Issue 7 (February 2014)


The Near Future Lasts Forever: Enterprise Risk Management at the Public University

Brian Whitener and Dan Nemser


“. . . rara avis in terris nigroque simillima cygno” —Juvenal
[“a rare bird in the lands, and very like a black swan”]




“[P]eople at The University of California, where I serve as Chief Risk Officer, are risk takers,” wrote Grace Crickette on the Harvard Business Review blog last year. The goal of the CRO, however, is to “make everyone a risk manager.”[1] Linking risk managers to risk takers is not as paradoxical as it might seem at first, as both are tied to a corporate strategy that is being adopted at an increasing number of universities around the country. The University of California is at the forefront of the push to adopt this strategy, known as Enterprise Risk Management (ERM).[2] In this piece, we trace the rise of risk as the critical logic of the contemporary public university, located at the intersection of two trajectories: financialization and militarization. It is important to do so now, given the arrival of Janet Napolitano, the former head of the Department of Homeland Security, at the very top of the UC administration hierarchy.

We begin by historicizing risk. The emergence of ERM is tied to two parallel shifts that began in the 1970s, at the end of the post-war boom. The first is the shift from the large-scale pooling of risks common to the welfare state to neoliberal forms of individualized risk such as 401ks, personal health plans, and adjustable rate mortgages.[3] The second is the turn to finance as a means of compensating for failing accumulation. With financialization, a new formation of risk emerges: the risk of the near future, of Juvenal’s rarest of birds, the black swan.[4]

“Black swan” was a term used in 2001 by Nassim Nicholas Taleb to describe catastrophic events—particularly financial ones—that occur without warning and partake in a characteristic particular to fields involving organic and non-organic matter (e.g. economics, biology, history): extreme discontinuity.[5] Simply put, black swans are events that are nearly impossible to predict based upon known conditions; they exist, then, neither in the present nor the future, but rather in the ever-receding horizon of the near future. Taleb’s theory circulated widely and served, especially in the aftermath of 2008, both as an explanation of financial crises and as an analysis of the emergence of this new form of financialized risk. Indeed, many of the innovations underpinning the post-‘73 regime of finance-led accumulation, such as derivatives, swaps, and options, attempt to profit from or protect against near-future events, thus turning this temporal space into an important object of knowledge. The problem, of course, for both accumulation and prediction is that the near future lasts forever, that its horizon never arrives or if it does it always does so in an unpredictable fashion.

The rise of near-future risk coincided with important changes in both the material environment and the social formation. As the economy shifted away from production and toward increasingly fragile financialized systems of accumulation—subject to decisive disruption by a single event—the infrastructure girding these systems also grew less stable. On the one hand, the state has turned away from traditional forms of non-derivative risk sharing (e.g. insurance, defined benefit pensions, and government-backed mortgages). On the other, the built environment has been concentrated in environmentally precarious areas (e.g. oceanfront highrises in Florida, mansions in Malibu, or even simply lower Manhattan), while the supply chains for delivering commodities to market have become more complex and elongated. Heightened fragility means a greater likelihood of events deemed catastrophic in a system that is losing the capacity to absorb them. In the moment of finance’s ascension, predicting and protecting against interruptive risks, both systemic and local, have become critical to operating and maintaining the system.[6]

But this new notion of risk has another fold. In 1986, a young insurance company employee named Karen Clark wrote what has come to be a well-known paper in the world of catastrophic risk management.[7] Clark’s concern was the possibility of a natural disaster so large it would cause losses greater than the entire capitalization of the U.S. insurance industry. In the wake of Hurricane Andrew, which hit Florida in the summer of 1992—in a sense fulfilling Clark’s prophecy—catastrophic risk and its “management” became a central concern in the insurance, finance, and logistics industries.

After the attacks on the World Trade Center and the ENRON scandal in 2001, these financial and actuarial concerns with catastrophe were transformed into social theory. Richard Posner, conservative jurist and University of Chicago professor, was one of the first authors to extend the notion of catastrophic risk into a totalization of the present. For Posner, society is inherently unstable and is defined by its exposure to unforeseeable catastrophes that might occur at any moment—including everything from asteroids, plagues, and natural disasters to biological warfare, terrorism, and political violence.[8] Posner argues that the state must dedicate itself to predicting, policing, and protecting against these rara avis that inhabit the murky swamp of the near future.

