five years to get the foundation in place and to replicate some of our activity cycles. We’re now past the implementation phase, and are focusing on maturing and sustaining the effort. We still have to circle back regularly to refresh the current cast of players on the fundamentals of ERM and the expectations and roles of process participants. Be tenacious.
Author Perspective: Administrator