
UNIVERSITY BUSINESS EXECUTIVE ROUNDTABLE

Implementation of Enterprise Risk Management at Mid-Sized Institutions

Education Advisory Board 2445 M Street NW ● Washington, DC 20037

Telephone: 202-266-6400 ● Facsimile: 202-266-5700 ● www.educationadvisoryboard.com

August 2012

Custom Research Brief

Research Associate: David Godow

Research Manager: Lisa Geraci


© 2012 The Advisory Board Company


Table of Contents

I. Research Methodology
  Project Challenge
  Project Sources
  Research Parameters

II. Executive Overview
  Key Observations

III. Development of Enterprise Risk Management Procedures
  Impetus for ERM
  Governance of Initial Risk Policy and Inventory

IV. Improving Risk Identification Procedures
  Consultants
  Identification of Unit-level Risks

V. Maintenance of Unit-Level Risk Management Practices
  Oversight of Unit-Level Risk
  Accountability Mechanisms

Networking Contacts


I. Research Methodology

Project Challenge

Leadership at a member institution approached the Roundtable with the following questions:

Have administrators implemented enterprise risk management? If not, why?

What factors motivated development of enterprise risk management practices?

Did an independent risk committee manage the ERM process or an existing university office? If a committee managed the process, what was its composition?

Did administrators produce a comprehensive ERM implementation plan? If so, would contacts be willing to share these plans, as well as any other strategic documents or charts?

Did contacts employ risk management consultants to develop ERM processes? If so, what value did the consultants add?

How did contacts identify risks (e.g., through surveys or interviews)? By what process did administrators rank risks by likelihood and impact?

What was the development process for unit-level risk treatment plans? How did administrators reallocate funds between risk areas in reaction to risk treatment plans?

What strategies help administrators hold unit-level leaders accountable for implementation of risk treatment and mitigation plans?

What was the role of senior administrators and the institution’s board during ERM implementation? How did risk managers earn faculty buy-in for ERM?

Have administrators observed any quantifiable benefits from the implementation of ERM?

What improvements would administrators make to their own ERM development process?

Project Sources

Advisory Board’s internal and online research libraries (www.educationadvisoryboard.com)

University Business Executive Roundtable, A Practical Approach to Institutional Risk Management, Education Advisory Board (2012)

National Center for Education Statistics (NCES) (http://nces.ed.gov)

Contact institution Web sites


Research Parameters

The Roundtable interviewed internal audit directors, directors of risk management, or other individuals involved in enterprise risk management (ERM) implementation at six mid-sized public institutions.

A Guide to the Institutions Profiled in this Brief

| Institution | Location | Type | Approximate Total Enrollment | Maclean’s or Carnegie Classification |
|---|---|---|---|---|
| University A | Ontario | Public | 20,000 | Comprehensive |
| University B | Ontario | Public | 20,000 | Medical Doctoral |
| University C | Ontario | Public | 10,000 | Primarily Undergraduate |
| University D | U.S. South | Public | 10,000 | Master’s Colleges & Universities (larger programs) |
| University E | Ontario | Public | 15,000 | Comprehensive |
| University F | Manitoba | Public | 10,000 | Primarily Undergraduate |

Source: Maclean’s, National Center for Education Statistics (U.S.)


II. Executive Overview

Key Observations

A small staff team can quickly and inexpensively develop an enterprise risk management (ERM) policy if the team researches policies and risk inventories at peer institutions; consultants are useful but may not be worth the cost if administrators already have access to peer policies. Emulation of existing policies can save months of surveys, interviews, and committee meetings spent inventing new policies from scratch. If administrators are concerned about the applicability of peer institution policies to their own institution, they can supplement research with targeted interviews of senior staff or a short survey.

Consultants are a good source of best practices and pre-built ERM frameworks and assisted most contact institutions during their respective ERM development processes. Additionally, consultants can help to educate skeptical administrators or faculty about the definition of ERM and allay any concerns about the ERM implementation process. Consultants’ experience implementing ERM at other universities encourages academics to take ERM seriously.

