When campus colleagues ask, “What’s ERM?”
After preparing through the summer and having quick conversations with individual colleagues about what I’m doing this year, it feels great to get in front of some groups–the president’s cabinet, the senior administrative leaders–and talk with them about how we can engage risk on campus.
The response so far is energizing–just about everyone is on board and enthusiastic. But I was surprised when no one asked, “What’s ERM, anyway?” I imagine the question must be on some of their minds. So the history below is for my colleagues who may be wondering–and, if you are at another college, for yours.
History of Risk Management
Traditional risk management developed in the mid-20th century. Organizations began to designate an employee who could identify exposure and buy insurance to reduce loss in the event of an accident.
During the 1970’s, organizations began to rename their insurance director. Now the “risk manager” was expected to create programs that could transfer, reduce, or avoid losses through practices like safety training or contracts with external service providers (who then assume the risks associated with that service).
By the 1980’s, corporations began to use sophisticated financial risk models that expanded once again the scope of risk management. But, as Rick Whitfield relates in his 2003 doctoral thesis on risk in higher education:
In the late 1980’s, an era of business failures occurred as a result of high risk financing strategies. External publics and key stakeholders lost hundreds of millions of dollars, the overall economy was negatively impacted and public trust in Wall Street and the investment community was lost . . . The result was the commissioning of the Committee of Sponsoring Organizations (COSO) of the Treadway Commission (National Commission on Fraudulent Financial Reporting) to conduct a study of the business failures and to issue guidance on how to prevent reoccurrences. . . . This represented a major paradigm shift in and for corporate boards, management and external third parties responsible for auditing and regulatory oversight. COSO believed that by focusing on the broader spectrum of business risks versus solely on traditional financial risks, significant business failures might be minimized in the future. (12-13)
The models developed by COSO and the International Standards Organization (ISO) established the framework for Enterprise Risk Management as practiced today. John Hampton in Fundamentals of Enterprise Risk Management (2009)–also the source for my opening description of risk management in the 60’s and 70’s–notes that the spread of ERM got “bogged down” in the early years of the 21st century as “the world changed dramatically after 9/11 and the corporate scandals that followed at Enron, WorldCom, and other major corporations.”
Still, Hampton points out the seven contributions of ERM which should make organizations take it seriously as an approach.
Enterprise Risk Management:
- incorporates the positive side of “risk opportunity” into definitions of risk;
- advocates assigning a “risk owner” for each identified risk or category of risk;
- recognizes the importance of aligning your risk management plan with the existing structure of your organization;
- urges coordination of risk management (rather than compartmentalized treatment of each risk), because what’s best for one unit may not be best for the whole;
- recommends gathering risk information and resources centrally so they can be shared;
- identifies the ultimate accountability for risk at the Board level; and
- encourages the use of a viable ongoing evaluation process to assess risk.
In the end, the differences separating ERM from traditional risk management correspond to two meanings of “enterprise”:
1. ERM doesn’t limit its scope to the types of risk that can be handled by buying insurance, nor does it take each risk separately, but rather seeks to evaluate risks across all areas—an enterprise-wide look at risk.
2. ERM fosters an enterprising spirit by acknowledging a positive side to risk, as when we seize an opportunity that represents a good bet, or choose to tolerate a level of risk for the desirable reward that accompanies it.
Now we’re all equipped to move forward — knowing the origins of ERM.
Question for the curious: Was this answer sufficiently clear and complete? More than you wanted to know?