Dorothy Gjerdrum, ARM-P, CIRM

Dorothy is a managing director of the ERM Practice Group at Arthur J. Gallagher. She is also the senior managing director of Gallagher’s Public Sector Practice. She has more than 30 years of risk management experience and has been a speaker, author, and consultant on ERM since 2003. She has represented the U.S. at international meetings focused on the development of risk management standards since 2008.

As managing director of Gallagher’s ERM Practice Group, Dorothy leads the development of training and resource material focused on the implementation of ERM. She provides ERM consulting services to a variety of industries and clients, with expertise in K12 education (both public and private), higher education, public sector and nonprofit clients. A sample of ERM implementation and consulting projects include San Diego Zoo Global, the U of WY, the Pingry School, Chadwick School, San Francisco Unified School District, Dakota County MN, Maricopa County Community College District and Johnson County Community College District.

Prior to joining Gallagher, Dorothy was the risk manager of three self-insured pools for an association of county governments. During her tenure as a risk manager, she was recognized for her expertise in areas such as new coverage programs, the development of loss-focused training and prevention programs, reducing claims costs and innovative risk financing strategies. She helped form and served as a board member and treasurer of a reinsurance company for county association pools.

How do you currently use the ISO 31000 standard on your job?

I provide consulting services to clients and use the ISO 31000 standard as my model. I have used it to help clients identify gaps in current risk management programs, make plans to expand their risk management programs to incorporate ISO 31000 and as a guide for “best practices” in risk management.

I recently participated in a leadership meeting where we had to make a major structural service change. We used the risk assessment process from ISO 31000. It helped us to be better informed and consider both threats and opportunities associated with the change. I apply the standard in ways that are very formal and informal and it always helps me make better decisions and more informed choices.

Any advice on how to get upper-management buy-in for incorporating the standard into an organization’s risk management program?

Find out what upper-management cares about and the “language” they speak. This might be the language of finance (efficiencies and bond rating) or the language of planning (strategy and risk to achieving it). If they are reluctant or skeptical, try to elicit support for a pilot project to prove the concept. That can help build support. In addition to speaking their language, it would be helpful to know what their priorities are and then find ways that risk management can support those priorities and contribute to their success.

Other people can help you with this as well. When you find a “champion” or supporter, be sure you empower them to talk to others about what you’re doing, why it is important and what it can do for your organization.

Why did you become an ISO 31000 Faculty member?

My ERM clients needed training on how to implement ERM and how to educate others to support ERM. That’s why I approached PRIMA and PERI to develop this training. I love training people and sharing ERM so being an ISO 31000 Faculty member is a natural fit for me! I love the idea of a PRIMA faculty. I think it’s a great idea. We can support each other and build the practice as we go. That’s what public sector risk managers are good at!

Shannon Gunderman, CPCU, ARM, AIS, CWCP

Shannon is an executive director and senior consultant at Arthur J. Gallagher, where he divides his time between enterprise risk management consulting and Gallagher’s Public Sector & K-12 Education Practice. Shannon has over 22 years of risk management experience. His areas of expertise include project management, enterprise risk management, process improvement, predictive analytics, strategic planning, data analytics and visualization, litigation support, safety and HIPAA compliance, and claim management.

Prior to joining Gallagher, Shannon served as the administrative services director for Yuma County, Arizona, where he managed the county’s property, liability, unemployment and workers’ compensation insurance programs. He also designed the county’s award-winning enterprise risk management program using ISO 31000. The ground-breaking initiative involved leading and managing the project, conducting workshops, drafting training materials and forms, communicating with elected officials and employees at all organizational levels, and integrating the program with the county’s strategic planning and budgeting processes.

As a Lean Six Sigma Black Belt practitioner, Shannon has led several process improvement projects in the areas of administrative records management, customer service and the criminal justice system. His efforts identified significant programmatic inefficiencies and resulted in the implementation of several improvement plans.

Shannon is a certified public manager through Arizona State University and holds the CPCU, ARM, AIC, and CWCP designations. He is also a certified paralegal with the National Association of Legal Assistants.

