This is the next post in the Enterprise Risk Management implementation case study of Camosun College, B.C., Canada.

Project Approach – Key Players
As mentioned previously, the idea for enterprise risk management came from the Board of Governors, who were keen to participate in the provincial government’s foray into the new practice. While many public sector executive seemed at least intellectually to accept the idea of applying risk methods to strategy, the Board wanted to see it done and effect some real changes.

The Board members were aiming for improved oversight and management of capital projects, plans and substantial programs.

The person charged with implementation was the CFO, Peter Lockie, who brought an internal project manager into the picture to act as lead. It is noteworthy that the Board simply acted in an oversight role, giving instructions as to strategic direction, but did not over-prescribe the program’s execution. The CFO and PM instilled a project management discipline, with goals and objectives; timelines; and deliverables.

Yet, the implementation team did not rush into action, but did their homework. They familiarized themselves with the risk management standard (AS/NZ 4360); read the government guideline, and asked Risk Management Branch for recommendations on general approach.

The team’s careful consideration of risk management philosophy resulted in a project plan whose long term goal was to establish a mature culture of risk management, while the immediate objective was to introduce risk methods into existing processes. The low risk implementation plan started with a single risk ID session – not a general roll-out.

ERM Implementation: Risk Assessment of Strategic Plan

In this case, senior executive support was outstanding, because they directly participated. The Camosun College President and the executive team of department heads (administrative) agreed to a trial risk assessment during their next scheduled meeting. The purpose was twofold: first, possibly to gain insight into the soundness of the college strategic plan; second, to gauge the value of the risk identification and assessment process itself – the cornerstone of the ERM program. The implementation team did not opt for risk management software as a solution to these initial quandaries.

The PM cautioned me that this high level group was used to their own style of interaction and debate. As facilitator, I responded by steering the discussion minimally, as discreetly as possible, while following the structure of the risk ID method. We followed scope and criteria outlined in a brief context paper developed for the session. Here is a facsimile pdf:

The great advantage of working with the executive group was that they had no trouble conceptualizing risk at the strategic level. They accepted a bit of coaching to formulate the risks so that they should be precisely associated with planned goals. The aim of the exercise was to produce high grade information – a risk profile that would be defensible as the basis for decision making.

Risk Management Terminology

Alterations in the college’s risk management language are noteworthy. The actual risk register and related tools are scarcely found in the standards themselves. I introduced the ones that I had for generic use: risk register; likelihood and consequence scales; and risk categories. Before the first risk ID session, the PM informed me that they had taken my suggested document templates and “Camosunized” them. They modified the terminology, descriptors and measures to suit their own management environment. This resulted in markedly changed schemas for likelihood and consequence, and the new term “College-wide risk management” to better suit their culture, but did not change the basic method.

We have seen that a small team began the work by marshaling the support of senior executive through direct participation. The initial session served as a testing ground, and allowed the alteration and customization of the materials – at once making them more meaningful, while giving participants a sense of ownership. Next we will describe the further development of the ERM practice, consider its challenges to success, and go through the risk management tools and templates in detail.