UNIVERSITY BUSINESS EXECUTIVE ROUNDTABLE
Implementation of Enterprise Risk Management at Mid-Sized Institutions
Education Advisory Board 2445 M Street NW ● Washington, DC 20037
Telephone: 202-266-6400 ● Facsimile: 202-266-5700 ● www.educationadvisoryboard.com
August 2012
Custom Research Brief
Research Associate: David Godow
Research Manager: Lisa Geraci
© 2012 The Advisory Board Company
Table of Contents
I. Research Methodology
Project Challenge
Project Sources
Research Parameters
II. Executive Overview
Key Observations
III. Development of Enterprise Risk Management Procedures
Impetus for ERM
Governance of Initial Risk Policy and Inventory
IV. Improving Risk Identification Procedures
Consultants
Identification of Unit-level Risks
V. Maintenance of Unit-Level Risk Management Practices
Oversight of Unit-Level Risk
Accountability Mechanisms
I. Research Methodology
Project Challenge
Leadership at a member institution approached the Roundtable with the following questions:
Have administrators implemented enterprise risk management? If not, why?
What factors motivated development of enterprise risk management practices?
Did an independent risk committee manage the ERM process or an existing university office? If a committee managed the process, what was its composition?
Did administrators produce a comprehensive ERM implementation plan? If so, would contacts be willing to share these plans, as well as any other strategic documents or charts?
Did contacts employ risk management consultants to develop ERM processes? If so, what value did the consultants add?
How did contacts identify risks (e.g., through surveys or interviews)? By what process did administrators rank risks by likelihood and impact?
What was the development process for unit-level risk treatment plans? How did administrators reallocate funds between risk areas in reaction to risk treatment plans?
What strategies help administrators hold unit-level leaders accountable for implementation of risk treatment and mitigation plans?
What was the role of senior administrators and the institution’s board during ERM implementation? How did risk managers earn faculty buy-in for ERM?
Have administrators observed any quantifiable benefits from the implementation of ERM?
What improvements would administrators make to their own ERM development process?
Project Sources
Advisory Board’s internal and online research libraries (www.educationadvisoryboard.com)
University Business Executive Roundtable, A Practical Approach to Institutional Risk Management, Education Advisory Board (2012)
National Center for Education Statistics (NCES) (http://nces.ed.gov)
Contact institution Web sites
Research Parameters
The Roundtable interviewed internal audit directors, directors of risk management, or other
individuals involved in enterprise risk management (ERM) implementation at six mid-sized
public institutions.
A Guide to the Institutions Profiled in this Brief
| Institution | Location | Type | Approximate Total Enrollment | Maclean’s or Carnegie Classification |
|---|---|---|---|---|
| University A | Ontario | Public | 20,000 | Comprehensive |
| University B | Ontario | Public | 20,000 | Medical Doctoral |
| University C | Ontario | Public | 10,000 | Primarily Undergraduate |
| University D | U.S. South | Public | 10,000 | Master’s Colleges & Universities (larger programs) |
| University E | Ontario | Public | 15,000 | Comprehensive |
| University F | Manitoba | Public | 10,000 | Primarily Undergraduate |
Source: Maclean’s, National Center for Education Statistics (U.S.)
II. Executive Overview
Key Observations
A small staff team can quickly and inexpensively develop an enterprise risk management
(ERM) policy if the team researches policies and risk inventories at peer institutions;
consultants are useful but may not be worth the cost if administrators already have access to
peer policies. Emulation of existing policies can save months of surveys, interviews, and
committee meetings spent inventing new policies from scratch. If administrators are concerned
about the applicability of peer institution policies to their own institution, they can supplement
research with targeted interviews of senior staff or a short survey.

Consultants are a good source of best practices and pre-built ERM frameworks and assisted
most contact institutions during their respective ERM development processes. Additionally,
consultants can help to educate skeptical administrators or faculty about the definition of ERM
and allay any concerns about the ERM implementation process. Consultants’ experience
implementing ERM at other universities encourages academics to take ERM seriously.
