Imagine for a moment that everyone engaged in school activities and projects had the same perspective on how to manage risk.

This perspective would not be based on strict requirements, policies or checklists, but rather – it would reflect a shared understanding of which risks are most critical, which threats need prioritized budgeting and treatments, and when and how to take appropriate risks. Everyone would understand the priorities and the interconnected nature of managing risks across your institution. Communication about risk is effective and engages the right stakeholders. People integrate the consideration of risk into decision-making at every level, including the development of strategy, budget prioritization, project management, site-level decisions and day-to-day operations. Risk management would not only protect value, but also create it, as you manage risks more efficiently and are able to confidently take risks in support of your institution’s mission and operational goals.

This is Enterprise Risk Management (ERM).

We know that, in truth, everyone is managing risk all the time. We just don’t do it very consistently, proactively or as effectively as we could. An example of this is when individual sites or departments are separately managing similar risks, instead of coordinating risk treatment tools and techniques and communicating about results. We also have different tolerance levels when it comes to taking and managing risks, and without shared understanding, what is acceptable may differ widely. Differences in risk tolerance vary by age (think of the risks that a teenager might take versus a parent), by activity (a school security officer versus a business officer), and by the importance of the risk. Without a consistent, proactive approach to managing risk, like ERM, you are probably managing risk well in some areas (but not all), thinking about risks after they occur (there is always a surge in school hardening after a shooting), and missing opportunities to be efficient and forward-thinking.

The purpose of the revised international standard on risk management (ISO 31000: 2018) is to assist organizations of any size, type or purpose to create a more comprehensive, consistent, and effective approach to how they manage risk. In short, it can help your institution implement ERM. It is designed to be customized to your specific organizational culture, operations and environment. It assumes that you are already managing risk and that the purpose of managing risk is to create and protect value. Based on those premises, it provides a framework for managing risk that can be integrated into your current operations and that will continually improve over time. 

To stay relevant, how we manage risk must be updated from time to time in order to be responsive to environmental and organizational changes and the goals of your operation. ISO 31000: 2018 is designed to do exactly that — to move your risk management program from how we might imagine it, to risk management reality.

For more information about implementing ERM, or a complimentary Strategic Risk Assessment (an introduction to key risks customized for your school), please contact your Gallagher representative and ask about our ERM Practice Group. We offer ERM consulting, training and implementation expertise. To find out more, visit

To order the ISO 31000: 2018 standard, go to


Content for this newsletter was provided by Dorothy Gjerdrum, ARM-P.

Dorothy Gjerdrum is the Senior Managing Director of Gallagher’s Public Sector Practice and a Managing Director of Gallagher’s Enterprise Risk Management Practice. She has been an ERM consultant for K-12 public and private schools, public entities, higher education institutions, and nonprofits since 2003. She helped write the ISO 31000 standard and is currently engaged in the international work group that is writing the implementation handbook.