While its institutional history is somewhat different, the Enterprise Risk Management framework is located within this same terrain of near-future risk. The pre-history of ERM can be traced back to an SEC strategy to regulate illegal campaign contributions by corporations in the wake of the Watergate scandal.[9] At the recommendation of a government panel, the Committee of Sponsoring Organizations (COSO) created an internal control framework, which introduced accounting controls into other parts of organizations. This framework quickly became a corporate standard for internal control and, significantly, was adopted by the University of California, Berkeley in 1996. The Sarbanes-Oxley Act of 2002, passed in the wake of the ENRON, Tyco, and WorldCom scandals, formally required public companies to have systems of internal controls in an attempt to prevent future financial crises. Two years later, in 2004, the COSO internal control framework was updated and converted into an ERM framework. Speaking in broad terms, COSO was focused on spotting and protecting against bad, risky, or illegal behavior inside organizations; ERM is focused on anticipating volatility and risk coming (primarily) from outside the organization. That is, if COSO broadened the accounting notion of internal controls out of accounting departments and across entire organizations,[10] ERM both extends the limits of the “organization” into the external environment and incorporates the social theory of catastrophic near-future risk.

ERM thus operationalizes the logic of near-future risk in order to address not only catastrophic events but also any small fluctuation in the external environment that could impact accumulation (either negatively as an interruption or positively as an opportunity to be exploited for profit). When ERM is applied to nominally public enterprises like universities this expansive notion of external environment as well as the focus on micro-fluctuations have very specific consequences. In the following, we explore how ERM in each of these aspects shapes the ongoing financialization and militarization of the University of California.

Let’s first examine this expansion of risk into the near future to include catastrophe and micro-fluctuations. UC Berkeley recommends, as a guide for ERM practitioners, Protiviti’s Guide to Enterprise Risk Management, which specifically addresses this issue:

Most companies focus on traditional risks that have been known for some time. Few companies have a systemic process for anticipating new and emerging risks. Therefore, many companies often learn of critical risks too late or by accident, spawning the “fire fighting” and crisis management which drains resources and creates new vulnerabilities. The strategic lens of ERM broadens the traditional risk management focus on low-probability and catastrophic risks to a more expansive view on reducing the risk of erosion of critical resources of enterprise value. ERM assists management with improving the consistency of operating performance by increasing the emphasis on reducing earnings volatility, avoiding earnings-related surprises, and managing key performance (KPI) shortfalls.[11]

In other words, ERM addresses not only low-probability, catastrophic risk but also what Protiviti calls “erosion,” that is, the loss of organizational capability for a sustained response to ongoing low-level risk. In each case, the impetus for the concern with these risks is clearly financial, to “avoid earnings-related surprises” and reduce “earnings volatility.” At UC, the implementation of ERM has had the specific aim of preventing interruptions to accumulation by “reducing the cost of risk” as well as by improving the university’s credit rating and standing with institutional investors in order to reduce borrowing costs:

ERM is considered to be so important to the success of an organization that credit rating agencies such as Moody’s and Standard & Poor’s now consider it in their evaluation of UC’s creditworthiness. UC’s ability to borrow is crucial to its success; in 2011 UC’s total debt exceeded $14 billion. A 0.1% decrease in interest rates that UC pays on its debt load represents over $14 million in potential savings. Ratings agencies grant favorable credit ratings to institutions that demonstrate stewardship and trustworthiness. UC’s proactive approach to ERM helps it maintain its excellent credit rating. The rating agency Standard and Poor’s has recognized UC for its ERM program, the first time a non-financial institution has been so recognized.[12]

We would argue that this need to focus on near-future risk and turn to ERM to prop up UC’s credit rating is a result of the specific form that the financial capture of the U.S. university has taken in the last decade. That is, large public universities, primarily through selling construction bonds, have become a key site for a particular type of finance capital associated with institutional investors. Institutional investors are channeled by law into safer investments and thus seek investments, like bonds, with steady, predictable payouts. As such, unlike venture capital or portfolio investment, bond payments are sensitive to minor fluctuations in local conditions over extended periods of time. For this reason, the thrust of ERM—not just for universities, but in ways particular to them—is not limited to catastrophic near-future risks (such as, for instance, riots); it also targets the most banal oscillations in or interruptions of daily operations that can end up reducing profitability. ERM demands that public institutions attend to every event, every fluctuation, every butterfly flapping its wings over Sproul Plaza.