However, consultants are not always an economical solution if staff or administrators can
perform their own research. Several contacts note that administrators can assemble sample
risk inventories and ERM procedures from peer institutions by themselves without hiring
consultants. Additionally, one contact institution ultimately did not implement consultants’
proprietary ERM frameworks in order to avoid recurring consulting engagements to update
and refine the frameworks.

At some institutions, standing executive committees or ad hoc committees composed of
senior administrators develop ERM procedures or oversee their implementation; no
institution has created a separate, dedicated risk committee. The involvement of senior
administrators from around the university ensures that the risk inventory is complete and
includes risks that affect multiple divisions or units. Committees responsible for ERM
generally include the president, vice presidents, deans, and, occasionally, associate
vice-presidents and directors of non-academic units. Committee membership ranges from
approximately 10 to 25, which promotes diversity of opinion without excessive bureaucracy.
Previous EAB research suggests that risk committees that exceed 25 members encourage
excessively detailed discussion of minor, non-strategic risks. A single risk officer can conduct
targeted interviews with senior administrators to garner diverse input without the inefficiency
of large committee meetings.

Senior administrators should assign a university-wide risk owner who works at least
half-time on ERM to encourage ERM compliance and active risk mitigation among unit-level
managers. Several contact institutions have successfully adopted an ERM policy and created an
initial risk inventory, but have struggled to update and monitor unit-level risk management
regularly due to a lack of accountability. Contacts attribute this failure to a lack of clearly
defined reporting responsibilities and a lack of ERM staff resources; only one institution
employs a full-time, dedicated director of risk management to oversee ERM. The remaining
institutions assign ERM duties to an existing staff member in the finance and administration
unit, such as the internal auditor or budget director. A dedicated director of risk management
is more likely to enforce risk mitigation practices, require units to submit annual reports on
new risks, and provide useful updates to senior leaders.
III. Development of Enterprise Risk Management Procedures
Impetus for ERM
Primary Motivations for ERM Implementation are Board Pressure, Regulation
Across profiled institutions, administrators developed an ERM implementation plan in
response to board pressure. Board members with corporate backgrounds often have extensive
experience with ERM and expect their institutions to consider risk in a systematic way.
Additionally, ERM implementation exerts a self-reinforcing effect on the rest of the higher
education industry; as the number of universities considering ERM increases, the pressure on
the remaining boards to address risk management also rises.
Canadian universities also face increased pressure from government regulation.
Administrators and board members at University C, for example, expressed concern over the
implications of federal Bill C-45 (the “Westray Bill”), passed in 2004, which renders employers
criminally liable for negligence in cases of harm to employees or the public. Administrators
also wished to avoid liability under the Ontario provincial government’s Bill 168, the
Occupational Health and Safety Amendment Act of 2009, which requires employers to
establish workplace violence and harassment policies and to assess the risk of workplace
violence formally.
Though boards provide much of the impetus for institution of ERM, they generally do not
actively participate in policy development.
Governance of Initial Risk Policy and Inventory
Most Institutions Charge a Single Staff Member with Initial ERM Implementation
At three profiled institutions, a single staff member (usually the internal auditor) or small
team developed the initial ERM policy and risk inventory. Under this system, the staff member
with oversight of ERM devotes ½ or less of his or her time to ERM activities. By contrast,
committees of senior administrators at University A and University D participated directly in
development of risk inventories and policies. The table below describes oversight of the initial
policy and risk inventory development processes; it also lists, where applicable, the officer or
committee that currently manages ERM.
Operational Oversight of ERM Development and Implementation Process¹
| Institution | Officer(s) or Committee(s) with Oversight of Policy Development | Officer(s) or Committee(s) with Current Oversight |
|---|---|---|
| University A | Senior Management Team (President, Vice Presidents, Assoc./Asst. Vice Presidents, Deans) | Planning Director |
| University B | Director of VP-Finance’s Staff, Committee of Administrative Staff² | Director of VP-Finance’s Staff |
| University C | Director of the President’s Office | Director of Risk Management / Presidential Council |
| University D | Presidential Council (President, Vice Presidents, Deans) / Independent Risk Committee | Financial Development Director / Presidential Council |
| University E | Budget Director | Budget Director |
| University F | Internal Auditor and Associate Vice President | Internal Auditor |
¹ Titles have been altered to protect contact institution anonymity.
