What is ERM and Why Should We Care About It?

June 15, 2018

I received a call this week from a PAISBOA member who had an inquiry from a board member about Enterprise Risk Management (ERM). He was familiar with ERM from his work in the corporate world and wondered if ERM was being used in educational institutions.

While many independent schools and universities have audit committees and engage in risk management best practices, more and more are beginning to embrace ERM. Enterprise Risk Management (ERM) is defined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) as a process, effected by an entity's board of directors, management and other personnel which is:

  • applied in strategy-setting and across the enterprise
  • designed to identify potential events that may affect the entity
  • designed to manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

The principles of the ERM framework are organized into the following interrelated components:

  • Governance and Culture: Governance sets the organization’s tone; culture pertains to ethical values, desired behaviors, and understanding of risk in the entity
  • Strategy and Objective-Setting: Enterprise risk management, strategy, and objective-setting work together in the strategic-planning process. A "risk appetite" is established and aligned with strategy; business objectives put strategy into practice while serving as a basis for identifying, assessing, and responding to risk.
  • Performance: Risks that may impact the achievement of strategy and business objectives need to be identified, assessed, and prioritized by severity in the context of risk appetite.
  • Review and Revision: By reviewing entity performance, an organization can consider how well the enterprise risk management components are functioning over time and in light of substantial changes, and what revisions are needed.
  • Information, Communication, and Reporting: Continual process of obtaining and sharing necessary information, from both internal and external sources, which flows up, down, and across the organization.

How does this relate to independent schools and universities? A report from the Association of Governing Boards of Colleges and Universities (ASG) and United Educators outlines some best practices to consider:

  • Define risk broadly. Traditionally, institutions focused on financial risks covered by insurance. Current thinking defines “risk” as any impediment to accomplishing institutional goals. In a 2000 report, the National Association of College and University Business Officers discussed the “new language of risk” and identified five types of risk: strategic, financial, operational, compliance, and reputational.
  • Recognize both the opportunities and downsides of risk. Many colleges focus only on the downsides of risk. In addition, they should weigh risks against potential rewards. All successful organizations take risks, and the most promising opportunities often involve heightened risk.
  • Develop a culture of evaluating and identifying risk at multiple levels. Presidents and board members rarely see the first warnings of risk. Institutions need to identify and assess risks regularly at multiple levels so that the most critical ones filter up to top decision-makers.
  • Look at the total cost of risk. Risk is not just about dollars and cents. Institutions must consider all the consequences of risk. For example, in a lawsuit, there are litigation costs, but there are also non-monetary costs such as lost productivity, distraction from mission, and negative publicity.
  • Boards and presidents should collaborate. They need to engage in candid discussions at the strategic level, ensuring the success of the mission and stability of the institution.

Nancy Greene, CFO/COO of the Bolles School, asserted that risk across campus is an everyday reality for schools, large and small. In her presentation "Getting a Grip on Risk" at the NBOA Annual Conference this past spring, she shared the process and tools administrators at Bolles School developed to identify and manage their community's risks. Some of the takeaways included how to build a risk inventory for your school, develop ways to communicate with your board, and foster a "we're all in this together" approach to engage the board, faculty, staff and fellow administrators.

Put another way, according to COSO, ERM will help schools and universities:

  • More clearly connect enterprise risk management with a multitude of stakeholder expectations.
  • Position risk in the context of an organization’s performance, rather than as the subject of an isolated exercise.
  • Better anticipate risk so they can get ahead of it, with an understanding that change creates opportunities, not simply the potential for crises.

With a more holistic approach to risk, independent school and university leaders will be able to balance strategy, risk, and performance to make better decisions and, in turn, facilitate better outcomes.

PAISBOA is committed to working with member schools to advance their knowledge of ERM and will be providing programming to support those efforts with the PAISBOA Business Insurance Group and through our collaboration with ADVIS. Stay tuned for more information later this summer!

Take Advantage of the Power of the Flock!