How do you currently use the ISO 31000 standard on your job?

In my role as a senior consultant with Gallagher, I help a broad range of clients implement and improve their ERM programs by providing risk management advice and training, and developing educational resources based upon the methodology of ISO 31000. In my prior employment with Yuma County, I utilized the ISO 31000 standard to sell ERM to upper-management and then integrate it into daily operations and strategic planning.

Any advice on how to get upper-management buy-in for incorporating the standard into an organization’s risk management program?

It’s important that upper-management understands how risk impacts their organization’s objectives both positively and negatively, and how applying ISO 31000 to their risk management program can help to both preserve and create value.

Therefore, a risk manager’s ERM message should emphasize at least two things: 1) ERM is an effective method of identifying and treating risks that affect the organization’s ability to reach its strategic goals and 2) ERM is an invaluable tool that can be used to discover opportunity in risk, which can lead to improved operations and better allocation of resources.

Why did you become an ISO 31000 Faculty member?

I have been a risk management practitioner for over 22 years and feel that both ISO 31000 and the concept of ERM have done a lot to raise the profile of the risk management profession. Historically, risk managers have been viewed as procurers of insurance, safety inspectors, and claim adjusters. However, ERM and the ISO 31000 standard have begun to change the public’s perception of risk managers. Risk managers are now being viewed as valuable partners in the attainment of an organization’s critical objectives.

It’s an exciting time to be in the risk management field and I felt that with my knowledge, experience, training, and professional passion, I would be effective in teaching and advocating the important principles of ISO 31000.

Lisanne Sison

Lisanne Sison is a Managing Director at Arthur J. Gallagher & Co. Public Sector. She has more than 15 years of experience providing consulting services to a broad spectrum of entities that include state and local government departments and agencies, higher education institutions, not-for-profit organizations, health care institutions, technology companies, and K-12 private schools.

Lisanne has detailed experience related to ERM implementation and has played a key role in assisting her clients to implement various ERM frameworks. Her competencies include, but are not limited to, facilitation support and strategic planning assistance, risk identification, evaluation and quantification activities, the development of risk assessment tools and techniques, providing education and training on ERM frameworks and risk assessment techniques, and assisting with the development of ERM governance structures and new automated systems to help organizations proactively manage their risks using metrics.In addition to the technical duties described above, Lisanne has also provided facilitation support and strategic planning assistance to multiple committees, workgroups, and leadership groups across different organizations, to help guide their operations and/or their ERM programs.

In addition to her ERM expertise, Lisanne also has experience in a wide range of consulting projects covering business operation improvement and process reviews, audit assistance, regulatory compliance reviews (including research grant compliance requirements), procurement process reviews, business continuity management reviews, vendor selection assistance, and indirect cost rate development and activity based costing projects.

How do you currently use the ISO 31000 standard on your job?

As a consultant, I regularly use ISO 31000 as a road map to describe Enterprise Risk Management principles and processes. The standard is clear, straight forward, and the three parts to Figure 1 not only help communicate the key characteristics of ERM (e.g. – Creates and protects value, must be customized, must be dynamic, etc.), but also help illustrate what the process looks like in practice.

Any advice on how to get upper-management buy-in for incorporating the standard into an organization’s risk management program?

Organizations that lack a structured approach to identifying, prioritizing and evaluating uncertainty across their organization are often forced into either making decisions based on whoever has the loudest or most persistent voice in the organization, or reacting to an event that has already occurred. Both situations limit an organization’s ability to proactively align its risk management functions with the mission of the organization, resulting in increased cost, decreased efficiency, and diminished capacity to fulfil the organization’s purpose.

From my perspective, the purpose of Enterprise Risk Management is to provide a common ruler with which to measure uncertainty across an organization, and evaluate how effective the organization is at managing that uncertainty. By leveraging a consistent and rigorous approach, organizations, and especially senior leadership, are better prepared to identify key opportunities and threats to their mission, make better / more risk-aware decisions, and allocate their limited resources (e.g. – people, dollars and technology) to the areas of greatest need.