² The internal auditor directed the ERM development process until 2010, when the director assumed control; most policy
development occurred under the director.
A Small Staff Team Can Efficiently Develop ERM Policy but is Vulnerable to Work Overload
One or two staff members from the administration and finance division¹ developed ERM
procedures at University C, University E, and University F. A small team can efficiently
implement an initial risk plan and assemble an initial risk inventory because they operate
without the extensive, bureaucratic deliberation associated with a committee. Additionally,
administrators need not hire a full-time, dedicated risk manager if they assign ERM
development duties to staff members with some excess work capacity; administrators at
contact institutions typically choose a director-level staff member within the finance and
administration office. Contacts at University C suggest that administrators develop an ERM
procedure quickly and with as few resources as possible; a small staff team can fulfill this goal.
The ERM development team may base its risk inventory and policy documents either on
research into other institutions’ policies or on templates provided by consultants. As with other
major policy documents, a committee of senior administrators and/or the board approves
inventories and ERM policy documents once they are complete.
Though a small ERM development team generally operates efficiently, a surge in non-ERM
workload can significantly delay ERM implementation. For example, though University B
began its ERM implementation process in 2008, staff did not develop a formal risk inventory
until 2011 due to repeated interruptions. In 2008, the internal auditor who had been assigned
ERM implementation duties was needed to manage university financial services due to staff
turnover. In 2010, administrators assigned risk management duties to the director of the office
of the vice president of finance and administration. The director again put aside ERM
development in summer 2011 to prepare continuity plans in case of a possible staff strike. In
order to increase the comprehensiveness of the risk inventory and spread the workload more
evenly, the director has enlisted several colleagues into an informal committee. Appointment
of a single risk officer dedicated to ERM implementation can avoid these problems.
¹ The internal auditor at University F received research support from an associate vice president.
Committees of Administrators Can Develop Effective ERM Policies if they Remain Small, Avoid Reduplication of Work
At University A, University B, and University D, one or more committees of administrators
developed the initial risk inventory and management procedures. As committees typically
include administrators from multiple divisions, the risk inventories the committees produce
include risks from across the university’s business. Similarly, contacts at University A note
that a diversity of backgrounds and opinions leads to deeper understanding of each risk and a
more complete mitigation strategy that takes into account how multiple units can contribute to
a single risk.
No contact institution developed an independent risk committee to develop ERM. Instead, a
standing committee of senior administrators (e.g., the president’s advisory council at
University D) or an ad hoc committee of 10 to 25 administrators oversees the process.
Membership includes the president, vice presidents, and deans; University A’s committee also
includes associate vice presidents. The membership of ERM development
committees at profiled institutions is generally the same as that of stand-alone risk committees
at larger institutions.
The diagram below describes the development of the risk inventory at University D.
Committees may rely on a member of the administration and finance division (e.g., business
and financial development at University D) to conduct surveys or interviews, which
committee members then discuss.
Development of Risk Inventory at University D
Risk Interviews: A finance and administration staff member conducts about 20 interviews with vice presidents, deans, and the president, surfacing 125 potential enterprise risks.
Independent Risk Committee: An ad hoc committee of academic affairs, student affairs, and advancement staff assesses the risks between June and August using a point-based matrix (see p. 14).
Presidential Council: A standing committee of vice-presidents and deans evaluates the committee’s analysis and identifies the top five enterprise risks; these are forwarded to the board.
Assign Risk Owners: The risk committee assigns a risk owner to manage each risk. For example, the chief business officer is responsible for minimizing the effects of a decrease in state funding.
Administrators can limit the need for interviews by sourcing risk inventories from peer institutions or purchasing an inventory from a consulting firm.
