Develop an enterprise risk management (ERM) framework for your institution

Bruce Griffin

Chief Compliance and Risk Officer, Towson University

The views and opinions expressed are those of the author and do not necessarily represent the views or opinions of EAB.

Enterprise Risk Management (ERM) in higher education has grown for several reasons since the early 2000’s. Private, and some public, institutions have boards of directors who may choose ERM as a way to fulfill their fiduciary responsibilities along with an audit committee. Public university systems may require schools within the system to follow an ERM process to anticipate major risks and to promote stewardship of limited resources. For colleges and universities that borrow funds for capital improvements, a robust ERM program can signal to potential lenders and rating agencies that an institution is focused on positive outcomes by understanding and mitigating its risks.

Several benefits can be gained from a diligent ERM program and a written framework to support it. These include long-term sustainability through leadership changes, keeping the focus on important issues, (not today’s problem), breaking down silos, and preparing for and monitoring emerging risks. These are all benefits that can reduce overall costs and offer a competitive advantage.

There are two main standards for ERM programs to follow, and both have been recently updated. They are the committee of sponsoring organizations of the threadway commission’s (COSO) enterprise risk management—integrating with strategy and performance, and the international organization for standardization (ISO)—risk management. The ISO standard offers a concise reason for ERM to exist. “The core principle and purpose of enterprise risk management is to create and protect value.” In higher education, value can be research outcomes, community service, and of course, the value educated students bring to society.

The goal of my particular capstone project was to draft an ERM framework for my institution. I wanted to follow a recognized standard, make it specific to the culture and governance of my institution, and allow it to become part of existing management systems and policy. This requires a detailed document that includes existing processes as well as possible solutions for areas that have not been incorporated into our maturing ERM program. The president and our leadership team are supportive of improving our ERM program, not just to meet system-wide requirements, but to ensure we are meeting strategic goals of maintaining a sustainable university in multiple ways, including financial sustainability.

After reviewing both standards, I chose to most closely model the ISO standard as it was more flexible and relatable to higher education. The COSO standard is more closely aligned with governance for a publicly traded company. In three years our ERM program has begun to mature, thanks to a risk register process using a modified Delphi technique to develop consensus. Risk assessments and mitigation plans have been developed and updated by task groups that include primary risk owners along with those who can support mitigation strategies from across the university.

The draft framework is over 75% complete and while continuous improvement is part of the framework process, I would like to develop some solutions to better involve our shared governance bodies, as well as our strategic planning process in ERM before proposing it to university leadership.