Into the Unknown: Connecting ERM to Specific Strategic Goals is Tough.

Learn how University of Maryland, Baltimore (UMB) integrated ERM within the university’s strategic planning process.

Authored by Victoria Meadows, MS – Assistant Director, Enterprise Risk Management Program at UMB

According to the Committee of Sponsoring Organizations (COSO), “Enterprise Risk Management (ERM) is not a function or department, but rather a culture, capabilities, and practices that organizations integrate with strategy-setting and apply when that strategy is carried out.” University of Maryland, Baltimore (UMB) really wanted to apply this to the university’s strategic planning process. However, UMB recognized that integrating ERM within a strategic plan is never an easy feat and sometimes seems like an impossible task. UMB’s ERM program wanted to take this task on and develop a strong risk-aware culture while doing so. The mission of the ERM Program is to have an ongoing process that will embed, sustain, and support a culture of responsible risk-taking and opportunity identification across UMB. In line with the COSO framework, and to strengthen the ERM Program’s mission, UMB thought it was essential to be a presence within the university’s strategic plan. Before getting to know UMB’s strategic plan and the ERM integration, let’s spend a brief moment getting to know UMB.

UMB is an urban campus that is located on Baltimore’s Westside. Being the Founding Campus (1807) of the University System of Maryland (USM), UMB is one of twelve Maryland institutions within USM. UMB consists of seven schools that include Medicine, Nursing, Pharmacy, Dentistry, Social Work, Law, and Graduate Studies – Seven Schools, One University! UMB’s Carnegie Classification is Special Focus – Research Institution ($663M in extramural funding). The mission of UMB is to improve the human condition and serve the public good of Maryland.

Beginning in 2022, UMB’s five-year strategic plan consists of six strategic plan themes, depicted in Figure 1. Those themes are broken down into objectives and then further into goals. Each school and unit at UMB has an assigned administrator who maintains the statistics and necessary information on their goals. Each goal is tracked, and its data collected, in a homegrown system called the Strategic Plan Implementation Management System (SPIMS). An annual progress update for each of the goals is required.

A brochure of UMB's Strategic Plan with photos of groups of people and a list of the 6 headings: I. Accountability and Integration of Core Values II. Student Growth and Success III. University Culture, Engagement, and Belonging IV. Innovation and Reimagination V. Community Partnership and Collaboration VI. Global Engagement and Education.

Figure 1: UMB’s Strategic Plan Themes

To begin the UMB ERM Program’s journey in integrating within the strategic plan, a literature search was conducted. All articles that were found consisted of great theoretical concepts, but not practical processes that could be applied. Knowing this, and knowing the culture of UMB, the goal was always to link risk and strategy together while keeping the following items in mind: (1) The connection between strategy and risk should be more frequent than every five-year review and more granular than at the “Theme” level; (2) Broader goals would increase risk/ERM awareness across campus and gain meaningful risk-related data; (3) There was an implementation time pressure because the “Annual progress update” cycle was starting in Spring of 2022 and we risked a five-year implementation delay.

In FY22, going Into the Unknown, we implemented a basic risk assessment framework that included the following:

  • Likelihood, Vulnerability, Velocity (1-5 scale) – borrowed from USM
  • Several risk categories
  • Source of the risk: internal, external or equal
  • Option to include a “Secondary Risk”

The positives during the FY22 cycle were (1) On-time integration – it happened!; (2) Online implementation functionality within SPIMS; (3) Most administrators responded with very little nudging. We did recognize some room for improvement: (1) To gain more meaningful data; (2) There was limited capacity for follow-up; (3) To have more synchronization with other ERM activities.

Moving into the FY23 cycle, some major changes occurred. First, we requested more details about the risk identified by requiring detailed risk descriptions (up to 1000 characters). We added an option at the end of the assessment to expand on the reasoning behind specific likelihood, impact, and speed of onset ratings, as well as to provide mitigation responses. Second, a full-time ERM staffer was hired (that’s me!) who had the capacity to train and follow up with stakeholders. Finally, we aligned the response framework with the ERM program’s annual risk assessment, because between FY2022 and FY2023 we developed a new risk assessment tool. Keeping in mind the vocabulary used as a ranking scale (1-4 but with words – e.g. “moderate”), using the newly developed risk assessment established a common framework that deepened stakeholder understanding of ERM.

Thus, the FY23 strategic plan risk assessment process was the following:

  1. Identify the primary risk
  2. Add a description of the risk 
  3. Select one of the 12 identified risk categories
  4. Assign a rating of risk likelihood, impact, and speed of onset
  5. Provide details as to why those ratings were chosen and/or state mitigation efforts
  6. Repeat Steps 1 through 5 for a secondary risk, if applicable

Some tangible outcomes from the FY23 cycle were (1) We identified the risk category that was cited the most (1. Human Capital, 2. Funding and Budget, 3. Infrastructure, Technology, and Facilities); (2) We analyzed the source of the risk: internal, equal, and external; (3) We identified the top 15 risk items based on score. Some non-tangible outcomes from the FY23 cycle were (1) We provided an opening to talk to stakeholders about ERM; (2) We built key relationships with schools and units; (3) We strengthened the link between strategy and risk; (4) And the biggest success was that stakeholders considered and documented ideas on how to mitigate risks – this was an optional ask!

© Copyright 2014-2024 AFERM. All Rights Reserved.
Association for Federal Enterprise Risk Management