Motivated by some key internal and external drivers, DeVry Inc. decided to amp up its focus on risk so that discussions about risk would be engrained in every strategic conversation surrounding product development and capital spending.

The company is an educational services provider in business, healthcare, and technology with 120 locations around the world. It took note of new regulatory requirements to increase disclosures about risks, risk management practices, and the board's role in risk oversight, as well as rating agencies' plans to consider enterprise risk management in overall credit ratings. At the same time, the rugged market conditions have allowed little tolerance for surprises.

Elizabeth Truelove McDermott, senior director of internal audit at DeVry, said during a presentation at Compliance Week 2011 that the company wanted its risk assessment process to become more intelligent about risk. “We took an overarching, umbrella approach,” she said, to provide a common language for risk, risk appetites, and risk management strategies across all critical functions, including ethics, legal, compliance, internal audit, regulatory, treasury, insurance, and IT governance.

The company defined precise roles and processes to make it clear who would own which parts of the risk management process. The board is ultimately accountable while an ERM steering committee meets quarterly to serve as a clearinghouse for risks, policy, appetite determinations, and governance. Division and functional heads have the primary responsibility for carrying out risk mitigation strategies and assuring risks are managed to levels that are defined as acceptable.

The company is in its third year of its focus on becoming more intelligent about risks, and it's honed the process along the way, said Truelove McDermott. In the first year, the company established a risk framework that defined 44 risks of concern with six of them considered the top vulnerabilities. In the second year, DeVry zeroed in on 27 defined risks with four of them deemed top priority. “We did a little too much condensing last year, and that caused some confusion,” said Truelove McDermott, so the company raised the bar back to 30 defined risks for the current year.

William Keevan, chair of the audit committee at DeVry, said the company recognizes it has to take some risk in order to take advantage of opportunities. “But we have to be careful,” he said. “We have to think about management's capability to manage the risk and manage everything else that management has to manage on an everyday basis.”

Keevan said the risk intelligence approach has assured that risk is a consideration in every strategic and tactical discussion at DeVry. “When you sit in the board room and management comes in with a presentation, you hear the word ‘risk’ a lot,” he said. “Top management at DeVry thinks about risk all the time. They know they're going to be asked about risks and how they are mitigating them. They include that in their presentations, and that saves the board from asking the questions we have to ask to do our jobs.”