ERM - Resource Toolkit


Enterprise Risk Management (ERM)

Resource Toolkit

Division of Administration
and Finance

Table of Contents

1.0 Introduction
1.1 Identification
1.2 Objectives

2.0 Risk Management Strategy
2.1 Risk Identification
2.2 Risk Analysis
2.3 Risk Mitigation Approach
2.4 Risk Reporting and Escalation Strategy
2.5 Risk Tracking Approach

3.0 Risk Management Organization
3.1 Risk Management Roles and Responsibilities

4.0 Primary Mechanisms
4.1 Documentation

5.0 Primary Controls
5.1 Reporting

6.0 Risk Assessment and Mitigation Resources
6.1 Purpose and Participating Units
6.2 Mitigation Plan Contents

7.0 Mitigation Planning Process
7.1 Step 1: Develop Mitigation Goals and Objectives
7.2 Step 2: Identify and Prioritize Mitigation Actions
7.3 Step 3: Prepare an Implementation Strategy
7.4 Step 4: Determine Plan Maintenance and Update


1.0 Introduction
1.1 Identification

Enterprise Risk Management (ERM) is a continuous enterprise-wide process that will enable Northern Illinois University to pursue its strategic mission while identifying, controlling and mitigating risks. Northern Illinois University will use ERM to aid in decision-making and improve the probability of achieving its strategic and operational objectives. The Enterprise Risk Management Resource Toolkit provides information and procedures for the ERM Plan and ERM Mitigation Plan for the Northern Illinois University Enterprise Risk Management program.

1.2 Objectives

The ERM Plan includes project-level objectives for risk management and communications management (which are necessary to support effective risk management).

The ERM Plan includes additional objectives within the ERM framework:

• To implement a methodology for identifying risks (i.e., the conditions or events that could endanger project success).
• To implement a methodology for analyzing the potential impact and probability of identified risks.
• To implement a methodology for establishing the relative criticality of identified risks.
• To implement a methodology for developing and executing responses to risks (mitigation plans).
• To implement a methodology for monitoring the status of each risk, from identification through closure.
• To implement a methodology for regularly reviewing the project level status of risks and risk responses.
• To implement a methodology for regularly reviewing program level status of risks and risk responses.
• To link risk responses (mitigation planning) that require additional resources to the university budget.
• To promote a culture of risk awareness and prevention.

2.0 Risk Management Strategy


This section provides a narrative on the strategy for how risks are identified, analyzed/quantified, mitigated, reported, escalated and tracked.

2.1 Risk Identification

Risk identification is carried out on a unit-by-unit level with representatives from the particular office, department or division submitting risks to the Core ERM Team for inclusion within the current year’s risk register. The Core ERM Team facilitates risk identification, but their participation is not required for units to submit risk status update forms with new risk information included.

As part of the risk identification process, representatives from a unit should list the key strategic activities their unit engages in to achieve their objectives and identify the risks associated with each of those key activities (e.g., the risks of putting student athletes on buses to travel to competitions). This exercise serves as the process to review the different types of risk:

• Financial (risk of financial loss, risk to credit rating, risk to financial position/liquidity, etc.).
• Operational (risk of delay, backup, complication to ongoing operations, etc.).
• Health and Safety (risk to individual or collective health and safety).
• Reputational (risk to the reputation of the institution or programs, either direct or indirect).
• Strategic (risk to institutional or program capacity to achieve strategic goals and objectives).
• Compliance (risk of violating federal, state or institutional laws, regulations and policies).

During the identification exercise, unit representatives should consider these additional risk factors:

• External Risks (risks arising from events external to the university).
• Internal Risks (risks arising from actions, procedures, policies or circumstances within the university).
• Emerging Risks (events, actions or circumstances that present new risks to the institution).

Any additional types or considerations for a particular risk as identified by the unit representatives should be included in the risk status update form submitted to the ERM Core Team.

2.2 Risk Analysis

In order to create a Risk Inventory capable of ranking the assessed risks across all of the units, a Risk Scoring Rubric was formulated.

Enterprise Risk Management Risk Scoring Rubric

In order to create a Risk Inventory capable of ranking the assessed risks across all of the units, a scoring formula is produced.

Identified risks are assessed by the units involved for their potential severity (impact) and likelihood for a risk event to occur using the scales below:

Likelihood or Frequency of Risk
1 = Unlikely
2 = Uncommon or Infrequent
3 = Possible or Occasional
4 = Likely or Common
5 = Almost Certain, Inevitable, Regularly Occurring at the Present Time

Severity
1 = Minor
2 = Moderate
3 = Substantial
4 = Serious
5 = Severe
6 = Business Critical

The basic elements of the score indicate the initial assessments of Likelihood (L = 1 to 5) and Severity (S = 1 to 6) provided by the units identifying and assessing each risk. These scores, when multiplied, produce a basic Unweighted Risk Score (L x S).