If Everyone must become a Risk Manager, as the university’s CRO demands, that’s because from the perspective of ERM risk comes in many forms and can show up at any time. The UC’s Office of Risk Services (ORS) keeps a running list in which risks are classified by type and organized into a table along with suggested “mitigations” and monitoring technologies.[13] The list is updated every 6-12 months on the basis of suggestions by UC employees.

As risk has permeated the social field, risk management has simultaneously been decentralized. Introducing ERM is an attempt not only to restructure the institution but also to discipline its workers. At the same time, a closer look at this typology of risk reveals a further implication of installing ERM at the heart of the public university. As ERM conceptualizes risk as located in the near future, the objects of management necessarily include financial flows as well as the far more mundane assortment of bodies and objects that inhabit and circulate through the built environment of the campus. So the sharp eyes of risk managers are drawn to not only the immaterial flows of finance capital but also the students and workers whose labor makes the university operate. The slogan of the UC students and workers who fought privatization in 2009—“we are the crisis!”—was, in this sense, dead on, especially in its deployment of the continuous present tense as a counter to the institution’s near future policing. In the university restructured according to the logic of ERM, students and workers have become the personification of near-future risk.

The risk assessment overview from UC Santa Cruz, one of the resources available at the UC administration’s ERM site,[14] clarifies the extension of risk to the everyday and the student body, in both singular and plural senses:


[Table images not reproduced: risk assessment overview from UC Santa Cruz]


As the table indicates, in the near future risk cannot be entirely eliminated. Moreover, some degree of risk is not only acceptable but even desirable within the ERM framework. Speeches by celebrities, even controversial ones, might enhance the university’s brand, while concerts could improve student satisfaction. Rather than avoidance or elimination, then, ERM aims to optimize risk, weighing and evaluating the configuration of risk factors against objectives to ensure the most advantageous outcome. This model can be extended to every sphere of university management—ERM makes the institution willing to ignore some risks (e.g. noncompliance with graduate student/worker contracts or violence against students) and take others on directly so as to profit from them (e.g. certain investment strategies or partnerships).

Equally clear in the table is how the university sees students. The event examples highlight at least three risk factors: size (the bigger the event, the more severe the risk); politics (the more political or controversial, the more severe); and composition (the makeup of the crowd: just students, or possible “outside agitators” as well). But the bottom line is that risk is both expressed through and embedded in the student body (in both the singular and the plural sense). The crowd, especially, appears as something of a natural force, a potential disaster. It is an engineering problem that, like a dammed up river, is generally manageable but in the right circumstances could easily overflow.[15]

The figure of the crowd is important within the university’s approach not only to ERM but also to campus policing. At times, UCPD’s crowd management policy treats the collective student body as a uniform entity, defining the task of the police as the need “to objectively discern at what juncture a demonstration leaves the realm of legal protest and becomes an abridgement of the rights of others.”[16] Elsewhere, however, this monolithic crowd takes on a far more fragmented and complex form:

Although crowds tend to be categorized as either lawful or unlawful, they are often a blend of both and the individuals involved can engage in various behaviors. These behaviors can vary from lawful assembly to individual criminal acts to civil disobedience to rioting. If feasible, UCPD officers should identify and isolate unlawful behavior.[17]

The crowd management policy expands on this nuanced approach in a chart (see below) that in many ways resembles the risk assessment above. Every situation, from “lawful assembly” to “riot,” requires some form of policing, but the response has to be calibrated to the specific dynamics of the event. Since near-future risk is everywhere, the police must constantly be everywhere as well. Given the full spectrum of situations and responses, it is also clear that some amount of risk is acceptable as long as it is effectively managed. Even the instance of “unlawful behavior,” for example, does not require an event to be shut down. After all, policing itself introduces a certain amount of risk: “Tactics employed may evoke a positive or negative response (e.g., a strong ‘show of force’ may calm and disperse a crowd or incite them). The intervention strategies agencies utilize will depend upon available resources and the totality of the circumstances.”[18] From event planning and logistics to quick decisions about dispersal orders and the use of less-lethal weapons, UCPD officers—like every other university employee, but in very specific and often violent ways—must become risk managers of the near future.

