Powered by

Enterprise Risk Management in College Athletics

By Paul Pogge, North Carolina

As it has evolved over time, intercollegiate athletics has witnessed an exponential growth not only in the number of people involved and the complexity of operations, but also in the prevalence and significance of risks organizations face. The consequences of failures to address some of these risks have also been amplified by an increasingly litigious society in which high profile organizations are often the targets of lawsuits and significant monetary judgements. Now more than ever, therefore, it is imperative for an athletic department to develop and execute a sound enterprise risk management strategy to help better protect the organization and those it serves. I am grateful to Athletic Director U for their continued contributions to our industry and for their invitation to share some insights we learned in the course of our enterprise risk management efforts at North Carolina.


After Bubba Cunningham’s arrival as Carolina’s new Director of Athletics in 2012, we initiated the development of a comprehensive enterprise risk management strategy for UNC Athletics. It was an enormous task that benefitted from the contributions of many, including some long-tenured UNC team members and some of us who were new to the organization. Balancing traditions and institutional history with evolving elements in the surrounding environment, legal and otherwise, was an exciting challenge.


The first practical step was to conduct a thorough assessment of vulnerabilities, challenges, and inefficiencies throughout the Department’s operations. The task was a time-consuming one given that Carolina has over 800 student-athletes, 28 sports programs, approximately 300 full time staff members, several hundred thousand ticket buyers each year, and many other internal and external constituents with whom we interact on a regular basis. Additionally, before a massive capital project undertaking designed to promote equity and enhance our student-athletes’ experiences, Carolina had a number of aging facilities which, at the time, had some areas of structural vulnerability.


The scope of the project alone immediately demonstrated that establishing a truly effective enterprise risk management framework would require an organization-wide collaboration. A crucial early part of the initial assessment, therefore, consisted of obtaining feedback directly from individuals who worked in or often interacted with each particular unit of the Department. This firsthand feedback about potential risks and inefficiencies was essential. Not only was the candor of so many helpful in gaining a more accurate understanding of the current environment, it was also very beneficial to brainstorm and think creatively together about potential issues that could materialize in different situations.


While cataloging firsthand feedback from those intimately familiar with the nuances of each unit’s operations, a simultaneous analysis was conducted of industry best practices in various areas, legal case law relevant to different facets of the Department’s operations, and applicable legal statutes. This helped formulate a definition of the ideal, most operationally-beneficial, and legally sound structure in each area, while also revealing any gaps that may exist between such a standard and our current practices. In many cases, those gaps alone could lead to the manifestation of various risks.


Over the course of the process, we developed a lengthy list of potential risks we faced. The list was meant to be an exhaustive accounting of all matters we might need to address. Once this list was developed and the thorough evaluation was complete, the risks were categorized. Some of the main categories we used included (1) risks to safety and security; (2) health risks; (3) financial risks; (4) risks of operational inefficiencies; (5) public relations risks; and (6) a general category of “other” risks. (Under the leadership of Marielle van Gelder, we are fortunate to have an outstanding compliance staff at Carolina which is very proactive in monitoring for risks in their area. Therefore, risks exclusively associated with NCAA Compliance were not included in this project, though it has always been and continues to be important to ensure our enterprise risk management strategies compliment their work.)


With the list of risks grouped together by theme, we then prioritized the items in each category. In developing each of these hierarchies, it was helpful to ask the following questions: (1) Which risks could cause death or serious injury? (2) Which risks could cause other significant health challenges? (3) Which risks could potentially lead to a successful legal claim against us or other legal actions? (4) Which risks and inefficiencies were inhibiting maximum fiscal performance? (5) Which risks threatened the sustainability and cohesiveness of our operations? (6) Which risks could tarnish the image of the Department or the University? All of these questions were also asked in light of the overarching objectives of maximizing the student-athlete experience, positioning our coaches for success, and ensuring positive engagement with fans and supporters. It was clear that in some cases, it would necessitate a careful balance to achieve all desired outcomes to the fullest extent possible.


After categorizing and prioritizing the risks, we then discussed ways to address each risk. Generally, fixes fell into the broad categories of: (1) adjustments to operations and other requirements which would need to be codified in revised policies and procedures; (2) enhanced training for applicable student-athletes and staff; (3) directives from the appropriate supervisor(s) to cease, modify, or begin certain practices; and (4) “one-time fixes” to facilities or other areas requiring a specific remedy. Some of the initiatives had associated fiscal requirements, which were estimated and assigned.


With an extensive list of risk mitigation needs and solutions developed, Bubba, Vince Ille, Karlton Creech, and I spent considerable time determining the sequence of initiatives comprising the entire enterprise risk management effort. Change management is often a difficult task which requires collaboration, trust, and willingness to embrace new ways of doing things. Establishing credibility early on by demonstrating the success of some new initiatives is beneficial, as is consistent and thorough communication with impacted individuals throughout the process. As we moved towards a more legally sound structure designed to mitigate the many risks we faced, receiving feedback and ideas from staff members throughout the Department helped ensure appropriate adjustments were made. To be successful, I believe a risk management structure has to be firm in its principles yet nimble in certain areas of its application. The balance is a tricky one to develop sometimes, and collaboration with those executing the strategies each day is essential.


The expansive risk assessment, development of strategy, and subsequent implementation took several years. It continues to evolve as new risks emerge and circumstances change. On a regular basis, supervisors of units are asked to consult with their respective teams and gather proposed changes to policies, procedures, and practices. Our Office of University Counsel, Office of Student Affairs, Equal Opportunity and Compliance Office, Title IX Office, and Department of Public Safety are among a number of units routinely consulted on campus for their ideas and input. Colleagues with the FBI, local law enforcement, and other external entities provide valuable suggestions and information on a regular basis as well.


Most importantly, we now have a regular schedule of enterprise risk management initiatives that are completed at specific times throughout the year. Some take place on a regular basis, even daily. Some occur once a year. Ultimately, each unit supervisor is responsible for ensuring all of the elements in their areas are completed each month.


Risk can never be completely eliminated, especially across an organization as large and dynamic as a college athletic department. To maximize risk mitigation efforts, though, we have learned the importance of continually thinking creatively about new risks which may emerge, monitoring carefully in attempts to quickly identify issues which do arise, and ensuring systems are in place to promptly communicate important information to the appropriate parties who will properly address the issues. We consistently remind each other that risk management is a responsibility shared by all and that not only is communication regarding potential issues encouraged, it is expected.


While enterprise risk management involves a complex balance of legal requirements, operational elements, financial considerations, and the desires of many different constituents we wish to serve, it is an essential effort for athletic departments wishing to truly maximize the fulfillment of their mission. At Carolina, many have contributed to the implementation and execution of a robust enterprise risk management strategy. Though it is an ever-present reminder about the importance of accountability, hopefully this structure and our collective efforts have elicited an even greater confidence and pride in our operations.