Weighted Risk Score Factors

Two weighting factors, Velocity (V = 0 or 5) and Cascading Effect (C = 1 to 3), are utilized to determine a weighted risk score.

A Velocity score of 5 points is assigned to a given risk if there would not be time to control or mitigate the immediate effect of the severity of that risk once it occurred (e.g., a power blackout). All other risks should be assigned a Velocity score of 0.

A Cascading indicator is applied to cases where a risk event occurring in one unit or area of campus would have significant effects in multiple areas on campus.

• Cascading effects are classified as: 1 (Limited), 2 (Moderate) or 3 (Significant).
• These indicators are used to rank risks with the same overall score, placing those with significant cascading effect at a higher weighted risk.

Taken together, these scores produce the Weighted Risk = Unweighted Risk + Velocity + Cascade or L x I + V + C, where I is the severity (impact) score S.


2.3 Risk Mitigation Approach

The following provides an outline of the risk mitigation planning process which is detailed more thoroughly in the Risk Mitigation Plan.

Step 1: Develop Mitigation Goals and Objectives
• Review and analyze the results of the risk identification and risk assessment process.
• Formulate mitigation plan goals.
• Determine mitigation plan objectives.

Step 2: Identify and Prioritize Mitigation Actions
• Identify alternative mitigation actions.
• Identify and analyze mitigation capabilities.
• Evaluate, select and prioritize mitigation actions.

Step 3: Prepare an Implementation Strategy
• Identify how the mitigation actions will be implemented.
• Document the implementation strategy.
• Obtain the consensus of the planning team and appropriate unit leadership.

Step 4: Determine Plan Maintenance and Update
• Document risk owners and reporting milestones.
• Provide system of monitoring and updates to relevant stakeholders.

2.4 Risk Reporting and Escalation Strategy

Risk Owners will report on new and emerging risks as part of the Enterprise Risk Management annual cycle. Risk Owners additionally provide updates on previously identified risks resulting from changes in the control environment or the progression of mitigation efforts.

As new risks are identified and information about the risks is updated, risks are integrated into the risk register using the scoring rubric. The rubric allows for changes in multiple variables, including (1) likelihood, (2) severity, (3) velocity of event and (4) cascade effects to contribute to a particular risk’s priority within the register.

Risks will be escalated, or rise in priority within the risk register, either due to a change in one of the variables listed above or as a result of a de-escalation of other risks in the register.

2.5 Risk Tracking Approach

Risks identified as part of the ERM annual cycle will generate regular reporting in two ways, dependent upon the actions of the Risk Owner(s). As part of the ERM annual cycle, Risk Owners will submit risk reports to indicate changes in status of identified risks once per year. A risk may go down in priority as mitigation efforts are completed. Similarly, a risk may go up in priority because of a change in internal or external factors. A risk may also be removed if there is a significant change in environment.

During a specified time within the ERM annual cycle, risk status reports will be submitted and added to a database which will provide risk assessment information and analysis of trends over time by risk, risk owner and unit.

3.0 Risk Management Organization


3.1 Risk Management Roles and Responsibilities
The following table lists specific roles and responsibilities for risk management, as an addition to the roles and responsibilities in the Project Management Plan.

Role: Responsibility

Unit Representatives:
• Actively pursue the identification of risks.
• Report identified risks.
• Provide input into possible mitigation strategies.

Risk Owners:
• Submit Risk Status Update Forms.
• Review risk priorities and establish risk tolerance.
• Submit ERM Project Forms.
• Link mitigation planning with budget development.
• Implement and monitor mitigation plans.

Core ERM Team:
• Integrate new risks and changes into Risk Register.
• Write and distribute annual report.

4.0 Primary Mechanisms


4.1 Documentation
Risk Management relies on the following documentation:

Document Title: Description

Risk Identification: Begins the annual review cycle (start Oct. 1). Update Risk Register with new and emerging risks identified following the previous cycle. Risk Owners review previous list of risks for their unit/area. Add newly identified risks via Risk Status Update Form. Remove resolved/managed risks, or modify risk significance based on mitigations via Risk Status Update Form. Submit risk status update forms to the Core ERM Team by Oct. 31.

Risk Analysis: Core ERM Team, utilizing data from Risk Owners, integrates new and emerging risks into the risk register. Using a scoring rubric, pertinent data regarding each risk (i.e., changes or new developments) are utilized to rank risks within the register. Draft ranking prepared by Nov. 30.

Risk Evaluation: Full ERM Team and Resource, Space and Budget Committee reviews the Risk Rankings. Risk Owners provide tolerance level for new and emerging risks at the unit level and identify which risks intersect. Risk Evaluation completed by Dec. 31.

