This is a case study in successful implementation of enterprise risk management — the first of five parts of the case of Camosun College.

Two key aspects of ERM, namely a good risk identification/assessment process and the proper approach to program implementation, are emphasized in this case study. They apply to the implementation of ERM in any organization.

Many are struggling with bureaucratic issues, administrative overload and lack of buy-in in trying to implement ERM. This case study gives a detailed account of how these challenges were met.

A Solved Case

This is not a purely objective case study, in the sense that I participated as consultant in the college’s risk management initiative, and so I advocate its approach. Naturally, I selected an exemplary case in order to illustrate certain principles.

I drew upon some of the original consulting documents, and gained more information in a follow-up interview with Camosun’s CFO, Peter Lockie. Many publicly available materials are useful – I will give a full list in the final resources post.

Case Study – Contents

Quote from the Auditor General’s Office
Prior Risk Management Practice

Impetus to ERM: Compliance or Improvement?
Gaining ERM Implementation Advice
Principles of Successful Program Implementation
ERM Program Steps, in an Approximate Order
Special Considerations: Organizational Culture and Enterprise Risk Management

Project Approach – Key Players
ERM Implementation: Risk Assessment of Strategic Plan
Risk Assessment Tools and Templates

Conclusions Drawn from Initial Risk Review
Follow Up Risk Identification and Assessment Sessions
Challenges to Successful Implementation
Risk Management Policy
Risk Management Tools and Templates


First I present my plan and Part 1: Background.


Camosun College is located in Victoria, B.C. The President’s Welcome Message reports an annual budget of over $100 million.

From the employee handbook:

“Camosun College is one of the most comprehensive colleges in BC offering 160 different degree, diploma and certificate programs and over 300 university transfer courses. The college has two main campuses serving approximately 13,000 learners (full-time equivalents registered in degree, diploma, certificate and apprenticeship trades programs), and a further 7,400 registrants in courses offered through continuing education. We have nearly 1,000 Aboriginal students from 50 nations including Inuit and Métis, and more than 600 International students.”

This case therefore represents the introduction of risk methods in a large and complex institution, with significant facilities, assets and budget. The post-secondary or higher education environment has the added challenge of a division in the culture between the administrative and the academic sides.

Quote from the Office of the Auditor General

I have already characterized the case as a successful one. As evidence to support the claim, consider the following testimony given before the BC Government Select Standing Committee on Public Accounts on Monday, June 11, 2012.

“Our examinations also found examples of good governance practices…[examples include] Camosun College’s risk management framework…” ~ Malcolm Gaston, Office of the Auditor General

With the benefit of 8 years’ hindsight, we have the opportunity for a longitudinal study of a successful implementation.

In September of 2004, when I worked at Risk Management Branch, BC Government, I was approached by Camosun College to advise on the implementation of Enterprise Risk Management. This raises questions regarding the original organizational context. What was the character of their risk management before ERM? What was the state of the college’s planning regime?

Prior Risk Management and Planning Practice

Certainly there was risk management of some description happening at Camosun in earlier days. The college participates in BC Government’s risk management pool for higher education called the University, College and Institute Protection Program (UCIPP), which covers the traditional insurance purview of hazard risk management – boiler and machinery, liability and crime coverage.

There was also some sort of risk analysis done by various administrative departments oriented towards operations; for example, by HR or finance. But this was done in a piecemeal manner, and was not linked to regular reporting. The risk information was not evaluated in a larger framework. All in all, the practice of risk management outside the conventional sphere of risk financing for insurable categories of loss, or financial audit and control, was fragmented and unaligned with goals and objectives.

As is evident on the Camosun site, this college culture emphasizes planning. When I inquired further about the nature of the plans (since many organizations produce paper that sits on a shelf), I learned that the plans are “live” and relevant management tools: they actually reflect the activities pursued and are updated. Plans are developed at the strategic level, giving a unifying vision and strategic direction within which departmental plans can align. Public reports demonstrate results on specific financial and percentage trend measurements, indicating a mature performance management regime.

Thus far, we’ve seen that the college had a fairly traditional approach to risk management, but had strong planning and associated performance measurement. In the next post, we discuss the original impetus towards enterprise risk management, and the initial stages of its development.

Follow-up: Enterprise Risk Management Case Study Articles listed.