    January 2017

    Learn How to Build an ERM Program From Scratch

    Do you want to develop an enterprise risk management (ERM) program on your campus? Are you puzzled about where and how to start? It’s a big task, but it’s not impossible, as Claremont Graduate University (CGU) discovered. 

    A two-person team, Arturo Rodriguez, assistant vice president for Finance and Administration, and Carrie Herr, ERM program coordinator, built CGU’s robust program from scratch. They did it on a shoestring budget in approximately two years, Rodriguez said. You can learn from CGU’s experience by following these tips. 

    Capitalize on a “sentinel event.” A major negative, or sentinel event, such as a sexual assault allegation or severe athletics injury, could convince an institution to launch an ERM initiative. CGU’s catalyst was discovering that it had awarded financial aid that exceeded the budgeted amounts, resulting in a significant deficit at the end of the fiscal year. A new board member, who was experienced in risk management and internal audits, asked why the problem wasn’t detected earlier and insisted on implementing ERM to understand and evaluate CGU’s risks. Rodriguez, who was charged with creating the program, began by reading extensively about ERM best practices at other schools. This approach enabled him to consider a range of practices that might fit CGU’s culture and needs.

    Choose first steps strategically. At CGU, Rodriguez and Herr began by taking stock of institutional policies, which required a centralized storage system with easy access. They cleaned up and transferred CGU’s policies to a cloud-based server before beginning departmental risk assessments. This enabled the administration to see a tangible product early in the process and laid the groundwork for future visibility of the emerging program.

    Use mixed methodology to perform risk assessments. An important benefit of mixed methodology—which incorporates two or more evaluation methods and usually includes both qualitative and quantitative data—is that it increases confidence in the assessments’ validity and reliability. Rodriguez and Herr use a qualitative employee interview format for risk identification. Then, in the quantitative component, employees are asked to rate the risks they identified for likelihood and potential impact based on Likert scales (1-5 rankings). Rodriguez and Herr then create a risk register using data from the interviews and a heat map—a graph showing the likelihood and severity of risks—based on the Likert scores.

    Structure interviews to alleviate anxiety and encourage communication. Employees may be suspicious and reluctant to participate in interviews. To combat this, carefully consider which interviewers will speak to which employees, as high-ranking officials may inadvertently intimidate some employees. Through trial and error, CGU discovered that interviews were more effective when Rodriguez, as an assistant vice president, interviewed employees at vice president rank and above, while Herr, as a program coordinator, interviewed everyone else (i.e., all employees in departments of 20 or fewer and a random sampling of larger departments). Interviewers may need to convince employees that the risk assessment’s purpose is not to eliminate their jobs. They should make clear that ERM interviews are confidential, which makes it easier for employees to speak candidly. Finally, it can be helpful to adopt CGU’s practice of asking primarily open-ended questions, including, “If you could say anything to the president, what would it be?” This is important because employees often feel that upper management does not listen to them, Rodriguez and Herr said. Employees express their concerns more freely with assurances that their comments are confidential and will go to the president and the board.

    Provide regular progress updates. Institutions should provide regular ERM updates to keep the board and administration informed and overcome any resistance within the wider campus community. CGU’s board receives a quarterly ERM update for each department, consisting of the comprehensive risk register, heat map, and a compilation of “other” comments, including suggestions for the president. After Rodriguez and Herr complete their second round of departmental risk assessments in 2017, they plan to provide “trend” reports that compare changes in risks from one year to the next, which will help the board evaluate ERM’s impact. In addition, Rodriguez and Herr constantly remind the campus community about the project’s purpose and importance.

    Going forward at CGU, Rodriguez and Herr hope to focus regular attention on students as well as employees. Students—the institution’s customers—are valuable sources of information about risk because they typically know about not only hazards like cracked sidewalks, but also problems like faculty classroom misconduct. CGU has already seen an encouraging culture change among employees, who are more willing to share concerns and suggest improvements. 


    Claremont Graduate University Office of Enterprise Risk Management
    A Wake-up Call: Enterprise Risk Management (ERM) at Colleges and Universities Today

    By Hillary Pettegrew, senior risk management counsel