Risk Mitigation Plan Development: Risk Owners develop risk mitigation plans for new and emerging risks and update previous plans. Risk Owners identify resource needs for mitigation plans. All information submitted by Jan. 31.

Mitigation Resourcing: Merges with budget development process (March). Needs addressed within current budget capacity, or submitted as unfunded requirement (UFR).

Mitigation Plan Implementation: New Fiscal Year (July).

Enterprise Risk Management Annual Report: An annual report is produced by the Core ERM team using data from Risk Owners. The annual report will include: Relevant background information, top institutional risks, top new and emerging risks (as applicable), highlights of mitigation efforts for previous top risks, top identified opportunities and challenges, appendices of relevant risk related material for top institutional risks. The report will be distributed by Sept. 1.

5.0 Primary Controls


5.1 Reporting
Enterprise Risk Management Annual Report

• An annual report will be produced by the Core ERM team using data from Risk Owners. This report will be provided to the Finance, Audit, Compliance, Facilities and Operations committee (FACFO).

• The annual report will include:
– Relevant background information.
– Top institutional risks.
– Top new and emerging risks (as applicable).
– Highlights of mitigation efforts for previous top risks.
– Top identified opportunities and challenges.
– Appendices of relevant risk related material for top institutional risks.

• The report will be distributed annually within the first quarter of the new fiscal year.

6.0 Risk Assessment and Mitigation Resources


6.1 Purpose and Participating Units

The purpose of this ERM process is to permit and promote risk-informed decision-making. The process of creating the Risk Inventory and of ranking all of the institution’s risks provides a process for prioritizing and addressing needs for risk mitigation resources. As part of the ERM process, forms and processes have been developed to permit those units with high-ranking risks to request funds as part of the annual budget process specific to mitigation efforts for recognized high-ranking risks. As the ERM and budget processes become integrated, units will report their progress toward meeting their mitigation goals to the ERM Program on a quarterly basis.

For all Rank 1 risks, the progress reports will be forwarded to the Finance, Audit, Compliance, Facilities and Operations committee (FACFO) of the Board of Trustees for each meeting. For all Ranks 2 and 3 risks, mitigation status reports will be provided to senior leadership semiannually. In cases where significant improvement is reported, a reassessment of the risk will be performed and reviewed by the committee. As a result, the Risk Inventory will be modified to reflect the change in risk status for that risk, and the ranking will be revised. In this way, the Risk Inventory will serve as a working document tracking the status of all risks, with more detailed focus and reporting on those in the top three ranks.

Participating Units

ERM Core Team:
• Facilitates the completion of the risk assessment process and development of risk mitigation plans.
• Integrate new risks and changes into Risk Register.
• Write and distribute annual report.

Division Representatives:
Works with division risk owners on assessments/monitoring of risks and related risk mitigation efforts.

Executive Budget Committee (EBC):
Reviews risk mitigation plans with funding requests in context of NIU budget process and provides budget recommendation to the NIU Board of Trustees.

Advisory Group (with subject matter expertise):
Provides feedback and insight to the EBC as part of the review of the risk mitigation plans with funding request in the context of NIU budget process.


Risk Owners:
• Manage the risk.
• Submit Risk Status Update Forms.
• Review risk priorities and establish risk tolerance.
• Submit ERM Project Forms.
• Link mitigation planning with budget development.
• Provide funding requests to the EBC for review.
• Develop risk mitigation plans and funding requests to be utilized in execution of the risk treatment process.
• Execute risk mitigation plans, evaluate risk treatment effectiveness and report on mitigation process.

6.2 Mitigation Plan Contents

What is a Mitigation Plan?

A mitigation plan is an action plan developed by a risk owner, unit and/or division to (1) diminish the likelihood or impact a risk might have to that unit; and (2) prevent the likelihood of increased risk or assist in adapting to changes in the risk addressed.

What should be included in a Mitigation Plan?

A mitigation plan addresses the actual and potential risk assessed through the Enterprise Risk Management process, identifies controls and corrective actions to reduce the likelihood of a future risk related to the addressed risk, and outlines the steps a unit will perform to mitigate the possible risk.

The following is a list of statements that provide the details of an effective risk mitigation plan.

Does the plan describe the scope of the risk/noncompliance being mitigated?
• Has the scope changed from what was originally reported (e.g., additional devices/facilities/personnel found to be in scope)?

Does the plan describe the cause of the risk?
• Has the root cause been identified?
• Were there any contributing factors identified?

Does the plan include all corrective, detective and preventative recurrence actions?
• Do the actions relate to requirements in scope?
• What is being mitigated?
• How is it being mitigated?
• When is it being mitigated?
• Has prevention of increased risk or changes in risk been addressed?
• Have completion dates for all actions completed prior to submission of the plan been included?

