ERM in Action in Higher Education

Cynthia Vitters


September 16, 2019

Colleges and universities are a cross-section of many interests, which can result in a bundle of diverse and potentially severe risks. Some of these risks have manifested themselves in recent high-profile transgressions, including pay-to-play admissions, Title IX adjudication of sexual misconduct cases, hazing-related deaths and athletic program violations, raising serious questions about institutional leadership, governance and the ethical standards employed across American campuses. Less sensational, but equally urgent, are risks related to business and operating models, compliance, reputation and the variability of student enrollment, which can create financial and resource gaps and imbalances.

To address these exposures, colleges and universities are strengthening their enterprise risk management (ERM) programs. Schools aiming to elevate their ERM capabilities can learn from these institutions’ experiences. One example is Carnegie Mellon University (CMU) in Pittsburgh. Melanie Lucht, CMU’s associate vice president and chief risk officer (CRO), stressed the importance of getting buy-in from the start:

“You can have the science of risk management down to a tee, but you also need others in the organization to be involved,” she said. “A higher education institution is very much a community. Building the trust needed to succeed requires active listening and thoughtful understanding of what that community cares about.”

Lucht noted that some institutions are taking the additional step of naming a CRO or otherwise assigning accountability for risk management oversight. A CRO can serve as an unbiased advocate and collaborate with subject-matter experts in the institution to help leadership make sound, risk-informed decisions that support strategic priorities and goals.

Institutions that are spinning up a risk management program and creating a framework that puts someone in charge of ERM could find it to be a complex undertaking. However, Lucht suggested following some simple guidelines to facilitate the process:

Scope and prioritize. Institutions often face hundreds of risks. Applying the principles of risk management to set priorities, coupled with training and awareness, can help the community develop risk-consciousness and make risk-informed decisions. An important element of this is the CRO getting to know the people across the institution in departmental leadership roles and gaining an idea not only of what keeps them up at night, but also things they may sense—either specific to their area of expertise or more systemic issues—that could affect the strategic objectives of the institution.

Know that it will not happen overnight. A crawl-walk-run approach can help control the complexity. Designing an ERM framework and piloting that framework in collaboration with university leadership and risk champions can aid in gaining early traction that will overcome resistance.

Do not try to boil the ocean. Prioritizing risks that have the potential to present the greatest impact to the organization from a life/health safety perspective will help to manage those risks as opposed to managing a crisis. CROs should clearly and regularly communicate with stakeholders to ensure that the risks remain in the foreground and quick action can be taken to mitigate them should they arise.

Understand your culture and environment. Both in startup mode and ongoing, it is important for CROs to listen actively, build relationships, and understand the concerns of people in the trenches day in and day out. There is no right or wrong approach. At the end of the day, it is about providing the community with an ERM program that helps leaders understand what their highest priority risks are and how to manage them.

Lucht also recommended benchmarking the program against peer institutions to understand how they approach ERM. “While no two institutions are alike, benchmarking can provide a level set and help you avoid reinventing the wheel,” she said. “Coupling this exercise with an understanding of your institution’s unique culture can help in shaping a program framework.”

Carnegie Mellon’s Heinz College has even taken the additional step of establishing a CRO executive education certificate program. Lucht was a participant in the inaugural program three years ago and is now a program coach. “It’s an excellent opportunity because it really gives today’s risk management leaders intensive training in what it means to be a CRO,” she said. “They also gain the latest thought leadership on risk management and the opportunity to benchmark and network with risk leaders in other industries.”

As higher education continues to evolve, new risks are likely to emerge, known risks may take new forms, and crises will inevitably unfold. Schools cannot and will not have all the answers. At the same time, knowing they have taken steps to become more resilient in the face of risk can help boards, presidents, and the university community be more confident as they embrace future challenges.

Cynthia Vitters is in the risk intelligence practice of Deloitte Risk & Financial Advisory and a managing director at Deloitte & Touche LLP.