Discussion
Read the Chapter 9 scenario and address the following question:
“UW adopted a committee structure to administer its ERM. Would such a structure work in private industry, or is a Chief Risk Officer required?”
Instructions for Initial Posts:
After reading the scenario, start a new discussion thread to address the discussion topic.
Discussion Requirements:
Must:
- Be 4 paragraphs in length
- Be supported by the required textbook and at least two additional references
Points deducted if the submission:
- Does not use the required textbook as one of the reference sources. Wikipedia, LinkedIn articles, blogs, paid vendors, certification websites, and similar sources cannotot be used in academic writing. Reputable industry articles from publications such as ComputerWeekly, PCMag, the Wall Street Journal, or the New York Times can be used. Academic journals and popular industry articles are accessible in the university’s library databases and Google Scholar. No reference should have a publication date older than 2005.
- Does not respond to the question(s) thoroughly, meaning with at least 4 paragraphs
- Primarily consists of bullet points
- Uses statements such as “I have gone through your post,” “I have gone through your discussion,” “adding a few more points,” “based on my knowledge,” “according to me,” “as per my knowledge,” or similar
- Contains contractions, for example “shouldn’t,” “couldn’t,” “didn’t,” or similar
- Uses vague words or phrases such as “proper,” “appropriate,” “adequate,” “it is obvious,” “it is clear,” “in fact,” or similar to describe a process, function, or procedure; for example, “proper incident response plan,” “appropriate IT professional,” or “adequate security.” These words are subjective because they have different meanings to different individuals.
School of Computer & Information Sciences
ITS 835
Chapter 9, “Lessons from the Academy: ERM Implementation in the University Setting”
This is a narrated presentation.
Overview
• Institutional Background
• Emergence of ERM in Higher Education
• Leadership from the Top
  – Create a Culture-Specific ERM Program
  – Scope of the Risk Framework
  – Organizational Structure
  – Philosophy of the Program
• Evolution of ERM at UW
  – Compliance, Operation, and Finance Council (COFi)
  – Adopting and Adapting the COSO Model
• Outcomes and Lessons Learned
• Conclusion
Institutional Background
• Colleges and universities have often perceived themselves as substantially different and separate from other for-profit and not-for-profit entities, and the outside world has historically viewed and treated them as such.
• Higher education was largely a self-created, self-perpetuating, insular, isolated, and self-regulating environment. In this culture, higher education institutions are generally governed under the traditional, independent “silos of power and silence” management model, in which the right hand in one administrative area or unit is often unaware of the left hand’s mission, objectives, programs, practices, and contributions in other areas.
• Organizational structures in higher education differ in many ways from those of other organizations. The differences are attributed to dualistic decision-making structures, a lack of metrics to measure progress and assess accountability, and a lack of clarity and agreement within the academic organization on institutional goals. As a result, the processes, structures, and systems for accountability commonly used in business firms are not sensible for universities.
Emergence of ERM in Higher Education
• Educational institutions “have been slower to look at ERM as an integrated business tool, as a way to help all the stakeholders – trustees, presidents, provosts, CFOs, department heads, and frontline supervisors – identify early warning signs of something that could jeopardize a school’s operations or reputation.”
• In the United States, engaging in risk management efforts and programs is not specifically required of institutions of higher education (IHEs) by accrediting agencies or the federal government.
Examples of risks by institutional function:
• Board of Directors: accreditation, conflict of interest, succession planning
• Business Affairs: bonds, cash management, endowment
• Campus Safety: emergency alert, incident response, infectious disease
• Information Technology: cyber liability, electronic records, privacy
• Academic Affairs: academic freedom, grade tampering, grants
• Student Affairs: emergency alert, incident response, infectious disease
• Human Resources: affirmative action, grievance, labor law
• Physical Plant: fire, renovations, infrastructure damage
• Other: alumni, athletics, external relations
Leadership from the Top
• The role of the Strategic Risk Initiative Review Committee (SRIRC) was to continue investigating best practices in university risk management and to make recommendations about a structure and framework for compliance that would fit the institution’s culture.
• The SRIRC asked questions such as: Does this proposal add value? What obstacles are apparent, and how can they be addressed? How could this proposal be improved?
