Defining and Improving Enterprise Risk Management Frameworks and Maturity Models in Institutions of Higher Education

Findings and recommendations from a roundtable hosted by the Disaster Resilient Universities (DRU) Network® and the University of Oregon Institute for Resilient Organizations, Communities, and Environments

This project was supported by a generous gift from Deloitte & Touche LLP (Deloitte). Points of view or opinions in this document are those of the authors. Deloitte was not involved in the creation of this paper or part of any research referenced within.

Executive Summary

On December 9, 2022, 15 professional leaders in safety, risk management, emergency management, and compliance from eight institutions of higher education (IHEs) and from Deloitte gathered in San Francisco, California, for an in-person roundtable discussion about enterprise risk management (ERM) in higher education. The event was held at the Deloitte offices near San Francisco's financial district.

The objective of the roundtable was to review findings from the 2022 Disaster Resilient Universities (DRU) survey, as well as to discuss next steps and real-world actions that can help IHEs cultivate ERM programs, concepts, and resilience on their campuses.

The roundtable and related survey were facilitated by the University of Oregon Safety and Risk Services team, in conjunction with the University of Oregon Institute for Resilient Organizations, Communities, and Environments (IROCE) and DRU Network.

André Le Duc of the University of Oregon facilitated the roundtable discussion and guided participants through a hands-on process of group discussions and exercises. This report contains key takeaways and conclusions that constitute the principal findings of the roundtable discussions. 

Challenges Identified

The group identified several strategic hurdles that IHEs face when attempting to define and improve ERM concepts and organizational resilience on their campuses:

  • Low awareness and understanding of what ERM is and how it fits within IHE. 
  • Difficulty obtaining buy-in, participation, and accountability from IHE leaders.
  • Challenges integrating ERM programs into IHE culture.
  • Trouble measuring the maturity of ERM programs.
  • Difficulty tying ERM programs to IHE strategy and budget allocation.
  • Lack of time and resources to start, grow, and manage ERM programs.

Heard at the roundtable:

“Organizational resilience is the ability to survive a crisis and thrive in a world of uncertainty. Resilience is a strategic capability. It is more than just about getting through crises... A truly resilient organization has two other important capabilities — the foresight and situation awareness to prevent potential crises from emerging and the ability to turn crises into a source of strategic opportunity.”

The group also discussed several potential recommendations that professional organizations, networks, and groups can use to help IHEs address challenges associated with growing, linking, and leveraging their ERM programs: 

  1. Conduct a follow-up ERM specific survey.
  2. Form a partnership among IHE ERM professionals.
  3. Develop an ERM benchmarking tool for IHEs.
  4. Create and host ERM webinars for IHEs.
  5. Develop ERM best practices/resources/ERM framework guidance.

About Disaster Resilient Universities (DRU) Network®

Established in 2005, DRU Network facilitates open communication, discussion, and resource-sharing among university and college practitioners in all areas of safety, risk, continuity, and emergency management. DRU Network provides peer-to-peer information-sharing among members, helping them and others mitigate, prepare for, respond to, operate during, and recover from all types of campus emergencies. 

About IROCE

The University of Oregon Institute for Resilient Organizations, Communities, and Environments links, leverages and aligns resources, professional networks, researchers, practitioners, and practical tools to help communities, organizations, and groups adapt and thrive in the face of adversity. Its mission is to cultivate collaborative, trust-based learning environments for multidisciplinary teams to focus on addressing some of the most significant risks facing their organizations. Readers interested in learning more about IROCE or the DRU can email resilient@uoregon.edu.

Acknowledgments

We wish to thank the University Risk Management and Insurance Association (URMIA) for its support. We also wish to thank Deloitte for its generous sponsorship of this event. Readers interested in speaking with Deloitte on how it can assist with risk management in higher education may contact Cynthia Vitters or Jake Braunsdorf.


Background

Many institutions of higher education (IHEs) manage risk by tasking department heads or other unit leaders with managing distinct risks that are specific to their individual operations. Although this approach may pair subject matter experts with management of certain risks, the resulting silos often mean certain risks go undetected, underestimated, or inappropriately monitored. 

