ENTERPRISE RISK MANAGEMENT

ENTERPRISE RISK MANAGEMENT (ERM)

ERM forms an important element of organizational management and provisioning of consolidated services. The effective deployment of resources performs a rollup of risks into a holistic view. Monitoring and testing provides transparency into the operational 'state of readiness' at most process points to effectively manage organizational efficiency.

INTEGRATED FRAMEWORK

ERM Policies
Present a holistic method of managing both operational and strategic risks across the organization.

The strategic plan for Enterprise Risk Management includes four strategic initiatives for all areas:
- Mitigation
- Preparedness
- Emergency Response
- Resumption & Business Recovery

MANAGEMENT ACTIVITIES
- Create high-level risk strategy (policy) aligned with strategic business objectives
- Create a risk management organization structure and ensure clear reporting lines
- Develop/assign responsibilities for risk management
- Communicate vision, strategy, policy, responsibilities and reporting lines to all employees across organization

EMBED RISK ACTIVITIES INTO ONGOING BUSINESS PROCESSES
- Align and integrate risk management activities within all processes
- Embed real-time controls related to risk into digital systems as appropriate
- Develop continuous improvement processes related to risk

MEASURE & MONITOR
- Identify key performance indicators and critical success factors related to risk
- Establish success measures for risk strategy/activities
- Provide a periodic process for measuring risk/return
- Identify and implement monitoring processes and methods of feedback

ENTERPRISE RISK MANAGEMENT IS MEANT TO HAVE A BROAD MEANING AS AN ALL-ENCOMPASSING TERM TO DESCRIBE INTEGRATED AND ENTERPRISE-WIDE COMPREHENSIVE PROCESSES THAT INCLUDE: 1.) EMERGENCY RESPONSE; 2.) RESUMPTION; 3.) RECOVERY; AND 4.)
RESTORATION

Accident prevention Business Impact Analysis Business Recovery Business Resumption Planning Command Centers ERM Perspective Contingency Planning Crisis Communication Crisis Management Disaster Recovery Emergency Management & Response Strategic Risk Exercising & Training Information Security Mitigation Planning Risk Control Risk Financing & Insurance Operational Risk Safety & Security Risk Management EHS Police BAIT Reputation Risk Event Management Computer Security Business Continuity Regulatory Compliance Safety & Security Council Regulatory or Contractual Risk Fire Protection Student Housing Academic Administration Operations Risk Mgmt Adhoc Committee Financial Risk

TOP-DOWN SUPPORT IS NECESSARY
- Without support from the top, you might as well not have an ERM program.
- If executive leadership does not support ERM, it will either not exist or not provide any value.
- Support from senior leaders must be built if it is to achieve its mission.
- What is not mentioned very often is the importance of the support of everyone else
- Executives to project managers to all company employees
- These are the people who support the process by helping identify risks and developing treatments

TOP-DOWN SUPPORT IS NECESSARY
- Engagement is key to support
- Focus the assessment process on the development of treatments
- Communicate and work with staff to demonstrate how the ERM process can help them achieve their goals to improve their own organization's processes
- Emphasize that ERM is there to enable strategy, not curtail it
- Going through the assessment process, a given strategy can often look more appealing because you know what to expect.
- With a good road map, you can safely navigate paths others cannot.
- Demonstrating the value of ERM to the entire team will earn their support and with that support, the risk assessments will provide more value.

RISK CATEGORIES ARE NOT A ROAD MAP
- Defining and describing all of the risks is important.
- All stakeholders in the ERM process must understand how a given risk is defined
- It is easy to become complacent with the "defined" risk categories
- Don't limit risk identification efforts to those defined categories alone
- That may leave a false sense of security that every area of organizational risk has been identified
- Just because all of the risks have names and categories within an organization, do not stop looking
- Continually seek out and identify risks
- See if new risks might drive us to change what we are looking for
- Don't let the risks that already have been identified prevent you from uncovering those that still need to be found

SIMPLICITY IS BLISS
- Present information in such a way that ensures the most valuable discussions are being had at the top and that key factors are not missed.
- Keep rating methodology simple and transparent
- If the methodology is too complex, the discussion will focus on the methodology instead of the risks
- Some aspects are inherently complex (risk interactions, for instance) and require complex thought or tools to be properly understood
- But always avoid unnecessary complexity

Published by the Public Risk Management Association www.primacentral.org Nov/Dec 2010

Pitfalls and Pratfalls of Implementing ERM
A Case Study from the State of Washington

