
Business Officer Magazine

Learning to Harmonize

To manage for potential threats, Emory University worked from the most basic operational level upward to fine-tune a strategy that’s now part of its overall planning process.

By Shulamith Klein, Michael Mandl, and Stephen Sencer

ERM's Emergence

The ERM process began at Emory when a number of developments, some national in scope and others unique to our campus, focused attention on corporate governance. On the national level, notorious corporate governance failures such as Enron and WorldCom had heightened scrutiny of all large corporations, including nonprofits. In addition, several higher education institutions had been publicly criticized for failing to handle adverse events effectively, with the allegedly inadequate response gaining as much or more attention as the underlying event.

At Emory, a new executive team—the president, provost, and executive vice president for finance and administration arrived within the same year—was developing a comprehensive strategic plan and launching a capital campaign. Senior leadership wanted donors and other stakeholders to be confident that Emory was a worthy investment. Furthermore, Emory's leaders wanted a set of principles and practices in place to ensure adequate financial controls and to guide the university's response to adverse events.

As it happened, the chair of Emory's audit and compliance committee, a bank executive, was familiar with ERM's merits. His portrayal of ERM appealed to Emory's president, an engineer by training who was attracted to ERM's systematic approach to a historically intuitive exercise, and to Emory's executive vice president for finance and administration, who focused on unanticipated events that could hurt the university's effectiveness. Both believed that ERM would provide immediate and tangible value to Emory, and they asked a team of administrative leaders to create a process.

Because ERM is relatively new to higher education administration, we couldn't find an off-the-shelf product to incorporate into Emory's practices. (For more about ERM, see "Ensemble Performance.") A literature review—including Committee of Sponsoring Organizations of the Treadway Commission (COSO) materials, white papers, and material available on the Internet about other higher education ERM practices—revealed that many models exist for ERM. None of these sources, however, nor the several consultants eager to ply their trade, provided an existing protocol that Emory felt would result in a practical yet substantive ERM process conducive to widespread involvement and organizational ownership.

We did, however, have a clear idea of what we wanted ERM to accomplish, which we captured in a set of five objectives. First, the ERM process should identify the risks, particularly those that could significantly interfere with Emory's mission. Second, it should assess the major risks, identify vulnerabilities, and help management decide either to accept the existing risk level or invest additional resources to mitigate it. Third, it should detail a plan for operational and communication responses to potential adverse events. Fourth, it should build processes to implement these plans. Finally, ERM should help eliminate surprises.

Building an ERM Team

A university environment does not generally lend itself to top-down instructions, and an ERM process that dictated, rather than persuaded, could have been a waste of time. Moreover, if the initial goals were too abstract, ERM would fail to garner the broad support needed to have a significant impact. In an effort to engage as many people as possible in a productive manner, we created an ERM organizational structure with each group having distinct and clearly defined roles and deliverables:

  • An ERM executive committee, chaired by the president and consisting of senior executives, including the CEO of Emory Healthcare, which sets the general direction and reviews the entire range of risks facing Emory.
  • An ERM steering committee, consisting of operational vice presidents and other senior administrators, which is the central coordinating body for the ERM process.
  • Eight ERM subcommittees, each consisting of a handful of administrators organized around subject matter areas—academic and student affairs, campus safety and physical plant, finance and investment, governance and corporate affairs, health care, human resources, information technology, and research—whose members identify, analyze, and communicate about risks in their respective areas.

The steering committee, whose members have broad exposure to the range of risks facing the institution, was the core working group that led the development of the ERM process. Relying on a group of senior administrators rather than one individual or office was an effective decision, so that ERM did not become the "turf" of a single department. Shared ownership and accountability motivated the entire committee to produce.

Getting to Guiding Principles

Setting the right tone about Emory's tolerance for risk was critically important. With the teams in place, the first step was to agree on a set of guiding principles. After several iterations, the principles emerged, beginning with a general statement about risk:

Risk, in one form or another, is present in virtually all worthwhile endeavors. We recognize that not all risk is bad and our goal is not to eliminate all risk, for by doing so we would cease all productive activity. Rather, our goal is to assume risk judiciously, mitigate it when possible, and prepare ourselves to respond effectively and efficiently when necessary.

