Risk Assessment Reaches a New Level
The University of Missouri System is taking a top-down approach to enterprise risk management, focusing on large-scale institutional risks and opportunities.
By Natalie Krawitz, Nilufer Joseph, and Ed Knollmeyer
Not long after Gary Forsee, former chief executive officer of Sprint Nextel, was appointed president of the University of Missouri System in February 2008, he charged the vice president for finance and administration with the task of studying how the university might approach enterprise risk management (ERM). As a system of four distinct research universities, with a statewide land grant mission and a health system with owned hospitals at its campus in Columbia, a primary challenge for the university was how to approach ERM without creating a new and expensive organizational structure at a time of serious constraints on resources. To develop an ERM plan, the vice president for finance and administration enlisted the help of the university's director of financial services and director of risk and insurance management.
Learning From Others
Our first step, which we took in fall 2008, was to ask corporate friends for information about how they had approached, developed, and implemented their ERM programs. Specifically, we were interested in best practices and lessons learned from organizations with multiple locations and large numbers of customers. We interviewed ERM directors at Sprint and electric utility provider AmerenUE and also visited with Brian Kinman, PricewaterhouseCoopers' practice leader for corporate ERM.
One observation we made early on is that ERM in the corporate sector is often located managerially in the treasury function. This is consistent with the corporate focus on managing risk to achieve performance and profitability targets and prevent loss of resources. This approach concentrates on assessing and mitigating strategic risk and its impact on stakeholder value.
Among the good ideas and lessons we learned from the corporate models were the following:
- The importance of the "tone at the top" (i.e., support from the CEO) and the idea of forming an oversight committee or executive leadership team representing all areas of the organization. The leadership at this level enables appropriate visibility, provides for ongoing active discussion about risk, and identifies the top strategic risks of the corporation.
- The value of second-tier committees, consisting of risk "owners" from key areas of the organization, in assessing the risks for which they have responsibility. These representatives from areas such as internal audit, corporate governance, corporate security, legal, and business continuity also coordinate strategies to mitigate risk and are responsible for managing the status of each risk.
- The usefulness of risk matrices, or "heat maps"—visual means for evaluating the severity and probability of occurrence of each risk. Each organizational segment evaluates its risks using such a heat map. The oversight committee uses these matrices to identify risks that overlap and to rank the risks in order of their broad significance across the organization.
Some of the tools and techniques we plan to use at the University of Missouri are modified versions of what we gleaned from our corporate sector review.
At the same time as we looked to the corporate world for examples, we also reviewed approaches taken by higher education institutions to understand how ERM was similar to, yet different from, their other risk management initiatives. We discovered a range of ERM approaches. For instance, some institutions have opted for low-tech solutions, relying on meetings and training classes, while others have adopted data- and technology-intensive models.
Like many higher education institutions, the University of Missouri already has a number of risk management initiatives in place. Included are internal audit, pre- and post-award research compliance, institutional review boards for human and animal subjects research, the office of risk and insurance management, environmental health and safety, campus police, conflict of interest committees, and crisis management committees. The challenge for us, as for many institutions and systems, is how to leverage all these into an integrated ERM program.
Reviewing Standard Models
Several ERM standards and models are in wide use today (see examples in the December 2008 issue of Business Officer, described in the articles "Ensemble Performance" and "Learning to Harmonize"). These include the Australian model and the Standard and Poor's standard, which applies to insurance companies and pools. The most recognized ERM model is the enterprise risk management framework, developed in 2004 by the Committee of Sponsoring Organizations (COSO) and adopted by institutions such as the University of California, Texas State University, and University of Texas systems.
As outlined in COSO's executive summary, "Enterprise Risk Management-Integrated Framework," ERM is:
- A process, ongoing and flowing through an entity.
- Effected by people at every level of an organization.
- Applied in strategy setting.
- Applied across the enterprise, at every level and unit, and includes taking an entity-level portfolio view of risk.
- Designed to identify potential events that, if they occur, will affect the entity and to manage risk within its risk appetite.
- Able to provide reasonable assurance to an entity's management and board of directors.
- Geared to achievement of objectives in one or more separate but overlapping categories.
The COSO framework (available at www.coso.org) is a robust, detailed, data- and technology-driven, people-intensive framework. It provides a multileveled, often bottom-up, process-oriented model for evaluating risk at all levels of the organization. While it can provide comprehensive data analysis and foster a high degree of accountability, it can be quite complex, not very user-friendly, and more challenging to effectively communicate to all levels of the organization. The danger with a model like COSO is that an institution can potentially find itself identifying hundreds of risks, yet struggling to prioritize them. (A task force at Maricopa County Community College, Tempe, Arizona, identified 80 risks; using information from stakeholder interviews, the University of California developed a list of more than 550 possible leading indicators of risk.)
