Learn from others’ experiences in starting an ERM program.
A Slow Start for Both
If the processes at Carnegie Mellon University (CMU) and the University of Pittsburgh (Pitt) are any indication, starting an Enterprise Risk Management (ERM) program at an institution of higher education may not have just one starting date. Both universities initiated ERM programs 13-15 years ago and learned that developing an ERM program that is the right fit for its risk stakeholders and leadership is a process that evolves over time.
Fast forward to 2022 and the programs are now in their toddler/youth stages following revamping efforts at their respective universities. Here's a look at the programs at these two universities: Carnegie Mellon University's Melanie Lucht shares how CMU has approached ERM and University of Pittsburgh's Mark Anderson provides an overview of how Pitt has structured its ERM initiative.
Carnegie Mellon University's ERM Program
The primary goal of Carnegie Mellon's ERM Program is to support organizational resiliency with a risk conscious culture that aligns to the strategic mission and values of the university.
The ERM framework is an annual cyclical process, starting with a review and refresh of our overall risk appetite. Discussions are facilitated with university leaders to sense, identify, and prioritize potential areas of enterprise risk for assessment and risk treatment strategy development. Emergency preparedness and response, business continuity planning and exercising, and opportunities for process improvement are also a part of the framework with the goal toward risk consciousness and organizational resiliency.
ERM Governance Structure
The ERM governance structure at Carnegie Mellon has the traditional three lines of defense: management control, risk and control monitoring, and internal audit, yet also includes a unique aspect in that first line of defense — the Risk Management Working Group.
When CMU restructured its efforts around ERM five years ago, a steering or advisory committee was purposefully avoided. Instead, we wanted risk stakeholders and subject matter experts who would take on a sense of ownership in how ERM across the institution was going to be advanced, including the establishment of a common language. Vice presidents were asked for a delegate from their teams who would represent their interests in the Risk Management Working Group, which meets on a quarterly basis.
The Risk Management Working Group is comprised of a cross-functional representation of both administrative and academic campus leaders to provide strategic direction and insight to achieve the following goals:
- Apply their lens of expertise to an identified risk to assess if the risk is actual or perceived;
- Validate the likelihood and impact a risk could impart upon the university;
- Prioritize risks based on alignment with strategic priorities;
- Identify gaps between risks that are actively being mitigated and controlled, and those that may not be;
- Represent their vice president/provost and risk owner as managers/custodians of risks that apply to their domain area;
- Aid in the development and communication of plans or actions to mitigate the actualized risk, and present the risk owner with recommendations of risk tolerance vs. further risk mitigation techniques;
- Assist in the monitoring and tracking of risks within their domain area and recalibrate as needed;
- Increase the university's adoption toward a risk conscious culture, including how risks are identified and managed;
- Oversee the strategic direction of the Business Continuity Program.
University of Pittsburgh's ERM Program
The purpose of the University of Pittsburgh's ERM program is twofold: to empower the university to leverage its risk portfolio for strategic and operational advantage through enhanced risk management processes, and to identify the university's risk appetites and risk tolerances and align them with the university's strategic plans and objectives.
We established the following goals for the ERM program:
- Develop a portfolio view of current and emerging risks across the university
- Promote an efficient and repeatable methodology for identifying, prioritizing, and treating risks
- Ensure risk mitigation strategies are effective and aligned with the university's overall risk profile, culture, and appetite
- Monitor regularly the risks identified and the effectiveness of mitigation activities, and communicate findings to responsible executives
Our approach has been to utilize an ERM ad-hoc steering committee for guidance and direction. Those individuals include the chief financial officer, chief legal officer, director of internal audit, and the chief information officer.
Laying the Foundation
One of the first objectives for the ERM initiative at Pitt was to define risk, distinguish an ordinary risk from an enterprise risk, and share that distinction as we conduct risk assessments of various university departments.
Our risk assessments begin with developing a preliminary risk inventory through our interviews with senior leaders in the specified department. We then prioritize those risks based on the application of six metrics (see table below).
We then help the departments evaluate those risks based on how they are going to treat the risk — accept, avoid, transfer, or mitigate. If the risks can be treated by mitigation, then we work with those risk owners to develop a high-level workplan consisting of three to five initiatives that will mitigate the identified risks along with the estimated time of completion. That mitigation plan is documented, and we review and monitor efforts ensuring the risk owners are progressing toward reaching those mitigation goals.
The table below forces a more comprehensive level of thinking about individual risk by the departments.
Helping Departments See the Whole Picture
One of the initial challenges we had was figuring out how to do risk assessments from a bottom-up approach. We developed a matrix to illustrate the interconnectedness of the departments around the university and use it to emphasize with stakeholders how one department's risk can be connected to several other parts of campus.
The ERM Plan Outlined
The University of Pittsburgh's ERM roadmap includes a year-one focus on conducting risk assessments of three to five departments to determine gaps in risk management processes and to coordinate with stakeholders to develop mitigation strategies to address them.
Developing risk escalation protocols to identify emerging risks for key stakeholders is a priority in year two along with conducting risk assessments for an additional three to five departments and evaluating how to incorporate a broader ERM framework as part of the ERM rollout.
The ongoing part of the university's ERM plan is to continue reporting to senior executives and the compliance committee of the university's board of trustees on mitigation efforts to address key risks identified through the risk assessment process.
Where the Two Approaches Meet
While the two universities' ERM programs differ in several respects, they also share some similarities, including:
- Both align risks to the strategic goals of the institution.
- Their definitions of risk are the same.
- The risk assessment methodologies have the same goals.
- Commonality exists between the mitigation plans developed for high priority risks.
Advice to Others
Aside from having a hefty budget for coffee and food as you build relationships across campus, those embarking on an ERM program or even thinking about implementing ERM should:
- Exercise patience and persistence.
- Practice what you preach in terms of resiliency along the way.
- Set achievable goals.
- Make a value case for ERM.
- Share the strategic and operational value an ERM program provides.
Want to Know More About ERM?
URMIA has additional resources to help with ERM.
Authors
4/22/2022
Executive Director, Enterprise Risk Management
University of Pittsburgh
Associate Vice President and Chief Risk Officer
Carnegie Mellon University