DEFINE RISK. TO AN INVESTOR WHO'S NOT SQUEAMISH, RISK MIGHT BE putting money into the commodities market, where prices go up and down on a daily basis. To a gambler at a blackjack table who’s down to only a small pile of chips but has a big pot staring him in the face, risk could mean asking for another card when he’s showing 17. Staying at 17 would be a very low-risk move on that particular hand, but it could mean losing more money overall.
To a college or university risk manager, identifying the major risks that might lurk around campus—such as a broken sprinkler system in a residence hall—and then fixing them protects the school from costly claims, thereby mitigating the risks.
This is the way a steering committee at Emory University in Atlanta defined risk in its planning stage at the launch of the university’s enterprise risk management (ERM) development program in 2006: “Risk, in one form or another, is present in virtually all worthwhile endeavors. We recognize that not all risk is bad and our goal is not to eliminate all risk, for by doing so we would cease all productive activity. Rather, our goal is to assume risk judiciously, mitigate it when possible, and prepare ourselves to respond effectively and efficiently when necessary.”
Shulamith Klein, senior director for the office of risk and insurance services of Emory University and Emory Healthcare, says that the underlying premise to the institution’s ERM process was a heartening jumping-off point for the 10-member committee. “The composition of the steering committee was the key to our salvation. The individuals had a very good handle on their respective areas of risk responsibility.” The group’s camaraderie is strong, and their meetings have become a “safe zone,” she adds. “There’s nothing we can’t discuss in a healthy, open, and meaningful way.”
That’s how Emory started its ERM program, which identified more than 550 risks during the first risk assessment go-round. As the steering committee refined that list, the number of risks dropped to 141. That was still too cumbersome, so they further shaved the list to the top 50 risks, based upon a frequency and severity analysis. That’s a much more manageable number of risks to monitor.
There are probably dozens of definitions of ERM, some much more jargon-filled than others, depending on whom you ask.
In a white paper on ERM published in 2003, a definition by former university risk manager Leta Finch contains the important concepts that still underlie the most successful higher education ERM programs. Finch, now executive director of the Higher Education Practice Group at A.J. Gallagher Risk Management Services, wrote that “ERM expands upon traditional risk management practices by taking a holistic, comprehensive, organization-wide approach towards managing risks.” That reflects the paths higher ed institutions follow when implementing an ERM process.
But today, any U.S. college or university that hasn’t already instituted some version of ERM is sure doing it now. The plunging economy has steamrolled through campuses, reducing already shaky budgets, decimating endowments, and making it difficult, at best, for schools to impose their usual annual tuition hikes. Recent reports have surfaced that question why the highly touted ERM programs haven’t protected schools from having to lay off employees, scuttle programs, and raise tuitions. “I don’t think it’s possible to have a fail-safe solid wall that protects us from every risk,” says Klein.
While some institutional risk managers understand ERM’s strengths, others believe it’s just too complicated, or they just don’t want to be bothered. After all, isn’t that what insurance is for?
About a year ago, during a break at the Risk and Insurance Management Society’s annual conference, a group of university risk managers were discussing common problems. An outsider spoke up: “What do you think about ERM?” A member of the group rolled his eyes, saying, “Don’t even talk to me about ERM.”
That’s been the problem with ERM. The concept has been around for years—expand your risk management analysis and identification across the institution and figure out, in advance, how to mitigate your risks should the unthinkable happen. But earlier versions of the ERM framework were presented in such a complicated format that it made it difficult to translate the concepts for many universities.
A veteran risk manager of a major state research institution with multiple campuses once asked a group of his peers, “Do you really expect me to stick my nose into every building on our campus, looking for risk?” That would be an overwhelming task anywhere.
This perspective highlights a misperception about ERM. It’s not as overwhelming as it may sound. Originally, the frameworks weren’t written for higher ed, and that was a major problem. As president and chief executive officer of United Educators, a risk retention group owned by its members that provides insurance for schools, Janice Abraham says the business world didn’t have a difficult time embracing ERM from a regulatory and good governance standpoint. However, educational institutions have been slower to look at ERM as an integrated business tool, as a way to help all the stakeholders—trustees, presidents, provosts, CFOs, department heads, and frontline supervisors—identify early warning signs of something that could jeopardize a school’s operations or reputation.
Vince Morris, director of risk management at Wheaton College (Ill.) and president of the University Risk Management and Insurance Association (URMIA), is somewhat skeptical about putting his resources into a formalized ERM format, instead calling it risk management “on steroids.” He believes he’s been practicing ERM all along, but more along the lines of former New York City Mayor Ed Koch’s well-known habit of walking around the city and asking people, “How am I doing?” Morris explains, “Our goal is to go to every department, every year—the physical plant, environmental and safety, fire safety, chemical storage, operations, business continuity plans, internal audits—and ask proactive questions.” Essentially it’s the management-by-walking-around method, or MBWA, as he calls it.
In its perfect form, ERM is:
— Strategic: high-level goals that are aligned with and support the institution’s mission
— Operational: ongoing management processes
— Financial: protection of institution’s assets
— Compliance-based: the institution’s adherence to applicable laws and regulations
Because reputational risk is also a major concern for universities (think Virginia Tech), any disastrous event in any of the above categories could seriously affect a school’s reputation.