• Prior to formal implementation of the ERM program, resources were also dedicated to creating an infrastructure to sustain the recommended model.
• Prior to implementation, some key decisions needed to be made: Would the scope of the program be institution-wide or targeted at the school, college, or unit level? Would it include all risks (compliance, finance, operations, and strategy), or would it be “on the continuum,” a model that integrates risks into the organizational strategic discussion?
Create a Culture-Specific ERM Program
• UW adopted “an integrated approach to managing risks and compliance, commonly called enterprise risk management (ERM).” It acknowledged that the proposed changes were not intended to “replace what already works across the university,” but rather to “augment the existing organization with thoughtful direction, collaboration, and communication on strategic risks.”
• Key terms were defined and recommendations were made based on three basic parameters: the scope of the framework, the organizational structure for the framework, and the philosophy of the program.
Scope of the Risk Framework
• A centralized compliance management approach: the model would encompass all risks but focus primarily on legal and regulatory compliance.
• A “collaborative, institution-wide risk management model” that “ensures that UW creates an excellent compliance model based on best practices, while protecting its decentralized, collaborative, and entrepreneurial culture.”
Organizational Structure
• The report reviewed UW’s current approach to risk management, noting that it had moved beyond the insurance approach, “which is usually reactive and ad hoc,” but also observing that responsibility for specific risks was distributed among the institution’s organizational silos.
• It highlighted the weaknesses of the current approach, including the fact that “due to the size, decentralization, and complexity of the institution, a proliferation of compliance, audit, and risk management activities has grown up around separate and distinct risk areas, each largely operating in a self-defined stovepipe.”
Philosophy of the Program
• The institutional profile report outlined three guiding principles to shape the evolution of compliance and risk management at UW:
  – Foster an institution-wide perspective
  – Ensure that regulatory management is consistent with best practices
  – Protect the decentralized, collaborative, and entrepreneurial culture
Evolution of ERM at UW
• Although many operational units, committees, and administrative bodies handled the risks in their own environments well, there was little cross-functional sharing of information. The opportunity aspect of risk was therefore not fully utilized by the University, and risk mitigation priorities were not consistently driven by the institution’s strategic objectives.
• Early ERM efforts at UW were formative and focused on:
  – Developing a common language around risk
  – Conducting individual risk assessments
  – Focusing discussion and mitigation on financial challenges
  – Drafting an initial compendium of enterprise-wide success metrics
Compliance, Operation, and Finance Council (COFi)
• The COFi Council has oversight of risk assessments at the division or functional level. It approves methods to monitor risks and identifies topics for outreach, particularly items with university-wide potential impact or that cross departmental or divisional silos. The six primary goals of the COFi Council are to:
  – Engage in a continual, cross-functional process that results in effective prioritization of institutional responses to compliance, financial, and operational risks, and consider the impact on strategic and reputational risks.
  – Ensure that the institutional perspective is always present in risk and compliance management discussions.
  – Identify strategies to address emerging risks and compliance management issues.
  – Support risk and compliance management training and outreach efforts throughout the university.
  – Provide external auditors and regulators with information about the university’s risk and compliance programs.
  – Avoid the creation of additional bureaucracy by minimizing redundancy and maximizing resources.
Adopting and Adapting the COSO Model
• UW defined ERM according to its interpretation of the Committee of Sponsoring Organizations (COSO) model, which describes ERM as “a process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
• As adapted by UW, the COSO model is an eight-step process:
  1. Leadership, culture, and values
  2. Strategic goals
  3. Risk identification
  4. Risk assessment
  5. Response
  6. Controls
  7. Information and communication
  8. Monitoring and measuring
Outcomes and Lessons Learned
• The value of ERM is both quantitative (e.g., risk and opportunity maps) and qualitative (e.g., a dashboard to contextualize and display metrics). Each iteration of the ERM process results in new capabilities and in insight gained into managing financial risks and strategic opportunities.
• Key lessons learned:
  – Clarify the roles of the various risk committees
  – Develop a work plan for the committee
  – Develop an engaging agenda, focused at the appropriate level
  – Don’t overemphasize lowest-common-denominator risks
  – Gather data and information to develop expertise on specific risks
  – Avoid discussing low-level, narrow risks
  – Don’t get into the weeds with implementation and process
Conclusion