About the Survey

Why we did the survey

To Understand

Enterprise risk management (ERM) is growing and changing. This survey helps the higher education community capture key data about ERM programs and continue advancing our shared mission of cultivating disaster resilience on our campuses. 

To Build

We can build on the DRU's prior ERM research and discussions to develop future DRU activities. This information also presents an opportunity to link, leverage, and align emergency management and continuity programs with ERM principles to advance overall resilience among Institutions of Higher Educations (IHEs) and help protect their core mission. 

To Adapt

The DRU can evolve its core competencies to advance interdisciplinary partnership and disaster resilience in IHEs. Information from surveys such as this one can inform how DRU can better serve IHEs. 

Survey Overview

Notable Metadata

• 25 Questions
• 21 days (January 28-February 27, 2025)
• 151 responses

About the Survey Respondents

Highest Degree Offered

Degree Type	Percentage of Respondents
Doctoral Degree	72
Master's Degree	8
Associate Degree	10
Bachelor's Degree	10

Total Student Enrollment

Student Enrollment	Percentage of Respondents
50,000 or more	18
25,000-49,999	24
15,000-24,999	17
5,000-14,999	19
2,000-4,999	18
< 2,000	4

Total Faculty and Staff

Number of Faculty and Staff	Percentage of Respondents
7,500 or more	35
5,000-7,499	12
4,499-3,000	10
2,999-2,000	9
1,999-1,000	13
400-999	18
100-399	2
<100	1

Public vs Private

Type of Institution	Percentage of Respondents
Public	64
Private	36

 

Research Status

Institution Research Status	Percentage of Respondents
R1	70
R2	9
R3	22

 

Respondent Time in Current Role

Amount of Time	Percentage of Respondents
10+ Years	16
5-9 Years	26
3-4 Years	20
1-2 Years	26
< 1 Year	12

 

Geographic Distribution

State	Number of Respondents
Florida	7
Texas	7
Maryland	6
Oregon	6
Pennsylvania	6
Virginia	5
California	4
Massachusetts	4

 

State	Number of Respondents
Minnesota	4
Non-U.S.	4
North Carolina	4
Kansas	3
Oklahoma	3
Utah	3
Washington	3
Arizona	2
Arkansas	2
Georgia	2
Indiana	2
Louisiana	2
New York	2

 

State	Number of Respondents
Alabama	1
Alaska	1
District of Columbia	1
Michigan	1
Mississippi	1
New Jersey	1
North Dakota	1
Ohio	1
Nevada	1
South Carolina	1
Tennessee	1
Wisconsin	1
Wyoming	1

 

Additional information about our respondents

• 34% of respondents were from IHEs with medical teaching centers
• 84% had residential campuses

Back to Top

Key Findings

Does your institution have an enterprise risk management program?

Key takeaway: Most respondents said their IHEs have enterprise risk management programs, and this represents an increase since the last survey in 2022. In 2025, most respondents said their ERM programs were at least five years old. Staffing for ERM programs averaged 1.8 FTEs and often is just one FTE. 

2025

Yes - 71%
No - 20%
Not Sure - 9%

2022

Yes - 56%
No - 31%
Not Sure - 13%

Average ERM Program Age in 2025

Program Age	Percentage of Respondents
>5 years	59%
3-5 Years	17%
1-2 Years	14%
Don't Know	9%
<1 Year	1%

Number of FTEs

• 1.8: Average number of FTEs
• 7.0: Highest number of FTEs
• 1.0: Most common response

Common Enterprise Risk Management Elements

Key takeaway: Of those who said their IHEs did not have ERM programs, about one in three said their IHEs also had no elements of ERM in place. However, the data suggests that many more IHEs have implemented at least some ERM elements since 2022. For example, almost twice as manay respondents said their IHEs now have systems for tracking risks. Relatively few, but still a growing proportion, reported that their IHEs have risk categorization, response, or monitoring systems. 

Where Enterprise Risk Management Programs Live

Key takeaway: Most respondents said their ERM programs are either part of their IHE's traditional risk management function or are a separate function at a higher level than their IHE's traditional risk management function. 

Within which department does the enterprise risk management function reside at your institution?

Department	Percentage of Respondents
Part of IHE's Traditional Risk Management Function	32%
Separate Function at Higher Level than IHE's Traditional Risk Management Function	22%
Other	15%
Separate Function at Same Level as IHE's Traditional Risk Management Function	10%
Committee Led by IHE's Senior Executive(s)	8%

Who does the enterprise risk management program report to?

Key takeaway: Respondents said it's common for ERM programs to report to IHE financial leaders. However, many ERM programs report to the president, chief risk officer, or board of trustees, according to the respondents. 

Enterprise Risk Management Frameworks

Key takeaway: About half of respondents said their ERMs follow a standard framework of internal controls such as COSO or ISO31000. This roughly the same as in 2022. Notably, in 2025 about one in five respondents weren't sure whether their enterprise risk management programs follow a framework. 