Enterprise risk management (ERM), on the other hand, is a more holistic system of identifying, assessing, prioritizing, responding to, and monitoring the full spectrum of an entire organization’s internal and external risks. Because it provides tools, processes, and a cultural foundation for detecting risks, ERM can provide immense value to IHEs and their leaders, particularly in eight areas:

Heard at the roundtable:

“Risk is the ‘effect of uncertainty on objectives’ where effect is a deviation from the expected outcome. Risk may be caused by a single event or a set of circumstances that affect, adversely (threats) or beneficially (opportunities), the achievement of objectives.” [1]

  1. Strategy. ERM helps IHEs consider how risks affect their progress toward fulfilling their mission(s) and objectives.
  2. Budget. ERM helps IHEs incorporate a more comprehensive risk awareness into spending decisions and priorities.
  3. Performance. ERM helps IHEs devise ways to forecast and track risks that can affect how an IHE works.
  4. Cybersecurity. ERM helps IHEs protect all data rather than just data in certain areas.
  5. Controls. ERM helps IHEs integrate disparate internal systems to ensure their operations are effective.
  6. Fraud. ERM helps IHEs reduce the risk of fraud by creating a culture of proactive identification of risks across the organization and providing a way for employees to report those risks.
  7. Accountability. ERM helps IHEs understand who within the institution is accountable for tracking and monitoring risks that could affect IHE missions and objectives.
  8. Agility. ERM enables IHEs to respond to changes quickly by increasing situational awareness and capacities to address risks that could affect strategic plans; it also highlights opportunities to advance those plans.

Why ERM is important now

Despite ERM’s more comprehensive approach and notable benefits, just over half of IHEs have ERM programs, according to a 2022 DRU Network survey. Furthermore, among IHEs that do have ERM programs, there appears to be a significant absence of framework consistency and staffing support, according to the survey of IHEs across the country.

The 2022 DRU survey found that 55% of the 388 respondents said their IHEs did have ERM programs, but of those, about half (49%) did not know what ERM framework (ISO, COSO, etc.) their IHEs used, fewer than half (47%) had more than 1.5 full-time-equivalent employees dedicated to ERM, and only 35% said their ERM programs reported to an IHE’s VP or CFO.

Furthermore, almost a third of the survey respondents (31%) said their IHEs did not have an ERM program, though many said they had key ERM program elements. The most common elements of ERM programs respondents reported, according to the survey, were:

  • Identification of risks and opportunities (24%)
  • Risk assessments and categorization (22%)
  • Information and communication (20%)
  • Enterprise response and mitigation (12%)

These ERM elements are important because they provide internal partnership opportunities to IHE teams and departments by leveraging and building off the components, which can help foster and promote ERM in IHEs. An example of this could be an internal audit team leveraging a risk assessment in its audit plan.

There is an opportunity to link, leverage, and align programs such as emergency management and continuity (academic, research, and business) with ERM principles to advance overall resilience among IHEs. Advancing ERM alongside continuity and emergency management programs and initiatives could help IHEs leverage limited resources to protect their core missions.

How ERM programs work

An effective ERM process should be a strategic tool for leaders of the institution. Achieving an effective ERM process within an IHE requires ongoing collaboration and partnerships, which take time to cultivate and maintain.

The power of ERM maturity

Many ERM programs are new at IHEs. According to the 2022 DRU survey, 54% of respondents said their IHEs’ ERM programs were five or fewer years old. More than a quarter (28%) of respondents said their ERM programs were three to five years old; 16% said their programs were one or two years old.

This suggests that many IHEs have room to grow and evolve their ERM programs so that they maximize their strategic value to the institutions. In turn, it has become more important for IHEs to measure and understand the maturity of their ERM programs.

Several methods exist for measuring the maturity of ERM programs. For example, IHEs may wish to assess their competency in key capability areas, or against key milestones, or with regard to expected outcomes, or using a combination of all three (see appendix 3).

