Assess and Select Which Risks You Will Tackle This Year
Once you’ve completed identifying institutional risks – Step 1 of the enterprise risk management (ERM) process – your ERM committee can move on to assess those risks. This second ERM process step includes assigning risk scores to all risks on your register and prioritizing risks for treatment.
At the end of this two-part process, your K-12 school, college, or university will have a manageable list of risks to tackle through the ERM process.
Step 2A: Assign Risk Scores
Start the risk assessment process by assigning risk impact and likelihood scores to all risks on your risk register.
This step is deceptively difficult, as leaders are often tempted to assign the highest score to many risks. To help your ERM committee with scoring, use a scoring tool such as the one United Educators (UE) has created – although leaders can include other considerations.
Assigning risk scores to institutional risks helps prioritize which risks your institution will address through the ERM process this year. Rather than getting overly focused on precision, use risk scores to help determine how risks compare.
Risk scores aren’t intended to predict likelihood or impact of a risk occurring, since they’re only one input into prioritizing risks. As with any other document, leaders overseeing the ERM process should discuss documentation strategies and confidentiality with legal counsel.
Step 2B: Prioritize and Select Risks for Treatment
Consider inputs beyond risk scores to help you prioritize and select the top risks your institution has the resources and needs to tackle this year.
While you may start with risks that received the highest scores, consider the following:
- Strategic plan initiatives and priorities
- Existing risk management efforts
- Budget and resources
- Feasibility and timing
- Whether risks require a cross-functional response
- Requests from students, parents, employees, and institutional leaders
- Trends peer institutions and/or associations experienced or the media has reported
- Direction a risk is trending, like an upward or downward trend
If an institution hypothetically assigned lower impact and likelihood scores to a risk like diversity and inclusion, leaders may point to the institution’s strategic plan and growing concern nationwide about this topic to assign higher priority to this risk despite lower risk scores. As a result, that institution may choose diversity and inclusion as one of the risks the institution will manage through the ERM process even though the risk had lower scores.
Assess and Prioritize Risks
- Don’t overload your program with risks. Prioritizing top risks can help you plan based on available resources and avoid burnout by focusing on too many risks too soon. Select one to five risks in early years to ensure that efforts are successful. In future years, as risk management efforts gain momentum and ERM committee members gain confidence in managing risk, consider whether your institution can undertake several additional risks. We’ve seen mature ERM programs address 15 to 50 risks, particularly if senior leaders allocate additional budget and full-time equivalent employees (FTEs) to the ERM program.
- Reverse the 80/20 rule by focusing on taking action. Many institutions focus 80% of their efforts on risk identification, perfecting risk scores, and planning to treat risks ─ and only 20% of their time and resources on actually managing risks. Avoid this trap by focusing 80% of your time and efforts on taking action and managing top risks.
Continue onto UE’s blog Strategies to Treat and Mitigate Risks Effectively or use UE’s ERM Process Tracker and Risk Scoring Tool to input your risk scores and track which risks you have selected.
More From UE
About the Author
-
Liza Kabanova, Esq.
Risk Management Consultant, United Educators (Former)
Liza serves K-12 schools, colleges, and universities by discussing campus-specific risk management questions. Her areas of focus are enterprise risk management (ERM), COVID-19 response, change management, and training facilitation. She creates practical resources, leads education-specific ERM workshops, and co-authored Risk Management: An Accountability Guide for University and College Boards. Prior to joining UE, Liza served as Assistant Director for Safety and Learning at Pepperdine University. There, she worked to centralize campus safety programs, implement the first employee learning management system (LMS) platform, and serve on the university’s threat assessment team and its workers’ compensation and hazardous waste committees.