Article by Donna Davis
This article originally appeared in the July/August 2015 Net Assets.
ERM stands for “enterprise risk management,” but for Chris Duble, CEO of Fred C. Church Insurance, the acronym has another meaning: “Everybody is a risk manager.”
Duble’s definition reflects ERM’s holistic approach toward identifying and mitigating risks. The process originated with the meltdowns of companies like Enron and Arthur Andersen in 2001–2002, as corporate board members and senior administrators elsewhere sought to address potential liabilities that could damage or destroy their companies. Many of those leaders brought their experiences to the higher education boards they served. Now ERM is gaining followers in K–12 independent schools among trustees, heads and business officers who recognize the need for a higher level of risk management at the top.
“Generally, the bigger schools with larger endowments and students in grades 9–12 have made a serious commitment to ERM, but it’s our belief that ERM is absolutely coming to all independent schools,” says Duble, whose company provides insurance and risk management services to 127 independent school clients. “There’s almost nothing about ERM that is unique to higher education. It’s as viable for a K–6 school as it is for a large university.”
Indeed, inquiries about ERM from independent school trustees and business officers have increased at United Educators, which provides liability insurance and risk management services to K–12 schools and higher education institutions. “They are interested for the same reason colleges and universities are,” says Janice Abraham, president and CEO of UE.
“They want to address external market forces such as technology and curriculum shifts that are forcing schools to look at how to better achieve their missions.”
Duble predicts that in five years, every independent school will be familiar with ERM and that 50 percent will at least have started the process. His hope, he says, “is that 5 to 10 percent of the leaders in this independent school world will have a fully integrated, successful ERM program that will be as good as any college or university or Fortune 500 company.”
It Starts at the Top
Often the move toward ERM begins with trustees, but many factors can drive the process, including contact with other schools, professional organizations and insurers who are implementing or educating their colleagues and clients about ERM. Sometimes events are the impetus, as at The Bolles School, a 1,671-student preK–12 day and boarding school in Jacksonville, Florida. In 2012, a 10-year-old student died in an accident on the middle school campus’s ropes course, where he was playing after school while his older brother practiced football. A few months later, the Sandy Hook Elementary School shootings occurred. The Penn State sexual molestation scandal also was making the news almost daily. No surprise, at NBOA’s 2012 Conference on the Business Officer, risk management was on everyone’s mind, including that of the Bolles chief financial officer, Nancy Greene.
“We came to the conclusion that the business manager can’t own risk management alone anymore,” Greene recalls. “Schools are too complicated. The world is too complicated. I started thinking how can we shift the culture and get everyone aware of and involved in ERM.”
Whatever prompts schools to turn to ERM, the process typically starts with the board, the school’s ultimate fiduciary. Trustees, in turn, must work to engage the head of school, business officer and other senior administrators in understanding the value ERM can bring. “You certainly want to ensure that there is strong support from the board chair and the head of school,” says Roger Smith, a Hotchkiss School trustee who helped the Lakeville, Connecticut, boarding school establish ERM shortly after the Enron disaster. “You want to clearly establish ownership for this process at the board level. It’s not something that gets assigned to a task force; it needs to stay at a high level.”
Many schools choose four broad target categories: strategic, financial operations, reporting and compliance, and reputation. A top administrator or board committee takes responsibility for each category. For example, trustees and the head of school may handle strategic risk management, while the business manager, audit committee and finance committee become the financial risk experts. “Every risk should have an owner,” Abraham says. “It’s best to report the risks to committees. One lesson we have learned is that the audit committee should not own all of risk management.”
Identifying the Risks
These leaders collaborate to identify risks, assess their impact and their relevance to the school’s mission, develop and implement risk mitigation, and monitor those processes. ERM never ends, with the school leaders regularly re-examining current risks and staying up-to-date on emerging risks. Key to the entire process is talking with as many people on campus as possible.
