Emory University's ERM Implementation
Originally Published: December 01, 2008
The process of implementing ERM at Emory University began with its introduction by the chair of Emory's audit and compliance committee, who was familiar with the merits of ERM from his work as a bank executive. Emory had recently hired a new executive team consisting of the university's president, provost and executive vice president for finance and administration, which was developing a comprehensive strategic plan and launching a capital campaign. The support of senior leadership helped the ERM program gain traction and made managers accountable for their progress.
The Emergence of ERM at Emory
Recent corporate governance failures and public criticism of adverse events at other universities prompted the leadership at Emory University to undertake an ERM initiative. After the tragedy at Virginia Tech, there was increased pressure to share information about risks across campuses in order to develop a coordinated response.
ERM subcommittees, organized around topical areas like campus safety or governance and corporate affairs, generated a list of every risk within their domain and ranked those risks by likelihood and severity. The steering committee eliminated overlapping risks and pared the list to the top fifty risks. The severity of the event was given more weight than the likelihood, because Emory wanted to give more attention to risks that might have catastrophic consequences, like an influenza pandemic. Emory generated this general statement about risk:
Risk, in one form or another, is present in virtually all worthwhile endeavors. We recognize that not all risk is bad and our goal is not to eliminate all risk, for by doing so we would cease all productive activity. Rather, our goal is to assume risk judiciously, mitigate it when possible, and prepare ourselves to respond effectively and efficiently when necessary.
Risk Responses and Knowledge Sharing
After the top risks for Emory were identified, the steering committee assigned a risk management process owner for each risk. This person was deemed to be sufficiently knowledgeable about the risk to create a risk management plan. The plan, limited to two pages, identified the risk and an example, steps taken to manage the risk to an acceptable level, the operational response to an adverse occurrence, and the communication response to an adverse occurrence. Quarterly risk hearings are conducted by the ERM executive committee, which is composed of the university president and senior management. The risk management process owner is allowed five minutes to present, followed by questions and answers. This format allows the process owners of all fifty risks to share their planning with leadership on an annual basis. At the end of each three-hour risk hearing, the executive committee identifies any gaps between Emory's risk tolerance and its current position with respect to specific risks.
The risk identification and management process is ongoing, with attention paid to emerging risks facing the university. The involvement of senior leaders in the planning and review process has elevated the importance of ERM on campus and created a sense of accountability for risk management process owners. This ongoing process has helped Emory achieve the goals it set for an ERM process:
• Identify risks to the university, particularly those that could interfere with Emory's mission
• Assess the major risks, identify vulnerabilities, and help management decide whether to accept the existing level or invest additional resources to mitigate it
• Detail a plan for communication and operational responses to potential risk events
• Build a process to implement these plans
• Eliminate surprises