By communicating the value of effective risk management that is aligned with strategy and integrated with the decision-making process, they can get beyond seeing risk management as just a line item expense for insurance, and view risk management as a valued partner that is integral to the success of the organization.

Why did you become an ISO 31000 Faculty member?

Risk Management has often had a reputation as the department of “no”, or being the last hurdle to jump through on a checklist that requires a certificate of insurance before you get to the “fun” stuff. But I view Risk Management as a tool for organizations to take more risk in a smart way. You can’t innovate or evolve without taking risk, and I see ERM as an effective tool that enables organizations to better manage uncertainty in pursuit of their mission and objectives. I am honored to have the opportunity to share my knowledge and experience in a way that helps to simplify ERM as a discipline and gives Risk Managers the tools they need to elevate their engagement and enhance their value to their organizations.

Scott Wightman, ARM

Scott is the director of public sector and higher education practices for Arthur J. Gallagher & Co. in St. Louis, Missouri where he is responsible for managing a team of 13 professionals dedicated to serving more than 480 clients in K12 education, 40 higher education institutions and numerous cities, counties and special districts.

His previous experience involves serving as the first risk manager for a regional department store chain and then as director of risk management for Saint Louis University.

Scott’s professional accomplishments include leading the formation of the Missouri United School Insurance Council (MUSIC) in partnership with the Missouri Chapter of the Association of School Business Officials (MoASBO) and implementing numerous ERM programs in partnership with Dorothy Gjerdrum. Active with the University Risk Management and Insurance Association (URMIA), Scott has developed a comprehensive sample inventory of compliance and risk sources, organized under the headings of tax and finance, safety and security, research and healthcare, student disclosures and services and employment.

Scott has a Bachelor of Science degree in business administration from the University of Missouri and holds his ARM designation.

How do you currently use the ISO 31000 standard on your job?

I use the standard to help our clients broaden their view of risk management and to embed its principles into their organizations. It is very gratifying to see their reaction to the standard’s simplicity and direction in communicating its benefits.

Any advice on how to get upper-management buy-in for incorporating the standard into an organization’s risk management program?

The standard fits perfectly into existing management programs and always provides the missing piece of the puzzle – analyzing and measuring risks associated with the meeting of organizational objectives identified in the broader management process. This is the gateway to educating senior managers on the proper role and position of risk management within the enterprise.

Why did you become an ISO 31000 Faculty member?

It is an exciting time in the history of risk management in the public and higher education sectors. The standard provides a wonderful tool for elevating the practice within the organization. Risk managers belong at the table when senior management is considering major new initiatives and the understanding of ERM principles and practices is key to the invitation. I became a faculty member to help them get to that table.

Tim Wiseman, MBA, ARM-E

Tim is the university risk officer for the University of Oklahoma with duties on the Norman, Oklahoma City (Health Sciences) and Tulsa campuses. Tim is also a contributing faculty member for Public Risk Management Association (PRIMA) Enterprise Risk Management (ERM) education program and board member for the University Risk Management and Insurance Association (URMIA). He has previously served in risk management positions with the University of Wyoming as chief risk officer from 2019-2024 and East Carolina University (assistant vice chancellor for enterprise risk management and military affairs) from 2009-2019.  Tim earned the Associate in Risk Management - Enterprise-Wide Risk Management (ARM-E) designation in 2012, and is a certified defense financial manager (RET), with a B.S. in business administration from the University of Arkansas, an MBA from Syracuse University, and an M.S. in national resource strategy from the Industrial College of the Armed Forces. A recognized ERM practitioner, he presents regularly in auditing, financial and risk management forums. Prior to entering the risk management field, Tim served in various command and staff positions for 26 years as a finance officer and resource manager in the U.S. Army including service as a congressional budget liaison.

How do you currently use the ISO 31000 standard on your job?

I currently use the ISO 31000 as the basic point of departure for any risk discussions and activities.  Having a standard that has been designed and vetted outside of my organization is very valuable as it helps usher in acceptance of the principles and ideas associated with formal risk management for our organization.  I have also found the definitions and tools included in the ISO suite of references extremely useful.   Additionally, the principles serve as great descriptors to form the basis for organizational self-evaluation as to the maturity of ERM processes and holistic implementation of an effective ERM program. In short, it is a mainstay.

