UNIVERSITY RISK MANAGEMENT INITIATIVE
An Initiative to Implement an Improved University Risk Management System
By George Wendt
Identifying, assessing and negating the risks that threaten the objectives of Ohio
University should be facilitated based upon strategic considerations. The traditional
approach to risk management focuses upon operational risks addressed through
insurance; it is not an all-encompassing approach. Conventional risk management,
utilizing a sole department to recognize and address a limited category of threats to the
organization, must be given the opportunity to adopt a more robust method. All types of
risk should be evaluated and controlled. The Enterprise Risk Management model should
be adopted. Enterprise Risk Management involves the elimination or mitigation of threats
which could adversely impact an organization’s strategic objectives. An on-going formal process must
be used to identify, assess, prioritize and manage exposures to loss. Enterprise Risk
Management affords the University the opportunity to optimize the attainment of its vision.
History of the Discipline
A short review of the history of risk management puts the matter into proper context. The
insurance industry originated in England in 1688 with the creation of Lloyd’s of London.
The insurance buyer bought coverage for their organization. Typically, this was the
approach to handling governmental risk in North America until the 1970s. In the 1960s
and 70s new legal theories challenged the notion that government should not be sued.
State legislatures and courts changed the law so that legal action could be taken against
governmental entities as a result of their negligence. During the same time, organizations
bought coverage out of convenience and frequently paid too much for it. Attempting to
transfer all risks to insurance companies was too costly. It is cheaper to insure risks with
high deductibles and to apply loss prevention tools to keep costs down. During the 1990s,
risk management experienced another major change. Organizations began to marshal a
greater share of their resources in order to counter more kinds of risks. The result was
Enterprise Risk Management.
Framework
What basic guidelines govern the operation of a well-functioning Enterprise Risk
Management program? ERM assumes that when something is done in one area of the
University, there can be reactions elsewhere. It addresses the question, If a decision leads
to a diminution of Ohio University’s reputation, for instance, it may cause an economic or
financial loss. Higher education is faced with communication problems as a result of risk
silos. ERM core groups would break down these silos and set an example for all of the
staff under their direction. ERM, with its various components, works to build bridges of
communication so that risks can be better managed.
Enterprise Risk Management enhances risk identification. All types of risk would be
evaluated. ERM builds upon the work already being done by the Department of Risk
Management and Safety by expanding its scope in addressing all types of losses. More
categories of risk are evaluated than in the past. Even the consideration of the traditional
operational risks can be expanded.
Significant potential losses were always an important consideration under conventional
risk management; they are emphasized even more with Enterprise Risk Management.
One of the major tasks of an ERM core group is the prevention of potentially debilitating
losses, especially those with a high probability of occurrence. With Enterprise Risk
Management, there is more of an emphasis on what might bring down the house. As a
result, Enterprise Risk Management enhances the organization’s ability to visualize a
greater population of major threats before they occur. These efforts put the University on
a much better footing.
Furthermore, Executive Staff’s heavy involvement in this initiative is a key factor in
ensuring its success. When individual members of the senior administration take
ownership of the process, it not only makes transformational change possible through
their use of line authority, but it also creates a culture where the proper treatment of risk
is appreciated. As it is with quality, so it must also be with risk; risk management must
not be confined to a single department, but deeply embedded in the culture. All of those
participating should seek to isolate risks leading to severe losses that have a high
probability of occurrence. Department heads should address the risks created by their
operations and be willing to manage them.
In addition, Enterprise Risk Management should be integrated with the development of
strategic objectives. ERM works in conjunction with the organization’s strategic
objectives. Enterprise Risk Management is a strategic tool. The risk associated with an
objective should be evaluated as it is being developed and should become a part of the
implementation decision.
Finally, monitoring the results of the Enterprise Risk Management process should be
handled by the audit function of the University. Internal Audit’s interest in and familiarity
with ERM would greatly enhance its potential for success.
