School of Computer & Information Sciences
ITS 835
Chapter 9, “Lessons from the Academy:
ERM Implementation in the University Setting”
This is a narrated presentation.
Overview
• Institutional Background
• Emergence of ERM in Higher Education
• Leadership from the Top
– Create a Culture-Specific ERM Program
– Scope of the Risk Framework
– Organizational Structure
– Philosophy of the Program
• Evolution of ERM at UW
– Compliance, Operation, and Finance Council (COFi)
– Adopting and Adapting the COSO Model
• Outcomes and Lessons Learned
• Conclusion
Institutional Background
• Colleges and universities have often perceived themselves as substantially different and separate from other for-profit and not-for-profit entities, and the outside world has historically viewed and treated them as such.
• Higher education was largely a self-created, self-perpetuating, insular, isolated, and self-regulating environment. In this culture, higher education institutions are generally governed under the traditional, independent, “silos of power and silence” management model, in which the right hand in one administrative area or unit is often unaware of the left hand’s mission, objectives, programs, practices, and contributions in other areas.
• Organizational structures in higher education differ in many ways from other organizations. The differences are attributed to dualistic decision-making structures, a lack of metrics to measure progress and assess accountability, and a lack of clarity and agreement within the academic organization on institutional goals. As a result, the processes, structures, and systems for accountability commonly used in business firms are not sensible for universities.
Emergence of ERM in Higher Education
Educational institutions “have been slower to look at ERM as an integrated business tool, as a way to help all the stakeholders – trustees, presidents, provosts, CFOs, department heads, and frontline supervisors – identify early warning signs of something that could jeopardize a school’s operations or reputation.”
In the United States, engaging in risk management efforts and programs for institutions of higher education (IHEs) is not specifically required by accrediting agencies or the federal government.
• Board of Directors: Accreditation; Conflict of Interest; Succession planning
• Business Affairs: Bonds; Cash management; Endowment
• Campus Safety: Emergency alert; Incident response; Infectious disease
• Information Technology: Cyber Liability; Electronic records; Privacy
• Academic Affairs: Academic freedom; Grade tampering; Grants
• Student Affairs: Emergency alert; Incident response; Infectious disease
• Human Resources: Affirmative Action; Grievance; Labor Law
• Physical Plant: Fire; Renovations; Infrastructure Damage
• Other: Alumni; Athletics; External Relations
Leadership from the Top
• The role of the Strategic Risk Initiative Review Committee (SRIRC) is to continue investigating best practices in university risk management and make recommendations about a structure and framework for compliance that would fit the institution’s culture.
• The SRIRC asked questions such as: Does this proposal add value? What obstacles are apparent, and how can they be addressed? How could this proposal be improved?
• Prior to formal implementation of the ERM program, resources were also dedicated to creating an infrastructure to sustain the recommended model.
• Prior to implementation, some key decisions would need to be made: Would the scope of the program be institution-wide or targeted at the school, college, or unit level? Would it include all risks (compliance, finance, operations, and strategy) or be on the “continuum,” a model that integrates risks into the organizational strategic discussion?
Create a Culture-Specific ERM Program
• UW adopted “an integrated approach to managing risks and compliance, commonly called enterprise risk management (ERM).” It acknowledged that the proposed changes were not intended to “replace what already works across the university,” but rather to “augment the existing organization with thoughtful direction, collaboration, and communication on strategic risks.”
• Key terms were defined and recommendations made based on three basic parameters: scope of the framework, organizational structure for the framework, and philosophy of the program.
Scope of the Risk Framework
• A centralized compliance management approach. This model encompasses all risks but would focus primarily on legal and regulatory compliance.
• A “collaborative, institution-wide risk management model” that “ensures that UW creates an excellent compliance model based on best practices, while protecting its decentralized, collaborative, and entrepreneurial culture.”
Organizational Structure
• Described UW’s current approach to risk management, noting it had moved beyond the insurance approach, “which is usually reactive and ad hoc,” but also observing that responsibility for specific risks was currently distributed amongst the institution’s organizational silos.
• Highlighted the weaknesses of the current approach, including the fact that “due to the size, decentralization, and complexity of the institution, a proliferation of compliance, audit, and risk management activities has grown up around separate and distinct risk areas, each largely operating in a self-defined stovepipe.”
Philosophy of the Program
• The institutional profile report outlined three guiding principles to shape the evolution of compliance and risk management at UW:
– Foster an institution-wide perspective
– Ensure that regulatory management is consistent with best practices
– Protect the decentralized, collaborative, entrepreneurial culture
Evolution of ERM at UW
• Although many operational units, committees, and administrative bodies handled the risks faced in their own environment well, there was little cross-functional sharing of information. The opportunity aspect of risk was therefore not fully utilized by the University, and risk mitigation priorities were not consistently driven by the institution’s strategic objectives.
• ERM at UW was formative and focused on:
– Developing a common language around risk
– Conducting individual risk assessments
– Focusing discussion and mitigation on financial challenges
– Drafting an initial compendium of enterprise-wide success metrics
Compliance, Operation, and Finance Council (COFi)
• The COFi Council has oversight of risk assessments at the division or functional level. It approves methods to monitor risks and identifies topics for outreach, particularly items that have potential university-wide impact or that involve cross-departmental or divisional silos. The six primary goals of the COFi Council are to:
– Engage in a continual, cross-functional process that results in effective prioritization of institutional responses to compliance, financial, and operational risks, and consider the impact on strategic and reputational risks.
– Ensure that the institutional perspective is always present in risk and compliance management discussions.
– Identify strategies to address emerging risks and compliance management issues.
– Support risk and compliance management training and outreach efforts throughout the university.
– Provide external auditors and regulators with information about the university’s risk and compliance programs.
– Avoid the creation of additional bureaucracy by minimizing redundancy and maximizing resources.
Adopting and Adapting the COSO Model
• UW defined ERM according to its interpretation of the Committee of Sponsoring Organizations (COSO) model, which describes ERM as “a process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
• The COSO model is an eight-step process:
1. Leadership, culture, and values
2. Strategic goals
3. Risk identification
4. Risk assessment
5. Response
6. Controls
7. Information and communication
8. Monitoring and measuring
Outcomes and Lessons Learned
• The value of ERM is both quantitative (e.g., risk and opportunity maps) and qualitative (e.g., a dashboard to contextualize and display metrics). Each iteration of the ERM process results in new capabilities and insight gained into managing financial risks and strategic opportunities.
• Key lessons learned:
– Clarify the roles of the various risk committees
– Develop a work plan for the committee
– Develop an engaging agenda, focused at the appropriate level
– Don’t overemphasize lowest-common-denominator risks
– Gather data/information to develop expertise on specific risks
– Avoid discussing low-level, narrow risks
– Don’t get into the weeds with implementation and process
Conclusion