Policy Matters

Other Duties as Assigned

Posted By Teresa Raetz, Georgia Gwinnett College, Monday, October 7, 2019

Policy, Strategic Planning, and the Future Adventures of an Enterprise Risk Management Newbie

 

I am the policy manager for my campus, and I am organizationally housed within a department called Plans, Policies, and Analysis.  The unit includes the traditional institutional effectiveness functions, including academic and co-curricular assessment, institutional strategic planning, and, of course, policy process management.  My role within my department is to manage the institutional policy review process, but I have no role with managing the policies themselves (other than our own departmental policies).  Despite the clear boundaries around my responsibilities, I have arguably the widest view of policies on our campus—which policies we have and how they relate—since I work with all of them. 

 

Because of this broad policy view, I was recently asked to represent my department on my college’s Enterprise Risk Management (ERM) Committee.  While I am generally familiar with ERM, I have not been part of any ERM activities before, so my first action, after asking a few questions and receiving the committee charter, was to dive deeper into the role of policy in ERM, so that I can attend my first meeting well prepared.

 

My role on this committee hasn’t really begun yet, but for now, I believe that it will be to articulate risks, as they arise, that are created by extant policy or the absence of policy.  Because my unit drives institutional strategic planning, my role will also be to identify and articulate risks associated with our strategic plan and its processes.  According to Deloitte, these include risks that inform the strategic plan (such as legislation that could alter our activities), risks to the implementation of the plan itself (such as imminent budget cuts), and risks created by the plan.  An example of the latter could be creating a strategic priority around moving data to the cloud, which would create some risk around security of the data.

 

One of the things I’m most looking forward to is working with campus leadership in a slightly different capacity.  I currently work with a wide swath of administrators and staff through the policy editing and review process.  They know me as the person who provides training for policy processes and best practices and the editor of individual policy changes.  My role on the ERM committee will be more analytical and broad-based, as we work together to identify risks and prioritize the amount of risk they present.  Another thing I’m looking forward to is the opportunity to “sit at the top of the mountain” and further my understanding of how key institutional processes work together to feed the success of the college.  I’m a bit of an organizational development nerd, so I’m sure I will find it fascinating to learn more about how the strategic plan, institutional policy, and the various parts of ERM work together (or, don’t, eek!). 

 

What experiences have you had with ERM?  What advice or resources can you share that have been helpful to you in risk management?  In your current role, do you identify policy risks, either inside a risk management structure or more informally?  What do you do to increase the chance that these concerns are responded to?

Tags:  ERM  risk management  strategic planning 

 

Comments on this post...

Denise LaBudda, University of Wisconsin-Platteville says...
Posted Monday, October 7, 2019
Hello Teresa,
The University Risk Management and Insurance Association (URMIA) is a good resource. They've recently created a compliance community. The intersection of policy/compliance/risk seems to be something I hear discussed with increasing frequency. Check out URMIA here: https://www.urmia.org/about/50th

Denise LaBudda, University of Wisconsin-Platteville says...
Posted Monday, October 7, 2019
This is a better URMIA link (to the home page): https://www.urmia.org/home

Brenda van Gelder, Virginia Tech says...
Posted Tuesday, October 8, 2019
Teresa,
Like you, I've also been pegged for overseeing the ERM process, but only for the Division of IT. My policy work is mainly for the Division of IT and I serve on a university-wide policy advisory committee, so I have visibility to all policies that way.

My role with ERM has mainly been in coordinating and organizing the IT-related "Risk Snapshots", which identify the risks and a timeline for mitigating those risks. Then I ride herd on the plans for mitigating the risks by making sure the timeline is adhered to by the various units within IT.

Anthony Graham, University of Pittsburgh says...
Posted Friday, November 1, 2019
Teresa,
I am curious to learn how your process goes and what types of risks are evaluated and what type of risk framework you may use.
The University of Pittsburgh uses the COSO Integrated Control Framework when evaluating Financial Reporting risks and controls, but I haven't run across anyone who has instituted COSO from an entity-wide perspective.
Please keep us in the loop.