Does the plan include milestones as needed?
• Have milestones been defined where appropriate (for future dated actions)?
• If milestones are included, do the milestones have sufficient detail?
• Are the milestone intervals reasonable?
• Are the milestone intervals able to be completed over a single fiscal year?
• Remember to retain evidence to provide proof of completion for all actions taken.

Does the plan include a proposed completion date?
• Will all milestones be completed prior to the proposed plan completion date?

Describe the interim risk associated with the reliability of operations while the mitigation plan is being implemented.
• Does the mitigation plan contain interim steps to address this risk?

Describe the prevention of future risk to the reliability of the operations.
• How will the successful completion of this mitigation plan prevent or minimize the probability that your unit will incur further risk in the future?
• How will the mitigation plan actions taken prevent the likelihood of increased risk or assist in adapting to changes in the risk addressed?

7.0 Mitigation Planning Process


7.1 Step 1

Develop Mitigation Goals and Objectives

In this step, information revealed in the risk assessment stage of the Enterprise Risk Management program is used to develop clear mitigation goals, general guidelines that explain what you want to achieve, and objectives and statements that detail how those goals will be achieved.

One way to begin this step is to phrase the findings of the risk assessment as problem statements and noting trends or patterns in the types and location of previous or potential risk events; and in the vulnerability of infrastructure, buildings, or populations. You can then structure goals and objectives that steer you toward appropriate mitigation actions.

Review and analyze the Risk Identification and Risk Assessment process results

Most of the information needed to complete this task can be drawn from the NIU Enterprise Risk Management Full Report 2015-2016. Some technical assistance may be needed to interpret these findings.

1. Note the causal factors of each risk. Knowing the causes of a risk will help determine what type of actions you can take to prevent future damage.

2. Note the risk characteristics. How the risk “behaves” will greatly influence the range of actions you take and when you implement them.

3. Note the important and/or critical assets category (historic, civic, emergency facilities, transportation, lifelines, etc.). Look at the asset inventory you completed at the end of Step 3 in Understanding Your Risks for this information.

4. Identify specific characteristics of assets related to risks that contribute to their impact or the likelihood of a risk occurring (i.e., outdated infrastructure or critical systems).

5. Review and identify the areas and risks that would produce the most potential losses. Note whether there are special features or characteristics related to particular areas or specific risks that contribute to their impact.

Formulate Mitigation Plan Goals

Your goals should reflect your unit’s mitigation mission statement as well as the goals of your division and the larger university.

1. Develop proposed goal statements. Goals are broad, forward-looking statements that succinctly describe your aims. Several problem statements can lead to one broad goal. There is no right or wrong way of writing your goal statement. Some mitigation plans have very general goal statements while others may be more specific. The key is to write goals that are achievable through the corresponding objectives.

2. Review existing plans and other policy documents to identify potential conflicts. Risk mitigation goals, while broad, should be consistent with the goals and objectives of other plans in the particular unit. Review existing plans and list the goals established in these plans to assess whether they conflict with those for reducing the effects of risk events. In the event that goals do conflict, it is important to discuss how such a conflict would be resolved. It may be that the existing plan did not benefit from the risk knowledge now obtained. When the goals complement each other, an opportunity to build support for mitigation is created, and there is the potential to implement planning initiatives that serve multiple objectives. Look for plans or policies that address topics that are closely related to mitigating the effects of risks or risk events, including:

• Sustainability
• Economic growth
• Enrollment
• Environmental preservation
• Student engagement
• Research development
• Health and/or safety
• Recreation
• Public partnerships and outreach
• Transportation

When reviewing the plans/policies, note sections and related procedures that could be revised or updated to provide a more comprehensive approach to risk mitigation. These changes may end up as recommended actions. Review goals presented in another unit’s or institution’s mitigation plans within the same region, or those with similar profiles, to determine whether you have overlooked any key issues.

Determine Mitigation Plan Objectives

After you have developed your mitigation goals, you are ready to formulate objectives. Objectives are more specific and narrower in scope than goals. They expand on the goals and provide more detail on the ways to accomplish them. While the planning team undoubtedly will have many good ideas, they should also consider involving peer groups in developing these objectives. It is important to have measurable objectives which will provide a roadmap for successfully implementing the strategy. Some goals and objectives may not be based solely on the results of the risk assessment, but also on social and environmental values, or institutional mitigation priorities and funding opportunities. If this is the case, the planning team should document the reasoning behind these goals or objectives.