Smith, along with Hotchkiss’s chief financial officer, John Tuke, spent hours interviewing school staff and faculty at every level of the 600-student, grades 9–12 school. “We wanted to talk to people who were close to the activities we had identified and get them to articulate their concerns and how they were managing risk,” Tuke says. “That way, we could identify if we were missing a policy or procedure and find ways to mitigate risk.”
Some administrators were wary at first. “People had been managing these risks themselves for years and doing a very good job,” Smith says. “All of a sudden, it felt like someone from the board was telling them how to do their job, but very quickly they saw us as partners in trying to manage risk as opposed to the old model that made them manage all the risk by themselves without the support of the board.”
Like Hotchkiss leaders, Bolles administrators met with staff and faculty in every area. “We told them risk management is not a silo system,” Greene says. “We told them we needed them to identify a list of every risk they could think of that could impact the mission of the school, and challenged them not to be limited by their department but to categorize the risks. We also talked with them about risks they saw on campus and things that bothered them. Then we distilled them all down and asked them to help us build mitigants.”
Plotting the Hot Spots
Gathering information from a wide range of sources about risks allows a school’s leadership team to create a risk matrix, or heat map or register—a tool that lists the prime risks the institution faces, along with the likelihood of the events occurring and the impact they would have on the school. Some schools may have international students or trips to consider, for example, while others may rent athletic or other facilities to outside groups.
The number of risks the school initially addresses should reflect the school’s available resources in terms of time and staff. Five to 10 is a good number. The school can create a longer list, but it’s best to handle the highest priorities the first year, saving the rest for future years. “Culturally and organizationally, with a new concept like ERM, you can only focus on so much change at any one time,” Duble says. “Keeping the number small increases the likelihood of success, and success breeds buy-in and commitment from more people on campus and leads to further success.”
At Parish Episcopal School in Dallas, the ERM process started in 2014, two years after the former church-run school became independent and responsible for governance and financial tasks that church officials had always handled. “Our board members are lawyers, CPAs and hedge-fund folks—all of whom had been through ERM after the financial crisis of 2008,” says Mark Kirkpatrick, CFO at the 1,100-student preK–12 school. “They wanted to make sure that we were doing everything from a fiduciary standpoint to allow us to be a continuing organization.”
The board “morphed” its audit committee into a risk management team consisting of a human resources attorney, a regulatory attorney, private equity managers, a corporate IT expert and an audit partner, along with school leadership. The team devised a 17-item risk matrix that ranks items in terms of likelihood of occurrence and potential impact (see chart next page). Risks considered possible or likely that would also have major consequences included cybersecurity issues, major equipment failure and health care changes. One risk considered “catastrophic”—although unlikely to happen—involved losing the head of school. “Someone might want to know why the head of school is on there,” Kirkpatrick says. “In our case, the head was the key person who helped raise $20 million in endowment.”
Although a risk matrix is the cornerstone of the ERM process, schools do not need to start with a blank sheet of paper. Parish Episcopal worked from one developed at a board member’s business. Schools can also find examples by contacting colleagues, consulting with their insurance brokers or taking advantage of resources from professional organizations like NBOA, including resources in the NBOA Library.
Balancing Risk and Reward
Schools can also decide which risks they don’t want to take on, and, on the positive side, which risks they will tolerate because the programs or initiatives associated with those risks add value. “Ask, what’s the risk if we don’t do this?” Abraham says. “Great schools look at both the opportunities and the things that can go wrong. It’s being able to balance both of those.”
Ask, what’s the risk if we don’t do this? Great schools look at both the opportunities and the things that can go wrong. It’s being able to balance both of those.
Janice Abraham
United Educators
Hotchkiss uses several means to manage the risks it faces. For example, the school has made boundary training for adults dealing with children mandatory, along with previously implemented requirements for harassment and mandatory reporting training. Swimming may not occur without a certified lifeguard present, whether for a school activity or an outside event. For several years the school has also outsourced driving for athletic trips beyond a certain distance, citing possible driver fatigue as a risk.