However, consultants are not always an economical solution if staff or administrators can perform their own research. Several contacts note that administrators can assemble sample risk inventories and ERM procedures from peer institutions by themselves without hiring consultants. Additionally, one contact institution ultimately did not implement consultants’ proprietary ERM frameworks in order to avoid recurring consulting engagements to update and refine the frameworks.

At some institutions, standing executive committees or ad hoc committees composed of senior administrators develop ERM procedures or oversee their implementation; no institution has created a separate, dedicated risk committee. The involvement of senior administrators from around the university ensures that the risk inventory is complete and includes risks that affect multiple divisions or units. Committees responsible for ERM generally include the president, vice presidents, deans, and, occasionally, associate vice-presidents and directors of non-academic units. Committee membership ranges from approximately 10 to 25, which promotes diversity of opinion without excessive bureaucracy. Previous EAB research suggests that risk committees that exceed 25 members encourage excessively detailed discussion of minor, non-strategic risks. A single risk officer can conduct targeted interviews with senior administrators to garner diverse input without the inefficiency of large committee meetings.

Senior administrators should assign a university-wide risk owner who works at least half-time on ERM to encourage ERM compliance and active risk mitigation among unit-level managers. Several contact institutions have successfully adopted an ERM policy and created an initial risk inventory, but have struggled to update and monitor unit-level risk management regularly due to a lack of accountability. Contacts attribute this failure to a lack of clearly defined reporting responsibilities and a lack of ERM staff resources; only one institution employs a full-time, dedicated director of risk management to oversee ERM. The remaining institutions assign ERM duties to an existing staff member in the finance and administration unit, such as the internal auditor or budget director. A dedicated director of risk management is more likely to enforce risk mitigation practices, require units to submit annual reports on new risks, and provide useful updates to senior leaders.


III. Development of Enterprise Risk Management Procedures

Impetus for ERM

Primary Motivations for ERM Implementation are Board Pressure, Regulation

Across profiled institutions, administrators developed an ERM implementation plan in response to board pressure. Board members with corporate backgrounds often have extensive experience with ERM and expect their institutions to consider risk in a systematic way. Additionally, ERM implementation exerts a self-reinforcing effect on the rest of the higher education industry; as the number of universities considering ERM increases, the pressure on the remaining boards to address risk management also rises.

Canadian universities also face increased pressure from government regulation. Administrators and board members at University C, for example, expressed concern over the implications of federal Bill C-45 (the “Westray Bill”), passed in 2004, which renders employers criminally liable for negligence in cases of harm to employees or the public. Administrators also wished to avoid liability under the Ontario provincial government’s Bill 168, the Occupational Health and Safety Amendment Act of 2009, which requires employers to establish workplace violence and harassment policies and to assess the risk of workplace violence formally.

Though boards provide much of the impetus for institution of ERM, they generally do not actively participate in policy development.

Governance of Initial Risk Policy and Inventory

Most Institutions Charge a Single Staff Member with Initial ERM Implementation

At three profiled institutions, a single staff member – usually the internal auditor – or small team developed the initial ERM policy and risk inventory. Under this system, the staff member with oversight of ERM devotes ½ or less of his or her time to ERM activities. By contrast, committees of senior administrators at University A and University D participated directly in development of risk inventories and policies. The table below describes oversight of the initial policy and risk inventory development processes; it also lists, where applicable, the officer or committee that currently manages ERM.

Operational Oversight of ERM Development and Implementation Process [1]

| Institution | Officer(s) or Committee(s) with Oversight of Policy Development | Officer(s) or Committee(s) with Current Oversight |
|---|---|---|
| University A | Senior Management Team (President, Vice Presidents, Assoc./Asst. Vice Presidents, Deans) | Planning Director |
| University B | Director of VP-Finance’s Staff, Committee of Administrative Staff [2] | Director of VP-Finance’s Staff |
| University C | Director of the President’s Office | Director of Risk Management / Presidential Council |
| University D | Presidential Council (President, Vice Presidents, Deans) / Independent Risk Committee | Financial Development Director / Presidential Council |
| University E | Budget Director | Budget Director |
| University F | Internal Auditor and Associate Vice President | Internal Auditor |

[1] Titles have been altered to protect contact institution anonymity.