What is enterprise risk management? A holistic approach to identifying, defining, quantifying and treating all of the risks facing an organization, whether insurable or not. - Glossary of Insurance and Risk Management Terms

By Sydney Martin Dore

I admit it. I'm a fan of enterprise risk management (ERM).
The very first time I heard about it, I thought, "This makes sense!" Although I had been working in loss prevention for a while, I had always hated the fact that it seemed we only had time for negative 'events' and spent most of our time trying to mitigate things that had already happened. ERM finally brought together the swirling concepts of loss prevention, risk reduction, appetite and prediction together into a sharply defined picture and I loved it. The light bulb came on with a flash and made me realize that ERM was a unified concept I could use, not only in my own work, but as a framework to explain risk management to anyone in a clear, simple way they could immediately understand and use. In an instant, I was a believer. A few months later, I got a once-in-a-lifetime chance to work in the governor's risk management office to help implement ERM at other state agencies and I jumped on it!

When we started working on this challenge, there were 165 very diverse state agencies in Washington state, although the number varies from year to year. Some were very small, almost tiny, with less than 20 people operating as a regulatory board or commission. Others, like my home agency, were edging close to 20,000 employees. And their missions were also diverse; some agencies only dealt with one thing, like vehicle licensing or state printing, while others housed myriad divisions with varied purposes and methods of operating.

These differences meant that our first challenge was to devise a simple way to provide ERM training in an accessible, usable way to people from many different agencies with widely different skills, experience and frankly, interest. As you all know, some approaches to ERM require a fairly high level of risk management experience but we needed a way to talk about ERM with people who had very little risk management background.
And we wanted our version of ERM to meet some amazing criteria. It had to be easy to explain to many different audiences, flexible, scalable, memorable and a good fit with management practices for state agencies. No small task. Our team was small and we needed to carefully marshal our resources so the ERM plan we put together had to concentrate on the essentials.

We started with purchased ERM training for agency executives to share the concepts and advantages of ERM training with the top people in our agencies. The training turned out to be a great kick-off. It was fast paced, informative, fun and a great vehicle for introducing ERM to the agency community. Unfortunately, it was also very, very expensive.

'Step two' had to be an in-house training plan that we could do ourselves and offer free to agencies. To make that happen, we got to work boiling ERM background, philosophy, vocabulary and techniques down, down, down into its basic essence and what finally emerged was the Seven-Step ERM Method that would work for agencies regardless of their size, business functions or experience with risk management.

You know there are many ways to talk about ERM and some of them are quite complex. Because we knew that most of the people we would be training would bring a social service orientation, not a financial or insurance background, we charted a very simple ERM path:

1. Clearly state the goal.
2. List everything that could keep you from meeting the goal (the 'risks').
3. Evaluate each risk:
   - Choose a likelihood rating from 1-5.
   - Choose an impact rating from 1-5.
   - Multiply together and 'map.'
4. Prioritize (pick the most severe risks).
5. Treat/Mitigate:
   - Avoid
   - Accept and Monitor
   - Transfer
   - Reduce the Likelihood.
   - Reduce the Impact.
6. Make a Risk Register that includes:
   - Treatment plans.
   - Measures of success.
7. Communicate Results:
   - Gather and share 'best practices.'
   - Review and refine.
We used this simple path as a platform to talk about basic risk management concepts, as well. Since the people we worked with were program managers, not risk managers, we needed to cover a lot of basic risk management in the training before we even got to the "Seven Steps." To do that, we always opened the training with a quick game of '21' (using chocolate we handed out to everyone as poker chips) to demonstrate differing risk appetites, generate discussion about what "risk" means and get people talking about risk in their personal and professional lives. After that, we would do a quick risk management "history lesson" where we defined traditional (or transactional) risk management practice and talked about the growth and principles of enterprise risk management practice, as well as the risks and benefits of each.

Once we actually started explaining the method, the steps gave us plenty of opportunity to explain the other things they needed to know: how to write a goal statement, why anonymous voting works best, crafting effective success measures, mitigation techniques and even a bit about using surveys and online voting. At the end of our training time, everyone got a chance to practice, first on a silly, personal goal like cleaning closets or saving for a vacation, then on a real goal statement about a problem facing the group. This gave everyone who attended a chance to practice and made sure that every session ended with real, practical results!

