ERM adoption


School of Computer & Information Sciences

ITS 835

Chapter 9, “Lessons from the Academy: ERM Implementation in the University Setting”

This is a narrated presentation.

Overview

• Institutional Background

• Emergence of ERM in Higher Education

• Leadership from the Top – Create a Culture-Specific ERM Program

– Scope of the Risk Framework

– Organizational Structure

– Philosophy of the Program

• Evolution of ERM at UW – Compliance, Operation, and Finance Council (COFi)

– Adopting and Adapting the COSO Model

• Outcomes and Lessons Learned

• Conclusion

Institutional Background

• Colleges and universities have often perceived themselves as substantially different and separate from other for-profit and not-for-profit entities, and the outside world has historically viewed and treated them as such.

• Higher education was largely a self-created, self-perpetuating, insular, isolated, and self-regulating environment. In this culture, higher education institutions are generally governed under the traditional, independent, “silos of power and silence” management model, in which the right hand in one administrative area or unit is often unaware of the left hand’s mission, objectives, programs, practices, and contributions in other areas.

• Organizational structures in higher education differ in many ways from those of other organizations. The differences are attributed to dualistic decision-making structures, a lack of metrics to measure progress and assess accountability, and a lack of clarity and agreement within the academic organization on institutional goals. As a result, the processes, structures, and systems for accountability commonly used in business firms are not sensible for universities.

Emergence of ERM in Higher Education

Educational institutions “have been slower to look at ERM as an integrated business tool, as a way to help all the stakeholders – trustees, presidents, provosts, CFOs, department heads, and frontline supervisors – identify early warning signs of something that could jeopardize a school’s operations or reputation.”

In the United States, engaging in risk management efforts and programs for IHEs is not specifically required by accrediting agencies or the federal government.

Examples of risk areas by unit:

• Board of Directors: Accreditation, Conflict of Interest, Succession planning

• Business Affairs: Bonds, Cash management, Endowment

• Campus Safety: Emergency alert, Incident response, Infectious disease

• Information Technology: Cyber liability, Electronic records, Privacy

• Academic Affairs: Academic freedom, Grade tampering, Grants

• Student Affairs: Emergency alert, Incident response, Infectious disease

• Human Resources: Affirmative Action, Grievance, Labor law

• Physical Plant: Fire, Renovations, Infrastructure damage

• Other: Alumni, Athletics, External relations

Leadership from the Top

• The role of the Strategic Risk Initiative Review Committee (SRIRC) is to continue investigating best practices in university risk management and to make recommendations about a structure and framework for compliance that would fit the institution’s culture.

• The SRIRC asked questions such as: Does this proposal add value? What obstacles are apparent, and how can they be addressed? How could this proposal be improved?

• Prior to formal implementation of the ERM program, resources were also dedicated to creating an infrastructure to sustain the recommended model.

• Prior to the implementation, some key decisions would need to be made: Would the scope of the program be institution-wide or targeted at the school, college, or unit level? Would it include all risks (compliance, finance, operations, and strategy) or be “on the continuum,” a model that integrates risks into the organizational strategic discussion?

Create a Culture-Specific ERM Program

• UW adopted “an integrated approach to managing risks and compliance, commonly called enterprise risk management (ERM).” It acknowledged that the proposed changes were not intended to “replace what already works across the university,” but rather to “augment the existing organization with thoughtful direction, collaboration, and communication on strategic risks.”

• Defined key terms and made recommendations based on three basic parameters: scope of the framework, organizational structure for the framework, and philosophy of the program.

Scope of the Risk Framework

• Centralized Compliance Management approach: the model encompasses all risks but would focus primarily on legal and regulatory compliance.

• Collaborative, institution-wide risk management model, which “ensures that UW creates an excellent compliance model based on best practices, while protecting its decentralized, collaborative, and entrepreneurial culture.”

Organizational Structure

• UW’s current approach to risk management had moved beyond the insurance approach, “which is usually reactive and ad hoc,” but responsibility for specific risks was still distributed amongst the institution’s organizational silos.

• Highlighted the weaknesses of the current approach, including the fact that “due to the size, decentralization, and complexity of the institution, a proliferation of compliance, audit, and risk management activities has grown up around separate and distinct risk areas, each largely operating in a self-defined stovepipe.”

Philosophy of the Program

• The institutional profile report outlined three guiding principles to shape the evolution of compliance and risk management at UW:

– Foster an institution-wide perspective

– Ensure that regulatory management is consistent with best practices

– Protect the decentralized, collaborative, entrepreneurial culture

Evolution of ERM at UW

• Although many operational units, committees, and administrative bodies handled the risks faced in their own environment well, there was little cross-functional sharing of information. The opportunity aspect of risk was therefore not fully utilized by the University, and risk mitigation priorities were not consistently driven by the institution’s strategic objectives.

• Early ERM efforts at UW were formative and focused on:

– Developing a common language around risk

– Conducting individual risk assessments

– Focusing discussion and mitigation on financial challenges

– Drafting an initial compendium of enterprise-wide success metrics

Compliance, Operation, and Finance Council (COFi)

• The COFi Council has oversight of risk assessments at the division or functional level. It approves methods to monitor risks and identifies topics for outreach, particularly items that have university-wide potential impact or that involve cross-departmental or divisional silos. The six primary goals of the COFi Council are to:

– Engage in a continual, cross-functional process that results in effective prioritization of institutional responses to compliance, financial, and operational risks, and consider the impact on strategic and reputational risks.

– Ensure that the institutional perspective is always present in risk and compliance management discussions.

– Identify strategies to address emerging risks and compliance management issues.

– Support risk and compliance management training and outreach efforts throughout the university.

– Provide external auditors and regulators with information about the university’s risk and compliance programs.

– Avoid the creation of additional bureaucracy by minimizing redundancy and maximizing resources.

Adopting and Adapting the COSO Model

• UW defined ERM according to its interpretation of the Committee of Sponsoring Organizations (COSO) model, which describes ERM as “a process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

• The COSO model is an eight-step process:

1. Leadership, culture, and values
2. Strategic goals
3. Risk identification
4. Risk assessment
5. Response
6. Controls
7. Information and communication
8. Monitoring and measuring

Outcomes and Lessons Learned

• The value of ERM is both quantitative (e.g. risk and opportunity maps) and qualitative (e.g. dashboards to contextualize and display metrics). Each iteration of the ERM process results in new capabilities and in insight gained into managing financial risks and strategic opportunities.

• Key lessons learned:

– Clarify the roles of the various risk committees

– Develop a work plan for the committee

– Develop an engaging agenda, focused at the appropriate level

– Don’t overemphasize lowest-common-denominator risks

– Gather data and information to develop expertise on specific risks

– Avoid discussing low-level, narrow risks

– Don’t get into the weeds with implementation and process

Conclusion