No school can avoid risk altogether; often, in fact, risk is inherent in mission. Hotchkiss supports sports, school trips and other activities as important educational experiences. “If we say students can’t be involved in experiential learning because there are manageable risks, then we are wasting critical opportunities to educate the next generation in non-academic ways,” Tuke says. If schools don’t adopt ERM programs to mitigate and manage traditional higher-risk activities like football, they may not be able to maintain them, he adds. “Sooner or later, their boards will require a robust ERM process.”
Nor should schools overlook a potential risk “because we have always done it that way,” Abraham says. Tragic incidents at colleges and universities—from the bonfire deaths at Texas A&M in 1999 to the Penn State scandal—illustrate the potentially high cost in lives, reputation and finances of failing to examine everything. At an independent school, administrators can look at their own practices. For instance, at a school that values time for students and teachers to talk one-to-one, perhaps even papering-over the classroom door to enhance privacy, “someone has to be willing to say … maybe there should be more openness,” Abraham says. “At least question it. What are we afraid to talk about? What are the issues that people say could never happen here?”
In developing mitigants, it is sometimes necessary to think beyond risk transfer or insurance. “You can’t buy insurance for shifting demographics,” Abraham says. “You may be able to buy insurance for sexual molestation or assault, but that doesn’t mean you want to address the issue that way.”
Putting ERM into Practice
Abraham suggests the 20/80 rule for ERM: Spend 20 percent of time looking at other risk registers and sharing information, and 80 percent developing responses to those risks. Many organizations tend to take the opposite approach. “Think of it as a heat map and work on the reds first—the things that are likely to happen and will have the greatest impact,” Abraham says. Then get to work developing an action plan.
The Bolles School team began with simple steps—literally walking the school’s three campuses. “We started with low-hanging fruit,” Greene says. “A mistake a lot of schools make is going right to a (safety) audit.” The team checked for hazards and security risks such as inadequate lighting and fencing, uneven sidewalks and overgrown shrubbery. More costly and complicated mitigation such as security cameras and entry systems came later.
The Bolles team also created a training and development tool for all faculty and staff. One of the first programs involved active shooter training—a top-of-mind risk for teachers and staff. “Although that is less likely to happen, it’s something everyone thinks about,” Greene says. “That training made it very real for them so we could take the training to a less dramatic level.”
A Dynamic Process
ERM is ongoing. To keep everyone involved, Greene leads a “state of the school” address at the beginning of each academic year for faculty and staff. She covers not only financial information, but also safety and security. “We share the areas where we had the most claims, such as workers comp and slips and falls. We talk about proper footwear or whatever is needed to mitigate risk. And we talk about how the losses impacted premiums and how anything that costs money impacts salary.” The bottom line, says Greene, is that the Bolles community understands that “the safer we are, the more resources we have to put toward mission. Now people come to us with their concerns.” Those worries may range from an uneven sidewalk to setting tighter controls on campus visitors.
The Bolles School developed a matrix to help consolidate identification of all risks. By keeping the matrix constantly updated with changes to existing and emerging risks, the entire community can be involved. “People love the tool because it’s a great way to communicate,” Greene says. “After we listed the risks and mitigations, we highlighted all the ones we had done in green, ones in process in yellow and ones we had not done or even thought about in red. We update that for the audit committee. Because of everyone’s involvement, we now have almost all greens.”
At Hotchkiss, Smith says the matrix brings credibility to risk management because it is a fact-based tool. “It allows us to deal with these risks in thoughtful ways. It gives us something that you can quantify and decide how risky it is relative to other risks. It looks like something you can manage as opposed to the loudest voice in the room rules.”
A thorough, dynamic ERM process can change a school’s culture around risk management. With training, updates on risks and mitigants, and involvement of everyone on campus, Tuke says schools can relay the message that the “ultimate stewards and fiduciaries of the school are aware of risk and want to create a culture of safety and risk management.”
