Team Approach Strengthens ERM Efforts
Spotlight: Research Universities, from "Business Briefs" department in February 2010 issue of Business Officer
By Kerry Kahl
At the University of Washington (UW), Seattle, we've found that two heads are better than one when it comes to developing and implementing an effective enterprise risk management (ERM) program.
Like many other colleges and universities, we've developed a risk assessment model based on Committee of Sponsoring Organizations of the Treadway Commission (COSO) guidelines. To move forward with this established framework for approaching ERM, we put together an advisory committee of senior institutional leaders. The group was charged with identifying risk topics for assessment based on recommendations from the vice president for finance and the dean of UW's largest college, arts and sciences.
Committee members include the provost, several deans and vice presidents, and faculty and student leaders. The committee began by focusing on internal controls and identifying risk topics as diverse as student safety, IT security, cash handling, pollution, asbestos, technology investments, and study abroad programs.
Putting Teams on Task
While the committee focuses on prioritizing each year's broad risk-assessment topics, the campus staff are actually closer to the day-to-day activity in each particular area and better able to assess specific risks and report back to the committee.
The committee identifies risk “owners” to lead assessment teams for particular topics. For example, the head of environmental health and safety leads assessments for occupational health and safety, pollution, and asbestos. Other stakeholders are invited to join teams based on their knowledge and experience in the particular risk area.
ERM staff orient the assessment teams to the ERM cycle and assessment process. We also provide the teams with template documents to record the results of their work. That allows us to maintain consistent reporting, and use standard rating scales to compare the top risks from each assessment across the institution.
The teams then begin their work. For example, the assessment team looking into pollution risks identified vulnerabilities in the areas of compliance (indoor air quality, chemical use, and contaminated soil), finance (citations and fines), operations (permits and licenses, security, and workspace), and strategy (investing in sustainable business practices). They wrote specific risk statements, then continued through the ERM cycle to analyze and rank each statement.
Effective Group Efforts
Since the committee's formation in 2006, we've convened 20 such assessment teams. We've seen two benefits with every ERM group:
- Teams “get it” about their areas of expertise. That makes this approach simple and easy to apply.
- It is a neutral process. No matter how divergent team members' views are on the risk topic, everyone contributes to the list of risk statements in a matter-of-fact way; ratings are anonymous; and each individual's professional judgment is valued equally in the combined ratings of “likelihood” and “impact.”
The first few assessments were challenging as we learned to define the scope of each risk topic and develop standard steps to guide each team through its unique assessment work. Establishing standard rating scales and templates for reporting has made it easier to repeat the assessment process as new risk teams come on board.
For more information, you may contact me at the University of Washington.
SUBMITTED BY Kerry Kahl, senior director, enterprise risk management, University of Washington, Seattle