Enterprise risk management (ERM) is one of the most powerful demonstrations of AI's potential at every level of use. From reviewing a single incident report to co-developing an institutional risk strategy, AI can serve as a force multiplier for administrators responsible for protecting their communities.
We use a three-level framework to illustrate how the same discipline (risk management) can leverage AI at increasing levels of sophistication.
The Three Levels
| Level | Role | Description | Frequency | Impact |
|---|---|---|---|---|
| 1 | Task Tool | "Do this thing for me." | Most Frequent | Low Impact |
| 2 | Problem Solver | "I know what I need. Go build it." | Less Frequent | High Impact |
| 3 | Operating Partner | "Help me think through this challenge." | Infrequent | Major Impact |
Each level builds on the last. Most people start at Level 1, and many never move beyond it. The real institutional value unlocks at Levels 2 and 3.
Level 1: Incident Report Review
The prompt: "Review this communication and identify any compliance, liability, or regulatory notification requirements we need to act on."
The Scenario
Imagine a California community college discovers that a spreadsheet containing student financial aid verification data was accidentally emailed to the wrong external recipient. The file included names, Social Security numbers, dates of birth, addresses, and FAFSA income information for 847 students. The external company says they will delete it, but no written confirmation has been received.
What AI Identifies
When you provide this type of incident documentation to a top-tier AI model, it can quickly surface:
Regulations Triggered
- CA Civil Code 1798.29 (SSN + name = mandatory notification)
- FERPA (education records disclosed to unauthorized party)
- GLBA/FTC Safeguards Rule (financial aid data)
Immediate Liability Gaps
- No written confirmation of deletion from the external recipient
- No contractual relationship with the recipient, limiting legal leverage
- The file was unencrypted and unprotected
Action Required
- Report to Federal Student Aid immediately
- Send a formal written deletion request via legal counsel
- Notify the cyber liability insurance carrier
- Preserve all logs and documentation
Why This Matters
A new administrator might spend hours researching which regulations apply to this scenario. AI can surface the key issues in minutes, allowing the team to focus on response rather than research. This is Level 1 at its best: saving time on a discrete, well-defined task.
Level 2: Comprehensive Risk Register
The prompt: "Create a comprehensive enterprise risk register for a California community college district. Deliver as an Excel workbook with scoring criteria, controls mapping, and departmental ownership."
What AI Produces
At Level 2, you are asking AI to build something substantial. A well-prompted risk register request to a top-tier model can produce:
A structured register tracking risks across multiple categories:
- Cybersecurity and Data Privacy
- Campus Safety and Security
- Regulatory Compliance
- Financial Sustainability
- Human Resources
- Technology Infrastructure
- Facilities and Operations
- Reputational Risk
- Strategic Risk
For each risk entry, the register includes:
- Risk ID and category
- Detailed risk description
- Likelihood score (1-5 scale)
- Impact score (1-5 scale)
- Inherent risk score (Likelihood x Impact)
- Current controls in place
- Control effectiveness rating
- Residual risk score
- Target risk level
- Gap analysis
- Risk velocity (increasing, stable, or decreasing)
- Risk owner (by position)
- Review frequency
- Next review date
- Mitigation status notes
Impact Scale Framework
The register also includes a calibrated impact scale designed for community college operations:
| Score | Level | Financial | Operational | Reputational | Compliance |
|---|---|---|---|---|---|
| 5 | Catastrophic | >20% budget | Campus closure >1 week | National media; loss of community trust | Loss of accreditation; Title IV ineligibility |
| 4 | Major | 10-20% budget | Campus closure 1-7 days | Regional media; enrollment impact | Federal investigation; OCR resolution agreement |
| 3 | Moderate | 5-10% budget | Department closure; multiple services affected | Negative local media; stakeholder complaints | Regulatory warning; audit finding |
| 2 | Minor | 1-5% budget | Brief interruption; single service affected | Limited complaints; internal concern only | Minor compliance gap; self-reported |
| 1 | Negligible | Less than 1% budget | No significant operational impact | No external awareness | Observation only; best practice recommendation |
Executive Summary Dashboard
The AI-generated register can also include an executive summary suitable for board presentation, with key risk indicators, risk counts by category, and a list of risks requiring board attention.
Why This Matters
Building a comprehensive risk register from scratch would traditionally take weeks of consultant engagement or months of internal effort. With Level 2 AI use, an experienced administrator can produce a professional-grade starting point in hours, then refine it with institutional knowledge and stakeholder input.
Level 3: Enterprise Risk Strategy
The prompt: "You are an industry-leading expert in risk management and highly experienced working with California Community Colleges. I want to think through an enterprise risk strategy with you as a thought partner. Consider a community college district of 15,000 students with two campuses. Work with me as if I were new to the role as a CBO in charge of risk. Where do I start?"
What AI Delivers
At Level 3, AI becomes a strategic thought partner. Rather than completing a task or building a deliverable, it engages in genuine strategic dialogue. A top-tier model responds with structured, expert-level guidance:
"First: Understand What You Are Inheriting"
Before building anything new, you need to know what already exists:
- Is there a current risk register? Many community college districts have one gathering dust somewhere, often created for accreditation and never touched since.
- What does your insurance program look like? JPA membership (SWACC, ASCIP, or other associations)? Self-insured retention levels? Coverage gaps?
- Who "owns" risk today? Risk management in community college districts is often fragmented across Facilities, HR, IT, Student Services, and Finance with no central coordination.
Building an ERM Program from Scratch
The AI continues with a comprehensive framework covering:
1. Governance Structure: Who owns risk decisions and how information flows through the organization.
| Role | Responsibility |
|---|---|
| Board of Trustees | Policy oversight, risk appetite definition, annual review |
| Chancellor | Accountable for overall ERM program effectiveness |
| CBO | Program owner, drives execution and coordination |
| Risk Council | Cross-functional leadership team, meets quarterly |
| Risk Owners | VPs and Directors who own and manage specific risks |
2. Risk Categories: A taxonomy organizing risks into manageable categories aligned with community college district operations, including Strategic, Operational, Financial, Compliance, Reputational, Human Capital, Technology, and Health and Safety.
3. Risk Assessment Methodology: A consistent scoring framework using Likelihood (1-5) and Impact (1-5) to produce inherent risk scores, then factoring in controls to arrive at residual risk.
4. Prioritization and Resource Allocation: Guidance on how to allocate limited resources across competing risk areas, including cyber threats, campus safety, regulatory compliance, and third-party liability.
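The Likelihood x Impact scoring from item 3, applied to the Level 2 register fields and the financial column of the impact scale, as an added example that is not part of the original article or of any AI-generated register. The residual-risk formula, the 0-100 control-effectiveness scale, the band-edge rule, and the sample entries are assumptions.

```python
from dataclasses import dataclass

def financial_impact(pct_of_budget: float) -> int:
    """Map an estimated loss (% of budget) to the page's 1-5 financial impact score."""
    if pct_of_budget < 0:
        raise ValueError("loss percentage cannot be negative")
    if pct_of_budget > 20:            # ">20% budget" is strictly greater than 20
        return 5
    # Assumption: a value on a shared band edge (10% or 5%) takes the higher score.
    for lower_bound, score in ((10, 4), (5, 3), (1, 2)):
        if pct_of_budget >= lower_bound:
            return score
    return 1                          # "Less than 1% budget"

@dataclass
class Risk:
    risk_id: str
    likelihood: int           # 1-5
    impact: int               # 1-5
    control_pct: int          # control effectiveness, 0-100 (assumed scale)
    target: int               # target residual score
    owner: str                # by position, as in the register

    def __post_init__(self):
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.risk_id}: scores must be 1-5")
        if not 0 <= self.control_pct <= 100:
            raise ValueError(f"{self.risk_id}: control_pct must be 0-100")

    @property
    def inherent(self) -> int:
        return self.likelihood * self.impact          # Likelihood x Impact

    @property
    def residual(self) -> int:
        # Assumed formula: discount inherent risk by control effectiveness,
        # rounding up in integer arithmetic so a partial control never rounds risk away.
        return (self.inherent * (100 - self.control_pct) + 99) // 100

    @property
    def gap(self) -> int:
        return max(0, self.residual - self.target)    # gap analysis vs. target level

def board_attention(register):
    """Risks whose residual score exceeds target, largest gap first."""
    open_gaps = [r for r in register if r.gap > 0]
    return sorted(open_gaps, key=lambda r: (-r.gap, -r.residual))

# Constructed sample entries (IDs, scores and owners are illustrative).
REGISTER = [
    Risk("R-001", 4, financial_impact(12.0), 25, 6, "CIO"),
    Risk("R-002", 2, 5, 60, 5, "VP Facilities"),
    Risk("R-003", 3, 3, 0, 4, "Director of Financial Aid"),
]
```

Because the scale lists both "10-20%" and "5-10%", whichever band-edge rule the institution picks should be written into the register's scoring criteria so that reviewers score the same loss the same way.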
Why This Matters
This is where AI delivers its greatest value. A new CBO can have a strategic conversation with an AI that draws on patterns from hundreds of institutional risk programs, accreditation standards, and regulatory frameworks. The AI does not replace the expertise of a human risk consultant, but it provides an informed starting point for strategic thinking that would otherwise require expensive external advisors or years of personal experience.
Connecting the Levels
The power of this framework is that all three levels reinforce each other:
- Level 1 tasks (incident review, compliance checks) generate data that feeds into the Level 2 risk register
- The Level 2 risk register provides structure and scoring that informs Level 3 strategic discussions
- Level 3 strategic decisions shape the priorities and categories used in Level 2 and the types of Level 1 reviews conducted
When your institution uses AI across all three levels, you create a feedback loop that continuously improves your risk posture.
Getting Started
- Pick one incident or compliance question and try a Level 1 review with AI
- Assess your current risk register (or lack thereof) and consider a Level 2 build
- Schedule a strategic conversation with AI about your top institutional risk concern
- Document what you learn and share it with your risk council or leadership team
The goal is not to replace human judgment. The goal is to amplify it with AI at every level of complexity.