As the risk environment for higher education continues to expand, an enterprise-wide approach that links ERM with strategic planning becomes increasingly essential for effective risk management.
In the context of ever-evolving and emerging issues ranging from the demographic cliff to legislation impacting equity in admissions, college and university leaders are faced with understanding and engaging with risk in a dynamic environment. Traditional strategies for risk management can lack the flexibility and comprehensive framework needed to keep pace with changing conditions in the expanding landscape of emerging risks. Institutions of higher education need a comprehensive and integrated framework that embeds risk considerations into strategic planning and decision-making; the traditional siloed approach to risk management is no longer sufficient.
Driven by the recognition that institutions face a myriad of interconnected risks, higher education leaders are moving away from traditional risk management and toward enterprise risk management (ERM). Unlike conventional risk management, which often operates within units and addresses risks on a departmental or operational basis, ERM adopts a holistic perspective, integrating risk considerations into the organization's overall strategy and decision-making processes. As a holistic framework for understanding and managing organizational risk, ERM is critical within the business of higher education to understand and effectively manage risks that may impact strategies, operations, finances, safety, compliance, and reputation, all of which are critical to continued growth and success.
For many colleges and universities, embracing ERM can require a cultural shift for stakeholders. In this case study, we document the process of ERM adoption and change management at the University of Maryland, Baltimore (UMB), highlighting the evolution, challenges, and outcomes achieved in implementing and refining the ERM program. The case study highlights how UMB worked to embed ERM into the culture, capability, and practice within the organization in order to integrate risk management with strategy setting and performance to create, preserve, and realize value—not just to check a box—and how the university utilized technology to do so.
We use the definition of ERM developed by the Committee of Sponsoring Organizations (COSO): "The culture, capabilities, and practices, integrated with strategy setting and performance, that organizations rely on to manage risk in creating, preserving, and realizing value."[1] This definition is intentionally broad and deals with risks and opportunities. In addition, COSO has stated that ERM is a "process, effected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of its objectives."[2] In presenting UMB's experience as a case study, we embrace this definition in describing the ways in which ERM was adapted to the specific culture and context of a single institution.
Establishing an ERM Framework: The Importance of Leadership
Founded in 1807, the University of Maryland, Baltimore is Maryland's only public academic health, human services, and law center, enrolling approximately 6,700 students annually across its six nationally ranked professional schools and an interdisciplinary graduate school. Combined, these schools offer 97 doctoral, master's, baccalaureate, and certificate programs and confer most of the professional practice doctoral degrees awarded in Maryland. In addition to its academic programs, UMB has a strong research portfolio, and its $1.2 billion annual budget supports more than 18,000 jobs and produces more than $2.8 billion in annual economic activity.[3]
The university's ERM journey began in 2010 under the leadership of a new president who recognized the need for a more proactive and holistic approach to risk identification, assessment, and management. The university had recently embarked on a comprehensive strategic planning process to identify and adopt the strategic priorities that would propel the institution forward into the future envisioned by the new president. Leadership believed that an ERM program would, in time, complement the strategic planning process and improve strategic goal attainment by mitigating the risks that might negatively impact the priorities in the adopted strategic plan. The ERM program drew inspiration from established models such as COSO and was intentionally adapted to the unique institutional culture and organizational structure at UMB.
ERM 1.0: Risk Identification and Mitigation
The organizational structure at UMB was and remains highly decentralized. This is typical of predominantly graduate and professional institutions in which schools and colleges focus on a specific discipline and adhere to an articulated regime of professional, accreditation, and licensing standards set by the discipline and the profession. UMB's six professional schools—medicine, nursing, dentistry, pharmacy, law, and social work—by necessity are afforded significant autonomy in pursuing their teaching, research, clinical, and service missions and have excelled in each of these mission areas. There are challenges, however, to operating within a decentralized environment that offers significant autonomy. In a decentralized academic environment, the tendency for departments and units to operate in silos can pose significant challenges. This fragmentation often leads to a lack of communication and collaboration across different areas, hindering the sharing of knowledge and resources. As a result, opportunities for interdisciplinary research and innovation may be missed, and the overall efficiency of the institution can be compromised. To overcome these challenges, fostering a culture of openness and collaboration is essential, encouraging departments to work together toward common goals. Implementing regular cross-departmental meetings, shared projects, and integrated communication platforms can help bridge the gaps and create a more cohesive and dynamic academic community.