7.2 Step 2

Identify and Prioritize Mitigation Actions

The next step of development is to identify, evaluate and prioritize mitigation actions that address the goals and objectives developed in Step 1. These actions form the core of your mitigation plan, and will be the most outward representation of the planning process to the general public and unit leadership. As such, it may be tempting at this point in the planning process to quickly finalize a list of projects that would simply get the job done. However, it is important to take time to evaluate the relative merits of the alternative mitigation actions and the local conditions in which these activities would be pursued. In doing so, you can be confident that the actions you end up with will have support, and will be the appropriate technical response to the risks which affect your unit. Some actions you identify may be “brick and mortar” projects such as constructing tornado shelters or safe rooms and retrofitting or rehabilitating existing structures to resist flood, wind or seismic forces. Others may be non-construction-related projects such as acquisition and relocation of threatened structures and implementation of educational awareness programs. Regulatory actions are also non-construction alternatives that often take the form of new legislation or amendments to existing laws, building codes or land development ordinances. The evaluation and prioritization of the alternative mitigation actions will produce a list of recommended mitigation actions to incorporate into the mitigation plan. The process outlined in this step includes a comparative evaluation of the pluses and minuses for each potential action. During this effort, the planning team will address a number of important questions, including:

• Which actions can help us meet our mitigation objectives?
• What capabilities do we have to implement these actions?
• What impacts (if any) will these actions have on our community?

Identify Alternative Mitigation Actions

The purpose of this task is to identify a variety of possible actions to address the mitigation objectives you developed in Step 1. After determining your unit’s goal(s) and corresponding objective(s), you should consult a variety of sources to identify potential alternative mitigation actions appropriate for your area.

1. Review existing literature and resources
Using your list of mitigation objectives as the foundation, identify alternative actions that may achieve these objectives. Existing literature can help identify alternative mitigation actions and shed light on specific issues to consider when you evaluate the alternatives later. A number of publications, websites and other resources provide information on the structural integrity, specific design features and approximate cost ranges of actions. Unit leadership, scholars and risk experts (e.g., professors, risk managers, environmental health and safety staff, etc.) have valuable experience in knowing what works to mitigate risks. These experts can help you evaluate whether the mitigation alternative will fulfill your objective; if the action provides a long-term solution to the problem; and possibly what some of the social, administrative, environmental and economic implications are for your planning area.

Furthermore, some potential alternative actions involve complex engineering and may require additional study before a solution or alternative mitigation action can be identified.

2. Review “success stories”
Other institutions or units may have already addressed your same problem and developed a solution that may also work for your institution or unit. You may ask peer groups or members of the Enterprise Risk Management team to help identify success stories from other institutions or units in order to create a robust catalogue for review.

3. Solicit unit input at multiple levels
Depending on the size of the mitigation effort, it may be beneficial to receive input on potential alternative mitigation actions from unit faculty or staff at different levels within the organization. Some questions to consider include:

• What is the evaluation of what is currently being done to address risks within the unit?
• What do unit members think could be improved upon and what should be enhanced?
• Are there any suggestions or preferences regarding the proposed mitigation actions?
• Which of the mitigation goals and objectives are most important to pursue?

4. Provide a report with recommendations based on the findings
The planning team should provide a report on their research and present it to unit leadership. Any background information the planning team discovers along the way regarding the implications of various alternatives (e.g., relative costs, potential cross-unit impacts, regulatory requirements, etc.) should be available to the whole planning team for consideration in the next task.

Identify and Analyze Mitigation Capabilities

In this task, you will review and analyze institution/unit programs, policies, regulations, funding and practices currently in place that either facilitate or hinder mitigation in general. This inventory and analysis is often called a capability assessment. By completing this assessment, you will learn how or whether your unit will be able to implement certain mitigation activities by determining:

• Types of mitigation actions that may be prohibited by policy, procedure or other regulations at the federal, state, local and institutional level.
• Limitations that may exist on undertaking actions.
• The range of administrative, programmatic, regulatory, financial and technical resources available to assist in implementing your mitigation strategy.
7.0 Mitigation Planning Process (continued)


Review the capability assessment
The capability assessment provides valuable information to determine the viability of certain mitigation actions. Review the information provided in the capability assessment with regard to the following:

• Are resources sufficient to assist you (financially, technically, administratively or with respect to regulations) in implementing specific alternative mitigation actions (e.g., is technical staff or funding available to assist in evaluating your critical facilities for risk vulnerability)?
• Will certain mitigation actions not be available to you (e.g., does the policy prohibit a particular action)?

After you have obtained information on programs, plans, policies, regulations, funding and practices, review the results to gain a greater understanding of how these resources will affect mitigation in your specific unit. Since research into potential mitigation actions and development/identification of unit goals and objectives (Step 1) have already been completed, you can begin to address whether these policies, regulations, etc., will have an impact on the type of mitigation actions you are able to explore.

