Strategy to Implement Enterprise Risk Management Programs at Colleges and Universities
By Betty J. Simkins, PhD, and Keri Dawson
“Colleges and universities have traditionally perceived themselves as substantially different and separate from other for-profit and not-for-profit entities, and the “outside world” has historically viewed and treated them as such. Today’s risk managers know all too well what others in higher education administration are coming to realize: in addition to an increased focus on, and accountability for, student safety and welfare, colleges and universities face many of the same pressures and exposures to risk as those in the corporate world.” …. Anne E. Lundquist (2011)1
Even though colleges and universities have been traditionally perceived as different from other commercial entities, the fact remains that the risks they face are very similar to those in the corporate world.
Most universities, like corporate organizations, have implemented risk management initiatives in a decentralized manner. The various internal units function independently and are not always coordinated in their approach to address risk issues. This lack of a cohesive Enterprise Risk Management (ERM) program could hinder business performance.2
To help avoid such a scenario, this article explores how universities, like corporate organizations, can build a more integrated and effective ERM program that drives value for stakeholders, reduces the cost of risk and helps achieve strategic objectives. It draws lessons from corporate organizations to demonstrate the benefits of a university-wide risk management program, best practices in building such a program and the role of technology in doing so.
ABOUT THE AUTHORS
Betty Simkins, PhD, Williams Companies Professor of Business and Professor of Finance, Oklahoma State University. Dr. Simkins conducts research, teaches and consults in the areas of enterprise risk management, risk management and energy finance. Keri Dawson, VP Industry Solutions and Advisory Services, MetricStream. Ms. Dawson leads the integration and continued growth of MetricStream’s cloud-based content and consulting services.
THE IMPORTANCE OF A UNIVERSITY-WIDE RISK MANAGEMENT PROGRAM
Let’s take a quick look at the corporate world. Today, most organizations are bound to have a risk governance program in place to ensure that they are compliant with regulatory requirements and to protect the interests of stakeholders. However, the recent financial crisis has led to greater governmental concern, monitoring and regulation around managing risk in corporations. The need for improved risk management has never been greater. In fact, organizations with better risk management strategies are known to have better value.

The hallmark of an effective risk management strategy is the ability to take a holistic view of risks across the enterprise and link it with corporate governance. That’s where ERM becomes important – it helps organizations achieve top-level oversight into risks across the enterprise and leverage this risk intelligence in strategic decision-making, as discussed by Fraser and Simkins (2010).3

Despite this advantage, ERM was not always a top organizational priority. The traditional approach to managing risks was more fragmented. Most units in an organization looked at risks in silos. Their focus was narrow and mainly on insurable risks like market risk or credit risk.

14 COLLEGE & UNIVERSITY AUDITOR
The newer and more effective ERM paradigm is more integrated and comprehensive. It enables the senior management and board of directors to have greater oversight of risks and build a strong risk awareness culture. Risk management is seen as an ongoing process that requires all business units to be involved. Visionary organizations that have adopted this approach to ERM as an integral part of their business processes and strategy are reaping significant benefits.

An ERM survey conducted by the Conference Board of Canada has indicated that ERM can be used to enhance corporate governance and the board’s confidence in management. It can also help generate risk intelligence to drive improvements in corporate performance and reputation.4 Other research5 demonstrates that ERM adds significant business value. In the Conference Board of Canada survey, 98 percent of respondents indicated that ERM provides organizations with a “higher ability to anticipate and respond to risk events, thereby mitigating the downward variability to stakeholders.” The survey also found that ERM shows promise as a mechanism to increase employee engagement.

Similar benefits can be realized from an ERM program in universities. For instance, ERM can reduce the cost of risk and thereby help achieve strategic objectives. To explain in a little more detail, the cost of risk is defined as the total cost of losses, risk control costs and finance and administration costs associated with risk management. The implementation of an enterprise-wide risk management program is viewed positively by credit rating agencies, which in turn has a positive impact on the university’s credit rating. A higher credit rating translates to better interest rates and, therefore, a reduction in the interest costs borne by the university on loans.

The key to achieving these benefits is to realize that, like corporate organizations, universities must stop approaching risks in an ad hoc and fragmented manner. An integrated, enterprise-wide risk management program with top-level oversight is critical if universities want to successfully manage, anticipate and mitigate their risks.

IMPLEMENTING A SUCCESSFUL ERM PROGRAM
ERM in a corporate organization invariably requires a change in enterprise culture. The ERM program needs to be championed at the highest level.
ERM Best Practices Outlined by the Association of Governing Boards of Universities and Colleges
• Define risk broadly
• Recognize both the opportunities and downsides of risk
• Develop a culture of evaluating and identifying risk at multiple levels
• Look at the total cost of risk
• Boards and presidents should collaborate
(Source: Enterprise Risk Management: Best Practices for Boards, Presidents, and Chancellors – http://agb.org/sites/agb.org/files/u3/AGB_UE_bestpractices.pdf)

In a university, there are no easy steps for the implementation of such a program. But a good thing to do is to study ERM best practices in the industry (see box above) and use the ERM Six Step approach, which is discussed in greater detail below.

1. Risk identification – Identify all risks
Universities need to look at risks in a broad and strategic manner to ensure that nothing is overlooked.

2. Risk assessment – Quantify critical risks
After all potential risks have been identified, the university should hold a vote among senior management to arrive at the top 10 risks. Voting can be done using the Delphi method wherein a group decision-making process is conducted anonymously, thereby removing the possibility of voters influencing the outcome. Voting on risk helps prioritize risk. But the more important step is to quantify risks in terms of their impact and likelihood or probability of occurrence. This will enable the university to determine the most appropriate risk mitigation strategies, in line with their risk exposure.