We trained hundreds of people in ERM, but we didn't stop there; we also developed simple tools and tracking methods to chart our progress. These included an online version of the risk register (Illustration 1), tools and a framework for agencies to use in government management accountability and performance (GMAP) reporting and even a customized maturity model just for Washington agencies.
Illustration 1

GOAL:

To treat a risk, you can:
- Avoid
- Accept and Monitor
- Reduce the Likelihood/Impact
- Transfer the risk

Treatment must reflect the:
- Risk appetite of your group
- Amount of control you have
- Values of the group, and
- Be measurable, and time-limited

HEAT MAP

Likelihood        | Impact: 1 Very Little | 2 Minor | 3 Major | 4 Critical | 5 Fatal
5 Almost Always   | (5)                   | (10)    | (15)    | (20)       | (25)
4 Frequent        | (4)                   | (8)     | (12)    | (16)       | (20)
3 Often           | (3)                   | (6)     | (9)     | (12)       | (15)
2 Once or Twice   | (2)                   | (4)     | (6)     | (8)        | (10)
1 Hardly Ever     | (1)                   | (2)     | (3)     | (4)        | (5)

RISKS (columns: Likelihood, Impact, Score (L x I), Your Group Score (Avg.), Color):
Risk 1 ...
Risk 2 ...
Risk 3 ...

While the reporting framework linked ERM implementation to the overall goal of reducing deaths, serious injuries and other substantial loss in the state, the tools we developed, including the maturity model, helped agencies track their progress in managing risk. Using a maturity model tool is a sound business practice of ERM and our Washington tool, still in use, measures ERM maturity in five areas annually: fundamentals of risk management, executive leadership, ERM integration into agency culture, applying ERM principles and ERM embedded into agency strategic business operations. One hundred agencies have been using this tool for several years now and reporting their progress and their plans to reach maturity in this area.

In addition to basic and advanced training and measurement and reporting tools, we provided other ERM resources including quarterly risk "forums" on topics as varied as e-discovery, public disclosure law and reducing employment liability risk, a risk management Web site, an online risk management manual, 'Risk Management Basics' (http://www.ofm.wa.gov/rmd/publications/rmbmanual.pdf) and ongoing, regular meetings for agency risk managers.

All of this work really did pay off, raising awareness of ERM and increasing agency skill levels in this area. The free training customized to agency needs, the simplified 'plain-talked' ERM method we developed and the ongoing dialogue along with the new resources like the Web site and manual worked together extremely well.

Not so successful? Well, you have to admit that the vocabulary of ERM is not exactly mainstream; it was tough to get people to make "COSO-speak" the norm and while I hear more people talk about "enterprises" and "mitigation," it would have been easier if we could have started with more familiar terms.

And there is always a struggle to get non-risk managers to move beyond their definition of risk management as a safety program or an insurance/workers' comp program into a broader application of risk management as a set of principles and tools they could apply to better reach their program goals. Add that to the reluctance most people have to talk about or focus on risk, and their limited definition of the term, and you have a topic that doesn't come up much unless people are educated to bring it up.

Finally, of course, budget matters. In times like these, people fall back on old habits to manage the crisis and it is hard to change course in a storm. If you have been around for a while, though, you know that every storm passes and I believe ERM will prevail here. It is easy to explain and easy to learn. It brings focus to what is important and helps us put scarce resources where they will do the most good. It fosters a 'no-blame' culture and teaches that risk can be measured and managed.
It helps us look at goals instead of just talking about things after something goes wrong and it provides a framework for dealing realistically with problems that can help us make bold, proactive decisions that fit the amount of resources we actually have available. Government will always need that.

Sydney Martin Dore is economic services administration enterprise risk manager for the Washington State Department of Social and Health Services.

Enterprise Risk Management - Virginia Commonwealth University White Paper

Enterprise Risk Management (ERM) is a new way of thinking, planning and strategizing.

"Enterprise risk management is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives." - COSO/Treadway Commission

Traditionally, businesses and universities have identified and managed risks individually or transactionally. Some examples are information technology breaches or failures, legal issues, and carrying traditional fire and other types of insurance. This can, at times, create a "silo" approach to risk management that may create a lack of coordination that could fail to identify strategic and reputational risks.

Risk is always a part of any business and not all risk is detrimental or must be eliminated. Successful organizations are those that can identify and manage risks in advance of those risks transforming into actualities. Unexpected occurrences can drive a business to react in a non-proactive manner and/or create significant liabilities.
Establishing an organizational Enterprise Risk Management ("ERM") process and structure can help to cover gaps by creating a holistic organization-wide approach to risk management that increases communication and integrates risk management with strategic planning. Additionally, ERM can help to position an organization to not only identify and mitigate traditional risks, but also to manage risk and, whenever possible, turn risk into opportunities.