The Enterprise Risk Management Process
Enterprise Risk Management, as mentioned, expands the opportunity to identify and
counter risks before they become disasters by utilizing the authority of the members of
senior administration. In addition, risks are evaluated and are prioritized so that scarce
resources can be properly applied. If the total elimination of a potential risk is not
possible, its minimization is pursued. Building inspections in residence halls conducted to
find flammable materials, for example, are an essential tool in our efforts to ensure life
safety. Furthermore, controls may be necessary in order to effectively diminish the
potential for loss. A sprinkler system in the same building, for instance, may be installed
in order to reduce the loss potential of a fire. Decisions made as a result of Enterprise
Risk Management should be communicated to all who have need of the information. In
addition, ERM’s methods should be utilized consistently across all departments.
Department heads, for example, should consider all of their risks and be vigilant to the
possible occurrence of major losses. Finally, all decisions made in the process should be
monitored for results.
Enterprise Risk Management Techniques
Every important choice involves at least some degree of risk. The risk associated with
Ohio University’s strategic objectives should be carefully assessed in order to better
ensure their proper implementation. Culture, the integrated pattern of human knowledge,
belief, and behavior, is a key consideration. Barriers to necessary change which are
deeply ingrained in the institution need to be overcome as the opportunities arise. An
Enterprise Risk Management program at the University would need to carefully assess
the various aspects of its culture in order to ensure success. A risk evaluation would
examine the environment that we exist in, taking into account risks that are both inside
and outside of the institution and any barriers that may stand in the way of results. The
University faces four types of strategic risk: compliance, operational, reputational and
economic. At times, these core risks interrelate and this linkage should be tracked. An
event causing reputational problems, for instance, could lead to a financial loss. An
NCAA violation, for example, might not only raise concerns on the part of future students
and their parents about Ohio University’s athletics, but could also lead to a fine. With ERM,
there is heightened interest in identifying and negating major losses, especially those that
have a reasonable likelihood of occurring.
Formal Risk Assessment
ERM should commence with a formal risk assessment. Such an assessment would begin
even before the creation of a group to sustain the effort over the long term. A risk
assessment drills down to bedrock. Data is collected through individual interviews,
surveys or workshops. Key questions are asked: “What are the recent changes in your
operations?” or “What are the challenges to your educational mission?” or “Do you know
of any unhandled risks within your department?” A list of risks is established from this
work. They are then evaluated and prioritized.
Root cause analysis is then implemented. A root cause is a basic source of risk; its
existence can bring about losses. A root cause is generated by people, processes or
technology. The question “why” is asked until the root cause is determined. Consider the
economic question, for example, “Why was there high unemployment during the Great
Depression?” A less than penetrating response might be “Because people were out of
work.” More is needed. “Why were people out of work?” “Because there were not
enough jobs.” “Why was this?” “Because there was not enough economic growth.” “Why
was that?” “Because the supply of money, which must grow to accommodate an
expanding economy, was insufficient.” Now, a root cause has been determined.
As a result of the formal risk assessment, strategies will need to be generated in order to
properly manage the risk which is identified. One approach is to avoid the activity or
operation, along with the associated risk, altogether. If the University were contemplating
opening an additional regional campus, it might decide to forego this expansion out of
concern for the attendant risk. Another strategy is to minimize the risk. Supervisor safety
training, for instance, can diminish the incidence of industrial losses. Risks can also be
transferred from the University to other entities. Our property and liability insurance
program, including our membership in the Inter-University Council Insurance
Consortium along with commercial insurance, permits us to share risk with other
universities and the insurance industry. When we experience a major loss, for example, a
portion of the cost of such an event is assumed by these other organizations as well.
Finally, a risk can simply be accepted as an unavoidable reality.
The Enterprise Risk Management Advisory Group
Under the leadership of the Vice President for Finance and Administration, the
Enterprise Risk Management Advisory Group would become the centerpiece of the ERM
Program. The Group would function in an advisory capacity, reporting its findings to the
President of the University. Additionally, it would act to mitigate risk. Risk-related
information evaluated by its diverse membership, listed later in this paper, is utilized to
develop countermeasures which are then presented to senior administration. Risks
identified by individuals or other units of the University are also assessed. Group
members regularly report to the membership on significant dangers that have come to
their attention. One of the Group’s essential duties is for members to hold each other accountable for
tasks associated with these risks. Integrating the consideration of risk into high-level
decision making is also one of the responsibilities of the Group.
