Risk Insider: Paula Vene Smith

Does ERM Fall Apart in Volatile Times?

March 15, 2017 • 2 min read
Paula Vene Smith directs the Purposeful Risk Engagement Project (PREP) and is a professor at Grinnell College. Paula consults on risk in higher education, and has written Engaging Risk: A Guide for College Leaders. She can be reached at [email protected]
Topics: Education | ERM | Risk Insider

Today’s headlines in higher education report high uncertainty and rapid change. Campus controversies erupt over free speech, prospective foreign students express newfound reluctance to study in the United States, and research funding is threatened in science, arts, and humanities. Even the principle of evidence-based decisions, fundamental to the academic enterprise, is questioned by national leaders. Do these times call for a new look at risk?

Colleges and universities only recently started to see value in developing a way to identify, evaluate, and address risks at the institutional level. By the time Enterprise Risk Management began to take hold on campus, most businesses and government agencies had already established systems of ERM. Realizing it wouldn’t work simply to replicate standard ERM frameworks, academic leaders developed their own systems based on shared governance and sustaining their mission.

But in recent months, uncertainty in academic decision-making has risen steeply. The landscape for higher education and for nonprofit organizations grows harder to navigate. The new presidential administration has issued statements, directives, and orders on issues from immigration policy to transgender rights; nearly all have implications for the academic realm. What happens to ERM programs assailed by so much change?

While this question affects any organization that practices ERM, it looms largest for those with fledgling and new programs—and that includes most academic institutions, especially the smaller ones. I’ve noticed three ways academic institutions are responding to these times of intensified uncertainty:

  • “Things right now are too volatile to do ERM.” Struggling to manage stepped-up risks in their own areas, administrators stop making institutional risk meetings a priority, and ERM goes on hold.
  • “Same old ERM.” The system proceeds on auto-pilot, without reference to the current political situation. A quarterly meeting of the ERM Council looks like the same meeting held a year and a half ago. Each risk owner summarizes what’s happened since last time and says, “We’re still working on it.” No one wants to acknowledge a new climate.
  • “Wait, let’s re-evaluate.” A risk leader makes the group face a new reality. The meeting agenda is rewritten; risk owners are asked to directly address potential and recent changes in the legal, political, and cultural environment.

This third approach enables new, crucial questions: How can we protect access for students whose immigration status makes them vulnerable? How does the rise of bigoted speech in the public sphere affect campus discourse? How might we respond to changing legal interpretations of Title IX?

Such adjustment to new circumstances should occur naturally as part of ERM. But in practice, people are so accustomed to their routines that unless it is given a name, even very large-scale change can be minimized or overlooked until it’s too late. Neither “ERM on hold” nor “ERM as usual” represents a wise option. Risk leaders should address big change head-on. Only then can Enterprise Risk Management—especially if newly established and still fragile—continue to drive good institutional decisions.

More from Risk & Insurance

2017 RIMS

Cyber Threat Will Get More Difficult

Companies should focus on response, resiliency and recovery when it comes to cyber risks.
April 19, 2017 • 2 min read
Topics: Cyber Risks | RIMS

“The sky is not falling” when it comes to cyber security, but the threat is a growing challenge for companies.

“I am not a cyber apocalyptic kind of guy,” said Gen. Michael Hayden, former head of the Central Intelligence Agency and National Security Agency, who currently is a principal at the Chertoff Group, a security consultancy.

Gen. Michael Hayden, former head of the CIA and NSA, and principal, The Chertoff Group

“There are lots of things to worry about in the cyber domain and you don’t have to be apocalyptic to be concerned,” said Hayden prior to his presentation at a Global Risk Forum sponsored by Lockton on Sunday afternoon on the geopolitical threats facing the United States.

“We have only begun to consider the threat as it currently exists in the cyber domain.”

Hayden said cyber risk is equal to the threat times your vulnerability to the threat, times the consequences of a successful attack.

At present, companies are focusing on the vulnerability aspect, and responding by building “high walls and deep moats” to keep attackers out, he said. If you do that successfully, it will prevent 80 percent of the attackers.

“It’s all about making yourself a tougher target than the next like target,” he said.

But that still leaves 20 percent vulnerability, so companies need to focus on the consequences: It’s about response, resiliency and recovery, he said.

The range of attackers is vast, including nations that have used cyber attacks to disrupt Sony (the North Koreans angry about a movie), the Sands Casino (Iranians angry about the owner’s comments about their country), and U.S. banks (Iranians seeking to disrupt iconic U.S. institutions after the Stuxnet attack on their nuclear program), he said.

“You don’t have to offend anybody to be a target,” he said. “It may be enough to be iconic.”

And no matter how much private companies do, it may not be enough.

“The big questions in cyber now are law and policy,” Hayden said. “We have not yet decided as a people what we want or will allow our government to do to keep us safe in the cyber domain.”

The U.S. government defends the country’s land, sea and air, but when it comes to cyber, defenses have been mostly left to private enterprises, he said.

“I don’t know that we have quite decided the balance between the government’s role and the private sector’s role,” he said.

As for the government’s role in the geopolitical challenges facing it, Hayden said he has seen times that were more dangerous, but never more complicated.

The world order that has existed for the past 75 years “is melting away” and the world is less stable, he said.

Nations such as North Korea, Iran, Russia and Pakistan are “ambitious, brittle and nuclear.” The Islamic world is in a clash between secular and religious governance, and China, which he said is “competitive and occasionally confrontational,” is facing its own demographic and economic challenges.

“It’s going to be a tough century,” Hayden said.

Anne Freedman is managing editor of Risk & Insurance. She can be reached at [email protected]