What is Enterprise Risk Management?

Enterprise risk management (ERM) is defined by COSO, the Committee of Sponsoring Organizations, a leading industry cooperative and a strong proponent of ERM, as “a process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of its objectives.”

Critical to the success of ERM is the recognition that it is strategic, it requires an enterprise-wide view, it is an ongoing process, and it involves a balancing of risk with reward in achieving the entity’s objectives.

ERM as a tool for comprehensive risk management has gained increasing momentum in the last 10 years. Initially, ERM found its way into the business world, with securities firms and others recognizing its importance and benefits after the turbulence in the housing and financial markets. The federal government demanded increased emphasis on transparency, accountability, and responsibility through the Sarbanes-Oxley Act and more stringent U.S. Securities and Exchange Commission reporting requirements, and institutional rating firms such as Standard & Poor’s also have made ERM an important measure.

In simpler terms, enterprise risk management is a proactive and ongoing process examining that which keeps us up at night, tossing and turning, or which might do so, and taking action to ensure we are managing well. 

ERM in Higher Education

Enterprise risk management has been recognized in higher education as an important process for managing risks and opportunities across the institution effectively in order to meet mission objectives. A number of organizations and firms have brought focus to ERM in higher education and worked to develop guides and tools to facilitate the development of ERM programs at colleges and universities. A few examples of such resources are cited below, with these and additional resources cited elsewhere on this website.

In 2007, the National Association of College and University Business Officers (NACUBO) and the Association of Governing Boards of Universities and Colleges (AGB) held a summit, including leaders from a number of colleges and universities, to explore the model for enterprise risk management in higher education. NACUBO/AGB subsequently captured the results of the summit in a paper titled “Meeting the Challenges of Enterprise Risk Management in Higher Education” (2007).

In 2009, the private firm of Arthur J. Gallagher & Co., through its affiliate Arthur J. Gallagher Risk Management Services, Inc. (Gallagher), hosted a so-called think tank study of thought leaders from a broad spectrum of colleges and universities who had initiated ERM programs. From this study, Gallagher published its ERM guide titled “Road to Implementation, Enterprise Risk Management for Colleges and Universities.”

Also in 2009, the AGB issued an additional ERM publication, “The State of Enterprise Risk Management at Colleges and Universities Today.” This paper provides further information and resources to aid in the development of ERM programs in higher education.

Enterprise risk management programs have been implemented or are in various stages of development at a broad spectrum of colleges and universities across the country, from private to public and from community colleges to major research universities.

In each instance, the goal of ERM is to create a risk-aware culture throughout the institution, to take a holistic approach to risk identification and management and not to view risk in narrow silos, to recognize the institutional risks associated with our activities and decisions, and to proactively and continuously manage our affairs and to pursue our objectives in an informed and thoughtful manner—with our eyes fully open to the reputational, financial, operational, strategic, and other consequences of our actions on the institution.

The University of Maryland believes that it is more important than ever to implement enterprise risk management as a tool to enhance the current management of our strategic affairs and daily operations, and to remain a leading academic and research institution. The success of our ERM program will rest with all of us on campus and with our collaborative efforts and actions.