NACUBO

Business Officer Magazine
Risk Recognition

Their experience in enterprise risk management has led some campus administrators to establish a four-step assessment and monitoring process. Such deliberation helps ready institutions for self-identified vulnerabilities.

By Janice M. Abraham

Early adopters of enterprise risk management (ERM) brought this practice to their campuses in the early 2000s and sometimes stumbled as they worked through the first step: identifying risks across the enterprise. In the process, these leaders assembled campus groups that developed voluminous lists articulating myriad potential events, the scenarios of which "kept administrators up at night."

While the identification of potential risks was comprehensive, and addressed the complexity and evolving nature of colleges and universities, the ERM process collapsed under the very weight of the lists. Administrators became so inundated with frightful possibilities that their efforts became diluted and scattered; they were unable to find a path forward. In the confusion, they failed to address the subsequent and most important steps—assessing impact, developing responses, monitoring risk areas, and so forth. In the end, most business officers and risk managers, eager to start an ERM process, were left with lists and no action plans.

Fast-forward through the financial crisis, and we see that those early adopters have fine-tuned the process, shared best practices, and now have ERM policies and procedures that engage the campus, from the board of directors to individual departments.

Typical Risk Register for a University

The following list of potential risks and vulnerabilities is common among colleges and universities:

  • Adequacy of financial resources/business model.
  • Information technology infrastructure, systems, and support not maintained or upgraded.
  • Age and condition of facilities and physical plant infrastructure.
  • Recruitment and retention of top personnel.
  • Individual and institutional conflict of interest, employee misconduct, regulatory noncompliance.
  • Student behaviors/mental health.
  • Execution of strategic plan.

For example, Whitman College, Walla Walla, Wash., where I serve as a trustee, has drilled down into its Clery Act reports and is now better able to understand the trends for sexual assaults on campus. The chief business officer can be a useful partner to student services staff and Title IX coordinators to help analyze data (without revealing any confidential student information), so that campus leaders can identify potential correlation or causation as it relates to location, the characteristics of students involved in complaints, and the timing of the incidents. By using this analysis, campus leaders can better allocate training and prevention resources.

Duke University, Durham, N.C., and Virginia Tech, Blacksburg, Va., are two other examples of the many early adopters who now have active ERM programs. (See sidebars, "Creating a Culture of Integrity" and "Technology Influences Risk Reporting," for details of some of the institutions' specific efforts.)

In most cases, senior leadership follows a four-step, collaborative ERM business process that includes:

1. Identifying risks across the entire enterprise.

a. Paying attention to the gaps between departments and programs.

b. Using risk registers that list the five to 10 key risks that are identified by senior administrators.

2. Assessing the impact of the risks and opportunities relative to the institution's operations and mission.

3. Developing and practicing response or mitigation plans.

4. Monitoring the identified risks, holding the risk owners accountable, and consistently scanning for emerging risks.

Culture and Simplicity

What have we learned from those early adopters? Their work reveals two primary lessons: Culture matters, and simplicity enables the ERM to take root. A robust ERM program begins with creating a culture throughout the institutional community that motivates individuals to engage in working together, across silos and within the gaps, to identify, assess, and manage risk—as well as opportunities—in support of the institution's mission.

Risk Register for Liberal Arts Colleges

For private colleges, some of the key risks differ from those identified by large, public institutions. Here are some typical list items:

  • Enrollment: student's perceived return on investment.
  • Succession planning for president/senior staff.
  • Facilities: age and condition not keeping pace with student demand and increased focus on the sciences.
  • Health and safety of students (focused on alcohol use and sexual assault).
  • Information technology infrastructure, security, and renewal.
  • Endowment growth.

A strong risk management culture is comfortable in the "gray areas," where some identified risks are probably not insurable, cross several different departments, or can be considered "sacred cows" and thus untouchable by the community.

In creating a culture focused on risk, establishing the right tone at the top does matter. In researching and writing Risk Management, an Accountability Guide for University and College Boards (AGB Press, 2013), it became clear to me that without champions at the senior administrative and board level, ERM programs flounder.

Another insight is that a culture that supports ERM assigns each risk to an owner, someone responsible for managing and tracking the risk so that accountability is established and roles are clear. When provosts own academic risks and the vice president for advancement owns the risks associated with development, the dynamics make for a more powerful and productive process than a scenario in which the CBO or risk manager controls the process.

Creating an environment that supports risk reporting involves several other actions described below.

