This detailed example of Enterprise Risk Management follows the definition and methods for ERM that I describe in my podcast episodes.

Solved case in enterprise risk management 
 This is a case study in successful implementation of enterprise risk management — the first of five parts addressing the case of Camosun College. Two key aspects of ERM; viz., a good risk identification/ assessment process, and the proper approach to program implementation, are emphasized. They apply to the implementation of ERM in any organization, as long as it has planned goals and objectives.

Operant definition of risk
The interpretation of risk operant here aligns with the one in the international standards: "risk is anything that prevents or impedes an organization from achieving its key goals and objectives." [1]

Many are struggling with bureaucratic issues, administrative overload, as well as lack of buy-in, in trying to implement ERM. We explain how these challenges were met.

I participated as consultant in the college’s risk management initiative, and so I advocate its approach. It did receive recognition from the provincial Auditor General (details below).

A longitudinal view: a follow-up interview with Camosun’s CFO, Peter Lockie, confirmed a successful implementation with the benefit of 8 years’ hindsight. 

Case Study – Contents
1. BACKGROUND
Quote from the Auditor General’s Office
Prior Risk Management Practice

2. INITIAL STAGES
Impetus to ERM: Compliance or Improvement?
ERM Implementation Advice
Principles of Successful Program Implementation
ERM Roadmap - the Program Steps
Organizational Culture and Enterprise Risk Management

3. IMPLEMENTATION APPROACH
Project Approach – Key Players
ERM Implementation: Risk Assessment of Strategic Plan
Risk Assessment Tools and Templates

4. DEVELOPMENT OF ERM PRACTICE
Conclusions Drawn from Initial Risk Review
Follow Up Risk Identification and Assessment Sessions
Challenges to Successful Implementation
ERM Policy
Enterprise Risk Management Tools and Templates

5. REFERENCES AND RESOURCES

=====

Part 1
BACKGROUND
Camosun College is located in Victoria, B.C. The President’s Welcome Message reports an annual budget of over $100 million.

From the employee handbook:

“Camosun College is one of the most comprehensive colleges in BC offering 160 different degree, diploma and certificate programs and over 300 university transfer courses. The college has two main campuses serving approximately 13,000 learners (full-time equivalents registered in degree, diploma, certificate and apprenticeship trades programs), and a further 7,400 registrants in courses offered through continuing education. We have nearly 1,000 Aboriginal students from 50 nations including Inuit and Métis, and more than 600 International students.”

This case therefore represents the introduction of risk methods in a large and complex institution, with significant facilities, assets and budget. The post-secondary or higher education environment has the added challenge of a division in the culture between the administrative and the academic sides.

Quote from the Office of the Auditor General
I have already characterized the case as a successful one. As evidence to support the claim, consider the following testimony given before BC Government Select Standing Committee on Public Accounts, Monday, June 11, 2012.

“Our examinations also found examples of good governance practices…[examples include] Camosun College’s risk management framework…” ~ Malcolm Gaston, Office of the Auditor General.

It was in September of 2004, when I worked at Risk Management Branch, BC Government, that I was first approached by Camosun College to advise on the implementation of Enterprise Risk Management. This raises questions regarding the original organizational context. What was the character of their risk management before ERM? What was the state of the college’s planning regime?

Prior risk management and planning practice
Certainly there was risk management of some description happening at Camosun in earlier days. The college participates in BC Government’s risk management pool for higher education called the University, College and Institute Protection Program (UCIPP), which covers the traditional insurance purview of hazard risk management – boiler and machinery, liability and crime coverage.

There was also some sort of risk analysis done by various administrative departments oriented towards operations; for example, by HR or finance. But this was done in a piecemeal manner, and was not linked to regular reporting or corporate goals.

Camosun's activities actually did reflect the content of their plans, which were developed at the strategic level. Departmental plans were expected to align. A performance management regime was also in place.

Thus far, we’ve seen that the college had strong planning and associated performance measurement (an important foundation) but only a traditional approach to risk management.

Notes
[1]  Camosun College policy document: College-wide Risk Management        
ERM Case Study Camosun College Part 2