Avoid Large Committees of More than 25 Individuals to Limit Bureaucratic Inefficiencies
Because most contact institutions employ one administrator to oversee initial ERM policy and
inventory development, they have avoided a common problem uncovered in previous EAB
research¹: an unwieldy and overly bureaucratic risk committee. Many larger research
universities form committees of 25-50 representatives² including both senior administrators
and frontline staff. These committees typically make decisions slowly and include an overly
broad series of risks in their final risk inventory.
¹ See A Practical Approach to Institutional Risk Management (UBER, 2012)
² Ibid.
IV. Improving Risk Identification Procedures
Consultants
Increase Process Efficiency through Consulting Engagements or Peer-Sourced Risk Registers
As university administrators often lack risk management experience, many turn to consultants
for help in implementing an ERM policy framework. Additionally, consulting firms generally
offer sample risk inventories or custom risk identification services. Four profiled
institutions engaged consultants to help implement ERM; University A, University B, and
University E retained Deloitte Consulting and University C engaged Marsh Risk Consulting.

Consultants Provide an Initial Risk Management Blueprint: Proprietary ERM
frameworks offered by consultants include suggested policies for risk identification,
staffing, unit-level risk mitigation, periodic risk inventory updates, and other factors.
Contacts at University C note that pre-made frameworks are helpful if administrators
do not have previous risk management experience. However, administrators at
University B and University E elected not to use their Deloitte frameworks.
Administrators at University B were concerned that use of the proprietary Deloitte
framework would lock administrators into further Deloitte engagements in the
future, while administrators at University E considered the model overly complex
and resource-intensive for a small university.

Consultants Offer Peer-Sourced Risk Inventories but are Costlier than Internal
Research: Consultants can help an institution develop its first risk inventory by
sharing sample institutional risk inventories from other client institutions. Sample
inventories typically include the 20 to 30 most important risks identified by other
institutions during previous consulting engagements. However, contacts at
University E and University F suggest that consultant-sourced risk inventories may
be more expensive than they are worth if administrators can obtain sample risk
inventories from other institutions.
If a client wishes, consultants can also interview or survey an institution’s own
stakeholders to develop a customized risk inventory; at University B, Deloitte
consultants surfaced 120 long-term risks based on their interviews with university staff.

Consultants Add Credibility to an ERM Initiative: Beyond practical advice,
consultants can help convince skeptical administrators or faculty that an ERM policy
is a valuable investment. Contacts at University A note that Deloitte’s experience
with other universities helped convince deans that their colleagues at other
institutions had accepted and benefited from an ERM process.
Identification of Unit-level Risks
If Staff Resources are Available, Interviews Offer Better Information than Surveys and Create Buy-In
Though most ERM implementation teams assessed unit-level risks through surveys, several
contacts strongly recommend interviews as a superior source of information. In particular,
administrators at University B and University E experimented with both surveys and
interviews but assert that interviews provide much more detailed information and, in some
cases, led to greater enthusiasm for ERM among unit leaders. Face-to-face conversations allow
ERM implementation teams to explain the purpose of ERM and respond to resistance from
academic deans.
Though interviews are valuable during creation of an initial risk inventory, risk managers may
not have enough time to conduct a full series of interviews every time they update the
inventory.
Prioritize Risks through a Matrix Evaluating Likelihood and Impact
Across institutions, administrators rank risk priority during a survey or interview through a
standard risk matrix. Unit-level managers assign a numerical score to the likelihood a risk will
occur and its potential impact – both factors are generally rated on a scale of one to three or one
to five. Senior administrators then calculate the product of the two scores to rank the risk on
the final register. For example, a risk with a likelihood of three and an impact of five would
receive a score of 15. The higher a risk’s score, the higher its position on the risk inventory and
the more attention it receives from risk managers.
Administrators can enhance risk prioritization and increase faculty buy-in by assessing risk
velocity, accounting for different types of risk impact, and correcting for bias.
Assess Risk Velocity: Though two risks may have identical likelihood and impact,
one may materialize much more quickly than the other; this is the risk’s onset speed
or velocity. To ensure that administrators consider the higher velocity risk first,
administrators at University D include a numerical score for velocity within the
priority matrix.