To mitigate the pitfalls associated with a siloed environment, a comprehensive ERM organizational structure was established (see figure 1). Within the structure, a cross-institutional steering committee was formed to lead and oversee the ERM program. The ERM Steering Committee included senior leaders from each of the schools and major central administrative units. The steering committee reported up to the university's Executive Committee (cabinet)—which in turn reported to the president—and included the provost, deans, and vice presidents.[4] A subcommittee of the steering committee called the ERM Workgroup was the engine that powered the ERM program and did so through smaller groups called Subject Area Workgroups (SAWs). Twelve SAWs were established to reflect the diverse areas of the university's operations: academic affairs, campus security and public safety, clinical practice, internal and external relations, facilities and environmental health and safety, finance and internal controls, global activities, government regulations and compliance, human resources, IT systems and communications, research, and risk management and insurance.
Environmental scanning conducted by the SAWs led to the identification of more than 400 potential risks. These risks were then prioritized based on their likelihood of occurrence and potential impact, ensuring that resources and efforts were focused on the most critical areas. Working collaboratively, the SAWs ensured that potential risks were identified and evaluated from a variety of perspectives, thus fostering a comprehensive understanding of the university's risk landscape.
For each prioritized risk, a detailed mitigation plan was developed. These plans outlined the specific steps to be taken to address the risk, the resources required, and the expected timeline for completion to ensure that risk-mitigation efforts were well structured and actionable. Important to mitigation was the operational implementation and monitoring process. To support this aim, the ERM Steering Committee implemented a mitigation monitoring plan to track the progress of risk-mitigation efforts. The committee prepared regular status reports during this phase and shared those reports up the organizational structure to the cabinet and the president, ensuring accountability and allowing for course corrections as needed.
The inaugural ERM cycle at UMB served as a valuable learning experience, paving the way for future iterations of the program. Three early and important lessons emerged from experience. First, clear communication and collaboration across the diverse units and departments within the university was critical to a fledgling ERM program. The flow of information and shared understanding of risks proved to be the cornerstone of effective risk identification and mitigation, creating a risk-aware culture and building trust and confidence in the program. Second, the cycle highlighted the need for adequate resource allocation. It became evident that both financial and human resources needed to be strategically invested to support the successful implementation of ERM initiatives. Third, the experience reinforced the understanding that ERM is not a one-off project but an ongoing process. The ever-evolving nature of risks necessitates continuous monitoring and improvement to ensure the university remains adaptable and resilient in the face of new challenges.
ERM 2.0: Integrating ERM and Strategic Planning
What became clear early on is that finding ways to integrate ERM into the organization's strategic planning program would be critical for a holistic approach to appropriately resourcing enterprise risks. This approach is recognized by COSO, which notes that ERM "does not refer to a function, group, or department within an entity" but that instead, it should be understood as practices that are aligned with the organization's culture and capabilities that are adopted to integrate with strategy setting.[5]
To this aim, in 2016 (six years after the initial ERM conception), UMB timed the launch of ERM 2.0 to coincide and overlap with the university's next strategic planning cycle. As part of the strategic planning process, UMB developed six themes to frame the university's new five-year strategic focus. An enhanced feature of the new strategic plan required each school and central administrative unit to develop SMART[6] goals, each of which needed to map to one of the six strategic themes in the plan and, more specifically, to one of the theme's strategic outcomes—there were typically five or six under each theme. In addition to developing goals, each school and administrative area was asked to identify and describe perceived risks in the internal or external environment that could impact the school's or unit's ability to achieve its strategic goals. This, too, was an enhanced feature of the strategic planning process.