This attitude was liberating. Many administrators assumed that executive leadership wanted to eliminate risk, an assumption that raised unneeded bureaucratic obstacles. By starting the process with a declaration that not all risk is bad, the guiding principles changed the tone of risk discussions.

In addition, the principles contain several operational commands, the most important of which address how Emory deals with adverse events. Again, this required balancing various pressures. Among the key principles:

  • All individuals are empowered to report problems and concerns early on, without fear of retribution.
  • Investigations of adverse occurrences, complaints, and concerns are conducted with integrity and continue until the fact-finding process is concluded.
  • Communication with the campus community and the public at large is proactive, honest, and respectful of individual privacy.

Assessing the Risks

Next, we conducted a risk assessment. The search for an existing generic list of risks facing higher education institutions was fruitless. (In hindsight, this may be attributable to Emory's initial focus on operational risks.) Our philosophy was to start with the university functions and work up toward strategic analysis. ERM literature often takes the opposite approach, encouraging an initial engagement at the strategic level. Concerned that such an approach would be too abstract, Emory decided to stay with the bottom-up approach.

Each of the ERM subcommittees was then asked to brainstorm and develop a list of every risk within its domain, ranked as to likelihood of the adverse occurrence and severity of the harm should the event occur. Groups were instructed not to worry about overlapping risks and to think expansively with the knowledge that others—the ERM steering committee—would weed out duplications. With that instruction, the subcommittees identified some 555 risks, each of which was rated on a four-point scale for both severity and likelihood.

Initially, that number was daunting, but close examination revealed duplications as well as efforts to draw unnecessary distinctions. "Breach of confidentiality" in its many forms is a good example of what came to be known as the "taxonomy" challenge. The risks on a university campus do not fall neatly into buckets; our subcommittees identified several "species" of confidentiality breaches. At the "genus" level, so to speak, a breach of confidentiality might be described as any unauthorized release of confidential information and could occur in many environments (such as health care, research, or student records). At the "species" level, however, an administrator charged with managing a potential breach of confidentiality knows that the seriousness and consequences may be very different depending on the cause and context.

Understanding the need to balance these taxonomic challenges, the steering committee culled through the list, eliminating duplicates and editing descriptions for consistency, reducing the list to 141. The committee then reassessed the frequency and severity of each risk. Doing so, we found that giving equal weight to both likelihood and severity inaccurately skewed the rankings, as it overrated risks that are certain to occur yet have a moderate impact to the university, and underrated risks that are unlikely to occur yet would have a catastrophic impact.

For example, petty theft happens frequently and is a problem we would like to eliminate, but its impact on the university will never be crippling. Conversely, an influenza pandemic is unlikely but would be catastrophic. Because the latter is more critical for ERM purposes, a multiplier was applied to the severity factor.

A list of 141 risks, however, was considered too cumbersome, so we shared only the top 50 risks (as ranked through the frequency and severity analysis) with executive leadership, who fortunately found little to change. Had there been glaring omissions or perceived overinflation of risks, the process itself would have become suspect and ERM as a tool would have lost credibility.

A Detailed Analysis Plan

Once we had the list of key risks, the difficult part began. For the process to work, we needed a written analysis of each risk; without a written document, it would be too easy to avoid difficult issues. But the steering committee was hypersensitive about asking administrators to engage in internal memo-writing without solid justification. Instead, we developed a process that combines a written analysis with a face-to-face dialogue between the authors of the analyses and the ERM executive committee.

First, we identify a risk management process owner for each risk. The RMPO (an acronym that entered the Emory lexicon) is defined as the person on campus "sufficiently familiar with the risk and best positioned to execute a comprehensive risk management plan." Notably, an RMPO is not necessarily the "owner" of the risk, in that often the RMPO may not have operational responsibility with respect to the risk.

Second, we instruct each RMPO to prepare a risk management plan of no more than two pages. The plans follow a template that describes (1) the risk, its components, and examples; (2) the steps being taken to manage the risk at an acceptable level; (3) the operational response to an adverse occurrence; and (4) the communication response to an adverse occurrence. We decided to limit plans to a rigid format, recognizing that if left open-ended, some were likely to be lengthy yet still fail to answer the key questions.