Culture change requires consistent, constant communication about the top risks, plans to respond to risks, and the process used to scan emerging risks. Institutions that regularly report on risk to the appropriate board committees and broader community are further along in culture change than those that keep the process closed and out of sight. If private institutions are concerned about openly sharing the risks, take a lesson from the public universities that have been transparent on ERM programs for more than a decade. Daily we are reminded about how important open communication and transparency are as building blocks for creating a trusting community. Opening up the risk management process to share risk registers and plans that the campus has to reduce vulnerabilities creates a sense of trust and a culture of risk awareness.

Institutions that relied on large committees to identify, monitor, and report risks were less successful in advancing the four steps than those that organized a small (three to five administrators) senior group to assess risks, assign ownership, monitor progress, and report out.

Learning from the early adopters to not overwork step No. 1, identification of risks, has led institutions to use risk registers developed by others as a starting point. As unique as each campus is, risks faced by colleges and universities are similar enough to allow the initial ERM program to leverage the hard work of others and build from there, broadening the circle of engagement and risk identification (step No. 4) in subsequent years. (See sidebars, "Typical Risk Register for a University" and "Risk Register for Liberal Arts Colleges" for more detail.)

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) and the International Organization for Standardization (ISO) have done good work and analysis in the 2009 framework (ISO 31000) to establish frameworks for ERM. Many campus risk managers use these frameworks to structure their processes.

Keeping the process simple and streamlined, but open and transparent, is the magic sauce for effective ERM. Starting with a small number of risks, and growing the circle wider each year as the risk culture expands, facilitates greater success.

The Next Frontier for ERM

As institution leaders have used enterprise risk management more widely, two issues have emerged as the next frontier in advancing its value as a business tool: more robust discussion on risk tolerance, and the use of data and analytics to respond to risks.

How much can you take? For-profit companies, the earliest adopters of ERM, have an easier task of developing risk tolerance. The effort focuses on: "How much money/market share are we willing to lose?"

On the other hand, mission-driven institutions, with long-term time horizons and limited or shrinking resources, have a much more difficult challenge in developing the right level of risk tolerance. Risk tolerance is important, as a successful ERM program is a tool for resource allocation: balancing limited resources against the top priorities, or put another way, "How much of our scarce resources should we put into this project to move the risks to a position we can tolerate?" Business offices are well-situated to lead these discussions for administrators, in assessing how much risk is appropriate for the institution.

Drilling down to the details. The increasing availability and sophistication of data-driven decision making is driving the evolution of ERM on campuses. The business office, used to tracking and analyzing data, can be a key partner in helping other offices understand and respond to the data that drives key risks.

For example, student behavior appears on most ERM risk registers, encompassing many key areas of vulnerability: reputation, compliance, and operations. Campuses are using data collection and analysis to help better understand the risk, and craft more targeted responses. As noted in the Whitman College example, the Clery Report and individual incident reports can be analyzed to better understand where and when sexual assaults are occurring and the common characteristics of the assaults (using anonymous data while identifying attributes of the involved students). Then training, oversight, and response can be shifted to vulnerable populations and locations based on the analysis.

Duke University and Virginia Tech are models to follow on creating the risk reporting culture, keeping it simple, and using data and technology for decision making.

JANICE M. ABRAHAM is president and chief executive officer, United Educators, Bethesda, Md.

Creating a Culture of Integrity

A recent report to Congress ("Recalibrating Regulation of Colleges and Universities") from the Senate Task Force on Federal Regulation of Higher Education, stated that the U.S. Department of Education alone has about 2,000 pages of mandates that apply to institutions of higher education, resulting from more than 80 different federal statutes that regulate our work. "In 2012 alone," the report states, "the Department released approximately 270 'Dear Colleague' letters and other electronic announcements—this means that more than one new directive or clarification was issued every working day of the year."

It's no wonder that "compliance fatigue" sets in when it comes to following—and even keeping track of—the many government regulations that affect our work. Though some regulation is necessary and even desirable, there is a growing sense that other requirements are imposed without any meaningful calibration of the value they add to the federal government's oversight or our own best practices. The ever-increasing compliance pressure comes at a time when colleges and universities are scrutinized more than ever for anything that goes wrong on campus.

Amid this pervasive feeling of fatigue, what strategies can we use to encourage employees to do things right? What can we do to inspire a culture of compliance at every level of the organization?

At Duke University, we looked at whether our compliance foundation could be made stronger by asking ourselves some basic questions:

  • Is there an unequivocal tone at the top that supports compliance and integrity? Does that attitude include the actions and words of the senior leadership?
  • Do people at every level of the organization feel comfortable speaking up when something does not seem right?
  • What can we learn from successes at other organizations that could improve our own processes? What can we learn from their failures?

