INITIAL STAGES
Impetus to ERM: Compliance or Improvement?
The impetus towards risk management came from the Board of Governors. They were aware of BC Government’s initiative, led by Risk Management Branch, to incorporate enterprise risk management into regular planning and management across the provincial public sector.

The BoG was also aware of the fragmented nature of the college’s existing practice, where risk assessment was either lacking, or not oriented to strategy.

Was then the impetus towards ERM driven by a need for compliance, or for improvement? At that time, ERM discourse had a focus on financial institutions and insurance companies – ERM in the public sector (at least in Canada) was a novelty. Undoubtedly the board saw the opportunity to align the college’s approach with a progressive new standard. The decisive factor, however, was the desire for better oversight and assurance of results on major capital projects, budgets and programs. The Board’s aim of real improvements in management practice, as opposed to merely demonstrating compliance to a standard, ultimately affected the character of the implementation.

Gaining ERM Implementation Advice

ERM seemed to promise great benefits, but there was a need for reflection and careful definition of approach. The Board of Governors itself delegated the responsibility for implementing ERM to the CFO, who engaged an internal project consultant. They in turn sought advice from Risk Management Branch (inviting my participation on their steering committee) in the earliest stages.

In response to this initial request for guidance, I wrote a memo to the project manager: “Notes on Establishing An Enterprise Risk Management Program in Colleges / Universities: Principles of Implementation; Program Steps; Special Considerations.”

Here is a synopsis of this memo:

Principles of Successful Program Implementation

I thought it was important to begin not with specific advice (telling them what to do) but suggesting the important principles to follow to help ensure success.

SENIOR MANAGEMENT SUPPORT
1. The active support of the Board of Governors and senior administration is essential.

STAFF SUPPORT
2. The support of the middle management and staff – i.e., those who carry out risk management activities – is essential. This is achieved by ensuring that they have a role in designing the program and have a stake in its success.

PROGRAM ADEQUACY
3. The ERM program must answer the business needs of the participants and add value to their work.

RESOURCES
4. Providing adequate resources, both personnel and fiscal, for a sustained implementation, is axiomatic.

STAGED IMPLEMENTATION
5. A phased approach to implementation is necessary. It is impossible to impose a program wholesale and have success. A demonstration of value, learning new processes, and a change of culture all take time. Opportunities for feedback and design changes help ensure that value is being obtained.

ERM Program Steps, in an Approximate Order

This section of the memo set out the actual management activities.

1. Assess risk culture, raise awareness; gain support.

2. Write policy and establish standards. Ensure the policy and standards are integrated into the framework for corporate governance and internal controls..

3. Set out objectives, roles/responsibilities, and activities for implementation (observe the 5 principles noted above).

4. Establish resources to build and support organizational capacity (web-based resources, consulting and facilitation help, training, software.)

5. Ensure the sustainability of the program through feedback and continuous improvement against maturity criteria.

Special Considerations: Organizational Culture and Enterprise Risk Management

This section advises further consideration of the organizational context.

1. Asses the culture.
A key challenge in ERM for post-secondary institutions is to integrate a plan for both the administrative and academic environments. The diversity of cultures, attitudes, priorities and working styles must obviously be taken into account.

2. Define the context for implementation.
Possibilities:
- service plans or project tasks;
- strategic plans; risk ID at the senior level;
- review of a critical program or investment.

Make the immediate objective to test the value of the process.

3. A crisis management plan and business continuity plan should be considered.

4. ERM should be integrated into and lend structure to existing processes.

The foregoing was advice given. In the next post, we will examine the actual approach taken to implementation of enterprise risk management.

Links

ERM Case Study Camosun College Part 3