Enterprise Risk Management (ERM) – Growing our Approach to Managing Risks
After the financial catastrophes of Enron and WorldCom, and the passage of the Sarbanes-Oxley Act, public universities found themselves under intense scrutiny and new demands for much better business practices. We are rightly expected to catch those who misuse resources, to prevent the worst abuses with strict internal controls, and to develop the best standards of practice across a range of difficult and often complex business enterprises. This is as it should be, but most universities haven’t been aggressive enough in evolving their approach to risk management; nor vigilant enough in addressing both traditional and new vulnerabilities.
Our goal at East Carolina University is to have the best possible systems for controlling our risks and for internal auditing. For that reason, in addition to our Office of Internal Audit and Management Advisory Services, we established the Office of Enterprise Risk Management (ERM) one year ago, and then hired Tim Wiseman to oversee our ERM work. I view this as a vital effort in maintaining and improving public trust in our university.
Enterprise risk management is a holistic, comprehensive approach to risk identification and prioritization ultimately leading to better governance, strategic decision making, resource allocation and stewardship. In the university setting, ERM involves assessing risks in strategic, financial, operational, compliance and reputational categories.
A mature ERM program is proactive and prevention-oriented. It does not replace or interfere with our necessary internal auditing functions, but rather is complementary and reinforcing. It does not stymie initiative. Enterprise risk management instead helps us make the most of opportunities by increasing awareness of associated risks.
Enterprise risk management requires us to change our internal culture over time, training ourselves to think not only about the risks associated with our individual departments, but also about the effect a procedural weakness or vulnerability might have on the university as a whole. ERM is a continuous process, successfully implemented only when everyone is involved. It includes many pre-existing risk processes and functions and ties them together under the ERM umbrella.
The enterprise approach strives to develop a mindset that makes people at multiple levels ask “Who else needs to know?” and “Whom haven’t I told?” Identified risks from all areas of the university are discussed and prioritized by the probability that a risk-related event occurs and by its cost and operational impact. This work is primarily done by our Enterprise Risk Management Committee (Risk Council). The recommendations and advice derived from this exercise are then used by senior leaders to better understand the inherent risks associated with the long-term operation of a large and rapidly expanding university. Significant risks are also communicated to the Board of Trustees through the Board’s Audit Committee, to facilitate its oversight role.
Enterprise risk management is a strategic enabler for ECU Tomorrow. By developing and implementing an effective ERM program, I hope to help focus our collective attention on traditional, as well as new and emerging risks, in advance of crisis so that we manage our risks wisely. With the tremendous growth ECU has seen in the past decade, and the further expansion we foresee in the future, we must also mature our risk assessment mechanisms and internal control methods and practices at a commensurate rate.
Done right, ERM will allow us to be good stewards of our resources, and may reduce reportable audit findings as we self-identify areas of concern and mitigate the risks before a vulnerability is exploited. We have taken some significant first steps on our ERM journey, and in true Pirate fashion, we are in a small, elite group of universities that have chosen to pioneer the ERM construct in a university environment. We cannot neglect our risks as our university’s operations become more complex, interrelated, and far-reaching. I will offer “no quarter” to complacency in this regard, nor should we expect otherwise from our ECU supporters and stakeholders.