[2] The internal auditor directed the ERM development process until 2010, when the director assumed control; most policy development occurred under the director.

A Small Staff Team Can Efficiently Develop ERM Policy but is Vulnerable to Work Overload

One or two staff members from the administration and finance division [1] developed ERM procedures at University C, University E, and University F. A small team can efficiently implement an initial risk plan and assemble an initial risk inventory because they operate without the extensive, bureaucratic deliberation associated with a committee. Additionally, administrators need not hire a full-time, dedicated risk manager if they assign ERM development duties to staff members with some excess work capacity; administrators at contact institutions typically choose a director-level staff member within the finance and administration office. Contacts at University C suggest that administrators develop an ERM procedure quickly and with as few resources as possible; a small staff team can fulfill this goal.

[1] The internal auditor at University F received research support from an associate vice president.

The ERM development team may base its risk inventory and policy documents either on research into other institutions’ policies or templates provided by consultants. Like other major policy documents, a committee of senior administrators and/or the board approve inventories and ERM policy documents once they are complete.

Though a small ERM development team generally operates efficiently, a surge in non-ERM workload can significantly delay ERM implementation. For example, though University B began its ERM implementation process in 2008, staff did not develop a formal risk inventory until 2011 due to repeated interruptions. In 2008, the internal auditor who had been assigned ERM implementation duties was needed to manage university financial services due to staff turnover. In 2010, administrators assigned risk management duties to the director of the office of the vice president of finance and administration. The director again put aside ERM development in summer 2011 to prepare continuity plans in case of a possible staff strike. In order to increase the comprehensiveness of the risk inventory and spread the workload more evenly, the director has enlisted several colleagues into an informal committee. Appointment of a single risk officer dedicated to ERM implementation can avoid these problems.


Committees of Administrators Can Develop Effective ERM Policies if they Remain Small, Avoid Reduplication of Work

At University A, University B, and University D, one or more committees of administrators developed the initial risk inventory and management procedures. As committees typically include administrators from multiple divisions, the risk inventories the committees produce include risks from across the university’s business. Similarly, contacts at University A note that a diversity of backgrounds and opinions leads to deeper understanding of each risk and a more complete mitigation strategy that takes into account how multiple units can contribute to a single risk.

No contact institution developed an independent risk committee to develop ERM. Instead, a standing committee of senior administrators (e.g., the president’s advisory council at University D) or an ad hoc committee of between 10 and 25 administrators oversees the process. Membership includes the president, vice presidents, and deans; University A’s committee also includes associate vice presidents. In general, the membership of ERM development committees at profiled institutions is the same as that of stand-alone risk committees at larger institutions.

The diagram below describes the development of the risk inventory at University D. Committees may rely on a member of the administration and finance division (e.g., business and financial development at University D) to conduct surveys or interviews, which committee members then discuss.

Development of Risk Inventory at University D

1. Risk Interviews: A finance and administration staff member conducts about 20 interviews with vice presidents, deans, and the president, surfacing 125 potential enterprise risks.

2. Independent Risk Committee: An ad hoc committee of academic affairs, student affairs, and advancement staff assesses the risks between June and August using a point-based matrix (see p. 14).

3. Presidential Council: A standing committee of vice-presidents and deans evaluates the committee’s analysis and identifies the top five enterprise risks; these are forwarded to the board.

4. Assign Risk Owners: The risk committee assigns a risk owner to manage each risk. For example, the chief business officer is responsible for minimizing the effects of a decrease in state funding.

Administrators can limit the need for interviews by sourcing risk inventories from peer institutions or purchasing an inventory from a consulting firm.