3. Risk analysis – Define interrelationships among all risks
There is a definite relationship among risks, and stakeholders have to be aware of the impact of these interrelationships across the university. The probability of risk occurrence and the quantification of its impact have a key role to play in the analysis.
4. Implementation – Implement risk controls and risk responses
The implementation of risk controls and responses is dependent on the university’s ability to absorb potential risk losses and track the costs and benefits associated with managing such risks. Identifying the probability and impact of risks helps in forming an enterprise risk map. After forming the risk map, the necessary controls and risk responses can be implemented.

5. Monitoring – Gather risk information
Monitoring risks is an ongoing activity. It is important to remember that risks are not static. The magnitude and probability of risks are dependent on risk mitigation initiatives as well as external factors. Therefore, there has to be an ongoing process to assess risks and their impact throughout the university.

6. Evaluation – Compare risks to the strategic plan
It is critical to evaluate the significant risks facing a university and to see how they fit in with strategic objectives. Since it isn’t possible to avoid all risks, a better option would be to identify the key risks and assess them so that the university is well-prepared to handle the eventual impact.
In summary, universities should ensure that they have a continuous and ongoing process of risk identification. The risks identified should be ranked in order of importance based on parameters such as risk severity, probability, frequency and bottom-line impact. Universities should then implement a robust, enterprise-wide risk management program that is fully backed by the senior management.
THE ROLE OF TECHNOLOGY IN EFFECTIVE ERM
Technology can help universities build a truly robust, sustainable and holistic ERM program. It can also help in simplifying and strengthening ERM processes such as capturing risk likelihood and impact, performing risk-control assessments, mapping risks and controls to regulatory mandates and providing real-time oversight into overall risk exposure. Achieving these objectives requires moving away from decentralized, point solutions (e.g., spreadsheets, email) toward a more unified and sophisticated ERM framework. Below are the key capabilities and benefits of such a framework:

Brings together all ERM processes, entities and data in a single point of reference
A unified framework is capable of integrating all risks (e.g., IT risk, reputation risk, audit risk) in a single system for greater risk oversight. It is also able to consolidate all ERM processes – including risk and control self-assessments, compliance management, policy management, Key Risk Indicators (KRIs) monitoring, capital allocation and reporting – in a common, scalable infrastructure. This kind of centralized ERM framework provides multiple benefits. It strengthens risk transparency and accountability, standardizes risk language across the enterprise and breaks down risk silos to facilitate real-time collaboration and communication.

Provides a centralized data model to strengthen risk transparency
One of the key benefits of technology – especially an advanced system – is its ability to map risk data to compliance regulations, as well as business functions and processes, controls, control tests, issues and action plans, KRIs and other critical data. This integrated mapping model helps universities gain a truly comprehensive and in-depth picture of their risks, which in turn helps senior management make more informed and risk intelligent strategic decisions.
Streamlines ERM processes
Technology can enable a systematic, workflow-based approach to the full range of ERM processes – right from risk scoping and documentation, to risk process mapping, risk-control assessments, risk mitigation, risk monitoring and risk reporting. This kind of streamlining significantly improves the efficiency of ERM processes and helps minimize redundancies.

Tracks regulatory intelligence
Since ERM processes are closely linked to regulatory requirements, an ERM technology framework should be able to monitor changes and updates across relevant regulations. One of the ways of doing so is by integrating the system with regulatory sources and feeds to filter information and route it to the responsible personnel. Workflows also need to be triggered to manage regulatory impact analyses, compliance reviews and control assessments and updates.

Built on enterprise-ready architecture
A truly advanced ERM technology system is enterprise-ready – configurable, reliable, scalable, extensible and user-friendly. It integrates with other enterprise applications to push and pull relevant risk data. It is also able to streamline ERM workflows, automate reporting and analytics, provide robust security mechanisms and offer relevant content such as industry standards and ERM best practices to help universities derive maximum value from their ERM program.
CONCLUSION
The key to effective ERM in universities is to keep it simple but sustainable, ensuring a continuous and ongoing process for the review of risk. It is also important to ensure that the ERM objectives within the university have a broad buy-in and are aligned to operations and strategy across business units. A robust ERM program along with good governance and oversight will assist universities in managing risks effectively and have a positive impact on business performance.
1. “Enterprise Risk Management in Higher Education: A Review of the Literature Reveals What We Know (And What We Don’t)” by Anne E. Lundquist, University Risk Management and Insurance Association (URMIA), 2011.
2. Refer to “The State of Enterprise Risk Management at Colleges and Universities Today,” Association of Governing Boards of Universities and Colleges, 2009.
3. See Enterprise Risk Management: Today’s Leading Research and Best Practices for Tomorrow’s Executives, Edited by John R.S. Fraser and Betty J. Simkins, John Wiley & Sons, Inc., January 2010.
4. See Improving the Value of Enterprise Risk Management to Help Manage Corporate Reputation, Daniel Rogers, Betty Simkins, Karen Thiessen, Conference Board of Canada Research Report, October 2010, Publication 11-085 and Enterprise Risk Management: A Review of Prevalent Practices, by Joseph Rizzi, Betty Simkins and Karen Schoening-Thiessen, Conference Board of Canada Research Report, January 2011, Publication 11-165.
5. “Does Gender Diversity on the Board of Directors Improve Risk Governance?”, Betty J. Simkins, Ilene H. Lang and Heather Foust-Cummings, Risk Watch, January 2012, 14-17.