Any advice on how to get upper-management buy-in for incorporating the standard into an organization’s risk management program?

The principles, framework, and process outlined in the standard provide a foundation from which the case for implementing an effective enterprise-wide risk management program can be made.  The solid presentation of the framework and process in the standard also elevates the conversations about risk to the strategic level without ignoring or lessening the importance of traditional risk management.  Having a clear model shifts the conversation with senior executives and board members from debates about what constitutes a risk to those with a focus on objective-setting and risk-informed strategic decision making.

The “buy-in” is achieved by the stability that having an accepted standard brings to the process.  Interpretational dissonance is reduced as a result, and executive-level dialogue becomes far more efficient and effective – translating to a more efficient use of limited resources.

Why did you become an ISO 31000 Faculty member?

I have a passion for applying contemporary risk management principles and the ISO 31000 framework to public sector, higher education and non-profit organizations.  These sectors can benefit tremendously from a more formal approach to enterprise-wide risk (and opportunity) management and reducing institutional total cost of risk.

Over the past few decades, the emphasis on risk management and governance has been primarily focused on the private/corporate sector.  I see the opportunity now to take the best practices in enterprise risk management exercised in the corporate sector, modify them appropriately for application in the public sector, higher education and non-profit environments, and apply the practices for positive effect.

The ISO 31000 is a cornerstone reference to facilitate the transition for organizations to a more formal and effective holistic risk management approach and the related benefits that will accompany that change.  I felt that my experiences guiding two large universities through the implementation of an enterprise risk management program over the past decade plus along with my experiences in managing change and transformation in large governmental organizations would be of benefit to students/trainees.

Sean Catanese

Sean has been the ERM program manager for King County, Washington, since 2014. He has developed King County’s ERM program from a nascent concept into a highly-sought resource in the toolbox of decision makers across the county’s diverse agencies and well beyond. Sean is a regular contributor to works developing the profile and understanding of ERM, with a specific focus on how public sector agencies can engage its concepts and improve their performance and decision-making with its help.

Prior to joining King County in 2014, Sean spent several years as an analyst and senior ERM consultant, serving a wide range of clients in public and private higher education, public safety, and municipal government, among others.

How do you currently use the ISO 31000 standard on your job?

Bringing a large, complex organization into practical use of enterprise risk management principles isn’t easy, but it’s absolutely worthwhile. The ISO 31000 standard is a key anchor point for the conversations with leadership and mid-level managers alike. For leadership, it helps to know that we’re not starting a large effort from scratch. Others have been here, their expertise is documented, and we can use it to make a meaningful difference. For mid-level managers, the standard gives us a structure and considerations for implementation. It describes real tools and analytic methods that make a difference. It makes the effort to integrate risk management into all our work more than just another directive from leadership.

Any advice on how to get upper-management buy-in for incorporating the standard into an organization’s risk management program?

Risk management as a practice is often perceived as the part of the organization that keeps the other parts out of trouble or the part that comes in to clean up afterward. Sometimes it’s even limited to just buying insurance and handling claims. ISO 31000 helps us reframe that limited perspective. With the right approach, risk management can also be about finding the right opportunities to take the right risks to fulfill our mission and meet our constituents’ needs. And that approach still keeps us on a path to identify and avoid the worst downside risks, too.

When we tell the story of our risk management journey, it’s about more than losses, claims, and countermeasures. It’s an opportunity to inspire decision-makers across the organization to seek that next right action, that next objective, with the confidence that there are tools and systems supporting them along the way.

Why did you become an ISO 31000 Faculty member?

Risk management in the public sector especially is at a crossroads. It’s not an easy position to be in these days, and risk managers need all the help they can get. We’re seeing generational shifts in our workforces and changing priorities and needs among our constituents. I’ve been very fortunate to be part of an organization that has embraced this approach to risk management, and I have a vested interest in seeing other public agencies improve as they find opportunities to make it real for them, too.