Insights

Analyze different models and rationales to find the best home for your institution's ERM program                                                                                                                                                                                                        

Success Is Impacted by Where ERM Lives

An enterprise risk management (ERM) program doesn’t always fit neatly into an organizational chart. In fact, according to COSO, “Enterprise risk management is not a function or a department. It is the culture, capabilities, and practices that organizations integrate with strategy-setting and apply when they carry out that strategy, with a purpose of managing risk in creating, preserving, and realizing value.”¹ ERM’s value is hard to question. When successfully implemented, it can serve as a roadmap for decision-making for executives like university provosts, presidents, and boards as a pillar of strategic planning. However, the principle to this value statement is the idea that the program has to be successfully implemented and one major piece of program implementation is finding the program’s right “home.” So where should ERM live to have the highest chances of success?

There are numerous models in higher education for housing risk management and compliance functions and there are long lists of pros and cons associated with each of these configurations. ERM can easily align with business functions like compliance, insurance, and audit and have done so successfully in many organizations. But what happens when it embeds itself into an operational unit like health and safety? Does that provide additional outlets and resources to a broad effort like ERM or does it feel like the program ended up in a parking lot? I’m betting that its alignment with health and safety is an operational win and here is why.

Calling Health, Safety & Risk Management Home

At the University of Minnesota, ERM is integrated with departments such as Environmental Health & Safety, Radiation Safety, Biosafety, Emergency Management, and Building Codes in a department called Health, Safety & Risk Management. Part of the reason for this alignment hangs upon our cross-cutting mission of risk reduction, mitigation, and promoting safe, compliant programs. At Minnesota, Health and Safety staff are embedded on all five campuses and core safety teams work directly with academic and operational units to understand their risks and work cooperatively to fill those gaps. Environmental health and safety units have historically been a prominent component of a risk management strategy, so why not also serve as the risk management home?

Figure 1: Health, Safety & Risk Management (HSRM) Organizational Chart

Another reason that the University of Minnesota opted for this alignment was the idea that programs or initiatives that are separate from the action can struggle to gain traction because of their distance from the work. This distance not only makes risk identification and analysis more challenging but it may also make establishing trusted networks difficult. On the flip side, operational-level programs may know too much about an organization and, at times, struggle to see the big picture, potentially creating unintended negative consequences to enterprise-level analysis. Credibility is a critical ingredient to building a value-added program and its importance was a driving factor in deciding on an ERM home.

The Logic Behind ERM Placement

In industry, most ERM functions live within the chief financial officer’s suite. There are obvious reasons for this placement such as the broad exposure to the organization, the link between risk and financial loss along with the budgetary and financial impacts of strategic planning. In higher education, ERM alignment with finance and audit is common with a few notable early adopters that have a more mature organizational structure, such as Stanford University. A 2023 op-ed article by Clifford Rossi from the University of Maryland notes, “While there is no best way of structuring an ERM function, Stanford’s approach is a good model that includes separate functions for ERM, Internal Audit, Risk & Insurance, Ethics and Compliance, Privacy and Information Security.”² Perhaps pairing ERM with like compliance and regulatory functions, such as health and safety within a university, follows a similar logic as noted by Rossi.

In contemplating an organizational home for ERM, one major bonus to adding the program to an operational unit is the ability to capitalize on the manpower available in a larger department. Most university and college ERM departments have limited resources with one to two FTEs comprising the program. This staffing model can deeply constrain the breadth and reach of ERM teams as their capacity is limited and the program ‘ask’ is never-ending. Integrating ERM within a broader department could allow for cross-functional training and a greater breadth of reporting by utilizing staff in the field. Additionally, having some lived operational and academic experience within the teams could help add context and depth to risk reporting and analysis and at times provide those all-important networks to departmental contacts.

A Piece of a Larger Puzzle

In the end, what’s most important in this analysis is understanding how to provide an environment where ERM is best positioned to be successful. With many schools and colleges constantly restructuring to account for years of budget cuts, there is limited capacity for anything extra. How do we balance our intention to add value with our limited resources to build a home and program? As we work through these early stages at the University of Minnesota, I’m starting to realize that while the institutional home is a component of this program’s success, it’s just a piece. Maybe the real question is how we collectively bring ERM programs to life so that they are engrained within the culture, governance, operations, and planning. Doing this could ensure that we aren’t seen as “just another report,” but rather as a team that offers valuable insight and guidance and, most importantly, positions our team as a valued strategic partner.

References:

¹Committee of Sponsoring Organizations (COSO). “Enterprise Risk Management Guidance.”

²Rossi, Clifford. Op-ed: “The Case for Enterprise Risk Management in Higher Education.” University of Maryland, Robert H. Smith School of Business. December 11th, 2023.

Insights Home