Critical barriers

ERM programs are not easy to implement or maintain. In particular, the survey respondents indicated that IHEs face six key challenges in developing and managing their ERM programs:

  • Low awareness and understanding of what ERM is.
  • Difficulty obtaining buy-in, participation, or accountability for ERM.
  • Challenges integrating ERM into IHE culture.
  • Difficulty measuring the maturity of ERM programs.
  • Difficulty tying ERM to an IHE’s strategy and budget allocations.
  • Lack of time or resources to start, grow, or manage ERM programs.


Heard at the roundtable:

"We do a good job of identifying risks, but we’re not following up or there’s no coordination of it, so it’s hard to track the outcomes and it’s not tied to budget decisions."

Accordingly, on December 9, 2022, a group of IHE leaders in safety, risk management, emergency management, and compliance gathered in San Francisco, California, to review findings from the 2022 Disaster Resilient Universities (DRU) survey and discuss the next steps and real-world actions that can help IHEs cultivate ERM concepts and resilience. Key questions included:

  • How do IHEs define ERM?
  • What are the defining characteristics of mature ERM programs?
  • What does linking, leveraging, and aligning ERM programs look like for IHEs?
  • What can IHEs do now to improve that?
  • What barriers stand in the way?

These questions sparked a critical discussion.


Discussion

IHE leaders have a lot to consider as they work to create and grow ERM programs on their campuses. Questions such as these are common:

  1. What does a mature ERM program look like?
  2. What specific efforts can we make in the next 12-24 months to link, leverage, and align resources and needs?
  3. What barriers or blockers stand in the way of taking these actions, and how can we overcome them?

Roundtable participants had these questions and others during the discussion, which occurred in two sessions.

Discussion Session 1: ERM Maturity

The objective of the first part of the roundtable discussion was to determine how IHEs can assess the maturity of their ERM programs. Various models exist for measuring ERM program maturity (see appendix 3). However, participants noted that six things make it particularly challenging for IHEs to assess the maturity of their ERM programs:

  1. Few people understand ERM. Low awareness of ERM concepts and principles can make it hard to tell who is willing or able to support ERM efforts.
  2. ERM programs often don't have a seat at the leadership table. ERM leaders frequently struggle to get access to or educate senior leaders about ERM. In turn, many rely on other C-suite members to relay information to IHE leaders, which can lead to miscommunication.
  3. ERM programs aren't integrated into IHE culture. Participants said they often encounter IHE leaders who feel that risk management is not part of their jobs. In turn, ERM programs often become heavily reliant on support from a few allies or government mandates.
  4. Few IHEs measure the maturity of their ERM programs. Only one participant said their IHE has established a system to measure the maturity of its ERM program. Measurement models exist (see appendix 3); however, one participant noted that developing a model is only 25% of the effort. Adapting it to the IHE's culture is the other 75%.
  5. Existing maturity-measurement models are often vague. Participants noted that many ERM maturity-measurement models aren't tailored for IHEs, don't define key terms, or don't provide specific examples that help IHEs assess their programs accurately.
  6. Many IHE leaders are inclined to use other measures. Peer comparisons are more relevant and important to many IHEs, according to some of the participants, making it harder to get buy-in on implementing or relying on ERM maturity models.

Participants completed an exercise in which they wrote down ways to tell that an IHE's ERM program is mature. They then grouped and ranked the answers into the following list.

Characteristics of mature ERM programs

  • The ERM program has a documented, openly understood framework.
  • The ERM program can track an issue from identification to an explainable outcome.
  • The IHE's leaders discuss and understand risks during decision-making processes.
  • The IHE is integrating risk considerations into its budget, planning, and strategic initiatives.
  • The ERM program's purpose, success, and vocabulary are part of the IHE's culture.

Several roundtable participants noted concerns that survey respondents and IHEs in general are not aligned on how to define ERM. Specifically, several were not sure whether enough risk-management professionals know what ERM is and how IHEs can implement it. In turn, some IHEs may have ERM programs and not know it.

Participants also discussed challenges of assigning ownership of specific risks to specific campus leaders. In some cases, participants felt this approach creates an undue burden for one person to manage; others felt that assigning a risk to one person is akin to assigning the entire risk responsibility to a team leader. In some cases, IHEs struggle with getting team leaders, particularly new ones, to accept responsibility for managing a given risk.