Effectively selling the ERM concept to the RMPOs and asking them to prepare risk management plans was crucial; without buy-in from the RMPOs, the process would flounder. Our president became our chief advocate. He conducted the first meeting, introduced the ERM concept and details, and demonstrated that he understood and valued the process. His grasp of the small details convinced the RMPOs that the process had his support and, perhaps more to the point, that their failure to fulfill obligations would come to his attention.

Third, face-to-face dialogue occurs with presentations to the ERM executive committee—effectively, the president's cabinet—at least once a year. Groups of similar risks are presented at the same time in quarterly "risk hearings," each about three hours in length. Each risk is allotted one PowerPoint slide and five minutes of presentation, followed by five minutes of questions and answers. Rigorous enforcement of that rule allows 12 to 15 risks to be presented at each sitting and allows all 50 risks to be covered in four quarterly sessions.

The first risk hearing was devoted to the subject area of campus safety and physical plant. We selected this topic because the Virginia Tech tragedy was still a fresh memory, and, as expected, there was frank discussion about Emory's preparedness and our processes for preventing such an event. Student mental health and related possible violent acts are a prime example of the need for ERM.

Preventing a tragedy from occurring requires groups from across the enterprise—the institution—to collaborate. At Emory, the ERM process generated a threat assessment team, with representatives from law enforcement, student affairs, public relations, general counsel, student mental health, and others, who meet regularly for confidential review of potentially threatening circumstances. That sort of collaboration has traditionally been a challenge for the decentralized university, and ERM facilitates a mechanism for crossing departmental "silos."

The risk hearings are the most effective part of the entire process. For executive leadership, it is an opportunity to learn about a range of risks, assess them in relation to each other, and probe weaknesses or strengths unmediated by intervening managers. For the RMPOs, it is a chance to have the ear of the president and his senior advisers on an issue that the RMPO knows best and typically deals with on a daily basis.

Fourth, at the conclusion of each risk hearing, the executive committee identifies any gaps between Emory's risk tolerance and our current status with respect to specific risks. From this information, RMPOs are directed to prepare an action plan for closing the gaps that they will present to the committee at the next meeting.

Finally, we periodically re-evaluate the list of risks. Inherent in the ERM framework is the recognition that priorities change over time; therefore, the risks are expected to shift in response to changes in the operating environment.

A Process for Sharing Knowledge

Emory's ERM process development has been a learning experience. The lessons we have learned likely have value to any higher education institution attempting a similar process.

  • We found it necessary to repeatedly explain ERM. Administrators make decisions that involve risk every day, so incorporating risk in the analysis is not a new concept, and it can be insulting to suggest to an experienced administrator that considering risk in an institution's decision making is a novel idea. Our approach was to implement a process that had immediate benefits and that involved specific inputs from various individuals. We set reasonable expectations, and people were involved in ways that made sense to them.
  • The ERM literature has its share of "consultant-speak." We made a significant effort to translate ERM to an audience with limited time and energy to devote to an enterprisewide initiative. Clear instructions, requests for specific deliverables, and the use of templates were helpful. Even if people did not grasp the concept initially, they understood their personal obligations.
  • Because we were asking for a significant commitment from many across the institution, the president's active involvement was critical. Everyone knew that the president was enthusiastic about ERM and was expecting results.

Emory's ERM process primarily focuses on operational risks and does not attempt to replace the valuable strategic planning processes that Emory, like most other higher education institutions, engages in regularly. Indeed, campus leaders can overemphasize strategic planning at the expense of the critical day-to-day operations. Failure to attend to the latter—and to manage the risks inherent in those operations—can disrupt in an instant the most carefully constructed strategic plan. ERM at Emory plays an important role in sharing knowledge about specific operational risks and collectively developing and communicating an appropriate risk tolerance.

SHULAMITH KLEIN is senior director, Office of Risk and Insurance Services, Emory Healthcare and Emory University, Atlanta. MICHAEL MANDL is executive vice president and STEPHEN SENCER is deputy general counsel at Emory University.