Compiling this inventory will help the planning team identify what is currently being done and begin to assess what is working well. The second part of a capability assessment is the analysis of how effective the existing actions and capacities are and what gaps exist that hinder implementation. This evaluation allows the planning team to identify what may need to change to enhance what is working, or what to put into place to undertake new actions or implement existing ones. However, the more extensive analysis will occur when the planning team evaluates specific alternative mitigation actions by objective, as described in the next task.

Evaluate, Select and Prioritize Mitigation Actions
In this task, the planning team will select mitigation actions suitable to your unit and then decide in what sequence or order these actions should be pursued. Below are provided a series of suggestions for evaluating and prioritizing proposed mitigation actions. There are other ways to evaluate and prioritize mitigation actions. However, the methods suggested here have the benefit of showing how mitigation actions were evaluated and prioritized to unit and senior leadership.

Remember, your evaluation should determine whether the action would work for the specific mitigation objectives you formulated in Step 1. Your evaluation is not a judgment of the general merits of the action, but an assessment of the effect the action will have on the specified mitigation objective in a particular location within your unit. The planning team should agree on the evaluation criteria and the process for prioritizing mitigation actions.

Evaluate alternative mitigation actions
Now that the planning team has completed the capability assessment, it must evaluate whether existing and potential alternative mitigation actions fulfill your objectives and if they are appropriate for the risks identified. There are many ways to develop and apply evaluation criteria. One method enables the planning team to consider in a systematic way the Social, Technical, Administrative, Political, Legal, Economic and Environmental (STAPLEE) opportunities and constraints of implementing a particular mitigation action in your unit.

However, this decision-making is not necessarily a straightforward process; it is highly specific to each unit. This process would be difficult to describe in a step-by-step procedure that would reliably lead all units to the “right” solution, as the possible results or end products of the process are quite varied and do not necessarily follow a straight path.

A unit can go through a process of identifying and evaluating alternative mitigation actions and discover that everything is in place to undertake a certain type of action that would be very effective and easily affordable. However, the unit simply may not like some of the social or environmental implications of that action. As such, the planning team may decide to undertake a more expensive or difficult action that it is not necessarily as equipped for but feels strongly should be the preferred alternative.

Prioritize selected mitigation
Now that the planning team has a list of acceptable and doable actions for your unit, it’s time to prioritize them. You may have identified a dozen actions for each of the risks affecting your unit and are now faced with deciding where to start when you may have more than 50 possible actions. You may want to review your goals and objectives to see if you decided from the onset to address a particular risk first, or if the risk assessment and loss estimate found that these occurred more frequently and caused major losses. You should also review and take into account the results of your efforts evaluating the alternative mitigation actions appropriate to your particular risks. You now know, given the capabilities already assessed, what it would take to implement the alternative actions you ultimately select. The following considerations should be kept in mind when prioritizing your mitigation actions:

• Ease of implementation. To initiate and/or maintain interest in the planning process, particularly if support is tentative, you may want to select those actions that are easily implemented first. Initiatives such as media attention to risks cost little and reach a large number of citizens.
• Multi-objective actions. Some mitigation actions may work toward achieving multiple community goals. For example, an acquisition and demolition project can lead to new open space that provides additional natural storage for floodwaters. This solves the problem of repetitively flooded structures, which are now removed, and provides opportunities for recreational use such as hiking/biking paths.
• Time. To demonstrate more immediate progress, you may choose to initiate mitigation actions that are quickly accomplished over those that would take a long time to obtain the necessary approvals or funding to carry out the project.

• Post-risk event mitigation. A number of potential mitigation actions being evaluated by the planning team may not be able to be implemented in the near term due to funding availability or political and social considerations. In a post-risk event scenario, however, the extent of damages, political will and access to state and federal mitigation funds can dramatically alter the feasibility of implementation. Consider targeting specific mitigation actions for implementation following a risk event.

A common way to rank actions is to have the planning team vote on the actions. This approach is termed “multi-voting.” All of the mitigation actions under consideration must be listed so that the entire planning team can see them. Each team member is then given half the total number of potential actions to use as individual votes. The action that receives the most votes is the highest priority. The item with the second most votes is the second priority, etc.

Numerical ranking is another way to prioritize mitigation actions. Again, all of the mitigation actions are listed and the planning team reviews the entire list. After careful evaluation, the members assign a numerical ranking to each action. You then add the ranks given to the action and the one with the lowest number is the highest priority. If there are a large number of actions and many people voting, you can average the rankings instead of counting each one. Assume that the planning team consists of four people and each person ranks all four actions from 1 to 4. The rankings for each action are added and then divided by the number of votes.

7.3 Step 3
Prepare an Implementation Strategy
In this step, the planning team will prepare a strategy for implementing the mitigation actions decided upon in Step 2. The implementation strategy (1) identifies who is responsible for which actions, (2) what funding mechanisms (e.g., grant funds, capital budget, or in-kind donations) and other resources are available or will be pursued, and (3) when the actions are to be completed. It describes the way the unit will use its resources to achieve its goals of reducing losses from future risk events. It also focuses on coordination between the various individuals and units involved in the implementation to avoid duplicating or conflicting efforts.