Discussion Session 2: Linking, Leveraging, and Aligning ERM

The objective of the second part of the roundtable discussion was to identify what mature ERM programs look like and to identify tangible methods IHEs can use to link, leverage, and align their ERM programs. Participants completed an exercise in which they wrote down ways to tell that an IHE is linking, leveraging, and aligning with another IHE's ERM program. Some common themes emerged.

Characteristics of linked, leveraged, and aligned ERM programs

  • The IHE has a unified approach on government relations and advocacy outreach.
  • The IHE has technical partnerships that leverage expertise to integrate technology processes.
  • The IHE joins and actively participates in industry groups such as the University Risk Management and Insurance Association (URMIA), the International Association of Emergency Managers Universities & Colleges Caucus (IAEM-UCC), the DRU, or FEMA's Homeland Security Exercise and Evaluation Program (HSEEP), where it can provide peer reviews, share experiences, seek guidance, and obtain resources in a trusted environment.
  • The IHE co-sponsors webinars on key risk topics.
  • The IHE speaks to other IHEs' leadership teams to facilitate buy-in on risk efforts.
  • The IHE collaborates with other organizations in writing best practices for IHE ERM programs.

However, participants also said IHEs face several barriers in linking, leveraging, and aligning their ERM programs.

Bandwidth. At many IHEs, risk or emergency management teams involve only one or two people; they often have little time to tend to the additional work an ERM program might require.

Lack of funding. IHEs often struggle to find resources and federal funding for ERM. Federal sources of funding for ERM programs are particularly rare or don't apply to ERM efforts, according to participants.

Lack of buy-in. Participants noted that forming an ERM consortium for IHEs could spark a turf war among professional associations. If IHEs believe that joining the consortium will be cheaper than maintaining several association memberships, associations may begin to compete against one another for membership dollars.


Heard at the roundtable:

"I'm already on a lot of other committees and need to get my day job done."


Potential Recommendations

Participants identified several ways IHEs, professional associations/groups, and networks such as DRU Network might help link, leverage, and align ERM programs over the next 12 to 24 months. These ideas fell into five categories, which the participants then ranked in order of importance. These recommendations are intended as starting points; they require financial and time commitments to execute.

1. Conduct a follow-up ERM survey.

Participants recommended conducting a second, 10-to-12 question survey to measure what ERM programs are producing for IHEs, how tied ERM is to the budget process, and other matters including:

  • Whether IHEs understand what ERM is and how it works
  • What the governance structure looks like behind ERM programs
  • Whether the ERM committee reports to the institution's president or chancellor
  • Which leaders tend to own specific risks
  • The prevalence of maturity models
  • Which teams drive ERM projects
  • Whether IHEs consider their ERM programs effective/successful
  • Whether ERM programs are tied to funding
  • How respondents think their boards would rate the maturity level of their ERM programs

Next steps for DRU Network and professional association partners include using the 2022 DRU Network survey structure to develop this follow-up survey with professional associations, in order to better understand why ERM is (or is not) working in campus environments.

2. Form partnerships.

Participants recommended creating an ERM alliance or network among IHEs so that IHEs have a place to share ERM resources, learnings, and tools. Organizers would need to create a matrix of professional associations to partner with in order to understand alignment; they would also need to evaluate legal and contractual requirements and identify suitable technology for sharing resources securely.

Next steps for DRU Network and professional association partners include using the DRU Network, its membership, and its platform to develop an IHE ERM alliance or workgroup. This alliance or workgroup would not replace existing professional associations or groups that provide ERM resources; rather, it would ensure IHE practitioners are aware of these groups and help them connect with others doing similar work with IHEs.

3. Develop a benchmark tool.

Participants recommended creating an IHE-specific maturity benchmarking tool for ERM programs. In order to provide peer comparisons, the tool should be able to sort data according to various IHE characteristics such as research-institution status, size, or demographic factors. This will require resources, technology, and more detailed inputs in order to build a physical tool, as well as a system for periodically reviewing the tool.