To implement the risk-identification process, a workgroup was established to manage the activity. This team conducted focus group meetings with campus leaders in key roles or who possessed knowledge related to themes in the plan. Participants in these focus groups were mainly either faculty or staff at the associate dean, associate/assistant vice president, and director levels. A focus group session was held for each of the six strategic themes, with eighty-nine members of the UMB community attending the sessions. The objectives of the focus groups were twofold: (1) to identify and delineate strategic risks that could impede UMB's ability to achieve the strategic objectives and outcomes for each theme; and (2) to provide leadership perspectives on these risks. Each focus group session commenced with an overview of the strategic theme's objectives and outcomes, the risk-management process, UMB's definition of strategic risks, and examples of strategic risks from the private sector and other higher education institutions. Participants then broke into smaller groups to pinpoint the top risks they believed could hinder the achievement of the strategic theme's objectives and outcomes. At least two facilitators were present at each session to assist participants through this process. Moreover, participants were provided with the following questions to guide their discussion on assessing the risks:
- Why or how does this risk threaten the achievement of the strategic theme's objectives and outcomes?
- What controls, if any, are currently in place to mitigate the risk?
- Who at UMB might have additional insight on managing this risk effectively?
The focus groups culminated in the identification of ten risk sources that could jeopardize the objectives and outcomes of the strategic plan. The identified risks were then distributed to all focus group participants, who were instructed to classify them into one of three priority levels—high, medium, or low—for further examination and action. Notably, no more than five risks could be placed in any single priority level. Participants also ranked each risk within a category from most to least urgent. As a result, each category reflected risks prioritized from highest to lowest importance.
Integrating ERM into a cyclical and important institutional process involving goal setting and resource allocation at the unit level migrated ERM away from an ad hoc, stand-alone activity and elevated and embedded it as an institutional effectiveness activity within an existing university system and framework.
ERM 3.0: Leveraging Technology to Enhance Integration, Tracking, and Reporting
The incorporation of ERM into the strategic plan was further refined and evolved during a subsequent strategic planning cycle in 2022. A significant enhancement was the integration of ERM queries into the Strategic Plan Implementation Management System (SPIMS), the university's proprietary strategic planning tool. The Office of Institutional Effectiveness, Strategic Planning, and Assessment (IESPA), in collaboration with the Center for Information Technology Services, developed SPIMS to support the creation and approval of SMART goals, risk evaluation, and progress reporting for the FY 2022–26 UMB Strategic Plan. SPIMS, hosted within the Anthology (formerly Campus Labs) Planning system, was designed to overcome the limitations of the previous system, which primarily focused on goal tracking with limited data-field manipulation capabilities. In the earlier system, all data was exported to Excel, managed via pivot tables, and later analyzed using Power BI with support from the analytics staff.
Developed by CITS Web Development for IESPA, SPIMS seeks to enhance the planning and tracking of strategic information. The application utilizes custom development languages, including ColdFusion, and integrates campus multifactor authentication to maintain secure and selective access. Data for the system resides in SQL Server databases, with both the application and data hosted in a cloud environment. Adhering to current UMB IT standards, the development and architecture ensure data privacy, integrity, and confidentiality through robust security, web accessibility, and authentication measures. The new SPIMS application (see figure 2), used by every school and administrative unit at UMB, offers a comprehensive platform to monitor strategic goals and their status over a five-year span.
SPIMS is designed to be reusable for future five-year periods, allowing users to generate new goals for each strategic planning cycle, update the status of goals, search the system on several variables, select and assign risk categories to goals, and run multiple custom reports (see figures 3–7) to track metrics, risks, progress, and annual plans for each goal.
Another advantage of integrating ERM within the strategic planning process was the valuable insights derived from data collected throughout this process. By embedding risk-evaluation questions into SPIMS, the steering committee could identify, aggregate, and prioritize top enterprise risks. This approach was continually improved with refined categories and supplemented by personalized technical support and guidance from a dedicated ERM program manager. The risk-evaluation questions have been evolving to incorporate feedback from stakeholders and insights from industry best practices.
The Current State of ERM
As the ERM process evolved, so did the resources necessary to manage it. The president and the provost, instrumental in identifying new organizational risks and considering how best to address them systematically through the ERM process, determined that additional resources were needed to ensure sustainability. They ultimately decided to create a new ERM-focused assistant vice president position to ensure consistent leadership engagement with ERM. This brought about several key changes to the ERM program. First, new foundational tenets and objectives were developed for the program, with support secured from the president, provost, and other university leaders in early 2022. Second, two crucial committees were reconceptualized: the Executive Committee, chaired by the provost and comprising executive-level leaders, and the ERM Implementation Committee, consisting of the assistant vice president in charge of ERM and director-level individuals from various business units and schools. Setting up the Implementation Committee was relatively straightforward because many participants from UMB's previous ERM efforts were already involved. Third, funding was reallocated to hire a full-time ERM program manager, significantly boosting the ERM program's capacity and accelerating its implementation. Finally, the two ERM committees approved short-, medium-, and long-term program goals, providing focus for the program.