Avoid Large Committees of More than 25 Individuals to Limit Bureaucratic Inefficiencies

Because most contact institutions employ one administrator to oversee initial ERM policy and inventory development, they have avoided a common problem uncovered in previous EAB research [1]: an unwieldy and overly bureaucratic risk committee. Many larger research universities form committees of 25-50 representatives [2] including both senior administrators and frontline staff. These committees typically make decisions slowly and include an overly broad series of risks in their final risk inventory.

[1] See A Practical Approach to Institutional Risk Management (UBER, 2012)

[2] Ibid.


IV. Improving Risk Identification Procedures

Consultants

Increase Process Efficiency through Consulting Engagements or Peer-Sourced Risk Registers

As university administrators often lack risk management experience, many turn to consultants for help in implementing an ERM policy framework. Additionally, consulting firms generally also offer sample risk inventories or custom risk identification services. Four profiled institutions engaged consultants to help implement ERM; University A, University B, and University E retained Deloitte Consulting and University C engaged Marsh Risk Consulting.

Consultants Provide an Initial Risk Management Blueprint: Proprietary ERM frameworks offered by consultants include suggested policies for risk identification, staffing, unit-level risk mitigation, periodic risk inventory updates, and other factors. Contacts at University C note that pre-made frameworks are helpful if administrators do not have previous risk management experience. However, administrators at University B and University E elected not to use their Deloitte frameworks. Administrators at University B were concerned that use of the proprietary Deloitte framework would lock administrators into further Deloitte engagements in the future, while administrators at University E considered the model overly complex and resource-intensive for a small university.

Consultants Offer Peer-Sourced Risk Inventories but are Costlier than Internal Research: Consultants can help an institution develop its first risk inventory by sharing sample institutional risk inventories from other client institutions. Sample inventories typically include the 20 to 30 most important risks identified by other institutions during previous consulting engagements. However, contacts at University E and University F suggest that consultant-sourced risk inventories may be more expensive than they are worth if administrators can obtain sample risk inventories from other institutions.

If a client wishes, consultants can also interview or survey an institution’s own stakeholders to develop a customized risk inventory; at University B, Deloitte consultants surfaced 120 long-term risks based on their interviews with university staff.

Consultants Add Credibility to an ERM Initiative: Beyond practical advice, consultants can help convince skeptical administrators or faculty that an ERM policy is a valuable investment. Contacts at University A note that Deloitte’s experience with other universities helped convince deans that their colleagues at other institutions had accepted and benefited from an ERM process.

Identification of Unit-level Risks

If Staff Resources are Available, Interviews Offer Better Information than Surveys and Create Buy-In

Though most ERM implementation teams assessed unit-level risks through surveys, several contacts strongly recommend interviews as a superior source of information. In particular, administrators at University B and University E experimented with both surveys and interviews but assert that interviews provide much more detailed information and, in some cases, led to greater enthusiasm for ERM among unit leaders. Face-to-face conversations allow ERM implementation teams to explain the purpose of ERM and respond to resistance from academic deans.


Though interviews are valuable during creation of an initial risk inventory, risk managers may not have enough time to conduct a full series of interviews every time they update the inventory.

Prioritize Risks through a Matrix Evaluating Likelihood and Impact

Across institutions, administrators rank risk priority during a survey or interview through a standard risk matrix. Unit-level managers assign a numerical score to the likelihood a risk will occur and its potential impact – both factors are generally rated on a scale of one to three or one to five. Senior administrators then calculate the product of the two scores to rank the risk on the final register. For example, a risk with a likelihood of three and an impact of five would receive a score of 15. The higher a risk’s score, the higher its position on the risk inventory and the more attention it receives from risk managers.

Administrators can enhance risk prioritization and increase faculty buy-in by assessing risk velocity, accounting for different types of risk impact, and correcting for bias.