Traditional risk mitigation involves one-time organizational action to try to avoid or reduce risk. Examples of risk mitigation include purchasing fire insurance, installing computer intrusion software, and/or instituting a policy prohibiting a certain type of activity. However, ERM institutes active and on-going identification and management of risks. An organization with an effective ERM process will continually work to identify and prioritize its risks across the business and develop a process to manage and monitor those risks.

ERM focuses on an institution's achievement of its objectives or mission in the following four areas:
- Strategic - high-level goals that are aligned with and support the institution's mission
- Operational - ongoing management process
- Financial - protection of the institution's assets
- Compliance - the institution's adherence to applicable laws and regulations

[Figure: Strategic Risk, Operational Risk, Reputational Risk, Compliance Risk, Financial Risk. Reputational risk is a risk of loss resulting from]

Enterprise Risk Management is a Best Practice in Business.

The control framework developed by the Committee of Sponsoring Organizations (COSO) states that risk management is an essential part of strong controls by ensuring that risk appetite aligns with management's decisions and an organization's strategy. A recent report by Ernst & Young noted that companies that made risk management practices part of their corporate culture tended to do better financially than those that did not.
("Turning Risk into Results," Ernst & Young Global Management 2012)

The Sarbanes-Oxley Act requires businesses to utilize a control framework in their internal control assessments. (Sarbanes-Oxley Act of 2002, Section 404) Many opted for the COSO Framework, which includes a risk assessment element. NYSE corporate governance rules require listed companies to "discuss policies with respect to risk assessment and risk management." (NYSE Listed Company Manual Section 303A Part 7. (c) (iii) (D)) Most recently, corporate debt rating agencies have started reviewing risk management in their company evaluation process. When properly implemented, ERM integrates the concepts of internal control, Sarbanes-Oxley, and strategic planning; all recognized as best practices.

Can Enterprise Risk Management Improve How Universities Operate?

Current trends point towards increasing pressure to transform risk management for universities:
- Fierce competition for faculty, students, staff, and financial resources.
- Pressure for increased productivity, responsiveness, and accountability while reducing costs.
- Increased external scrutiny from government, governing boards, and the public demanding accountability.
- New technologies that require investment of both financial and human capital resources.
- Rapidly increasing entrepreneurial ventures beyond the traditional educational venues that create stresses and strains on traditional administrative and financial infrastructures.
- Increased competition in the marketplace.

Additionally, this framework helps a university manage one of its most important, overarching risks - reputational risk. The importance of reputational risk for a university cannot be overemphasized. There is not a single activity at a university that is not touched by potential or actual reputational risk. From academic quality to degree awarding, from research to instruction; a university's reputation is always a factor in customer and stakeholder decisions.
If an incident were to occur to diminish a university's reputation, the financial and strategic repercussions could be devastating and have a long-term impact.

Using an ERM framework, management can review pressures and risks on an organization-wide basis and determine which risks may or could affect the ability to meet the university's strategic goals. ERM can also clarify the role of the board and senior management in risk management and decide whether the university should take on new risks or reduce its current risks. Although higher education has lagged behind the for-profit business sector in implementing ERM, it is now widely accepted in higher education as a best practice in strategic organizational management. Given the university's goals in education, research, and public service; implementation of ERM is one of the best ways to assist VCU to meet its strategic vision.

Why Should Virginia Commonwealth University Implement Enterprise Risk Management?

As a part of the state-required ARMICS process, the university has annually completed an "agency-wide risk assessment." (Update on Agency Risk Management and Internal Control Standards (ARMICS) Presentation to Finance, Investment and Property Committee, VCU Board of Visitors, August 24, 2011) That assessment has identified challenges and opportunities for the university and has identified ways to improve the control environment. The university currently has wide-ranging policies and procedures to actively manage many of its financial, compliance and operational risks. However, some financial policies may need to be written, revised or updated. Implementing ERM to expand upon the current risk assessment processes will create opportunities to identify and manage risks and controls to include strategic and reputational risks. This could present an opportunity for VCU to lead among its peers.
ERM is an important step in implementing the overall strategic plan that identifies, analyzes, and strategically mitigates risks across a wide range of sources. Without ERM, implementation of a strategic plan like Quest for Distinction could be analogized to driving on a freeway without routinely checking one's mirrors for other cars and related risks. ERM helps the board members understand how management knows that the important risks to the university will be identified and managed.