Identify How the Mitigation Actions will be Implemented
In this task, the planning team will identify the responsible party or parties, funding resources and a time frame for implementing the actions selected in Step 2. The planning team should apply this process to all of the selected actions.

1. Identify parties, define responsibilities, and confirm partners
The capability assessment will be very helpful in completing this subtask. The planning team should review the list of units and organizations identified in the assessment and how they function so that the team can match the appropriate department or office with the actions called for in the implementation strategy. It is also important to review the capability assessment findings to better understand the administrative process necessary to see an action through to completion. Knowing the process will assist the planning team in developing a more realistic time frame to accomplish the action. This is a good time for team members to contact or meet with unit leadership and stakeholders who will play a role in implementing the actions. This will provide an opportunity to confirm their commitment and cooperation. This is also a good time for these partners to provide input on the steps necessary to carry out the actions, allowing the planning team to fine-tune the proposed schedules.

Department or unit leadership should make sure the person(s) responsible for each task under each action has the time and ability to follow through, otherwise implementation may be delayed.

2. Identify resources to implement the actions
Resources include funding, technical assistance and materials. The team should prepare a preliminary cost estimate or budget, broken out by task, for each of the actions. Knowing the cost will help the planning team target a variety of sources to fund the action. The planning team should also prepare a list of materials (equipment, vehicles and supplies) that would be required to effectively implement the action. When preparing the list, note which items you have and which you would need to purchase and include these costs in the budget. Additionally, long-term maintenance may be required for projects such as acquisitions. Be certain to factor the necessary maintenance funding into cost estimates and assign responsibility for the maintenance to the proper party. The team will probably need to seek help in preparing these budgets. To back up these estimates, the team should work with the unit or organization that will be responsible for the action. The planning team should look at the capability assessments to identify resources to implement the identified mitigation actions. The team should examine resources from all levels of government, private sector organizations and universities to explore all possible sources of assistance. The planning team should take appropriate action to ensure that funding for mitigation projects is incorporated into divisional and unit-level budgets. These include:

• Capital improvement budgets can incorporate mitigation costs into capital improvement project budgets (i.e., including costs to retrofit a building or obtain particular assets). A key goal of the mitigation planning process is for mitigation to be considered in all capital improvement projects vulnerable to major risks.
• Operating budgets of specific units can include costs for consultants, supplies and salaries to complete mitigation actions.
• Special funds can be established to deal with post-risk event funding needs. Many states have initiated “rainy day funds” to help provide the local match required for most federal grant programs.
• Staff time has costs associated with its use in risk mitigation projects. Most planning, policy and regulatory actions require only staff time and leadership commitment. Staff time can be used as an in-kind match. In an event setting, employees can coordinate projects and volunteers, assist in the clean-up effort or help with other activities that can reduce losses and business interruption.

It is critical to obtain unit leadership support for mitigation early on in order to have units commit to significant staff time. Year-end resources may become available toward the end of the fiscal year. To capitalize on this situation, the planning team should:

• Make priority projects known to leadership. If the appropriate individuals have been included in the planning process all along, your unit may be well-positioned to hear about these opportunities and successfully request funding.
• Assign a team member to track information on new federal, state and regional grant programs.
• Examine how a project could be broken into parts or phases that could be quickly completed when funding becomes available.

In addition to funding, the planning team should keep in mind that experts may be available to assist project implementation. Many of these experts were probably consulted when the team profiled the risks during Phase 2 of the planning process.

Having an approved mitigation plan in place is required to receive funding of any sort. The following provides suggestions of ways to obtain funding/support in implementing an approved mitigation plan:

• Private sector organizations and businesses have a lot to gain by engaging in activities to reduce risks in the community. Businesses and other private interests may be willing to contribute time, labor, materials, space and other support as part of their commitment to community improvement. The planning team should also consider securing private grant funds that are available for environmental and natural resource protection, and for sustainable community development and redevelopment.
• The link between risk mitigation and sustainability may not be as clear to some private funding sources and they may not list mitigation goals in their requests for proposals. In this case, the planning team may decide to submit a grant application to fund that portion of the project that most closely matches the sustainability grant requirements.
• Academic departments can provide valuable resources in the form of technical expertise, the latest data related to your mitigation efforts and training resources for planning and related tools.