2025

Yes - 46%
No - 35%
Unsure/don't know - 19%

2022

Yes - 51%
Unsure/don't know - 49%

Top Challenges

Key takeaway: Respondents consistently said the biggest challenge for ERM programs is a lack of interest in, support for, and/or awareness of ERM and the work it involves. Respondents said a lack of resources and the size and scope of the work are the other two major challenges. 

Top Projects

Key takeaway: Fundamental risk assessment and mitigation work was the biggest ERM project for many respondents. However, many are also working on establishing or developing their ERM structures, goals, or culture. Respondents said they were busy with other tasks as well, especially related to technology  and legal and regulatory compliance. 

Back to Top

Key Takeaways

ERM programs aren't getting the attention and support they need. 

Poor involvement or support from the campus community and executive leadership are significant challenges for many IHE ERM programs. Lack of understanding or preconceived ideas of ERM may be contributing to the lack of interest and buy-in that many respondents report. It is critical that IHEs understand that ERM is a tool that they must make their own, which requires time and investment. ERM is not a turnkey operation. 

Resources and staff are lagging.

ERM programs are understaffed and underfunded at many IHEs, according to the survey results. This may be a function of low awareness of ERM among IHE leaders, as well as competing priorities and changes in regulatory and compliance requirements. 

ERM programs have matured, but they're also just getting started. 

Although most respondents said their ERM programs are at least five years old, the survey results also suggest that much of the ERM work many IHEs are performing still pertains to establishing the initial structure, goals, or culture of their ERM programs, as well as managing the fundamental activities of assessing and mitigating risk. 

Key Recommendations 

Advertise the role and advantages of ERM.

Campus leaders need to gain a better understanding of the role and benefits of ERM. ERM leaders should clearly define the purpose and role of their programs to ensure alignment with the institution's values, priorities, strategies, and mission. It is important to recognize that one size does not fit all; ERM must take into account the institution's culture and organizational structure. No two institutions are the same. 

Create and share more guidance among IHEs. 

Many IHEs may struggle to establish or justify the basic structure, goals, or culture of their ERM programs. Developing a centralized and easily accessible resource that includes national best practices, plan templates, and tools for plan development could help IHEs establish strong ERM programs more efficiently. 

Cultivate the profession. 

Expanding professional development, networking and mentoring opportunities can enhance and strengthen the pipeline of qualified individuals in the ERM field, ultimately fostering innovation and resources for IHEs. The DRU, IHEs, URMIA, and other organizations could collaborate to create professional certification programs, mentorship programs, internship guides, and professional development workshops or courses. 

Back to Top

About Us

Disaster Resilient Universities® Overview

Since 2005 the Disaster Resilient Universities® (DRU) has served as a simple yet effective peer-to-peer network for university/college practitioners charged with overseeing campus emergency management, environmental health and safety, public safety, organizational resilience, and risk management. 

In 2000, six post-secondary schools participated in the Federal Emergency Management Agency Disaster Resilient Universities pilot initiative. When funding was cut, several institutions of higher education kept the core concept of the DRU alive. They saw the need for a practical, common-sense approach to disaster prevention on their campuses. In 2005, the University of Oregon started the Disaster Resilient Universities® Network listserv. The listserv quickly became the cornerstone of the DRU Network by providing a multidisciplinary, practitioner-based resource and connections. 

The goal of the DRU listserv is simple: facilitate open communication, discussion, and resource-sharing among university and college practitioners responsible for making campuses more disaster resilient. The DRU Network does not have an operational budget. Collectively network members partner with each other and professional associations to develop tools and resources for campuses. The DRU Network continues to seek partnerships with professional associations, campuses, and federal agencies to further the critical work of promoting campus disaster resilience. 

In 2022 the DRU aligned with the Institute for Resilient Organizations, Communities, and Environments (IROCE) at the University of Oregon. IROCE is an applied research institute advancing interdisciplinary research, innovation, and partnerships toward action, making a practical difference in the resilience of organizations, communities, and the environment. 

DRU Advisory Committee Members

• Amina Assefa, Director Emergency Management and Business Continuity, University of California
• Kristina Anderson Froling, Founder, Koshka Foundation for Safe Schools
• Bruce Brown, Associate Vice President, Safety and Business Continuity, University of Texas Southwestern Medical Center
• Krista Dillon, Chief of Staff and Senior Director of Operations, Safety and Risk Services, University of Oregon
• Leo Howell, Vice President and Chief Information Security Officer, Georgia Tech
• Andre Le Duc, Founder and Administrator of DRU and Vice President and Chief Resilience Officer, University of Oregon
• Anne-Marie McLaughlin, Director of Emergency Management and Continuity, New York University
• Leigh Ann Moffett, Associate Vice President and Chief Risk Officer, Southern Methodist University
• Keith Perry, Associate Director EHS and Emergency Manager, Stanford University
• Bronwyn Roberts, Strategic Director of the U.S. Department of Education's Readiness and Emergency Management for Schools Technical Assistance Center
• Pascal Schuback, Executive Director, Cascadia Region Earthquake Workgroup (CREW)
• Brian Smith, Chief Ethics & Compliance Officer, University of California San Francisco