Quest for Distinction identifies VCU as forward looking and future planning. Successful implementation of ERM would complement the strategic plan by focusing on those risks that could keep the university from successfully reaching the Quest for Distinction goals. The first step for any strategic plan is to focus on implementing those activities that help to achieve those goals. A similarly important parallel step is to identify and manage those risks that may prevent reaching the goals. Additionally, other risks may be identified that do not directly relate to Quest for Distinction, but relate to the university's mission statement and core values.

What would ERM look like at VCU?

From the very beginning, the President must promote the importance of ERM to the university, lend his sponsorship to the ERM project, and lead the ERM process. Through its support and monitoring of the ERM project, the board sets the tone for risk management on campus. Senior management, including the Board of Visitors and the President, must demonstrate the importance of ERM to VCU by making time to add their expertise to the process and by making the ERM project a time and budget priority.

The next step, as with most projects, is to put someone in charge. The most important indicator of success in this project will be having an individual whose responsibility is to continually maintain the momentum of the process.
This project director would be someone reporting either to the President, Vice President for Finance and Administration, or Executive Director of Assurance Services. The project director would assist in developing a framework that would guide the process and identify resources necessary to make the project successful and further refine the map that the university will continuously follow to meet its strategic goals. The Department of Assurance Services would be a valuable resource in assisting in the direction of this project.

Similar to strategic planning, ERM is not a one-time process that develops a discrete inventory of risks that is then placed on the shelf for decoration or occasional reference. ERM must become part of the living culture and strategic planning processes for the university. Whenever priorities are set or decisions are made, enterprise risk management must become part of the process. An important part of ERM is education and how to make risk assessment part of the decision-making process and vocabulary on campus and create a culture that supports setting priorities and responsible risk-taking.

We will need to build on VCU's current risk management processes to identify, analyze, evaluate, treat, and monitor the university's current processes and strategic goals. In a large multi-faceted university with many schools, activities, research grants, foundations, associations, and a teaching hospital; this could be a daunting task. Similar to strategic planning, full implementation of ERM could involve many employees and stakeholders to tap the creativity necessary to identify all the university's risks.

As ERM began in the for-profit business sector, it used a process-control approach that focused on key business processes and managing risk events by using consistency across the business processes. This approach used the COSO framework to comprehensively review each process creating detailed control documentation and comprehensive reporting.
This approach requires an extensive amount of initial effort to catalog, document, and analyze all the risks.

Some universities have embraced a measurement-driven approach that focuses on identifying the key risk factors and understanding their materiality and probability of occurrence. Risk mitigation activities are focused on the most material risks with appropriate mitigation strategies. This creates risk management as a tool that can be used for budgetary as well as strategic planning. This approach has been successfully implemented at Emory University in Atlanta (a 14,000-student university with a teaching hospital) and Cornell University in New York (a 22,000-student public land grant university with a teaching hospital).

We have reviewed and evaluated these two ERM approaches. We have seen that the most successful models implemented by universities have used the measurement-driven approach similar to that implemented at Emory and Cornell Universities. This model is one that we believe would fit well with VCU and involves staff throughout the university to identify, prioritize, and manage risks. There may be opportunities to involve internal or external experts to assist in tailoring this or another ERM model to VCU.

How Can VCU Identify and Prioritize its Risks?

Interviews, group discussions, surveys, or other methods would be used by facilitators to guide the risk identification and evaluation process. An important part of the ERM process is for the user groups to have significant input in risk identification and evaluation. This process should identify those risks that the senior management and the board need to focus on, not trivial risks.

One common way to identify and rate risks is through the use of facilitated meetings. VCU faculty, staff, and other stakeholders with different backgrounds and responsibilities would collaborate and brainstorm with the assistance of a facilitator trained in group dynamics and familiar with ERM goals.
These groups would be organized around subject matters such as: Finance, Safety and Facilities, Human Resources, Information Technology, Governance, Academics, Student Affairs, and Research. Risks would be scored as to both severity and likelihood, emphasizing severity. Certain areas could be reviewed for risk first because they have higher risks, have greater importance as strategic initiatives, or have higher exposure to affect the university's reputation. This process will identify many more risks than can be actively managed by senior management.

