Monitor Risks and Repeat the Process by Starting the Next Round of ERM

Resilient enterprise risk management (ERM) programs monitor the risk landscape throughout the year to adapt to change. They learn from risk management efforts at the end of that year’s ERM cycle before beginning a new cycle the following year.

Consider the following strategies to adapt throughout the year, as well as how to close the loop at the end of the year and begin the ERM cycle again the following year:

Monitor Throughout the Year

Since new risks may surface at any time, your ERM committee should continuously monitor risks, update its risk register, and re-prioritize efforts in response to changes.

Risk Monitoring Feeds the Next ERM Cycle

Ideas for monitoring risks over time and keeping risk management efforts top of mind include:

• Scan for new and emerging risks. Throughout the year, consider if a risk is increasing in significance.
• Kick-start risk assessment. Each ERM cycle calls for reassessing risks. During reassessment, you will ask three questions: What was last year’s assessment? Did our risk mitigation efforts decrease this risk’s prominence? Did the external environment increase or decrease this risk’s prominence? Risk monitoring quickly answers the first two questions, leaving more time to work to mitigate risk.
• Learn from and improve risk mitigation tactics. The effectiveness of past mitigation efforts can inform improvements on mitigation tactics. Monitoring risk can help leaders consider which mitigation efforts succeeded and which didn’t. Your ERM committee can then decide whether to continue, adjust, or scrap a mitigation plan.
• Open up strategic opportunities. Instead relying on anecdotes, many institutions struggle to base their threats and strategic opportunities on recorded trends. Monitoring risks and risk mitigation efforts creates a source of data to analyze when considering direction for annual and strategic planning.

Track Three Data Points for Every Top Risk

Use a spreadsheet or dashboard to connect risk mitigation activities to outcomes associated with that risk and track the following data points over time:

1. Current, past, and target risk assessment scores
2. What was done to mitigate your top risks
3. How well your institution minimized losses associated with the risk — or maximized gains

For example, monitoring the risk of student mental health incidents would include trends in the risk scores and priorities each year, a list of each year’s initiatives to improve student mental health, and outcomes, such as the number of students self-harming and taking a leave of absence due to mental health. As risk monitoring becomes more complex, it often includes more quantitative metrics and interactive dashboards.

Regardless of the complexity of risk monitoring methods, an ERM observer such as a board member should be able to quickly see what the institution is doing to manage a given risk and how successful those efforts have been. The ERM leader should see an outline for the next round of risk identification, assessment, and treatment.

Close the Loop: Start Next Year’s Risk Identification Process

For risk management efforts to succeed and become part of campus culture, it is important to consider ERM a process and not a one-time event.

After concluding the four steps of the ERM process, discuss progress on past efforts and whether there is room to improve or lessons learned as you consider starting the ERM process for the following year.

To begin identifying risk in following years, start with the risks you identified at the beginning of this year’s ERM cycle, including risks that weren’t ultimately selected for treatment and mitigation.

Next, consider what new or emerging risks occurred throughout the year or at the time of that reporting year. Review UE’s blog Identify Institutional Risks With Confidence for a refresher on strategies to identify new and emerging risks or use our ERM Process Tracker to monitor and document your ERM efforts as you restart your ERM process.