The first official framework, and the first bona fide, broad-based introduction of ERM, arrived in 2004 when the Committee of Sponsoring Organizations of the Treadway Commission (COSO) expanded on an earlier report on internal controls. But the report, “Enterprise Risk Management—Integrated Framework” (with its 16-page executive summary), features a graphic of a three-dimensional colored box that is overwhelming by itself and is clearly designed for corporations, not higher education.
COSO’s model contains eight components: internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring. The report concedes that the “components will not function identically in every entity.” That alone has scared off a lot of university risk managers, even though they might want to incorporate some components in their own programs, using different terminology.
It seems so complicated to so many, especially for comprehensive and liberal arts colleges, Abraham explains. “The large research universities are much further ahead. ... All are adapting ERM to their specific uses, and no one is following a cookie cutter approach, which is something we encourage. It needs to be a tool that can be integrated into their regular planning, either annual planning or strategic,” she says. “Otherwise, we believe that if ERM is simply a new process, one of the ‘idea du jour’ concepts, then it will be dropped when the internal champion moves on.” According to United Educators, 29 research institutions of all sizes have implemented ERM programs (see the online version of this story for the list).
Within the past few years, administrators and boards (frequently made up of businesspeople whose companies have adopted ERM principles) have begun to embrace some of the ERM ideologies. Emory’s president, Jim Wagner, an engineer by trade, was attracted by ERM’s systematic approach, for example.
And when Steve Golding arrived at Cornell University in 2005 as executive vice president for finance and administration, he found the same standard structure typical of large, research universities, which are highly decentralized. “There was no overarching philosophy, how to manage the institution holistically, without changing the decentralized nature of the institution,” he says. Although risk identification was an ongoing process, “it had holes in the institutional level,” and he wanted the university to look at its risk management process holistically. “We’re making progress, but we still have a long way to go,” he admits.
Golding points to Duke University, the University of Pennsylvania, and the University of Rochester—all major research universities with medical schools. “The plan has to be tailored to the unique nature of the institution,” he says. The primary issue is how to pick and choose the risk management components of ERM that can be appropriately applied to your institution.
Golding describes Cornell’s overarching philosophy on institutional risk management (as ERM is known there) in this way: determining how the institution thinks about risk; creating the processes that hold people accountable; developing strategies and processes that identify the higher levels of risk; making sure the institution is taking actions to control risk; and having someone who takes the lead. In other words, hundreds of people are responsible for thinking about risk, from vice presidents and deans down to the people with functional responsibilities, such as the university police.
As with any structure, there are the purists who were early ERM adaptors (most from the corporate world) and have since become regular speakers for the cause at university conferences (they probably made other risk managers, who figured ERM would quietly go away, feel guilty). Other institutions, such as Cornell, have simply instituted the ERM philosophy, or expanded their current risk management programs. They may not call them ERM, though.
The traditional silo culture in higher ed nurtures innovation, creativity, and academic freedom, making the culture change required by ERM a slow, uphill battle—despite efforts in recent years to diminish silos. ERM essentially requires co-opting people from across campus. “You’re asking these same people to co-exist with the ERM philosophy,” says Allen Bova, director of risk at Cornell.
Of course, universities could not exist without their committees. Implementing a holistic risk management program is no different. Once the VPs, deans, and department heads are schooled on ERM’s advantages, they pass along this message to their staff and faculty, who then discuss through committees what kinds of risks exist in their individual departments and come up with ideas on how to mitigate those risks. In some cases, as the committee at Emory knows, the initial list of risks can be overwhelmingly long. The Emory committee pared it down to the top 50 based upon a frequency and severity analysis done with the input of executive leadership.
An ERM program must be overarching and holistic, but it must also be flexible enough to respond to any events or broader array of risks that might come down the pike. ERM is supposed to make your risks more predictable.
Could even the most well-thought-out ERM program have anticipated the worst recession since the Great Depression? No. As a tool, ERM has its role. But it can’t prevent an institution from losing money under all circumstances. Emory’s Klein believes the question shouldn’t be “Why didn’t ERM protect your pocketbook?” but instead “What does ERM do to help when there’s a problem?” She explains: “With ERM you feel more confident if you have a problem, because you have enough tools, resources, individuals, processes, and trigger points that enable you to get on top of a problem quickly.”
What ERM also does is modify a university’s culture, by the nature of its process, adding an element of elasticity. “The new culture [of ERM] means you’re more flexible in dealing with change,” says Richard Denning, chief executive of Shelter Island Risk Services, a risk consulting firm that is a unit of A.J. Gallagher. “ERM is crucial to be able to nimbly operate in times like this.” He suggests that schools focus on retaining students, which might mean instituting lower-than-usual tuition increases than in the past.
Face it: No institution is going to fix major financial woes in a year, or maybe even two years, or more. Denning advises looking at economic challenges as an opportunity to be more strategic—such as by offering more adult education programs at night that can bring in income. Institutions might even offer seminars on risk management for regional companies.
Right now, college and university leaders are scrambling to find every way possible to save money, from mothballing parts of their transportation fleets to shifting to e-mailing information instead of mailing it. “Everyone is evaluating everything they do,” says Bova of Cornell. “We’re charged with finding innovative ideas to try to save money.”
Susan Gurevitz is a Philadelphia-based freelance writer who specializes in covering risk management.