ERM 3.0 signifies a transformative phase at UMB, aimed at enhancing strategic integration and fostering a proactive, risk-aware culture. This evolution built on past successes and adapted to new challenges, particularly highlighted by lessons learned during the COVID-19 pandemic.
Reflections on UMB's Experience with ERM
Implementing an ERM program delivered notable value, enhancing collaboration and support in mitigating risks and advancing strategic objectives. This transformation did not occur overnight; rather, ERM capacity was methodically developed through a deliberate, collaborative, and iterative process. One significant outcome was the progress made in risk mitigation. ERM initiatives at UMB led to enhanced protection of student records from early years, regular reviews and updates to financial policies and procedures, monitoring and auditing of purchase-card transactions, a comprehensive understanding of safety and IT security needs, and a better grasp of the complexities involved in UMB's global programs. These improvements have translated into numerous benefits, including an improved student experience and increased operational efficiency. UMB's ERM program has been recognized by the University System of Maryland (USM) as a best practice and is the model on which the eleven other institutions in the USM are designing and building their programs, which are now required by the Board of Regents.
Beyond effective risk mitigation, the ERM process strives for inclusivity and transparency, from identifying risks to their complete mitigation. It relies on a collective approach to identify, assess, and prioritize critical risks and determine the resources required to address them. A major success of this inclusive and systematic approach is the strengthening of a risk-aware culture across UMB, encouraging the integration of ERM principles within various roles. A crucial lesson learned is the significance of both leadership and the practical management of the ERM process. The top leadership's commitment was vital in driving the cultural shift necessary for ERM's adoption across the university. Aligning the ERM program with the president's and provost's offices enhanced the buy-in from key institution leaders.
Additionally, dedicating a specific role to ERM efforts helped institutionalize the goals of the program, providing essential support and structure. This has resulted in improved processes and better accountability in risk mitigation.
Conclusion: ERM as a Journey, Not a Destination
More than a decade into its ERM journey, UMB offers insights into how ERM can be effectively implemented and can enhance an institution's capability to identify and mitigate enterprise risks. In today's complex and uncertain world, effective risk management is more important than ever for institutions of higher education. The work of proactively identifying, assessing, and managing risks is a journey, not a destination. It requires leadership commitment, collaboration, resources, and a willingness to adapt and improve. But the benefits are clear: ERM can help colleges and universities navigate challenges, seize opportunities, and achieve their missions in a risk-responsible manner.
Notes
1. Committee of Sponsoring Organizations of the Treadway Commission (COSO), "Enterprise Risk Management—Integrating with Strategy and Performance," June 2017.
2. Committee of Sponsoring Organizations of the Treadway Commission (COSO), "Enterprise Risk Management—Integrated Framework," September 2004.
3. University of Maryland, Baltimore, "UMB Fast Facts."
4. The provost at that time was called the "chief academic and research officer."
5. COSO, "Enterprise Risk Management—Integrating with Strategy and Performance."
6. The acronym SMART stands for Specific, Measurable, Achievable, Realistic, and Time-Bound. This approach to developing goals assures that goals are attainable and outcome oriented.
Roger Ward is Provost and Executive Vice President at University of Maryland, Baltimore.
Jenny Owens is Vice Provost of Academic Affairs and Strategic Initiatives at University of Maryland, Baltimore.
Peter Murray is Chief Information Officer and Senior Vice President of Information Technology at University of Maryland, Baltimore.
Victoria Meadows is Assistant Director, Enterprise Risk Management Program, at University of Maryland, Baltimore.
Jon Kucskar is Deputy Chief Risk Officer at Johns Hopkins University (formerly Assistant Vice President for Enterprise Risk Management at University of Maryland, Baltimore).
Leandra Cate is Research Associate, Office of the Provost, at University of Maryland, Baltimore.
© 2024 Roger Ward, Jenny Owens, Peter Murray, Victoria Meadows, Jon Kucskar, and Leandra Cate. The content of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.