Next steps for DRU Network, professional association, and private sector partners include developing a project proposal with the DRU Network, professional associations, and private sector partners to create a simple ERM assessment and benchmarking tool for IHEs.

4. Create and host ERM webinars.

IHEs and professional organizations should partner and cohost ERM-related webinars that educate and advocate for ERM programs. Organizers should develop a learning agenda, an appropriate frequency, and a promotional strategy. Webinars should cover the basics of matrix structures and their pros and cons.

Next steps for DRU Network, professional associations, and private sector partners include developing a jointly sponsored webinar series about ERM for IHEs; the webinars would be free or very low cost.

5. Develop ERM best practices/resources/framework guidance.

Participants recommended writing an addendum to URMIA's pending update of its best practices guide. The addendum would address maturity assessment, risk-committee formation and function, evaluation of return on investment in risk mitigation, or how to start an ERM program. Publishing a series of how-to documents on various ERM topics could be an alternative approach.

Heard at the roundtable:

"I'm trying to get the risk owners to revisit that budgetary ask from last year to see: What is the status of that risk? Has it increased or decreased? Where are we moving the dial on what we've already paid?"


Appendix 1: Participants

The following people attended the ERM roundtable.

  • Jake Braunsdorf, Senior Manager, Deloitte & Touche LLP
  • Bruce Brown, AVP Safety and Business Continuity, University of Texas Southwest Medical Center
  • Anagha Dandekar Clifford, Chief Advisor for UCSF Resiliency Strategy, University of California, San Francisco
  • Amanda Curler, Associate Director Enterprise Risk Management, University of Oregon
  • Lou Drapeau, Resource Manager, University Risk Management and Insurance Association
  • Gretchen Fitzgerald, Interim Director Office of Institutional Risk Management, Syracuse University
  • Carrie Frandsen, Director Systemwide Risk Management, University of California
  • André Le Duc, Vice President and Chief Resilience Officer, University of Oregon; roundtable facilitator
  • Sue Liden, Education Manager, University Risk Management and Insurance Association
  • Jake Lord, Senior Consultant, Deloitte & Touche LLP
  • Leigh Ann Moffit, AVP and Chief Resilience Officer, Southern Methodist University
  • George Nunez, Director, Office of Emergency Management, Baylor University
  • Tina Orem, Contractor, DRU
  • Keith Perry, Assistant Director and University Emergency Manager, Stanford University
  • Brian Smith, Chief Ethics and Compliance Officer/Senior Associate Vice Chancellor - Research Infrastructure and Operations, University of California, San Francisco
  • Cynthia J. Vitters, Managing Director, Deloitte & Touche LLP


Appendix 2: The 2022 DRU National Network Survey Report

The DRU 2022 National Higher Education Program Survey asked practitioners about a variety of ERM topics as part of an effort to help DRU evolve and capitalize on its core competencies. The 48-question survey received 388 responses and took place between May and July 2022. The 2022 DRU National Network Survey Report is available for review.

Appendix 3: Types of ERM Maturity Models

ERM maturity models can take four forms: capability based, activity based, hybrid, and activity and outcome based. Considerations for Maturity Model Selection (deloitte.com) explains how they work and details key outcomes from each approach.

Appendix 4: The United Educators Maturity Model

The United Educators Maturity Model allows IHEs to quantitatively assess each aspect of ERM. It also shows which aspects of ERM programs present the greatest growth opportunities.

Appendix 5: Key Resources

The members of the DRU roundtable recommend the following additional resources. If you have a resource to add to this list, please email the link to resilient@uoregon.edu.

A Wake-Up Call: Enterprise Risk Management at Colleges and Universities Today - Association of Governing Boards of Universities and Colleges (Membership Required)

Enterprise Risk Management Framework Policy - University of Queensland, Australia

Enterprise Risk Management Initiative - North Carolina State University

Enterprise Risk & Resilience Resources - Office of President University of California

Risk Matrix Table - University of Queensland, Australia


[1] ISO 31000:2018