After a broad range of risks are identified through this initial process, an ERM Committee (probably individuals at the Assistant Vice President level) would be tasked with grouping and prioritizing the risks. Establishing a cross-functional ERM committee is an opportunity to advance some real thinking and truth-telling about the risks various individuals on campus see. Staff from Finance and Administration as well as Assurance Services would be key members of this ERM Committee due to their risk analysis experience. This committee would then decide how many of these risks could be actively managed at one time, the Key Risks. Generally, it may be difficult for senior management to be involved in managing more than 50 risks annually. Management could individually decide whether certain other risks should be managed by department managers outside of this ERM project.

How are the Risks Managed?

After the ERM Committee identifies those Key Risks, each risk would be assigned to a Process Owner. That individual may or may not be responsible for owning that risk or implementing action to mitigate that risk. The Process Owner would be responsible for ensuring that the risk is managed and to report on that risk to the ERM Executive Group (probably individuals at the President's Cabinet level).
The Process Owner would have to work closely with those responsible for actually managing that risk (the Risk Owners), both to identify the details of the risk and to develop practical ways to mitigate the risk. The Risk Owners need to use their risk management and mitigation plans in budget development and clearly identify those budget requests that mitigate Key Risks.

The ERM Executive Group would meet for a few hours quarterly to review Key Risks. Each Key Risk would be reviewed annually. The Process Owner would present the status of that risk, steps being taken to manage the risk, the planned operational response to an occurrence of that risk, and the planned communication response to an occurrence. In order to keep the meeting direct and concise, the Process Owner would be given approximately five minutes to present and a similar amount of time to answer questions. A rigid timetable ensures that the scheduled risks are addressed within the allotted time.

Of course, the implementation is not complete until a monitoring procedure is in place to revisit the risk assessment process periodically and bring the process full circle by re-assessing risk and evaluating methods of risk control. The ERM Committee would periodically meet to decide whether there are new risks that may need to be managed as Key Risks and whether any Key Risks are so well managed that they no longer need to be managed by the ERM Executive Group.

Annually, the project director would update the appropriate committees of the Board of Visitors on the status of risk management. This update would summarize important risk management activities, identify important risks that have not been sufficiently managed, and ask for the board members' input on their assessment of risks that may need to be considered.

How Much is Enterprise Risk Management Going to Cost VCU?

As previously noted, the university currently reviews enterprise level risk as a part of the ARMICS procedures.
Implementing ERM would build upon this process and culture to make the process more formal, involve management more deeply, and integrate risk assessment into strategic planning and decision-making. The university may want to engage internal or external experts in developing the ERM framework and in facilitating risk identification and scoring; this may involve the budgeting of resources. Additional costs and meeting time will be required to educate and inform those involved of the background, process, and goals of the project. However, most of the cost to the university will be "soft costs" in that individual staff members will be asked to make time in their regular work duties to fulfill ERM tasks.

After some initial start-up and organizational meetings, the ERM Executive Group would meet for three quarterly. The ERM Committee may need to meet for two or three days to initially review and prioritize the Key Risks. The facilitated meetings to identify the risks may involve eight meetings of ten individuals lasting three to four hours. Initially, the individual identified as the project director may find that organizing and monitoring the project takes a significant amount of his or her workload. After the initial phase, the project director should find that maintaining the momentum of the project is less burdensome.

The Process Owners and the managers in the identified risk areas will be performing tasks that are integral to their regular duties. We believe that many of these staff members are already identifying and working to mitigate risks in their assigned areas. Formalizing their procedures and then reporting their results to management annually should not be a significant additional burden.

How Will the Implementation of Enterprise Risk Management Benefit VCU?

Adoption and implementation of Enterprise Risk Management at VCU will give management and the board knowledge that, as a whole, the university is doing what it can to be ready for the future.
We may have limited ability to affect or even predict the future, but if we are ready for the future then we can continue to direct our path through the future, instead of having the future direct us. A strong risk assessment with related mitigation strategies will increase the university's reputation as a leader in active governance by both the board and senior management. The university will be seen as a proactive steward of its resources by state government, donors, the bond market, and other stakeholders.

Should an event occur that has been a part of the risk management process, the university's response can be quick, decisive and resilient, because it has been anticipated. Even if an event occurs that had not been part of the process, the university will be seen as having been active in risk management and as simply not having thought of the unthinkable, and the risk management process may aid in mitigating future liabilities.

Primarily, implementation of risk management will be another tool to successfully implement the themes of Quest for Distinction and lead VCU into its second 50 years as a premier urban, public research university distinguished by its commitments to education, research, human health, and engagement. ERM can help in management's efforts to: Sustain
