New - ERM Toolkit - Sample forms and Charters to get your ERM program started

New - OPRS has a limited supply of "Enterprise Risk Management for Dummies" books. Contact or RIMS. This book is a very helpful guide for ERM first timers.

New - Link to Wikipedia - Enterprise Risk Management

NEW - Online library of ERM information and resources (Updated 8/07)

NEW - "Enterprise Risk Management: The full picture" This report by Aon provides a comprehensive assessment of how global organizations are now taking a "full picture," enterprise-wide view of their risks, and what significant cultural, resource, and strategy challenges exist when they attempt to fully embed ERM within their organization. Visit Aon's website at www.aon.com/erminsight2007 and enter your contact information to receive a free copy of the report

ERM Bulletins

What can ERM do for you?

Enterprise Risk Management (ERM)
Enterprise Risk Management (ERM) what can it do for you? At its best ERM can help you take greater risks while ensuring the most positive outcome. When done right, ERM should be tied to your strategic decision making. An ERM program can also facilitate collaboration and communication throughout your organization.

In the "old days" a risk manager would usually not be called upon for assistance till after a negative event occurred. Sometimes consideration of risk might be given prior to an activity: "We are going on a research trip and travel by boat down the Amazon river, what insurance do we need?" Traditionally, the risk manager would address the insuring issues, contractual issues and the loss prevention issues."Do you have waivers?".."Will you have life vests?" The consideration of safety, insurance and indemnity provisions are important, but they are not all of the risks involved and may not represent the greatest risk for an organization.

Moving from Traditional Risk Management to Enterprise Risk Management requires that there be a more in depth consideration of risk during the development of "the plan". Is the trip being sponsored through a grant or other program that has certain reporting requirements that need to be fulfilled? If the trip is part of a graduate study program will the education objectives be fulfilled? Is the trip fiscally sound? What are the political risks in the country of travel? What are the health risks? To help you understand this concept further take a look at the ERM Case Study exercise that was presented at the NACUBO forum on ERM in June of 2007, it illustrates a methodology for considering risk and relationship to attaining strategic goals.

In order to bring the needed expertise to considering risk in strategic planning, we believe that the best place to start your ERM effort is to form a cross-disciplinary panel that meets regularly to discuss risks and develop your organization ERM program. Many of UC's campuses have formed ERM groups - see our sample charters to get a better idea about who would be on the panel and the duties and responsibilities of the group.

Many professional organizations are helping to further develop the art and discipline of ERM and there are many different methodologies and frameworks to choose from - visit our library to see what others have developed. Most major teaching institutions have or are in the midst of implementing an ERM program and we keep an updated summary of their efforts. Why re-invent the wheel, when you can review what already exists and refine it to fit your needs? So how is ERM different than other initiatives that you have implemented: 6-Sigma, Balanced Scorecard, Risk Assessments, Control and Accountability Programs, Compliance Programs, etc? PriceWaterhouse Coopers' publication, "Achieving goals, protecting reputation - Enterprise Risk Management for educational institutions" states "Many academic medical centers and large, multi-campus public universities already have a process in place that very closely parallels the ERM model - that is, comprehensive institution-wide compliance programs.ERM extends the compliance program model to also embrace the other categories of risk faced by an institution (i.e., strategic, operation, and reporting risks.)" In fact, having an ERM program can help to support other programs and "give them legs". For example if you have implemented a balanced scorecard, the tool not only houses organizational metrics but the strategic direction and resulting initiatives. After your leadership has refreshed the strategic direction, as expressed through the scorecard and initiatives, your ERM panel and program will be able to identify and optimize strategic risk surrounding these initiatives and make recommendations to these activities based on their assessment.

The University of California has been moving towards an enterprise approach to identifying and managing risk including financial, business, operational and governance risks for sometime.

• The Regents adopt COSO1 framework (1996)
• Controller positions established at each campus (late 1990s)
• Several campuses develop ERM initiatives (2004-present)
• Chief Risk Officer (CRO) position established December 2004
• ERM Panel formed to develop an ERM strategy (June 2005)
• ERM meetings and interviews completed (October 2006)
• ERM survey completed (February 2007)
• ERM Panels formed at most campuses and medical centers (August 2007)

As a leading institution of higher education and financial practices, the University of California adopted the Enterprise Risk Management (ERM) framework advocated by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). An ERM Panel was formed that includes management representatives from Office of the President and the campuses. I n the last two years there has been a major effort to develop and mature our ERM Program.

Our initial strategy was to develop a data warehouse that can manage information that is currently being collected by various groups, existing programs, and initiatives throughout the system. This data could then be used with the COSO framework to analyze processes, risks, and controls system-wide. We are currently in the process of making a final selection and procuring a Risk Management Information System (RMIS).

ERM meetings, interviews and surveys were completed to identify key risk factors, key controls, and identify data that would be helpful in monitoring our strategic plans and goals.

Many of our campuses have continued with existing ERM efforts and others have just begun new efforts.

To assist campuses in this effort this website provides resources, reference materials, links to helpful websites, and a tool kit of sample forms and documents focused on ERM and Risk Assessment.

We have also focused on managing our traditional risk program in a more "enterprising" manner by encouraging a cross discipline approach to managing risk. For example our Risk Management Leadership Council's associated workgroups are made up a subject experts rather than Risk Managers. Our Be Smart About Safety program is a collaborative effort rather than a Risk Management or Environmental, Health and Safety (EH&S) effort. Our ERM program includes looking at our Total Cost of Risk and by identifying and analyzing the full cost of risk, we have been able to develop strategic plans to reduce the cost of risk and free up resources to be used for meeting the University's mission. ERM also supports the monitoring of internal controls and accountability, providing valuable information to the Controllers and Internal Auditors.

We hope you find the information on our website helpful as you look to manage your risk in an enterprising way, and don't forget to Be Smart About Safety! If you have any questions, please contact Chief Risk Officer Grace M. Crickette, , telephone 510-987-9820).