Carnegie Mellon University

Defining Enterprise Risk Management (ERM)

ERM is a business-continuous process, led by senior leadership, that extends the concepts of risk management and includes:

  • Identifying risks across the entire enterprise;
  • Assessing the impact of risks to the operations and mission;
  • Developing and practicing response or mitigation plans;
  • Monitoring the identified risks, holding the risk owner accountable, and consistently scanning for emerging risks.

From: "Risk Management - An Accountability Guide for University and College Boards." 2013 Association of Governing Boards of Universities and Colleges.

Enterprise Risk Management at Carnegie Mellon University

  • The purpose of the ERM program at CMU is to provide a comprehensive framework to proactively manage risks and opportunities that university leadership collectively agrees are the most important to the achievement of the institution’s strategic objectives.
  • ERM promotes an ongoing, risk-conscious culture across the university to enable decision makers to perform a risk-reward analysis of choices, and make decisions with an understanding of implications of such actions, while pursuing the mission and goals of CMU. It is not intended to be a one-time process or a prescriptive method for managing individual risks, but instead a tool for leadership to use in managing existing and emerging risks within their portfolio of activities.
  • A Risk Management Working Group, composed of a cross-functional representation of both administrative and academic campus leaders, provides strategic direction and insight to the Program. Among other duties, this group applies its expertise to an identified risk to assess whether the risk is actual or perceived, validates the likelihood and impact the risk could have on the university, and helps to prioritize risks based on their alignment with strategic priorities.

Benefits of the Program:

  • Identifying risks across the entire enterprise;
  • Assessing the impact of risks to the operations and mission;
  • Minimization of negative risks and enabling risk-informed pursuit of opportunities;
  • Enabling risk-informed decision-making across the university, empowering CMU to more fruitfully pursue strategic objectives.

Figure: Elements that comprise the Risk Framework

The ERM Framework at CMU

Definition and Scope of Risk

A risk is defined as any event or action, positive or negative, that affects the organization’s ability to achieve its objectives. In support of this definition, ERM addresses risks and opportunities that may have an impact on CMU’s strategic goals and objectives. ERM therefore looks across the entire institution using a forward-thinking approach and open communication. ERM also examines potential risks and opportunities arising outside the institution, including but not limited to those affecting peer institutions and higher education as a whole, as well as regional, national, and global risks that have the potential to affect both higher education generally and Carnegie Mellon specifically. ERM examines risk from these perspectives to capitalize on thought leadership, identify lessons learned, and benchmark against best practices. ERM examines potential risks and opportunities based upon the following risk categories:


Reputation

Risks or opportunities related to the university's reputation are inherent in all activities and encompass every risk category. Therefore, the reputation of the university is taken into account for every risk.

Life / Health Safety


Risks or opportunities related to injury, damage, or health and safety of the campus population, including impacts caused by accidental or unintentional acts, errors or omissions, and external events such as natural disasters.


Financial

Risks or opportunities related to physical assets or financial resources, such as: tuition, government support, gifts, research funding, endowment, budget, accounting and reporting, investments, credit rating, fraud, cash management, insurance, audit, financial exigency plan, long-term debt, etc.


Mission

Risks or opportunities related to CMU’s mission to transform the educational experience for students, to cultivate a transformative community, and to impact society in a transformative way – regionally, nationally, and globally.


Operational

Risks or opportunities related to the management of day-to-day university programs, functions, activities, facilities, and infrastructure (including technology), and to the efficient, effective, and prudent use of university resources.

Compliance / Legal


Risks or opportunities related to violations of federal laws and regulations, state laws and regulations, local municipal laws, case law, accreditation standards, university policies and procedures, and contractual obligations, including contractual agreements, employment contracts, and collective bargaining agreements.

Governance Structure - Three Lines of Defense

Figure 2: Three Lines of Defense

The Three Lines of Defense model is adopted by organizations to establish risk management capabilities. It distinguishes the areas of the university responsible for owning and managing risk, for overseeing risk, and for providing independent assurance over risk. Each of the three lines has direct accountability to CMU’s Executive Management Team as well as to the Board of Trustees Audit Committee. The maturity and effectiveness of ERM within the university is reflected in how effectively the Three Lines of Defense model is implemented: the greater the level of integration, the greater the likelihood of achieving a culture of risk consciousness and organizational resiliency.