Assess Risk Velocity: Though two risks may have identical likelihood and impact, one may materialize much more quickly than the other; this is the risk’s onset speed or velocity. To ensure that administrators consider the higher velocity risk first, administrators at University D include a numerical score for velocity within the priority matrix.

Account for Different Types of Risk Impact: Administrators can build additional buy-in among faculty by accounting for a risk’s impact in multiple areas of the university space. [1] For example, risk managers at one private research university ask staff to separately list a risk’s impact on humans (faculty, staff, administrators), assets, and on the University’s mission. This information satisfies faculty who worry about intangible, unquantifiable costs to the University’s people or its mission. Additionally, risk managers can increase the rigor of each type of impact by listing a definition for each numerical score. For example, a score of “1” for human impact may refer to injuries that are treatable with first aid, while a score of “2” refers to injuries or illnesses that require medical care but do not result in permanent disability.

[1] A Practical Approach to Institutional Risk Management (UBER, 2012)

Ask Staff to Evaluate Likelihood and Senior Administrators to Evaluate Impact in order to Eliminate Bias: Though unit-level staff typically evaluate both the likelihood and impact of a risk, they tend to overestimate the impact of any risks that affect their job duties. Nonetheless, staff have the best understanding of the likelihood of a risk due to their practical knowledge of operations. By contrast, senior administrators may underestimate risk likelihood due to their lack of familiarity with front-line operations; on the other hand, they often have the best knowledge of how a risk will actually affect the institution. Previous EAB research into ERM practices suggests that risk managers can ameliorate these biases by asking senior administrators to evaluate the impact of a risk and staff to evaluate the likelihood.


V. Maintenance of Unit-Level Risk Management Practices

Oversight of Unit-Level Risk

Risk Managers Update Unit-Level Plans through an Annual Survey

Three profiled institutions – University C, University D and University E – have completed risk inventories, prioritized risks, and begun continuous risk mitigation. Typically, a single university risk management officer monitors ERM implementation across the university. [1] The officer nominally reports to a committee of senior executives or the board. Officers typically survey unit-level managers each year to update the risk inventory and track risk mitigation progress; he or she might also conduct in-person or phone interviews at smaller institutions. Afterwards, the officer compiles and analyzes the information and presents the results to senior leadership or the board in a formal report or presentation.

[1] In some cases, this may be the same as the staff members who initially developed the ERM process. See the table on pp. 7-8.

Formalize a Risk Reporting Hierarchy to Encourage Front-Line Staff to Report Risks

Administrators at University C have established a formal risk reporting hierarchy to include new risks in the inventory as they arise.

Risk Reporting Process at University C

[Diagram labels: Unit-Level Administrators (Deans, AVPs, or Directors); Presidential Council; Board of Trustees; Risk Management Office; Risk Surveys; Semi-Annual Report. Caption: New potential risks reported up the hierarchy until they reach the appropriate authority.]

At University C, each employee is expected to report serious risks to his or her supervisor. If the risk is impactful enough, the supervisor will notify his or her own supervisor. If the risk is serious enough, successive supervisors will pass it up to a senior administrator (e.g., a vice-president); the administrator decides if the risk poses a serious threat to the university as a whole and justifies inclusion on the enterprise risk inventory. If so, he or she forwards the risk to the risk management office for addition to the inventory.

The system allows staff considerable flexibility in how they approach risks and ensures that only the most serious risks are passed on to higher-level administrators. However, contacts note that supervisors are not proactive in informing administrators about serious risks. Moreover, rank-and-file personnel may underestimate the impact of a risk entirely. The risk management office supplements the reporting system through semi-annual surveys that assess mitigation progress and surface any new risks.

Academic-Friendly, Syndicated Surveys Encourage Diligent Risk Reporting

To ensure that unit-level managers regularly and completely report new risks and mitigate old risks, administrators should create a single risk assessment and treatment worksheet for all unit managers. Risk managers can also create workbooks that allow senior administrators to categorize risks for new strategic initiatives, risks to the higher education industry in general, or risks to particular programs. A universal risk worksheet or survey also decreases the amount of time required to process and analyze unit-level risk updates.