Executive-level Support

The right tone at the top is easy to claim, but what does it look like in action? One of the distinguishing features of Duke's risk, ethics, and compliance approach is the personal involvement of the university's president, executive vice president, and provost in decisions about risk and compliance. These individuals participate in a robust risk-assessment process that results in key risks being identified and owners being assigned to mitigate those risks. The audit committee of the board of trustees closely tracks those mitigation efforts. The expectation is that key compliance and other risks are to be identified and addressed, and those owning the risks are accountable if they fail to do it.

Empowering People to Speak Up

Medical schools and hospitals have for more than a decade known that empowering every level of a patient care team—including nurses—to speak up results in fewer clinical errors. Lower-level employees are not only protected from retaliation when they report issues, they may even be rewarded for their efforts via recognition ceremonies and evaluations.

That said, it is rarely easy for individuals to speak up when they think something might be going wrong, especially when those hearing the information are superiors who hold positions of power and influence in the organization. Consequently, getting the word out regularly to employees that they will be protected, and creating anonymous hotlines or other alternative reporting paths, can help employees question whether they should report something that they may have seen or heard. It's also important to get the word out to managers who need to understand that they are expected to support an employee who comes forward with a concern, rather than viewing that employee as a complainer.

Revealing Gaps in the System

Another approach an institution can take is to look at problems that have occurred elsewhere. After the claims of sexual abuse of minors became public at another university in 2011, we formed a work group to review the policies and practices at Duke. Involving individuals from our summer programs, athletics, study abroad, and even science labs, we began to identify gaps on our own campus. Based on our findings, we put in place consistent policies (and auditing) for those activities. By detecting shortfalls in our own policies, we were able to learn before we had a crisis on our own campus.

There are multiple approaches to encouraging a culture of integrity, compliance, and best practices. Involving employees at all levels of campus—from leaders at the top of the organization to rank-and-file employees at its lower levels—can strengthen a university's resolve to get it right.

PAMELA BERNARD is vice president and general counsel, Duke University, Durham, N.C.

Technology Influences Risk Reporting

In an age of exponential electronic communication methods, traditional reporting channels are not sufficiently comprehensive or effective. Phone and e-mail have been overtaken by texting, mobile apps, and all varieties of social media. Consequently, institutions must adapt to and anticipate the way their respective communities are most likely to provide—and receive—information.

At Virginia Tech, we've found that no single method reaches everyone. Each channel of communication has different characteristics, and it can take multiple touch points to get across your particular message. We know full well that students, staff, and other stakeholders are already relying on social media for communication and crowd-sourced information for decision making in their daily lives. Committing to the utilization of social media channels enhances operational situational awareness, resulting in reduced response times to emerging issues and concerns.

Adapting to the Audience

As emergency management and safety professionals, we need to adapt to these changes for our own purposes. But others anywhere in the community also need effective access to the right information for effective decision making. Some key benefits from gathering information in nontraditional ways play out when students are in crisis, during unfolding events, or while a developing situation requires clear awareness. We have observed individuals self-report personal issues of concern on platforms such as Yik Yak, and watched the community of users provide positive options including where on campus to seek assistance.

In addition, we learned the reach of Twitter when our new president, Timothy Sands, arrived in 2014 and immediately made strong connections with students through his Twitter feed. This activity generated such a huge amount of messaging that we now have Twitter feeds for facilities issues and we support other "nontraditional" communication and reporting tools with mobile apps.

At Virginia Tech, apps provide for the delivery of "just-in-time" emergency preparedness information, as well as allow the user to send nonemergency information including text, pictures, and video directly to the Virginia Tech Police Department Dispatch Center. Note that when considering alternate reporting methods, if there is an expectation created that the reporting channel will be monitored, then there must be an analogous commitment to these protocols.

Make Reporting Easier

Aside from information gathering, other communication methods are useful to reach out for public comment as well as report out important news in public spaces, where large numbers of people can learn about significant developments. Social media platforms provide an opportunity to develop a one-to-one virtual relationship, establishing a conduit to share information. Critical communications can be delivered directly rather than lost in a sea of e-mail messages or other campus notices.

Higher education encompasses a diverse environment, with each of us having our own communication preferences. It is important for an emergency manager to recognize this need and develop messaging and reporting strategies that incorporate multiple channels.

MICHAEL MULHARE is director of emergency management at Virginia Tech (Virginia Polytechnic Institute and State University), Blacksburg, Va.