First Line of Defense


The first line of defense owns and manages risks. Contrary to a common perception of risk management, individual risks and the controls that mitigate them are not owned by risk or compliance professionals. Rather, operational management and senior leadership are responsible for ongoing activities that include:

  • Owning and managing risks.
  • Identifying, assessing and mitigating risks.
  • Implementing corrective actions.
  • Implementing and maintaining internal controls.
  • Conducting evaluations of internal controls.
  • Executing risk and control procedures on a daily basis.

Second Line of Defense


The second line of defense oversees risks. Functions associated with risk, including Enterprise Risk Management, sit at this line. Functions of the second line of defense include:

  • Ensuring that operational management and senior leadership are implementing effective risk management practices.
  • Assisting risk owners with risk evaluation by taking into account the institution’s risk appetite.
  • Helping risk owners report risk-related information throughout the institution.
  • Providing updates on the status of risk and resiliency to executive management and the Board of Trustees Audit Committee.

Third Line of Defense


The third line of defense provides independent assurance. Internal Audit forms the third line of defense, and provides assurance on the effectiveness of governance, risk management, and internal controls. It assesses the effectiveness of the first and second lines of defense in achieving risk management objectives, and the effectiveness of the risk management and internal control framework.

Risk Identification and Prioritization

One of the simplest ways in which a risk or an opportunity can be identified is by asking the question, “What keeps you up at night?” Recognizing that this can produce a multitude of different answers, risks and opportunities can be framed by thinking about topics that have the potential to affect the institution’s strategic goals and objectives. Issues present within the university, the geographical region, peer universities, the higher education landscape, or throughout the nation and world could all have such an impact. Risks are identified through open, transparent, and collaborative communication, and are initially recorded as inherent or perceived risks. A risk is only confirmed once it has been assessed further to determine both the likelihood and the severity of its effect on the university, whether positive or negative.

Industry thought leadership and expertise pertaining to both enterprise risk and higher education can be excellent resources for understanding the risk landscape. These resources offer best practices that may help the university proactively escalate emerging risks with the potential to affect the institution. The Educational Advisory Board, external audit firms such as PwC and KPMG, The Chronicle of Higher Education, EDUCAUSE, and the University Risk Management and Insurance Association (URMIA) are such valued resources.

Following the identification of inherent or perceived risks, dozens of risks may have been brought to the attention of Enterprise Risk Management. In collaboration with the Risk Management Working Group, ERM prioritizes the risks with the greatest potential likelihood and severity from a life/health safety, compliance/legal, operational, financial, reputational, and mission perspective. The goal is to narrow the list of enterprise risks each fiscal year to 3-5 that will be prioritized for assessment with the appropriate Risk Custodian and Risk Owner. As a caveat to this approach, risks may materialize unexpectedly (the unknown unknowns), which might realign the prioritization for assessment and redirect resources to address them.

Figure: Risk Prioritization Pyramid

Risk Response and Management Actions:

For risks that have been identified, prioritized, and assessed, a response and management action plan is captured by ERM in collaboration with the Risk Owner(s) and their designated Risk Custodian(s). The purpose is to give university leadership awareness and transparency of the actions being taken to ensure that risks outside of the university’s appetite are managed to reduce their likelihood and severity of occurrence. Additionally, for risks that are outside of the university’s capability to manage effectively due to internal and/or external factors, the plan provides an opportunity to highlight any residual risk. Risk responses may include one or more of the following:

  • Accept: the risk and current mitigation activities are within the risk appetite of the university, and the risk will continue to be monitored for any changes.
  • Mitigate: the risk and current mitigation activities are outside of the risk appetite of the university, and the risk will undergo further mitigation and control activities until it demonstrates improvement through a reduction in the potential likelihood and severity of occurrence.
  • Transfer: the risk and current mitigation activities are outside of the risk appetite of the university, and the risk will be transferred, in whole or in part, to a third party to reduce the university’s exposure to its likelihood and severity of occurrence.
  • Avoid: the risk and current mitigation activities are outside of the risk appetite of the university, and the risk will be avoided by discontinuing the activities that give rise to its increasing likelihood and severity of occurrence.

Risk Management and Monitoring Report:

The Risk Management and Monitoring Report (RMMR) establishes a common language and clear ownership of action plans by capturing and reporting risk data in a consistent format.

Through training and awareness, Risk Owners and their Custodians are able to take independent ownership of, and accountability for, their risks through this method, and to continually track and monitor their risk management performance. A Risk Profile is also provided as a condensed, more visual report of each risk to complement the more comprehensive RMMR.