Account for Different Types of Risk Impact: Administrators can build additional
buy-in among faculty by accounting for a risk’s impact in multiple areas of the
university space.¹ For example, risk managers at one private research university ask
staff to separately list a risk’s impact on humans (faculty, staff, administrators), assets,
and on the University’s mission. This information satisfies faculty who worry about
intangible, unquantifiable costs to the University’s people or its mission.
Additionally, risk managers can increase the rigor of each type of impact by listing a
definition for each numerical score. For example, a score of “1” for human impact
may refer to injuries that are treatable with first aid, while a score of “2” refers to
injuries or illnesses that require medical care but do not result in permanent
disability.
Ask Staff to Evaluate Likelihood and Senior Administrators to Evaluate Impact in
order to Eliminate Bias: Though unit-level staff typically evaluate both the likelihood
and impact of a risk, they tend to overestimate the impact of any risks that affect their
job duties. Nonetheless, staff have the best understanding of the likelihood of a risk
due to their practical knowledge of operations. By contrast, senior administrators
may underestimate risk likelihood due to their lack of familiarity with front-line
operations; on the other hand, they often have the best knowledge of how a risk will
actually affect the institution. Previous EAB research into ERM practices suggests that
risk managers can ameliorate these biases by asking senior administrators to evaluate
the impact of a risk and staff to evaluate the likelihood.
¹ A Practical Approach to Institutional Risk Management (UBER, 2012)
V. Maintenance of Unit-Level Risk Management Practices
Oversight of Unit-Level Risk
Risk Managers Update Unit-Level Plans through an Annual Survey
Three profiled institutions – University C, University D and University E – have completed
risk inventories, prioritized risks, and begun continuous risk mitigation. Typically, a single
university risk management officer monitors ERM implementation across the university.¹ The
officer nominally reports to a committee of senior executives or the board. The officer typically
surveys unit-level managers each year to update the risk inventory and track risk mitigation
progress; he or she might also conduct in-person or phone interviews at smaller institutions.
Afterwards, the officer compiles and analyzes the information and presents the results to
senior leadership or the board in a formal report or presentation.
¹ In some cases, this may be the same as the staff members who initially developed the ERM process. See the table on pp. 7-8.
Formalize a Risk Reporting Hierarchy to Encourage Front-Line Staff to Report Risks
Administrators at University C have established a formal risk reporting hierarchy to include
new risks in the inventory as they arise.
Risk Reporting Process at University C
[Figure elements: Unit-Level Administrators (Deans, AVPs, or Directors); Presidential Council; Board of Trustees; Risk Management Office; Risk Surveys; Semi-Annual Report. Figure note: New potential risks reported up the hierarchy until they reach the appropriate authority.]
At University C, each employee is expected to report serious risks to his or her supervisor. If
the risk is impactful enough, the supervisor will notify his or her own supervisor. If the risk is
serious enough, successive supervisors will pass it up to a senior administrator (e.g., a
vice-president); the administrator decides if the risk poses a serious threat to the university as a
whole and justifies inclusion on the enterprise risk inventory. If so, he or she forwards the risk
to the risk management office for addition to the inventory.
The system allows staff considerable flexibility in how they approach risks and ensures that
only the most serious risks are passed on to higher-level administrators. However, contacts
note that supervisors are not proactive in informing administrators about serious risks.
Moreover, rank-and-file personnel may underestimate the impact of a risk entirely. The risk
management office supplements the reporting system through semi-annual surveys that
assess mitigation progress and surface any new risks.
Academic-Friendly, Syndicated Surveys Encourage Diligent Risk Reporting
To ensure that unit-level managers regularly and completely report new risks and mitigate old
risks, administrators should create a single risk assessment and treatment worksheet for all
unit managers. Risk managers can also create workbooks that allow senior administrators to
categorize risks for new strategic initiatives, risks to the higher education industry in general,
or risks to particular programs. A universal risk worksheet or survey also decreases the
amount of time required to process and analyze unit-level risk updates.