Recognizing these issues, we decided to take a more customized approach, factoring in what we'd learned from our investigations.
Designing Our Approach
At the University of Missouri, we have chosen a more top-down, broad-based approach, focusing on large-scale institutional risks and opportunities. In many ways, this is similar to the corporate approach. Specifically, we've decided to view ERM in the context of the five areas of risk that can affect the organization's ability to meet its objectives: strategic, financial, operational, compliance, and reputational. We recognize that the aforementioned risk categories exist in a certain hierarchical structure for the university, with the overarching reputational risk being driven by the other four contributing risks. (See Figure 1 for a visual depiction of the risk hierarchy.)
Our goal is to develop an ERM program for the university that will embed the concept of "management of risk" into the overall strategic planning processes, break down traditional silos, and unite separate initiatives under a common umbrella. While corporate ERM programs focus on events that could potentially jeopardize stockholder value, the focus of the university's ERM program will be on those events that can have a significant impact on the institution's ability to carry out its missions of teaching, research, service, and economic development. Examples might include:
- Significant changes in state support or student enrollments.
- Extraordinary financial market downturns that decrease funding available for scholarships and significantly increase required contributions to benefits programs.
- A pandemic that would affect our students, faculty and staff, members of the local community, and our owned hospitals and clinics.
Central to the University of Missouri ERM framework is an advisory committee. The ERM advisory committee will be a standing committee, with membership appointed by, and reporting directly to, the president. It will include senior officials from across the university. The advisory committee will review the large-scale risks for the university and serve as a strategic body responsible for developing and managing a comprehensive University of Missouri integrated ERM plan. Less significant risks will continue to be the responsibility of operational, functional, and risk management units throughout the university. In addition to the ERM advisory committee, risk coordinator committees will be designated for each identified large-scale risk. Each of these committees will serve as a strategic body responsible for developing and managing a comprehensive plan for each designated large-scale risk. (See Figure 2 to view the ERM organizational structure for the University of Missouri.)
Developing Tools to Determine Risk
The use of a heat map or risk matrix is an example of how the university plans to adapt corporate best practices into its ERM program. We looked at a variety of heat maps cited in the literature, ranging from those used in higher education, such as the one in use at Maricopa County Community College, to those employed by the public and private sectors. Some were too simplistic, offering only four quadrants, which we felt gave far too little flexibility. Others, patterned from the COSO model, were far too complex, relying on risk footprints and multilayered, detailed risk maps. What we've arrived at is a model that is simple to understand but will provide enough flexibility through an increased number of variables.
A second tool that the university plans to use is a risk ratings calculator that will enable us to combine an analytical, quantitative approach with the qualitative heat map in order to rank risk. The calculator, based on a similar tool used by AmerenUE, assigns a numerical value to both the probability and the impact of each risk. As a prioritization tool, the calculator allows us to assign an overall value to each strategic risk.
An illustration of the calculator and risk maps (see Figure 3) shows, for example, that if Risk A has a 50-50 chance of occurring within the next three years and carries an estimated negative financial impact of $10 million to $25 million, the probability score for Risk A would be 4 and its impact score would be 3, with an overall risk rating of 7.7. Risk B, on the other hand, has a 15 percent probability of occurrence during the next 3 to 10 years and an estimated negative financial impact of $25 million to $75 million. Risk B would have a probability rating of 3 and an impact score of 4, with an overall risk rating of 8.8. Therefore, Risk B would have a higher priority based on its risk value.
Test-Driving Our Plan
Currently the University of Missouri ERM plan is in the final stages of design. The next step is to test the design this summer with a broad-based group of representatives from each of our campuses and to identify the members of the ERM advisory committee. Through a 90- to 180-day pilot program, targeted for fall 2009, the university will then seek to perfect the model.
The pilot should help identify and address any issues with regard to:
- Degree of synergy developed by using an integrated systemwide approach versus a campus-based approach.
- Optimum size and composition of the risk coordinator committees.
- Tools and process used to evaluate and rank risks.
The ultimate challenge will be to develop an ERM program that achieves the goal of identifying and mitigating large-scale risks while minimizing administrative bureaucracy and added cost.
NATALIE "NIKKI" KRAWITZ is vice president for finance and administration; NILUFER JOSEPH is director of financial services; and ED KNOLLMEYER is director of risk and insurance management for the University of Missouri System, Columbia.
NACUBO RESOURCE For additional ERM articles and resources, visit NACUBO's resource page for Business and Policy Areas.