Extending the limits of the university also has implications for policing. Under ERM, the university is a fragile system of accumulation exposed to outside flows and, as such, requires a police force capable not only of playing defense but of going on the offensive as well. This shift can be seen in campus police forces around the country—from publics like Wayne State to privates like University of Chicago, Case Western, and Yale—many of which are larger and better funded than those in the communities around them. In the context of state budget cuts and the spread of ERM logics, campus police forces (especially in former urban cores or rural areas) have become para-state actors, charging themselves with a broad range of responsibilities and responses. In Berkeley, the para-statal nature of the UCPD is dwarfed by that of the Oakland Police Department, but the recalibration of its mandate from protecting the campus from the surrounding area to making incursions into it can be seen in the increasing level of coordination between UCPD and other regional police forces, such as “mutual aid” arrangements and revolving personnel doors.[19]

Restructured by ERM, the public university is simultaneously on the offensive and the defensive: exploiting some near-future risks for profit, prestige, or pleasure and crushing others to ensure the continued flow and ongoing regulation of accumulation. It is in this context of a mutually reinforcing financialization and militarization that Janet Napolitano takes up her position at the top of the UC administration hierarchy. If Napolitano, with her extensive background in national security and no experience in education, was initially decried by critics as something like Juvenal’s black swan, a rare bird that had somehow wandered out of its usual habitat, the rise of ERM suggests that this assessment could not have been more wrong. Napolitano is not the rara avis—we are.





Dan Nemser is an Assistant Professor of Spanish at the University of Michigan, Ann Arbor.

Brian Whitener is writing a dissertation on the rise of finance in Latin America at the University of Michigan, Ann Arbor. Recent projects include De gente común: Arte, política y rebeldía social (Universidad Autónoma de la Ciudad de México), The Unreal, Silver-Plated Book (Departamento de Ficción), and Genocide in the Neighborhood (ChainLinks).



2. “While the University of California is best known for stellar academics and groundbreaking research, in some circles it is becoming equally well known as a leader in enterprise risk management. From Harvard University to Singapore’s largest healthcare organization, there are dozens of public and private institutions now learning from UC and hoping to achieve similar results.”

3. Tom Baker and Jonathan Simon (eds.), Embracing Risk: The Changing Culture of Insurance and Responsibility (Chicago: University of Chicago Press, 2002).

4. Our notion of “near future” is derived from science fiction, wherein “near future” is a genre of works defined by their concern with tracing the consequences of trends within a given moment of contemporary society. Near future novels are distinguished from other science fiction (like far future) by their working of the temporal penumbra of the present; as such, they are about prediction and projection.

5. Nassim Nicholas Taleb, Fooled By Randomness: The Hidden Role of Chance in the Markets and in Life (New York: Texere, 2001).

6. If there is any doubt as to near future risk’s links to the rise of finance, see the opening pages of Erik Banks’ classroom text for the Wiley Finance series, Catastrophic Risk: Analysis and Management (2005): “Risk can also be classified in pure or speculative form. Pure risk is any exposure that results either in a loss or in no loss, but can never generate a gain; speculative risk is an exposure that can result in a gain, a loss, or no loss. In general, operating risks are often pure risks (e.g., if an assembly line fails to function as expected a loss results, and if it functions as it should no loss occurs), while financial risks are often speculative risks (e.g., if interest rates rise the cost of funding rises and a loss occurs, if interest rates decline the cost of funding declines and a saving, or ‘gain,’ results)” (3).

7. Karen M. Clark, “A Formal Approach to Catastrophe Risk Assessment and Management,” Proceedings of the Casualty Actuarial Society 73.140 (1986): 69-92.

8. Richard A. Posner, Catastrophe: Risk and Response (New York: Oxford University Press, 2004).

9. Robert R. Moeller, COSO Enterprise Risk Management: Establishing Effective Governance, Risk, and Compliance Processes (Hoboken, NJ: Wiley, 2011), 149-50.

10. “Report on Implementation of COSO Internal Control-Integrated Framework, [UC] Office of the President,” 14 Sept. 1995,

11.‎, p. 3

12. University of California, CFO Division, Office of Risk Services Annual Report 2011/2012, pp. 2-3,

15. UCLA anthropology professor Jeffrey Brantingham has worked closely with LAPD to develop and implement predictive policing using data to model the spatial distribution of crime in the city. His model is based on the assumption that crime follows the same patterns as earthquakes. The catastrophic and the everyday merge into one.

16. UCPD’s most recent crowd management policy, updated in March 2013, is available here:‎, p. 16

17. Ibid., p. 7

18. Ibid., p. 14

19. Joaquin Palomino has documented numerous instances in which OPD officers who have lost their jobs for lying under oath, falsifying police reports, and conducting illegal searches and seizures were later hired by UCPD. “When Cops Lie,” East Bay Express, 28 Aug. 2013,