Academic deans in particular may be unwilling to report all of their risks accurately and
comprehensively if they view ERM in an adversarial manner. To create greater buy-in among
academics, administrators can add fields describing the potential positive effects of an
initiative or project as well as its risks. For example, if the university uses the common
“likelihood” and “impact” criteria for risk assessment, the survey can also include likelihood
and impact fields describing the positive benefit of the project. As a result, administrators
receive an assessment both of the potential benefits and costs of a project.¹
Limit Board Involvement to All but the Most Serious Risks
Previous EAB research suggests that boards should only involve themselves in the assessment
and mitigation of truly systemic and existential risks (e.g., sustainability of university pricing
model, declining public perception of degree value); based on EAB review of risk registers at
U.S. institutions, these represent between five and 15 percent of risks. The board audit
committee should manage these risks as necessary.
Boards should receive periodic updates regarding serious but non-existential institutional
risks (e.g., failure to meet enrollment, retention, or liquidity targets) from the university risk
manager. The only contact institution that has formalized reports to the board is University C,
where updates occur semi-annually. Boards may become impatient without a formal reporting
structure; the board audit committee at University A has requested a more rigorous reporting
structure for both unit-level risks and risks that concern the board.
Unit-level risks (e.g., regulatory compliance failures, misappropriation of research funds,
improper receipt of gifts) are not appropriate for board review. If necessary, unit-level risk
owners should coordinate with the university risk manager. At institutions where the risk
manager reports to a committee of senior administrators, the committee may also give
guidance to the unit-level owner.
Accountability Mechanisms
Unit-Level Managers Are Held Accountable for ERM during Performance Evaluations
Administrators have not linked submission of or progress towards unit-level risk mitigation
plans to any formal incentive or discipline system. Instead, senior administrators evaluate
unit-level risk management efforts during standard annual performance evaluations. A
unit-level manager’s supervisor includes any risk management-related successes or failures along
with other general performance feedback. Contacts at University C and University E suggest
that this is sufficient to hold unit-level managers accountable and that additional evaluation
processes might be excessively expensive and bureaucratic at a small or mid-sized university.
Create a Single Risk Management Owner and Institute an Annual Reporting Requirement
Contacts at University A, University C, and University D advocate a formalized risk
management structure to ensure accountability. Administrators at both institutions have
struggled to update their risk management inventory and track mitigation progress
consistently due to the lack of a single ERM owner. At both institutions, a director-level staff
member works part-time on ERM; neither has hired a formal director of risk management. A
risk management director is more likely to have the time and experience to encourage
unit-level risk owners to write a plan, follow it, and send regular progress updates. Although
University A will soon allocate ERM duties to a new director of planning and analysis, the
director may not have enough time to manage ERM effectively.
¹ A Practical Approach to Institutional Risk Management (UBER, 2012)
The university risk manager should require units to report annually on the progress they have
made towards their risk treatment plans. The risk manager, in turn, should distill any
important information (e.g., new risks, major progress towards risk treatment) into an annual
report to a standing executive committee or the board.
Align Resource Allocation and Risk Management
Previous EAB research suggests that administrators should aim to reallocate unit budgets
based on risk, though no profiled institutions have yet done so. Administrators at one
Canadian institution have integrated strategic planning, risk management, and resource
planning functions to guide funds towards strategic goals. The integrated planning and
budgeting office reports potential risks to senior administrators as administrators attempt to
align each year’s budget with strategic priorities. Though combination of risk management
and resource allocation requires extensive reconfiguration of the finance and administration
division, it represents the most comprehensive integration of ERM into the university.
Integration of Strategic Planning, Risk Management, and Budgeting at the University of Alberta
Strategic Goal: Increase international enrollment to 15 and 30 percent of the undergraduate and graduate student bodies, respectively.
Risk: University lacks an “international-friendly” web presence and lacks seamless integration of application, acceptance, and payment.
Budget Response: Re-allocate $3.5 million to redesign the university web presence, including the registrar’s webpage.