Potential Risks
What are the risks that the Enterprise Risk Management Group seeks to negate? First of
all, compliance issues are among the most significant risks that the University faces. The
failure to adhere to applicable laws, whether they are federal, state or local, could result
in sanctions relating to accreditation, athletic participation, or other adverse
consequences. In addition, operational risks of the institution, those conventional
exposures that arise in connection with an institution of higher education being in
business, continue to be an essential work of the Group. Furthermore, reputational risk, if
not properly addressed, can impact how major stakeholders perceive Ohio University.
The image of the University as it interacts with students and their parents, alumni,
taxpayers, contributors, and granting agencies is vital to the fulfillment of its strategic
objectives. Reputational risk has staying power; if a reputation is damaged due to an
event, it could take considerable time and the expenditure of scarce resources to undo the
damage. Finally, economic and financial exposures pose a major threat to the University’s
strategic objectives. Group evaluation of the stewardship and accountability of Ohio
University’s financial resources and the impact of the economy on these funds is an
essential duty. Given the weighty responsibilities of the Enterprise Risk Management
Group, each member must be committed to countering these core risks. The Group must
work on its own initiative to recognize and counter all strategic risks facing the University.
Group Tasks
What are the tasks of the Enterprise Risk Management Advisory Group? One of the first
duties of the Group is to generate a risk register from the data collected as a result of the
initial risk assessment. Listing potentially devastating perils by utilizing considerations of
both the likelihood and the potential severity of loss provides the Group with a baseline
to work from in the pursuit of a safer campus. Regular meetings would address emerging
issues as they present themselves. Individual members would be assigned the task of
evaluating risks for later presentation to the Group. Risk remediation plans would be
developed for each identified peril and assigned to the appropriate individuals.
Membership
Members will be selected based upon the risk creation potential of their divisions and
their familiarity with University activities. Membership should include at least the
following persons:
• Associate Vice-President for Risk Management and Safety
• Chief Audit Executive
• Executive Director for University Communications and Marketing
• Executive Vice-President and Provost (or designee)
• A Faculty Member Economist
• General Counsel
• Risk Manager
• Vice-President for Finance and Administration (Group chair)
Benefits of Enterprise Risk Management
The benefits of Enterprise Risk Management are considerable. ERM makes it possible for
better decisions to be made. It advances our strategic objectives by creating an
environment where the proper management of risk is appreciated. Also, improved
management consensus is developed along with increased management accountability.
Enterprise Risk Management improves communications and provides the opportunity for
everyone to assist in fulfilling the University’s educational mission. Everyone wants to be
able to sleep at night; any manager at Ohio University who is concerned about achieving
results could benefit from ERM in this way.
Implementation Steps
The following is a summary of implementation steps:
• Make a deliberate decision to pursue or not to pursue ERM.
• Appointment of a project leader to coordinate the ERM implementation.
• Select a consultant to conduct a risk assessment.
• Conduct risk assessment.
• Identify the desired membership of the ERM Group.
• Gain approval of the Bylaws.
• Group meets to refine and prioritize risks in order to form a risk register.
• Group reports to President regarding risks monthly or more frequently, if needed.
• Group executives direct remediation of risks that can be immediately negated.
• Group evaluates the remainder of the items on the risk register.
• Group assigns a champion to each risk to ensure its proper handling.
• Each risk champion develops a remediation plan for all assigned risks.
• Champions periodically report progress on each risk until the work is concluded.
• New items are placed on the register as they come to the attention of the Group.
• Internal Audit periodically evaluates the performance of the Group.
Enterprise Risk Management Proposal
Ohio University would greatly benefit from the implementation of Enterprise Risk
Management. Risk identification would be bolstered by addressing categories of risk not
previously considered. Frequently, risk identification is the most difficult aspect of the
Risk Management process, but ERM seeks to remedy this by enlarging its scope. Risk
assessment would be accentuated through the efforts of the Enterprise Risk Management
Group, whose members would possess high levels of expertise. Risk communication
would be greatly aided by the interaction between the members of the Group. For all of
these reasons, the Department of Risk Management and Safety requests that, upon due
deliberation, a risk assessment be conducted leading to the creation of an Enterprise Risk
Management Advisory Group.