Academic deans in particular may be unwilling to report all of their risks accurately and comprehensively if they view ERM in an adversarial manner. To create greater buy-in among academics, administrators can add fields describing the potential positive effects of an initiative or project as well as its risks. For example, if the university uses the common “likelihood” and “impact” criteria for risk assessment, the survey can also include likelihood and impact fields describing the positive benefit of the project. As a result, administrators receive an assessment both of the potential benefits and costs of a project. [1]

[1] A Practical Approach to Institutional Risk Management (UBER, 2012)

Limit Board Involvement to Only the Most Serious Risks

Previous EAB research suggests that boards should only involve themselves in the assessment and mitigation of truly systemic and existential risks (e.g., sustainability of university pricing model, declining public perception of degree value); based on EAB review of risk registers at U.S. institutions, these represent between five and 15 percent of risks. The board audit committee should manage these risks as necessary.

Boards should receive periodic updates regarding serious but non-existential institutional risks (e.g., failure to meet enrollment, retention, or liquidity targets) from the university risk manager. The only contact institution that has formalized reports to the board is University C, where updates occur semi-annually. Boards may become impatient without a formal reporting structure; the board audit committee at University A has requested a more rigorous reporting structure for both unit-level risks and risks that concern the board.

Unit-level risks (e.g., regulatory compliance failures, misappropriation of research funds, improper receipt of gifts) are not appropriate for board review. If necessary, unit-level risk owners should coordinate with the university risk manager. At institutions where the risk manager reports to a committee of senior administrators, the committee may also give guidance to the unit-level owner.

Accountability Mechanisms

Unit-Level Managers Are Held Accountable for ERM during Performance Evaluations

Administrators have not linked submission of or progress towards unit-level risk mitigation plans to any formal incentive or discipline system. Instead, senior administrators evaluate unit-level risk management efforts during standard annual performance evaluations. A unit-level manager’s supervisor includes any risk management-related successes or failures along with other general performance feedback. Contacts at University C and University E suggest that this is sufficient to hold unit-level managers accountable and that additional evaluation processes might be excessively expensive and bureaucratic at a small or mid-sized university.

Create a Single Risk Management Owner and Institute an Annual Reporting Requirement

Contacts at University A, University C, and University D advocate a formalized risk management structure to ensure accountability. Administrators at both institutions have struggled to update their risk management inventory and track mitigation progress consistently due to the lack of a single ERM owner. At both institutions, a director-level staff member works part-time on ERM; neither has hired a formal director of risk management. A risk management director is more likely to have the time and experience to encourage unit-level risk owners to write a plan, follow it, and send regular progress updates. Although University A will soon allocate ERM duties to a new director of planning and analysis, the director may not have enough time to manage ERM effectively.

The university risk manager should require units to report annually on the progress they have made towards their risk treatment plans. The risk manager, in turn, should distill any important information (e.g., new risks, major progress towards risk treatment) into an annual report to a standing executive committee or the board.

Align Resource Allocation and Risk Management

Previous EAB research suggests that administrators should aim to reallocate unit budgets based on risk, though no profiled institutions have yet done so. Administrators at one Canadian institution have integrated strategic planning, risk management, and resource planning functions to guide funds towards strategic goals. The integrated planning and budgeting office reports potential risks to senior administrators as administrators attempt to align each year’s budget with strategic priorities. Though combination of risk management and resource allocation requires extensive reconfiguration of the finance and administration division, it represents the most comprehensive integration of ERM into the university.

Integration of Strategic Planning, Risk Management, and Budgeting at the University of Alberta

Strategic Goal: Increase international enrollment to 15 and 30 percent of the undergraduate and graduate student bodies, respectively.

Risk: University lacks an “international-friendly” web presence and lacks seamless integration of application, acceptance, and payment.

Budget Response: Re-allocate $3.5 million to redesign the university web presence, including the registrar’s webpage.