[800 words, first published 2012/11/06]
This is a continuation of the Enterprise Risk Management implementation case study of Camosun College, B.C., Canada.
Impetus to ERM: Compliance or Improvement?
The impetus towards risk management came from the Board of Governors. They were aware of the BC Government’s initiative, led by Risk Management Branch, to incorporate enterprise risk management into regular planning and management across the provincial public sector (by 2004, already well into the implementation phase).
The BoG was also aware of the fragmented nature of the college’s existing practice, where risk assessment was either lacking, or not oriented to strategy.
Was then the impetus towards ERM driven by a need for compliance, or for improvement? At that time, ERM discourse had a focus on financial institutions and insurance companies – ERM in the public sector (at least in Canada) was a novelty. Undoubtedly the board saw the opportunity to align the college’s approach with a progressive new standard. The decisive factor, however, was the desire for better oversight and assurance of results on major capital projects, budgets and programs. The Board’s aim of real improvements in management practice, as opposed to merely demonstrating compliance to a standard, ultimately affected the character of the implementation.
Gaining ERM Implementation Advice
ERM seemed to promise great benefits. However, enterprise risk management was the subject of intense debate regarding even a definition; still today, its implementation is for many a mysterious science. There was a need for reflection and careful definition of approach. The Board of Governors itself delegated the responsibility for implementing ERM to the CFO, who engaged an internal project consultant. They in turn sought advice from Risk Management Branch (inviting my participation on their steering committee) in the earliest stages, to inform the approach.
In response to this initial request for guidance, I wrote a memo to the project manager: “Notes on Establishing An Enterprise Risk Management Program in Colleges / Universities: Principles of Implementation; Program Steps; Special Considerations.”
I reproduce here a synopsis of this memo.
Principles of Successful Program Implementation
I thought it was important to begin not with specific advice (telling them what to do) but suggesting the important principles to follow to help ensure success.
SENIOR MANAGEMENT SUPPORT
1. The active support of the Board of Governors and senior administration is essential.
2. The support of the middle management and staff – i.e., those who carry out risk management activities – is essential. This is achieved by ensuring that they have a role in designing the program and have a stake in its success.
3. The ERM program must answer the business needs of the participants and add value to their work.
4. Providing adequate resources, both personnel and fiscal, for a sustained implementation, is axiomatic.
5. A phased approach to implementation is necessary. It is impossible successfully to impose a program wholesale. A demonstration of value, learning new processes, and a change of culture all take time. Opportunities for feedback and design changes help ensure that value is being obtained.
ERM Program Steps, in an Approximate Order
This section of the memo set out the actual management activities.
1. Assess risk culture, raise awareness; gain support.
2. Write policy and establish standards. Ensure the policy and standards are integrated into the framework for internal controls and corporate governance of the institution.
3. Set out objectives, roles/responsibilities, and a framework for implementation. This means: design a program of activities while observing the 5 principles of successful implementation noted above.
4. Establish resources to build and support organizational capacity. These can include web-based resources, consulting and facilitation help, training, software, etc.
5. Ensure the sustainability of the program through feedback and continuous improvement against maturity criteria.
Special Considerations: Organizational Culture and Enterprise Risk Management
This section advises further consideration of the organizational context.
1. Assess the culture.
A key challenge in ERM for post-secondary institutions is to integrate a plan for both the administrative and academic environments. The diversity of cultures, attitudes, priorities and working styles must obviously be taken into account.
2. Define the context for implementation.
What approach will answer the greatest need? That is, how will the context for risk analysis first be defined, and who will participate? Possibilities:
- an analysis of service plans or project tasks;
- a strategic planning and risk identification exercise at the senior level; or
- a review of a critical program or investment.
Make the immediate objective to test the value of the process.
3. A crisis management plan and business continuity plan should be considered.
4. ERM should be integrated into and lend structure to existing processes.
The foregoing was advice given. In the next post, we will examine the actual approach taken to implementation of enterprise risk management.