Catching Greenlights: How to Build an Enterprise Risk Management (ERM) Program

Learn how one institutional system used the art of “catching greenlights” to develop its ERM program

The Art of Catching Greenlights

You may be asking what “catching greenlights” means in the context of enterprise risk management (ERM), and it is a good question to ask. Christine Packard of the University of Massachusetts (UMass) recently shared, during a webinar for URMIA members, how the perspectives she drew from Matthew McConaughey’s book Greenlights apply to implementing ERM in higher education, along with some of UMass’s relevant experiences in developing and implementing its systemwide ERM program.

As background for those who haven’t yet read Greenlights, McConaughey describes his many successes as moments when he “caught greenlights” on his life path and shares humorous but enlightening observations through what he terms prescriptions, notes to self, and bumper stickers. Packard applies these observations to ERM, interpreting greenlights as opportunities to gain traction in developing or enhancing an institutional ERM program, yellow lights as opportunities to pivot the approach as needed, and red lights as obstacles, many of which can be overcome. She discussed the art of catching greenlights in an institution’s approach to ERM, the skills necessary for leading ERM, and how to demonstrate the value of ERM.

Approach to ERM

There are two primary guidance sources for implementing an ERM program, COSO and ISO, but both were developed with the private sector in mind and are not specific to higher education. Many institutions also look to their peers to identify best practices and strategic approaches to ERM.

All of these are sound resources, but the best approach to ERM is YOUR OWN approach. Your ERM program has to work for your institution. Only you know what will get traction with your stakeholders and how to design your program to achieve your institution’s objectives. Adapt identified best practices and approaches to better fit your institution.

UMass caught greenlights for its ERM program by adapting the approaches it took to program governance, risk assessment methodology, and mitigation assessment methodology. In program governance, UMass turned the red light of inconsistent and disruptive participation in the ERM program into the greenlight of active, positive participation by formally defining membership, roles, and responsibilities. In risk assessment methodology, the institution turned the yellow light of loosely defined parameters in its risk assessment tools into the greenlight of strong, well-defined parameters, which enabled the creation of a baseline against which mitigation strategies can be measured. Finally, in the mitigation assessment process, it turned the red light of misalignment between risk assessment and mitigation assessment into the greenlight of an aligned methodology and assessment tool called MATRX, which evaluates the effectiveness of individual mitigation strategies, ranks them by degree of effectiveness, and demonstrates the overall reduction in risk exposure (residual risk).

Skills Essential to Implementing an ERM Program

Three skills were identified in the context of greenlights as essential to building an ERM program: navigation, timing, and soft skills.

  • Navigation Skills enable ERM practitioners to map out a path for their program that either avoids red lights or provides the agility to swerve as needed. As applied to ERM, navigation skills enable you to iterate while developing your ERM program. Navigation skills can include:
    • Building a strong foundation as essential elements of your ERM program. A strong foundation enables you to identify and navigate red and yellow lights and potentially turn them to greenlights.
    • Moving forward even when you do not have a reliable map, because getting a little lost along the way is all part of taking an iterative approach to ERM.
    • Learning from your wrong turns and subsequently updating your map.
    • Recognizing when you have to swerve, adapt, and change course.
  • Timing Skills enable you to recognize the relationship among red, yellow, and green lights and to determine whether those red or yellow lights will affect your ability to catch a green light up ahead. In the ERM world, that translates to:
    • Setting short-term goals with long-term vision and working on those goals in bite-size, attainable pieces.
    • Developing a regular cadence for your program. Engage all parts of your governance structure in regular meeting schedules.
    • Determining when a red light or yellow light may be a greenlight in disguise. Seize opportunities that may provide added visibility to your ERM program.
  • Soft Skills are critical to the ERM role, as the ERM practitioner role is truly one of facilitation. These soft skills include being able to:
    • Build relationships with internal and external stakeholders
    • Connect the dots among risk, everyday operational activities and your institution’s strategic priorities
    • Accurately and adequately define a problem to enable the identification of solutions
    • Navigate internal and external politics
    • Facilitate people and conversations
    • Shepherd the many and varying individuals involved in your program

Demonstrating the Value of an ERM Program

One of the best ways to overcome yellow and red lights is to demonstrate the value of ERM to your stakeholders. Packard shared the strategies of:

  • Providing consistency and repetition in messaging to ensure ERM remains at the forefront of stakeholder discussions. UMass ensures the risk registry is shared at the outset of each ERM meeting and presentation to ground discussions.
  • Leveraging ERM data in unique ways. Present your risk assessment data in ways in which your audience can relate. ERM is far more than a risk registry, so demonstrate how risk assessment data can be used to focus on a topic. UMass provided its newly formed executive compliance committee with risk data based upon the assessed compliance exposure (one of the consequence categories evaluated in their risk assessment process).
  • Proactively acknowledging what your ERM program can and cannot do. Be upfront with your audience to ensure they understand the scope and mission of your ERM program, including what is within the responsibilities of the program and what is not. Doing so can help reduce potential friction or confusion and makes ERM easier for them to understand. UMass shared the following as part of its program:
[Slide: bulleted list of what an ERM program can do and what it cannot do]

Hitting Greenlights in the Future

In the spirit of Greenlights, if you accept and embrace the challenges associated with building and enhancing an ERM program, you are enabling success. By identifying and adapting to red and yellow lights, you are paving a road full of greenlights for your ERM program.

1/29/2025

By Christine Packard, Assistant Vice President, Enterprise Risk Management, University of Massachusetts President's Office