3. Define the time frame for implementing the actions
The planning team and responsible units should develop a specific time frame for implementing each mitigation action that will be pursued. Determining the time frame with staff members from the departments or units that are responsible for the mitigation action will greatly enhance the chance of your mitigation plan succeeding. The time frame should detail when the action will be started, when interim steps will be completed and when the action should be fully implemented. When identifying start dates, keep in mind any special scheduling needs such as seasonal climate conditions, funding cycles, unit work plans and budgets. Funding cycles will affect when you can begin implementing an action. After you have identified the start dates, you may want to review the priority you initially gave to the actions to ensure that you address the issues in that order, whenever possible. If the order of priorities has changed, the planning team should make sure to document the reasons why. Once implementation begins, the planning team should periodically revisit the plan and actions to make sure they fit the changing needs of your community.

Document the Implementation Strategy
As part of any implementation strategy, the implementation and results of mitigation efforts should be documented. Determine the format for presenting your implementation strategy. This, along with discussions of goals and objectives, and identification and prioritization of actions, will comprise your overall mitigation strategy. If an action is currently being implemented, indicate it as ongoing under the time frame and indicate an end date, when applicable. Be sure to indicate long-term maintenance activities as ongoing. If you choose short-term and long-term time frames, make sure you define, at the beginning of the implementation strategy, the time period you consider to be short and long term (e.g., short-term actions are usually considered to be those that can be accomplished within one year of plan adoption).

Obtain Consensus of the Planning Team and Appropriate Unit Leadership
The planning team should review the resulting strategy and come to a consensus on the timing of the mitigation actions and on the units or other parties involved. When the team confirms that the timeline and use of resources are realistic, and the appropriate units or individuals are designated the appropriate responsibilities, it confirms that the strategy is headed in the right direction.

Planning for Post-Risk Event Recovery and Reconstruction
Prevention should be the focus and top priority for any mitigation plan. However, the fact remains that risk events may still occur even with robust mitigation measures in place. By addressing these issues before a disaster strikes, units can rally around a recovery strategy that considers long-term sustainable development objectives rather than rebuilding back to pre-disaster conditions. These units will have more success if and when post-disaster funding and technical assistance become available. Units are encouraged to incorporate a post-risk event recovery component into the overall implementation strategy by addressing a set of priorities and policies that will help guide the recovery and reconstruction process. At a minimum, units should consider a set of risk mitigation actions that may not be economically or politically feasible in the near term, but may become a realistic opportunity following a risk event. These “on-the-shelf” mitigation actions could be evaluated against the actual damages following a risk event and, if appropriate, incorporated into a recovery strategy. Considering policies that would efficiently and wisely guide post-risk event reconstruction in the implementation strategy is a wise investment of resources for any unit developing a risk mitigation plan.

Before finalizing the strategy, the team should take another look at all of the mitigation actions to ensure that the projects, taken together, reflect the goals, objectives and priorities of the institution and unit. It would also ensure that the timelines of the actions show
project completions spanning from a short time after plan adoption through longer time frames. A consensus on the implementation strategy, followed by the adoption of the plan, has the essential ingredients of a functional plan that can truly help a unit mitigate its losses from a risk event.

7.4 Step 4
Determine Plan Maintenance and Update
The maintenance, assessment and updating of mitigation plans does not comprise a single step, but is instead a continuous process which should take place throughout the planning and implementation of a risk mitigation plan.

Risk Mitigation Plan Maintenance
As part of any mitigation plan, risk owners need to measure and assess the efficacy of projects and implementation. Periodic updates should be provided to Unit Leadership and relevant stakeholders. Importantly, by maintaining communication to stakeholders, you provide an environment for opportunities to emerge and for the cultivation of enhanced support for mitigation efforts. This can increase the likelihood that a project will be supported and resources will be provided to a mitigation effort as the needs of the unit or control environment changes.

Additionally, Risk Owners should maintain records of identified risks and their status to provide data and report on trends and changes over time. This is important to the success of a project because it highlights the efficacy of a mitigation effort, and enhances decision making for risk owners and unit leadership by providing and utilizing data. By providing a history of mitigation efforts and their efficacy, risk owners can build support for enhanced resource allocation and encourage risk awareness.

Updating a Risk Mitigation Plan
The Enterprise Risk Management program is implemented using an annual cycle based around the Financial Year which links mitigation planning to budget. As part of this process, risk owners should provide data illustrating the progress of mitigation efforts and any changes to identified risks or risk environments. A risk status update form (included on the following page) is provided for both the identification of new risks and to update the perceived impact and/or likelihood of previously identified risks. By documenting the progress of mitigation efforts, risk owners and project managers ensure that their mitigation efforts will continue to be supported and can enhance the likelihood that they will receive additional resources for additional mitigation efforts.

Where to find the online forms.


Enterprise Risk Management Risk Status Update Form:
niu.edu/risk-management/enterprise/risk-status-update-form.shtml

Enterprise Risk Management Project Form:


niu.edu/risk-management/enterprise/erm-project-form.shtml
