20200114014627chapter_9_erm
Please explain how ERM adoption and implementation in the higher education (HE) environment differs from the public company sector environment. Pick a specific company for comparison purposes and do a direct connection within your answer.
Cite specific examples from this reading.
No plagiarism, 500 words. Use at least 3 references.
I am uploading the textbook for your reference. Use it as a reference and match scenarios with the specific company.
CHAPTER 9
Lessons from the Academy
ERM Implementation in the University Setting
ANNE E. LUNDQUIST
Western Michigan University
The tragedy at Virginia Tech, infrastructure devastation at colleges and universities in the New Orleans area in the aftermath of Hurricane Katrina, the sexual abuse scandal at Penn State, the governance crisis at the University of Virginia, American University expense-account abuse, and other high-profile university situations have created heightened awareness of the potentially destructive influence of risk and crisis for higher education administrators.1 The recent Risk Analysis Standard for Natural and Man-Made Hazards to Higher Education Institutions (American Society of Mechanical Engineers–Innovative Technologies Institute 2010) notes that “resilience of our country’s higher education institutions has become a pressing national priority” (p. vi). Colleges and universities are facing increased scrutiny from stakeholders regarding issues such as investments and spending, privacy, conflicts of interest, information technology (IT) availability and security, fraud, research compliance, and transparency (Willson, Negoi, and Bhatnagar 2010). A statement from the review committee assembled to examine athletics controversies at Rutgers University is not unique to that situation; the committee found that “the University operated with inadequate internal controls, insufficient inter-departmental and hierarchical communications, an uninformed board on some specific important issues, and limited presidential leadership” (Grasgreen 2013).
The situation at Penn State may be one of the clearest signals that risk management (or lack thereof) has entered the university environment and is here to stay. In a statement regarding the report, Louis Freeh, chair of the independent investigation by his law firm, Freeh Sporkin & Sullivan, LLP, into the facts and circumstances of the actions of Pennsylvania State University, said the following:
In our investigation, we sought to clarify what occurred . . . and to examine the University’s policies, procedures, compliance and internal controls relating to identifying and reporting sexual abuse of children. Specifically, we worked to identify any failures or gaps in the University’s control environment, compliance programs and culture which may have enabled these crimes against children to occur on the Penn State campus, and go undetected and unreported for at least these past 14 years.
www.it-ebooks.info
144 Implementing Enterprise Risk Management
The chair of Penn State’s board of trustees summed it up succinctly after the release of the Freeh Report (Freeh and Sullivan 2012) regarding the university’s handling of the sexual abuse scandal: “We should have been risk managers in a more active way” (Stripling 2012).
The variety, type, and volume of risks affecting higher education are numerous, and the public is taking notice of how those risks are managed. Accreditation agencies are increasingly requiring that institutions of higher education (IHEs) demonstrate effective integrated planning and decision making, including using information gained from comprehensive risk management as a part of the governance and management process.2 Credit rating agencies now demand evidence of comprehensive and integrated risk management plans to ensure a positive credit rating, including demonstration that the board of trustees is aware of, and involved in, risk management as a part of its decision making.3 Through its Colleges and Universities Compliance Project, the Internal Revenue Service (IRS) is considering how to hold IHEs responsible for board oversight of risk, investment decisions, and other risk management matters.4 The news media has a heightened focus on financial, governance, and ethical matters at IHEs, holding them accountable for poor decisions and thus negatively affecting IHE reputations. In response to this, many IHEs have implemented some form of enterprise risk management (ERM) program to help them identify and respond to risk.
THE HIGHER EDUCATION ENVIRONMENT
Colleges and universities have often perceived themselves as substantially different and separate from other for-profit and not-for-profit entities, and the outside world has historically viewed and treated them as such. Colleges and universities have been viewed as ivory towers, secluded and separated from the corporate (and thus the federal regulatory and, often, legal) world. Higher education was largely a self-created, self-perpetuating, insular, isolated, and self-regulating environment. In this culture, higher education institutions were generally governed under the traditional, independent “silos of power and silence” management model, with the right hand in one administrative area or unit often unaware of the left hand’s mission, objectives, programs, practices, and contributions in another area.
John Nelson (2012), managing director for the Public Finance Group (Healthcare, Higher Education, Not-for-Profits) for Moody’s Investors Service, observed that higher education culture is somewhat of a contradiction in that colleges and universities are often perceived as “liberal,” whereas organizationally they tend to be “conservative and inward-looking.”5 Citing recent examples at Penn State and Harvard, he noted that colleges and universities can be “victims of their own success”; a past positive reputation can prevent boards from asking critical questions, and senior leadership from sharing troubling information with boards, and this can perpetuate a culture that isn’t self-reflective, thus increasing the likelihood for a systemic risk management or compliance failure. The Freeh Report (2012) is instructive regarding not only the Penn State situation, but the hands-off and rubber-stamp culture of university boards and senior leaders more broadly. The Freeh Report found that the Penn State board failed in its duty to make reasonable inquiry and to demand action from the president, and that the president, a senior vice president, and the general counsel did not perform their duties. The report calls these inactions a “failure of governance,” noting that the “board did not have regular reporting procedures or committee structure to ensure disclosure of major risks to the University” and that “Penn State’s ‘Tone at the Top’ for transparency, compliance, police reporting, and child protection was completely wrong, as shown by the inaction and concealment on the part of its most senior leaders, and followed by those at the bottom of the University’s pyramid of power.”
In his text regarding organizational structures in higher education, How Colleges Work, Birnbaum (1988) notes that, organizationally and culturally, colleges and universities differ in many ways from other organizations. He attributes this difference to several factors: the “dualistic” decision-making structure (comprised of faculty “shared governance” and administrative hierarchy); the lack of metrics to measure progress and assess accountability; and the lack of clarity and agreement within the academic organization on institutional goals (based, in part, on the often competing threefold mission of most academic organizations of teaching, research, and service). Because of these organizational differences, Birnbaum notes that the “processes, structures, and systems for accountability commonly used in business firms are not always sensible for [colleges and universities]” (p. 27).
While noting that colleges and universities are unique organizations, Birnbaum also observes that they have begun to adopt more general business practices, concluding that “institutions have become more administratively centralized because of requirements to rationalize budget formats, implement procedures that will pass judicial tests of equitable treatment, and speak with a single voice to powerful external agencies” (p. 17).
This evolution to a more businesslike culture for IHEs has been evolving since the 1960s and has brought significant societal changes while seeing the federal government, as well as state governments, begin to enact specific legislation affecting colleges and universities.6 The proliferation of various laws and regulations, coupled with the rise of aggressive consumerism toward the end of the 1990s, has led to an increased risk of private legal claims against institutions of higher education—and their administrators—as well as a proliferation of regulatory and compliance requirements. Higher education is now generally treated like other business enterprises by judges, juries, and creative plaintiffs’ attorneys, as well as by administrative and law enforcement agencies, federal regulators—and the public.
Mitroff, Diamond, and Alpaslan (2006) point out that despite their core educational mission, colleges and universities are really more like cities in terms of the number and variety of services they provide and the “businesses” they are in. They cite the University of Southern California (USC) as an example, noting that USC operates close to 20 different businesses, including food preparation, health care, and sporting events, and that each of these activities presents the university with different risks. Jean Chang (2012), former ERM director at Yale University, observed that IHEs are complicated businesses with millions of dollars at stake, but they don’t like to think of themselves as “enterprises.”
Organizational Type Impacts Institutional Culture
While Birnbaum (1988) notes that IHEs differ in important ways from other organizational types, especially for-profit businesses, he also concludes that colleges and universities differ from each other in important ways. Birnbaum outlines five models of organizational functioning in higher education: collegial, bureaucratic, political, anarchical, and cybernetic. In Bush’s (2011) text on educational leadership, he groups educational leadership theories into six categories: formal, collegial, political, subjective, ambiguity, and cultural. In their discussion of organizational structure, Bolman and Deal (2008) provide yet another method for analysis of organizational culture, identifying four distinctive “frames” from which people view their world and that provide a lens for understanding organizational culture: structural, human resources, political, and symbolic.
Each of these models can provide a conceptual framework by which to understand and evaluate the culture of a college or university. Understanding the organizational type of a particular institution is imperative when considering issues such as the process by which goals are determined, the nature of the decision-making process, and the appropriate style of leadership to accomplish goals and implement initiatives. What works in one university organizational type may not be effective in another. The leadership style of senior administration may be operating from one frame or model while the culture of the faculty may be operating from another, thus affecting policy and practice in positive or negative ways.
While not true across the board, for-profit organizations tend to operate from what Bush as well as Bolman and Deal refer to as the formal or structural models and Birnbaum terms bureaucratic. The structural frame represents a belief in rationality. Some assumptions of the structural frame are that “suitable forms of coordination and control ensure that diverse efforts of individuals and units mesh” and that “organizations work best when rationality prevails over personal agendas” (Bolman and Deal 2008, p. 47). Understanding this cultural and framing difference is important when considering the adoption and implementation of ERM in the university environment, and can help to explain why many university administrators and faculty are skeptical of the more corporate approach often taken in ERM implementation outside of higher education.
Bush observes that the collegial model has been adopted by most universities and is evidenced, in part, by the extensive committee system. Collegial institutions have an “emphasis on consensus, shared power, common commitments and aspirations, and leadership that emphasizes consultation and collective responsibilities” (Birnbaum, p. 86). Collegial models assume that professionals also have a right to share in the wider decision-making process (Bush 2011, p. 73). Bush points out that collegial models assume that members of an organization agree on organizational goals, but that often various members within the institution have different ideas about the central purposes of the institution because most colleges and universities have vague, ambiguous goals. Birnbaum describes the collegium (or university environment) as having the following characteristics:
The right to participate in institutional affairs, membership in a congenial and sympathetic company of scholars in which friendships, good conversation, and mutual aid flourish, and the equal worth of knowledge in various fields that precludes preferential treatment of faculty in different disciplines. (p. 87)
ERM (or risk management and compliance initiatives in general) tend to be viewed as more corporate functions and to align with formal, structural, and bureaucratic aims, goal setting, planning, and decision making. The chart in Exhibit 9.1 outlines management practices and how they are viewed from the formal/structural and collegial/human resources models. As will become clear in the University of Washington ERM implementation case described in this chapter, the culture of higher education in general, and the institution-specific culture of the particular organization, cannot be ignored when adopting or implementing an ERM program, and may be the most important element when making ERM program, framework, and philosophy decisions.

Exhibit 9.1 Distinctions between Structural and Collegial Elements of Management*
Elements of Management, as viewed in the Formal/Structural and Collegial/Human Resources models of Bolman and Deal, Bush, and Birnbaum
Level at which goals are determined
    Institutional
    Institutional
    Institutional
    Institutional through agreement and consensus
Process by which goals are determined
  Formal/Structural
    Bolman and Deal: Vertical and lateral processes
    Bush: Set by leaders
    Birnbaum: Based on organizational structure and roles
  Collegial/Human Resources
    Bolman and Deal: Agreement
    Bush: Agreement
    Birnbaum: Consensus
Relationship between goals and decisions
  Formal/Structural
    Bolman and Deal: Organizations exist to achieve established goals
    Bush: Decisions based on goals
    Birnbaum: Conscious attempt to link means to ends and resources to objectives
  Collegial/Human Resources
    Bolman and Deal: Shared sense of direction and commitment
    Bush: Decisions based on goals
    Birnbaum: Strong and coherent culture and value consensus informs decisions
Nature of the decision process
  Formal/Structural
    Bolman and Deal: Rational; rules, policies, and standard operating procedures
    Bush: Rational
    Birnbaum: Rational; compliance with rules and regulations
  Collegial/Human Resources
    Bolman and Deal: Egalitarianism; teams
    Bush: Collegial
    Birnbaum: Deliberative consensus
Nature of structure
  Formal/Structural
    Bolman and Deal: Organizations increase efficiency and enhance performance through specialization and division of labor
    Bush: Objective reality; hierarchical
    Birnbaum: Designed to accomplish large-scale tasks by systematically coordinating the work of many individuals
  Collegial/Human Resources
    Bolman and Deal: Organizations exist to serve human needs; must be a good fit between organization and people
    Bush: Lateral
    Birnbaum: Collegium
Style of leadership
  Formal/Structural
    Bolman and Deal: Established authority
    Bush: Leader establishes goals and initiates policy
    Birnbaum: Leader is concerned with planning, directing, organization, staffing, and evaluating
  Collegial/Human Resources
    Bolman and Deal: Doesn’t control or overly structure; sensitive to both task and process; use of teams
    Bush: Leader seeks to promote consensus
    Birnbaum: Leader is “first among equals,” consultation and collective responsibilities
*Adapted from Bush (2011), 199 (Figure 9.1).

Risks Affecting Higher Education
One way in which colleges and universities are becoming more like other organizations is the type and variety of risks affecting them. Risk and crisis in higher education may arise from a variety of sources: a failure of governance or leadership; a business or consortium relationship; an act of nature; a crisis related to student safety or welfare or that of other members of the community; a violation of federal, state, or local law; or a myriad of other factors. The University Risk Management and Insurance Association (URMIA 2007) cites several drivers that put increased pressure and risk on colleges and universities, including competition for faculty, students, and staff; increased accountability; external scrutiny from the government, the public, and governing boards; IT changes; competition in the marketplace; and increased levels of litigation. A comprehensive, yet not exhaustive, list of risks affecting higher education is outlined in Exhibit 9.2. Risks unmitigated at the unit, department, or college level can quickly lead to high-profile institutional risk when attorneys, the media, and the public get involved. Helsloot and Jong (2006) observe that higher education has a unique risk as it relates to the generation and sharing of its core task: “to gather, develop, and disseminate knowledge” (p. 154), noting that the “balance between the unfettered transfer of knowledge, on the one hand, and security, on the other, is a precarious one” (p. 155).
EMERGENCE OF ERM IN HIGHER EDUCATION
In the corporate sector, interest in the integrated and more strategic concept of enterprise risk management (ERM) has grown significantly in the past 15 years (Arena, Arnaboldi, and Azzone 2010). Certain external factors affected the adoption and implementation of ERM practices in corporations, including significant business failures in the late 1980s that occurred as a result of high-risk financing strategies (URMIA 2007). Governments in several European countries took actions and imposed regulatory requirements regarding risk management earlier than was done in the United States, issuing new codes of practice and regulations such as the Cadbury Code (1992), the Hampel Report (1998), and the Turnbull Report (1999). In 2002, the Public Company Accounting Reform and Investor Protection Act (otherwise known as Sarbanes-Oxley, or SOX) was enacted in the United States. In 2007, the Securities and Exchange Commission (SEC) issued guidance placing greater emphasis on risk assessment and began to develop requirements for enterprise-wide evaluation of risk. In February 2010, the SEC imposed regulations requiring for-profit corporations to report in depth on how their organizations identify risk, set risk tolerances, and manage risk/reward trade-offs throughout the enterprise.
While widespread in the corporate sector, in large part due to regulatory compliance, ERM is fairly new in higher education. Gurevitz (2009) observes that educational institutions “have been slower to look at ERM as an integrated business tool, as a way to help all the stakeholders—trustees, presidents, provosts, CFOs, department heads, and frontline supervisors—identify early warning signs of something that could jeopardize a school’s operations or reputation.” In 2000, the Higher Education Funding Council of England enacted legislation requiring all universities in England to implement risk management as a governance tool (Huber 2009). In Australia, the Tertiary Education Quality Standards Agency (TEQSA 2013) evaluates the performance of higher education providers against a set of threshold standards and makes decisions in relation to their performance in line with three regulatory principles, including understanding an institution’s level of risk.

Exhibit 9.2 Risks Affecting Higher Education
Institutional Area, followed by Types of Risk
Boards of Trustees and Regents, President, Senior Administrators
  Accreditation
  Board performance assessment
  CEO assessment and compensation
  Conflict of interest
  Executive succession plan
  Fiduciary responsibilities
  IRS and state law requirements
  Risk management role and responsibility
Business and Financial Affairs
  Articulation agreements
  Bonds
  Budgets
  Business ventures
  Cash management
  Capital campaign
  Contracting and purchasing
  Credit rating
  Debt load/ratio
  Endowment
  Federal financial aid
  Fraud
  Gift/naming policies
  Insurance
  Investments
  Loans
  Outsourcing
  Transportation and travel
  Recruitment and admissions model
Compliance with Federal, State, and Local Laws, Statutes, Regulations, and Ordinances
  Americans with Disabilities Act (ADA)/Section 504
  Copyright and fair use
  Drug-Free Schools and Communities Act
  Family Educational Rights and Privacy Act (FERPA)
  Health Insurance Portability and Accountability Act of 1996 (HIPAA)
  Higher Education Opportunity Act IRS regulations
  Integrated Postsecondary Education Data System (IPEDS)
  Jeanne Clery Disclosure of Campus Security Policy and Campus Crime Statistics Act (Clery Act)
  National Collegiate Athletic Association (NCAA)/National Association of Intercollegiate Athletics (NAIA) regulations
  Record retention and disposal
  Tax codes
  Whistle-blower policies
Campus Safety and Security
  Emergency alert systems for natural disaster or other threat
  Emergency planning and procedures
  Incident response
  Infectious diseases
  Interaction with local, state, and federal authorities
  Minors on campus
  Terrorism
  Theft
  Violence on campus
  Weapons on campus
  Weather
Information Technology
  Business continuity
  Cyber liability
  Electronic records
  Information security
  Network integrity
  New technologies
  Privacy
  System capacity
  Web page accuracy
Academic Affairs
  Academic freedom
  Competition for faculty
  Faculty governance issues
  Grade tampering
  Grants
  Human subject, animal, and clinical research
  Intellectual property
  Internship programs
  Joint programs/partnerships
  Laboratory safety
  Online learning
  Plagiarism
  Quality of academic programs
  Student records
  Study abroad
  Tenure
Student Affairs
  Admission/retention
  Alcohol and drug use
  Clubs and organizations
  Conduct and disciplinary system
  Dismissal procedures
  Diversity issues
  Fraternities and sororities
  Hate crimes
  Hazing
  International student issues
  Psychological disabilities issues
  Sexual assault
  Student death
  Student protest
  Suicide
Employment/Human Resources
  Affirmative action
  Background checks
  Discrimination lawsuits
  Employment contracts
  Grievances
  Labor laws
  Performance evaluation
  Personnel matters
  Sexual harassment
  Termination procedures
  Unions
  Workplace safety
Physical Plant
  Building and renovation
  Fire
  Infrastructure damage
  Off-site programs
  Public-private partnerships
  Residence hall and apartment safety
  Theft
Other
  Alumni
  Athletics
  External relations
  Increased competition for students, faculty, and staff
  Increased external scrutiny from the public, government, and media
  Medical schools, law schools
  Vendors

In the United States, engaging in risk management efforts and programs for IHEs is not specifically required by accrediting agencies or the federal government. Perhaps because it is not required, ERM has not been a top focus for boards and senior administrators at IHEs. Tufano (2011) points out that risk management in the nonprofit realm, including higher education, is significantly less developed than in much of the corporate world and often still has a focus on avoidance of loss rather than setting strategic direction. Mitroff, Diamond, and Alpaslan’s (2006) survey assessing the state of crisis management in higher education revealed that colleges and universities were generally well prepared for certain crises, particularly fires, lawsuits, and crimes, in part because certain regulations impose requirements. They were also well prepared for infrequently experienced but high-profile situations such as athletics scandals, perhaps based on their recent prominence in the media. However, they were least prepared for certain types of crises that were frequently experienced such as reputation and ethics issues, as well as other nonphysical crises such as data loss and sabotage.7 A survey conducted by the Association of Governing Boards of Universities and Colleges and United Educators (2009) found that, of 600 institutions completing the survey, less than half of the respondents “mostly agreed” that risk management was a priority at their institution. Sixty percent stated that their institutions did not use a comprehensive, strategic risk assessment to identify major risks to mission success. Recent high-profile examples may be beginning to change that. The Freeh Report regarding Penn State determined that “the university’s lack of a robust risk-management system contributed to systemic failures in identifying threats to individuals and the university and created an environment where key administrators could ‘actively conceal’ troubling allegations from the board” (Stripling 2012).
ADOPTING AND IMPLEMENTING ERM IN COLLEGES AND UNIVERSITIES
In 2001, PricewaterhouseCoopers and the National Association of College and University Business Officers (NACUBO) sponsored a think tank of higher education leaders to discuss the topic of ERM in higher education, likely in response to widespread discussion in the for-profit sector and in anticipation of potential regulatory implications for higher education. The group included Janice Abraham, then president and chief executive officer of United Educators Insurance, as well as senior administrators from seven universities.8 The focus of their discussion was on the definition of risk; the risk drivers in higher education; implementation of risk management programs to effectively assess, manage, and monitor risk; and how to proactively engage the campus community in a more informed dialogue regarding ERM. Their conversation produced a white paper, “Developing a Strategy to Manage Enterprisewide Risk in Higher Education” (Cassidy et al. 2001). In 2007, NACUBO and the Association of Governing Boards of Universities and Colleges (AGB) published additional guidance in their white paper, “Meeting the Challenges of Enterprise Risk Management in Higher Education.” The University Risk Management and Insurance Association (URMIA) also weighed in with its white paper, “ERM in Higher Education” (2007). In 2013, Janice Abraham wrote a text published by AGB and United Educators, entitled Risk Management: An Accountability Guide for University and College Boards. These documents provide guidance and information to institutions considering the implementation of an ERM program and discuss the unique aspects of the higher education environment when considering ERM implementation.
Several authors have discussed the transferability of the ERM model to higher education, even with the cultural and organizational differences that abound between the for-profit environment and higher education. URMIA (2007) concluded that “the ERM process is directly applicable to institutions of higher education, just as it is to any other ‘enterprise’; there is nothing so unique to the college or university setting as to make ERM irrelevant or impossible to implement” (p. 17). Whitfield (2003) assessed the “feasibility and transferability of a general framework to guide the holistic consideration of risk as a critical component of college and university strategic planning initiatives” (p. 78) and concluded that “the for-profit corporate sector’s enterprise-wide risk management framework is transferable to higher education institutions” (p. 79).
National conferences for higher education associations such as NACUBO, AGB, URMIA, and others had presentations on ERM. Insurers of higher education, such as United Educators and Aon, as well as consultants such as Accenture and Deloitte, among others, provided workshops to institutions and published white papers of their own, such as the Gallagher Group’s “Road to Implementation: Enterprise Risk Management for Colleges and Universities” (2009). In the early 2000s, many IHEs rushed to form committees to examine ERM and hired risk officers in senior-level positions, following the for-profit model.9 However, when specific regulations such as those imposed by the SEC for for-profit entities did not emerge in the higher education sector, interest in highly developed ERM models at colleges and universities began to wane. Gurevitz (2009) points out that the early ERM frameworks weren’t written with higher education in mind and were often presented “in such a complicated format that it made it difficult to translate the concepts for many universities.”
Institutions with ERM programs have taken various paths in their selection
of models and methods and have been innovative and individualized in their
approaches. There is no comprehensive list of higher education institutions with
ERM programs, and not all IHEs with integrated models use the term ERM.
Exhibit 9.3 shows a snapshot of IHEs that have adopted ERM; a review of their
websites demonstrates the various risk management approaches adopted by IHEs
and the wide variability in terminology, reporting lines, structure, and focus. In
many instances, those IHEs with highly developed programs today had some form
of “sentinel event” (regulatory, compliance, student safety, financial, or other)
that triggered the need for widespread investigation and, therefore, the develop-
ment of more coordinated methods for compliance, information sharing, and deci-
sion making. In other situations, governing board members brought their business
experience with ERM to higher education, recognizing the “applicability and rel-
evance of using a holistic approach to risk management in academic institutions”
(Abraham 2013, p. 6).
Regardless of the impetus, the current focus appears to be on effectively link-
ing risk management to strategic planning. Abraham points out that many higher
education institutions are recognizing that an effective ERM program, with the
full support of the governing board, “will increase a college, university or system’s
likelihood of achieving its plans, increase transparency, and allow better allocation
of scarce resources. Good risk management is good governance” (p. 5). Ken Barnds
(2011), vice president at Augustana College, points out that “many strategic plan-
ning processes, particularly in higher education, spent an insufficient amount of
time thinking about threats and weaknesses.” Barnds believes that “an honest and
thoughtful assessment of the college’s risks . . . would lead [Augustana] in a pos-
itive, engaged, and proactive direction.” A recent Grant Thornton (2011) thought
paper urges university leaders to think about more strategic issues as part of their
risk management, including board governance, IRS scrutiny of board oversight
practices, investment performance in university endowments, indirect cost rates
in research, changes in employment practices, and outsourcing arrangements.

Exhibit 9.3 Sample of Colleges and Universities with ERM Programs

| Institution | Title of Person with ERM Responsibility | Website |
|---|---|---|
| Duke University | Executive Director of Internal Audit | http://internalaudits.duke.edu/risk-assessment/index.php |
| Emory University | Chief Audit Officer | www.emory.edu/EMORY_REPORT/stories/2010/04/19/risk_management.html |
| Georgia State University | Director, Enterprise Risk Management | www.gsu.edu/accounting/63370.html |
| Iowa State University | Associate Vice President for Budget and Planning | www.provost.iastate.edu/what-we-do/erm |
| Johnson & Wales | Director of Compliance, Internal Audit, and Risk Management | www.jwu.edu/content.aspx?id=57825 |
| Maricopa County Community College District (MCCCD) | Director of Enterprise Risk Management | www.maricopa.edu/publicstewardship/governance/adminregs/auxiliary/4_16.php |
| Ohio University | Associate Vice President for Risk Management and Safety | www.ohio.edu/riskandsafety/urmi.htm |
| Texas A&M University System | Office of Risk Management and Benefits Administration | www.tamus.edu/offices/risk/riskmanage/guide/enterprise-risk–management/ |
| University of Alaska System | Chief Risk Officer | www.alaska.edu/risksafety/ |
| University of California | Risk Services, Office of the President | www.ucop.edu/enterprise-risk-management/ |
| University of Denver | Director of Enterprise Risk Management | www.du.edu/internal-audit/internal_audit/faq.html |
| University of Iowa | Senior Vice President of Finance and Operations and Treasurer | www.uiowa.edu/~fusrm/EnterpriseRiskManagement/index.html |
| University of Maryland | Vice President for Planning and Accountability | www.umaryland.edu/accountability-old/risk-management/ |
| University of Notre Dame | Director of Risk Management and Safety | http://riskmanagement.nd.edu/about/ |
| University of Vermont | Senior Strategist for Enterprise Risk and Planning, Office of the Vice President for Finance & Administration | www.uvm.edu/~erm/ |
| University of Washington | Risk Analyst | http://f2.washington.edu/fm/erm |
| Yale University | Director of ERM | http://ogc.yale.edu/riskmanagement |

Regardless of terminology, there is an increased priority on taking a more
enterprise-wide approach to risk management and moving from a compliance-
driven approach to a comprehensive, strategic approach across and throughout
the organization that is used to positively affect decision making and impact mis-
sion success and the achievement of strategic goals. Tufano (2011) points out
that even in the corporate environment, top leaders are not inclined to work
through a detailed step-by-step risk management process, but rather take a top-
level approach. In the university environment, this means asking three fundamen-
tal questions: What is our mission? What is our strategy to achieve it? What risks
might derail us from achieving our mission? Richard F. Wilson, president of Illinois
Wesleyan University, may best summarize the current perspective of senior-level
higher education administrators:
When I first started seeing the phrase “enterprise risk management” pop up in
higher education literature, my reaction was one of skepticism. It seemed to me yet
another idea of limited value that someone had created a label for, to make it seem
more important than it really was. Although some of that skepticism remains, I find
myself increasingly in sympathy with some of its basic tenets . . . [especially] the
analysis that goes into decisions about the future. Most institutions are currently
engaged in some kind of strategic planning effort driven, in part, by the need to
protect their financial viability and vitality for the foreseeable future. . . . Bad plans
and bad execution of good ideas can put an institution at risk fairly quickly in the
current environment. Besides examining what we hope will happen if a particular
plan is adopted, we should also devote time to the consequences if the plan does
not work. I still cannot quite get comfortable incorporating enterprise risk man-
agement into my daily vocabulary, but I have embraced the underlying principles.
(Wilson 2013)
THE UNIVERSITY OF WASHINGTON: A JOURNEY OF DISCOVERY
The University of Washington (UW) has a robust enterprise risk management
(ERM) program that is moving into its seventh year. The program began with
what administrators10 at UW call a “sentinel event,” settling a Medicare and
Medicaid overbilling investigation by paying the largest fine by a university for a
compliance failure—$35 million. This led the new president, Mark Emmert, to for-
mally charge senior administrators in 2005 with the task of identifying best prac-
tices for “managing regulatory affairs at the institutional level by using efficient
and effective management techniques” (UW ERM Annual Report 2008, p. 4). At
the outset in 2006, the objective for UW was to “create an excellent compliance
model built on best practices, while protecting its decentralized, collaborative, and
entrepreneurial culture” (Collaborative ERM Report 2006, p. vi). The ERM pro-
cess at UW has been what Ann Anderson, associate vice president and controller,
terms “a journey of discovery.” ERM has developed and evolved at UW, mov-
ing from what UW administrators describe as an early compliance phase, through
a governance phase to a mega-risk phase. Currently, the University of Washing-
ton is focused on two objectives: (1) strengthening oversight of top risks, and (2)
enhancing coordination and integration of ERM activities with decision-making
processes at the university. This case study will describe the decision-making and
implementation process at UW, as well as outline various tools and frameworks
that UW adopted and adapted for use not only in the higher education setting in
general, but to fit specifically within the university’s decentralized culture.
Institutional Profile
Founded in 1861, the University of Washington is a public university enrolling
some 48,000 students and awarding approximately 10,000 degrees annually (see
Exhibit 9.4). The institution also serves approximately 47,000 extension students.
There are nearly 650 student athletes in UW’s 21 Division I men’s and women’s
teams. There is a faculty/staff of over 40,000, making UW the third-largest
employer in the state of Washington. The university is comprised of three cam-
puses with 17 major schools and colleges and 13 registered operations abroad. It
has a $5.3 billion annual budget, with $1.3 billion in externally funded research and
$2.6 billion in clinical medical enterprise. UW has been the top public university
in federal research funding every year since 1974 and has been among the top five
universities, public and private, in federal funding since 1969. The university has
an annual $9.0 billion economic impact on the state of Washington.
Culture at UW
When appointed to serve on the President’s Advisory Committee on ERM
(PACERM) in 2007, Professor Daniel Luchtel commented, in the context of talking
about risk assessments, that “the number of issues and their complexity is stun-
ning. The analogy that comes to mind is trying to get a drink of water from a fire
hose” (2007 ERM Annual Report, p. 4). As with most higher education institutions,
especially research universities, along with the core business of the teaching and
learning of undergraduate and graduate students, the faculty are focused on the
creation of new knowledge. “The University of Washington is a decentralized yet
collaborative entity with an energetic, entrepreneurial culture. The community
members are committed to rigor, integrity, innovation, collegiality, inclusiveness,
and connectedness” (Collaborative Enterprise Risk Management Final Report
2006, p. v).
Faculty innovation and the idea of compliance don’t always go hand in hand
in higher education, and UW is no exception. Research associate professor David
Lovell, vice-chair of the Faculty Senate in 2007–2008, expresses it well:
“Compliance” [is] not necessarily a good word for faculty members. . . . What lies
behind [that] is the high value faculty accord to personal autonomy. . . . The notion
of a culture of compliance sounds like yet another extension of impersonal, corpo-
rate control, shrinking the arena of self-expression in favor of discipline and con-
formity. . . . Over the last ten months, I’ve come to understand that you’re not here
to get in our way, but to make it possible for us faculty legally to conduct the work
we came here to do. . . . I hope that working together, we can try to spread such
understanding further, so that we can make compliance—or whatever term you
choose—less threatening to faculty and frustrating to staff. (Annual ERM Report
2008, pp. 6–7)
Exhibit 9.4 University of Washington Student Profile
[Figure: infographic of the 48,022 students enrolled at the UW in the fall of 2009 (undergraduate 32,291; graduate 11,592; professional 1,907), showing for each group the split between women and men and the shares of Asian American, underrepresented minority, and international students, along with counts of Gates Cambridge, Marshall, and Rhodes Scholars.]
From University of Washington Fact Book: http://opb.washington.edu/content/factbook.
Organizationally, the institution is divided into silos, which has historically
focused risk mitigation within those silos.
Implementation History at UW
On April 22, 2005, President Mark Emmert sent an e-mail to the deans and cabinet
members in which he said: “With the most recent example of compliance issues, we
have again been reminded that we have not yet created the culture of compliance
that we have discussed on many occasions.” He went on to say that “the creation
of a culture of compliance needs to be driven by our core values and commitment
to doing things the right way, to being the best at all we do. . . . We need to know
that the manner in which we manage regulatory affairs is consistent with the best
practices in existence.”
The Sentinel Event: Largest Fine at a Medical School
The Collaborative Enterprise Risk Management Report for the University of Wash-
ington (2006) began with the following: “Over the past few years, the UW has
been confronted by a series of problems with institution-wide implications, includ-
ing research compliance, financial stewardship, privacy matters, and protection of
vulnerable populations” (p. v). The situation with the highest impact on the uni-
versity began when Mark Erickson, a UW compliance officer, filed a complaint
alleging fraud in the UW’s Medicare and Medicaid billing practices. The 1999 com-
plaint prompted a criminal investigation, guilty pleas from two doctors, and a
civil lawsuit resulting in the $35 million settlement, the largest settlement made
by an academic medical center in the nation. The federal prosecutor claimed that
“many people within the medical centers were aware of the billing problems”
and that “despite this knowledge, the centers did not take adequate steps to cor-
rect them” (Chan 2004). UW’s 2006 ERM Annual Report acknowledges that, in
addition to the direct cost of the fines, there were also indirect costs in terms of
additional resources for reviews of university procedures, increased rigor and fre-
quency of audits, and an incalculable damage to the university’s reputation. The
federal prosecutor acknowledged that UW’s efforts to reform its compliance pro-
gram have been “outstanding” (Chan 2004). He further noted that since the law-
suit was filed, the university “has radically restructured their compliance office.
The government is very pleased with the efforts the UW is taking to take care of
these errors.”
Leadership from the Top: President Outlines the Charge
At the time of the medical billing scandal, Lee L. Huntsman was president of
UW. Huntsman had formerly been the acting provost, associate dean for scien-
tific affairs at the school of medicine, and a professor of bioengineering. The UW
Board of Regents had appointed Huntsman in a special session when Richard
McCormick, the incumbent, accepted the presidency at Rutgers. Huntsman served
for 18 months as president and continued as Special Assistant to the President and
Provost for Administrative Transition until 2005 and as a senior adviser to the uni-
versity for several more years. Mark A. Emmert, former chancellor of Louisiana
State University and a UW alumnus, was appointed as the 30th president of UW
and professor with tenure at the Evans School on June 14, 2004.
In April 2005, President Emmert charged V’Ella Warren, Vice President
for Financial Management, and David Hodge, Dean of the College of Arts and
Sciences, with conducting a preliminary review of best practices in compliance
and enterprise risk management in corporate and higher education institutions.
Warren engaged the Executive Director of Risk Management, Elizabeth Cherry,
and the Executive Director of Internal Audit, Maureen Rhea, to conduct a literature
search on enterprise risk management, particularly in higher education. Cherry
and Rhea engaged Andrew Faris, risk management analyst, to assist, and the three
spent nearly two years (from 2004 to 2006) conducting the literature search and
finding out how risk management was functioning on other campuses. As they
conducted their research, they continued to report their findings to Vice President
Warren. They also piloted the risk assessment process with various departments
at UW.
Based on their findings and discussions with Vice President Warren, a draft
report was compiled to provide initial guidance for the development of a
UW-specific framework. The report provided an overview of various approaches to
compliance, described best practices at four peer universities (University of Texas
system, University of Minnesota, University of Pennsylvania, and Stanford Uni-
versity), identified the common problems encountered in several recent compli-
ance problems at UW, and offered suggestions for actions that UW might take in
the effective management of compliance and risk. President Emmert then charged
Warren and Hodge to cochair the recommended Strategic Risk Initiative Review
Committee (SRIRC). The role of the SRIRC was to continue to investigate best prac-
tices in university risk management and make recommendations about a structure
and framework for compliance that would fit the UW culture. In a memo to the
SRIRC regarding that review, Warren and Hodge noted that they had “developed
a framework for university-wide risk and compliance management which builds
on [UW]’s decentralized and collaborative character.” President Emmert also made
it clear that the proposed model should be driven by UW’s core values as well as
promote “effective use of people’s time and energy.” In a memo to the deans and
cabinet members in 2005, President Emmert declared that UW did not “want or
need another layer of bureaucracy.”
The SRIRC was comprised of broad university representation, including
the Executive Vice President, the Associate Vice President for Medical Affairs,
the Senior Assistant Attorney General, the Vice Provost-elect for Research, the
Vice Provost for Planning and Budgeting, the Chancellor of the University of
Washington–Tacoma, the Athletic Director, the Dean of the School of Public Health
and Community Medicine, the Provost and Vice President for Academic Affairs,
the Dean of the School of Nursing, the Special Assistant to the President for Exter-
nal Affairs, the Vice President of Student Affairs, two faculty members, and two
students. Meeting throughout the fall semester, the SRIRC reviewed the prelim-
inary research material provided by Hodge and Warren and their team and dis-
cussed a variety of issues, including the structure for risk management, how risk
assessment has been and could be conducted, communication issues, methods for
reporting risks, ways to report progress, and others. For each initiative, they asked
the following three questions: Does this proposal add value? What obstacles are appar-
ent and how can they be addressed? How could this proposal be improved?
In addition to formal meetings, Cherry, Rhea, and Faris conducted one-on-one
meetings with the SRIRC members to gather more information about how they
viewed implementation at the university. Because one of the recommenda-
tions was the creation of a Compliance Council, meetings were also conducted
throughout the campus with director-level personnel to survey their interests
and suggestions regarding that aspect of the proposed model. Prior to the formal
implementation of the ERM program, resources were also dedicated to create an
infrastructure to sustain the recommended model. Faris’s role as risk manager
was formally revised to create a full-time ERM analyst position within the Office
of Financial Management in the Finance and Facilities division and a half-time
ERM project manager position was created, filled by Kerry Kahl.
Advisory Committee Recommendations: Create a Culture-Specific ERM Program
In February 2006, Hodge and Warren put forth to President Emmert a Collabora-
tive Enterprise Risk Management Proposal developed by the SRIRC. The proposal
recommended that “the UW adopt an integrated approach to managing risk and
compliance, commonly called enterprise risk management (ERM).” They acknowl-
edged that the proposed changes were not intended to “replace what already
works across the university,” but rather to “augment the existing organization with
thoughtful direction, collaboration, and communication on strategic risks” (Collab-
orative ERM Final Report, February 13, 2006). At the outset, the SRIRC acknowl-
edged that the structure and priorities of the ERM program would likely evolve
and develop over time, but the members of the committee were confident that
they had created a “strong, yet flexible framework within which to balance risk
and opportunity” (February 14, 2006, memo to President Emmert).
While the report acknowledged the impetus for the creation of the ERM pro-
gram (the $35 million compliance failure fine), it focused on the positive impact
an ERM program could have for UW, beyond addressing compliance concerns.
The report defined key terms and made recommendations based on three basic
parameters: scope of the framework, organizational structure for the framework,
and philosophy of the program. Each aspect was framed in the context of the liter-
ature review and campus comparisons; UW-specific recommendations were put
forth based on SRIRC discussion and analysis.
Scope of the Risk Framework
The report reviewed and discussed the various approaches taken by organizations
in practicing risk management, from a basic practice of risk transfer through insur-
ance to a more integrated institution-wide approach. It acknowledged that, prior
to implementation, some key decisions would need to be made: Would the scope
of the program be institution-wide or targeted at the school, college, or unit level?
Would it include all risks (compliance, finances, operations, and strategy) or be
focused on certain categories of risk? ERM was cited as “the most advanced point
on the continuum,” a model that integrates risk into the organization’s strategic
discussions. The report also summarized a Centralized Compliance Management
approach. This model, rather than encompassing all risks, would focus primarily
on legal and regulatory compliance. It was noted that “while both are university-
wide approaches, they vary in a number of important aspects, including scope,
objective, and benefits” (p. 6).
The report also summarized the ERM models at four IHEs, based on interviews
with compliance and audit managers at those institutions. Noting that all four were
institution-wide approaches, Pennsylvania and Texas were identified as having
adopted a more corporate philosophy; Minnesota, a compliance approach with a
centralized style; and Stanford, a collaborative ERM approach (see Exhibit 9.5). The
report recommended developing a “collaborative, institution-wide risk manage-
ment model” for UW, one that “ensures that UW creates an excellent compliance
model based on best practices, while protecting its decentralized, collaborative,
and entrepreneurial culture” (p. 28).
Exhibit 9.5 UW’s Approach to Risk Management Compared to Other Institutions
[Figure: Minnesota, Stanford, Pennsylvania, Texas, and Washington plotted on a chart whose axis labels are Enterprise Risk Management, Centralized Compliance Management, Control, and Collaboration.]
From University of Washington Collaborative Enterprise Risk Management Final Report, February 13, 2006.
Organizational Structure
Based on a review of the literature and discussions with risk and audit managers
at other universities, the report also summarized various models and structures
for organizing the risk management activities. One method was to appoint a cen-
tral risk officer with institution-wide oversight and responsibility. With this model,
key decisions would need to be made regarding reporting lines and the placement
of that position within the organization. The report also outlined UW’s current
approach to risk management, noting that it had moved beyond the insurance
approach, “which is usually reactive and ad hoc,” but also observing that respon-
sibility for specific risks was currently distributed among the institution’s orga-
nizational silos (p. 15). It further noted that “the UW does not formally integrate
risk and compliance into its strategic conversations at the university-wide level”
(p. 15). While acknowledging the good progress being made in several areas
(including UW Medicine, the newly restructured Department of Audits, and the
Office of Risk Management), the report highlighted the weaknesses of the current
approach, including the fact that “due to the size, decentralization, and complexity
of the institution, a proliferation of compliance, audit, and risk management activ-
ities has grown up around separate and distinct risk areas, each largely operating
in a self-defined stovepipe” (p. 18).
Philosophy of the Program
The report also discussed the philosophy of a proposed risk management pro-
gram, asking whether the preferred approach should focus on enforcing law and
regulation—a compliance or control approach—or be one that “encouraged coop-
eration between faculty and staff to develop flexible compliance approaches—a
collaborative approach” (p. 2). After sharing the findings from the literature review
and the institutional profiles of the peer institutions, the report outlined three guid-
ing principles to shape the evolution of compliance and risk management at UW:
(1) foster an institution-wide perspective, (2) ensure that regulatory management
is consistent with best practices, and (3) protect UW’s decentralized, collaborative,
entrepreneurial culture. In light of these principles, the report made the following
eight recommendations, detailing the key elements and implementation sugges-
tions for each:
1. Integrate key risks into the decision-making deliberations of senior leaders
and Regents.
2. Create an integrated, institution-wide approach to compliance.
3. Ensure that good information is available for the campus community.
4. Create a safe way for interested parties to report problems.
5. Minimize surprises by identifying emerging compliance and risk issues.
6. Recommend solutions to appropriate decision makers.
7. Check progress on compliance and risk initiatives.
8. Maintain a strong audit team.
EVOLUTION OF ERM AT UW
The SRIRC report acknowledged that the ERM concept was not new, but that it has
not been fully implemented at many organizations, especially in higher education.
The development of risk management within an organization was discussed, not-
ing that the management of risk develops along a continuum, with early mod-
els focused on hazard risks only and mitigation being accomplished primarily
through the purchase of insurance. As risk models evolve at an organization, other
risk types are added to the model and more cross-functional participation by other
units begins to occur. Ultimately, strategic risks are added to the conversation and
there is an integration of information from all units across the university. It is at
this point that risk can be viewed as both an opportunity and a threat and where
mitigation priorities can be more clearly linked to the strategic objectives of the
organization.
In 2006, when the ERM program and model were proposed, UW viewed itself
as being in the middle of the continuum (see Exhibit 9.6). The report noted:
Although many operational units, committees, and administrative bodies handled
the risks faced in their own environments well, there is little cross-functional shar-
ing of information. The opportunity aspect of risk is therefore not fully utilized
by the University and risk mitigation priorities are not consistently driven by the
institution’s strategic objectives. (p. 4)
The 2012 ERM Annual Report observes that “the ERM program has continued
to evolve, developing structural mechanisms to support the 8 initial recommenda-
tions” (p. 2).
Faris and Kahl commented that the first few years of implementation of ERM
at UW were focused on risk assessments. They spent most of their time (both
working with the ERM committees and in their roles as ERM staff) performing risk
assessments using the risk mapping process (e.g., writing a risk statement, ranking
the risks for likelihood and impact, plotting the risks on a 5 × 5 map). In the first
four or five years, they conducted nearly 35 risk assessments across the university.
Based on broad cross-functional topics identified by the President’s Advisory
Committee on ERM (PACERM), the risk assessments were facilitated by Faris and
Kahl with temporary teams put together to meet three to five times over the course
of the year to write risk statements, rank them, and put together suggestions for
mitigation.

Exhibit 9.6 Evolution of ERM at the University of Washington
[Figure: chart titled “UW Evolution of ERM.” One axis, Risk Categories: Strategic – Mega, Financial, Operational, Compliance. Other axis, Degree of Cross-Functional Integration: Separate Functions, Partial Integration, Full Integration. Legend: What we have accomplished; Where UW’s program is headed.]
From University of Washington 2009 ERM Annual Report, p. 4.

The first five years of ERM at UW were “formative” and focused on the fol-
lowing key activities:
• Developing a common language around risk
• Conducting individual risk assessments
• Focusing discussion and mitigation on financial and enrollment challenges
• Comparing financial strength (as gauged by Moody’s Investors Service) against peers
• Drafting an initial compendium of enterprise-wide success metrics
Well-written, clear annual reports to the president, the Board of Regents, and
the UW community helped to connect the dots and keep the strategic overar-
ching goals front and center, even as employees at the unit level were continu-
ously engaged in the more operational aspects of ERM. Exhibit 9.7 summarizes
the implementation time line from the formalized inception of ERM at UW to the
present. A review of the chart shows how the UW has continued to focus on mov-
ing from an initial focus on hazard risk to a more integrated, strategic approach to
enterprise risk management.
www.it-ebooks.info
164 Implementing Enterprise Risk Management
Exhibit 9.7 University of Washington ERM Implementation Time Line
Academic
Year Initiatives∗
2005–2006 President Emmert charged administrators with review of best practices and
development of broad institutional compliance/risk framework for UW.
Warren and Hodge drafted report with overview of institution-wide
approaches, best practices at four peer universities, common compliance
problems faced by UW, and suggestions for next steps.
2006–2007
Developed a central focus and common language for evaluating risk across the university.
ERM structure formed (including PACERM, Compliance Council).
First UW-wide risk map was compiled.
Office of Risk Management dedicated one FTE to ERM initiative.
Dedicated $4.8 million in funds for integrity/compliance/stewardship initiatives, including animal care, student life counseling, human subjects, global activities, and IT security.
Information about ERM program included in reinsurance renewal discussions with international underwriters.
First Annual Report to the Board of Regents.

2007–2008
Identified key strategic and mega risks for the institution.
Expanded Compliance Council to form COFi.
Rolled out Enterprise Risk Management Toolkit for units to do self-assessments.
UW Medicine and Department of Athletics presented annual reports on their compliance programs and ongoing efforts to minimize risks and address current issues.
Continued development of the Institutional Risk Register.
Internal Audit department expanded from nine to 15 staff.

2008–2009
Focused on financial crisis and demographics.
PACERM formed two mega-risk subgroups to apply ERM processes at a strategic level: extended financial crisis and faculty recruitment and retention.
HR advance planning for economic downturn and major reduction in state funding.
Office of Risk Management conducted first Employment Practices Liability Seminar.
ERM web pages were enhanced.
Hired a new Executive Director for Audits.
Second ERM Report to the Board of Regents.

2009–2010
Development of the UW Integrated Framework based on COSO model.
PACERM focused discussion on how to remain competitive.
Initial exploration of enterprise-wide dashboard of success metrics.
Use of risk assessments in business case alternatives and research proposals.

2010–2011
PACERM evaluated the university’s academic personnel profile and oversaw major information technology projects.
Assessed institutional financial strength in comparison to peers (Moody’s).
More than 200 ERM Toolkits provided to universities and companies.

2011–2012
Development of enterprise-wide dashboard of success metrics.
UW’s work recognized as a “Best Practice” by the Association of Governing Boards for Universities and Colleges (AGB).

∗All initiatives, including others not detailed in this chart, are outlined in more detail in the UW ERM
Annual Reports, available at the website: http://f2.washington.edu/fm/erm.
ERM STRUCTURE AT UW
The organizational structure for ERM at UW arose out of the initial recommendations
of the SRIRC. In its aggregate, the UW ERM program is comprised of the
following areas, working together to create an effective structure: UW units; ERM
staff; Compliance, Operations, and Finance Council (COFi Council); President’s
Advisory Committee on ERM (PACERM); Internal Audit; and the UW President
and Provost (see Exhibit 9.8).
UW Units
At the unit level, staff and faculty take ownership of the activities that give rise
to risk. They conduct risk and opportunities identification and self-assessments.
They develop strategies and take action to mitigate and monitor risk. They are
encouraged to share a summary of their risk assessments with the Office of Risk
Management.
ERM Program Staff
There are 1.5 full-time equivalent (FTE) ERM program staff located in the office of
the associate vice president/controller for UW. This staff supports the work of the
various committees and units, in part by establishing the ERM framework, standards,
and templates. They monitor and participate in risk assessments for the purpose of
providing the enterprise view. They provide administrative support and summary
information and analyses to the ERM committees. They also provide professional
development in a train-the-trainer format.

[Exhibit 9.8 (diagram), labels as printed:
University President and Provost; UW Environment (e.g., right side of cube).
Entity Level: President’s Advisory Committee on Enterprise Risk Management (PACERM)
(e.g., top-down view of strategic risks, mega risks, and opportunities).
Division or Function Level: Compliance, Operations, Finance Council (COFi)
(e.g., middle up, cross-functional view of compliance, operations, and financial risks).
Eight functional areas of risk: Research; Academic Affairs; Athletics; Health Care;
Risk and Safety; Finance; Information Technology; Human Resources.
Core Functions; Support Services; Attorney General; Risk Management;
Environmental Health & Safety.
Unit Level (e.g., bottom-up view of risks and opportunities): Examples of UW Units.]
Exhibit 9.8 University of Washington ERM Structure
From University of Washington 2010 ERM Annual Report, p. 10.
Compliance, Operations, and Finance Council (COFi)
The COFi Council, led by the Executive Director of Audits, takes a middle-up,
cross-functional view of risks and opportunities, particularly items that have
university-wide potential impact or where supervisory authority for various
aspects of the risk reside in different departments or divisions across the
university. The COFi Council has oversight of risk assessments at the division or
functional level. It provides approval of methods to monitor risks and identifies topics
for outreach, particularly items that have university-wide potential impact or that
involve cross-departmental or divisional silos. The six primary goals of the COFi
Council are to:
1. Engage in a continual, cross-functional process that results in effective
prioritization of institutional responses to compliance, financial, and operational
risks, and consider the impact to strategic and reputational risks.
2. Ensure that the institutional perspective is always present in risk and
compliance management discussions.
3. Identify strategies to address emerging risks and compliance management
issues.
4. Support risk and compliance management training and outreach efforts
throughout the university.
5. Provide external auditors and regulators with information about the
university’s risk and compliance programs.
6. Avoid the creation of additional bureaucracy by minimizing redundancy
and maximizing resources.
President’s Advisory Committee on ERM (PACERM)
PACERM, cochaired by the Provost and the Senior Vice President for Finance and
Facilities, has oversight of risk assessments at the entity level. Taking a top-down
view of risks and opportunities, PACERM advises the university president and
other senior leaders on the management of risks and opportunities that may
significantly impact strategic goals and/or priorities. They review the ERM dashboard
(e.g., key risk indicators and key performance indicators). According to V’Ella
Warren and Ana Mari Cauce, cochairs of PACERM in 2008–2009, PACERM “is the
one place where participants set aside their individual organizational perspectives,
and really think about the major risks and opportunities from an institution-wide
view” (2009 ERM Annual Report, p. 6).
Internal Audit
Internal Audit provides independent verification and testing of internal controls.
The department also provides administrative support and summary information
to the COFi Council.
UW President and Provost
The President and Provost play a key role in acknowledging, validating, and
supporting the ERM program. They verbally refer to key documents such as the ERM
framework, PACERM and COFi Council charters and assessments, and the ERM
dashboard. They provide entity-level reporting to the Regents.
UW’S ERM MODEL
After a careful review of models in the corporate sector and within higher
education, UW settled on the following regarding its ERM model:
• Assess risks in the context of strategic objectives, and identify interrelation
of risk factors across the institution, not only by function.
• Cover all types of risk: compliance, financial, operational, and strategic.
• Foster a common awareness that allows individuals to focus attention on
risks with strategic impacts.
• Enhance and strengthen UW’s culture of compliance while protecting the
decentralized, collaborative, entrepreneurial nature of the institution.
Adopting and Adapting the COSO Model
UW has defined ERM according to its interpretation of the Committee of Sponsoring
Organizations (COSO) model, adapting the framework to fit the university
environment and the UW in particular (see Exhibit 9.9). COSO describes ERM
as “a process, effected by an entity’s board of directors, management, and other
personnel, applied in strategy setting and across the enterprise, designed to
identify potential events that may affect the entity, and manage risk to be within
its risk appetite, to provide reasonable assurance regarding the achievement of
entity objectives” (COSO 2004).

[Exhibit 9.9 (cube diagram): University of Washington Enterprise Risk Management –
Integrated Framework.
Top face, Risk Categories: Compliance; Operations; Financial; Strategic; Mega.
Right face, UW Environment: Entity Level; Division or Function Level; Unit Level;
Alternatives.
Front face, ERM Process: Leadership, Culture, Values; Strategic Goals;
Risk / Opportunity Identification; Risk / Opportunity Assessment; Response;
Control Activities; Information & Communication; Monitoring & Measuring.]
Exhibit 9.9 University of Washington’s ERM Integrated Framework
From University of Washington Enterprise Risk Management Toolkit, p. 7. Copyright 2007, University
of Washington.

The framework was adopted in 2009–2010; the 2010 ERM Annual Report notes:
The UW ERM Integrated Framework offers a schema to integrate the views of risk
that have historically been addressed in silos or through a fragmented approach.
The ERM framework bridges the gap between lower-level issues and upper-level
issues, and it allows us to be explicit about the multiple levels on which the ERM
process is deployed as a risk and/or opportunity management mechanism. (p. 4)
Risk Categories
The top of the cube identifies risk types, including compliance, operations, and
financial risks. Strategic risks can impact the mission. Mega risks are major external
events over which the institution has no control, but for which the institution can
prepare.
UW Environment
The right side of the cube views the organizational structure at three levels: entity,
which entails all operations and programs; division or function, looking at a major
risk in depth; and unit, where individual departments can use the tools to assess
their risks. A fourth level of ERM used in the UW environment is to evaluate
alternatives.
ERM Process
The front of the cube outlines the traditional eight steps from the COSO model,
including setting the tone and context for ERM at the top, identifying risks in
conjunction with strategic goals, and continuing through the complete cycle to
implementation and follow-up.
The report notes:
UW’s “cube” integrates the several ERM facets into a whole, and enables ERM to
be applied in a very intentional manner: Starting any new risk assessment requires
identifying the appropriate level of the organization or environment at which the
assessment will be made; focusing on which set of risks (compliance—strategic—
mega risks) to cover; and applying all the steps in the ERM cycle to ensure a
complete assessment and follow through.
The UW views ERM as integrating risk discussions into strategic deliberations
and identifying the interrelation of risk factors across activities. Using the COSO
model, its eight-step process involves the following (see Exhibit 9.10):
1. Leadership, culture, and values. Setting the tone at the top.
2. Strategic goals. At the entity or institutional level (top down), the division
or function level (risk topic across shared goals of VPs and deans—“middle
up”), the unit level (such as a department, school, or college—bottom up),
or the alternatives level (investment alternatives or business options).
[Exhibit 9.10 (cycle diagram titled “ERM Process”), steps as printed: Leadership,
Culture and Values; Strategic Goals; Risk Identification; Risk Assessment; Controls;
Response; Monitoring and Measuring; Information and Communication.]
Exhibit 9.10 University of Washington ERM Process
From University of Washington Enterprise Risk Management Toolkit, p. 8. Copyright 2007, the
University of Washington.
3. Risk identification. In the appropriate context, name the harm, loss, or
compliance violation to avoid, as well as the opportunities to be identified.
This typically begins with listing broad risk activities or subject areas. Risks
can be identified at the entity, division, functional, unit, or alternatives
level. This process includes the use of risk statements and opportunity
identification.
4. Risk assessment. In the appropriate context, analyze the risk or opportunity
in terms of likelihood and impact (see Exhibit 9.11). Create a risk map, ranking
or prioritizing risks to inform decisions regarding response. For opportunities,
rate the likelihood of occurrence on a scale of 1 to 5 (1 = rare, not
expected to occur in the next five years; 5 = almost certain, expected to occur
more than once per year). Also rank the positive impact, considering what
impact the opportunity would have on the institution’s ability to achieve
goals or objectives (1 = insignificant, with little or no impact on objectives
and no impact to reputation and image; 5 = outstanding, could significantly
enhance the capability to meet objectives and could significantly enhance
reputation and image).
5. Response. Selecting the appropriate response involves comparing the cost
of implementing the option against benefits derived from it. Responses
include avoid, mitigate, transfer, or accept the risk. For opportunities, the
response can be exploit, enhance, share, or ignore.
6. Controls. Document internal controls for top risks, and rank for effectiveness.
For UW, internal controls are narrowly defined to describe the methods
used by staff or faculty that help ensure the achievement of goals and
objectives, such as policies, procedures, training, and operational and physical
barriers.
IMPACT (rows) by LIKELIHOOD (columns)

                    Rare   Unlikely   Possible   Likely   Almost Certain
                    (1)    (2)        (3)        (4)      (5)
Catastrophic (5)     5     10         15         20       25
Disastrous (4)       4      8         12         16       20
Serious (3)          3      6          9         12       15
Minor (2)            2      4          6          8       10
Insignificant (1)    1      2          3          4        5

Risk Level     Score Range
Extreme        19.5 – 25
High           12.5 – 19.4
Substantial    9.5 – 12.4
Medium         4.5 – 9.4
Low            1 – 4.4

Exhibit 9.11 University of Washington Risk Assessment: Likelihood and Impact
From University of Washington Enterprise Risk Management Toolkit, p. 17. Copyright 2007, the
University of Washington.
7. Information and communication. Communicate with stakeholders and take
action (the transition from analysis to action). Designate a risk owner for
each of the top risks.
8. Monitoring and measuring. Monitor performance to confirm achievement
of goals and objectives, and monitor risk to track activities that prevent
achievement of goals and objectives.
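The following sketch is an added example, not code from the chapter or from the UW Toolkit. It applies steps 4, 5, and 7 to a small constructed register: it scores each risk as likelihood times impact, assigns the Exhibit 9.11 level, ranks the register into a risk map, and flags top risks that have no designated owner. Assumptions: fractional scores come from averaging several assessors' ratings, each band's printed lower bound is used as a threshold, and "top risks" means the Extreme and High levels; all names and ratings are hypothetical.

```python
"""Risk map built from a register, scored per Exhibit 9.11 (added example)."""
from dataclasses import dataclass
from statistics import mean

# Exhibit 9.11 levels as (lower bound, level). Treating each printed lower
# bound as a threshold is an assumption of this example; it also classifies
# averaged scores that fall between two printed ranges (for example 19.45).
BANDS = [(19.5, "Extreme"), (12.5, "High"), (9.5, "Substantial"),
         (4.5, "Medium"), (1.0, "Low")]
RESPONSES = {"avoid", "mitigate", "transfer", "accept"}  # step 5 on the page
TOP_LEVELS = {"Extreme", "High"}  # assumption: levels treated as "top risks"


@dataclass
class Risk:
    statement: str
    ratings: list      # one (likelihood, impact) pair per assessor, each 1-5
    response: str
    owner: str = ""    # step 7: risk owner; empty means none designated


def score(risk):
    """Mean likelihood times mean impact across assessors (assumed method)."""
    if not risk.ratings:
        raise ValueError(f"{risk.statement!r}: no ratings recorded")
    for likelihood, impact in risk.ratings:
        if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
            raise ValueError(f"{risk.statement!r}: ratings must be 1 to 5")
    likelihoods = [pair[0] for pair in risk.ratings]
    impacts = [pair[1] for pair in risk.ratings]
    return mean(likelihoods) * mean(impacts)


def level(value):
    """Map a score from 1 to 25 onto the Exhibit 9.11 risk level."""
    if not 1 <= value <= 25:
        raise ValueError(f"score {value} is outside 1 to 25")
    for lower_bound, name in BANDS:
        if value >= lower_bound:
            return name
    raise AssertionError("unreachable: bands cover 1 to 25")


def risk_map(register):
    """Return register rows ranked by score, highest first, with open issues."""
    rows = []
    for risk in register:
        if risk.response not in RESPONSES:
            raise ValueError(f"{risk.statement!r}: unknown response "
                             f"{risk.response!r}")
        value = score(risk)
        risk_level = level(value)
        issues = []
        if risk_level in TOP_LEVELS and not risk.owner:
            issues.append("no risk owner")
        rows.append({"statement": risk.statement,
                     "score": round(value, 2),
                     "level": risk_level,
                     "response": risk.response,
                     "owner": risk.owner,
                     "issues": issues})
    rows.sort(key=lambda row: row["score"], reverse=True)
    return rows


# Constructed sample register; the statements echo topics named in the
# chapter, but every rating, response, and owner here is made up.
SAMPLE_REGISTER = [
    Risk("IT security incident", [(3, 3), (3, 4)], "transfer",
         owner="Information Security (hypothetical)"),
    Risk("Extended financial crisis", [(4, 5), (5, 5), (4, 4)], "mitigate",
         owner="Finance and Facilities (hypothetical)"),
    Risk("Unit record-keeping lapse", [(2, 2)], "accept"),
    Risk("Faculty recruitment and retention", [(3, 4), (4, 4)], "mitigate"),
]

if __name__ == "__main__":
    for row in risk_map(SAMPLE_REGISTER):
        flag = "; ".join(row["issues"]) or "ok"
        print(f'{row["score"]:>6}  {row["level"]:<12} {row["statement"]} '
              f'[{row["response"]}] ({flag})')
```
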
Tools and Techniques
As its ERM program has developed and evolved, UW has learned from its experience
and is positioned to share information not only internally, but with others
in higher education as well. The university has developed a comprehensive
Enterprise Risk Management Toolkit, copyrighted in 2007, with the second edition
released in 2010. The second edition includes an expanded section on the ERM process
and has new material on evaluating opportunities. It comprises a manual
and a set of spreadsheets that provide a framework for assessing and understanding
institutional risks. The UW allows access to the Toolkit for UW staff, faculty,
and students, federal agencies, Washington State agencies, and other institutions
of higher education at no charge through the UW Center for Commercialization
Express Licensing Program.
As is typical with most universities, the tools utilized by UW for conducting
the risk assessment process are Microsoft Office products. Excel is used to catalog
risk assessment inventories and Word for report writing. While the administrators
have explored many options for software to aid in the process (and to potentially
provide outcomes such as dashboards), they find that, having been developed in
the corporate for-profit environment, none of those options are particularly suited
to capturing the needs of the higher education environment. They note, however,
that at the unit level, many departments are investing in unit-specific software to
aid in their data management. For example, the Finance and Budgeting Office is
investigating software to run stress tests and financial simulations, and the Human
Resources Office is examining payroll software. This allows the units to more
quickly evaluate risk specific to their areas, but UW finds that its ability to
aggregate risks for examination at the entity level can be accomplished effectively
with its low-tech process.
OUTCOMES AND LESSONS LEARNED
UW administrators can chart the evolution of their ERM program and its effect
on the university. They note that the early wins were at the unit
level, when specific departments, such as Information Security and Environmental
Health and Safety, integrated the ERM process with their well-established strategic
planning processes. Those units used the risk assessment tools to identify and rank
risks that could hinder or prevent the achievement of their strategic goals.
Integration of ERM at the entity level is happening more slowly, but issues that impact
everyone at the UW, such as faculty recruitment and retention or responding to
the external financial crisis, can now be addressed in a more integrated fashion as the
understanding of ERM evolves. For several years, due to severe budget reductions,
the Office of Planning and Budgeting consciously added some questions about
risk assessment into the budget request process. Vice presidents and deans were
asked to address the impact of budget reductions in terms of risk. This happened,
in part, because two key members of the Budget and Planning Office, as well as
the Provost, have been involved with the PACERM.
UW administrators have a few other observations about their process and how
and why it has worked. First, they note that they were aware from the outset that
the environment at UW is highly decentralized and that appointing an “ERM czar”
or chief risk officer (CRO) wouldn’t fit with the culture. They made a deliberate
choice not to formalize ERM through a senior-level position, but rather to engage
in implementation through a committee structure. Second, they involved faculty
members from the beginning. This helped with a sense of shared purpose. Faculty
members came to see the business side of academia, and staff and administrators
better understood the point of view of scholars engaged in teaching and learning.
Third, the senior leadership has stayed dedicated to the ERM process, even with
transitions in the president and other senior administrators. The 2011 ERM Annual
Report points out the benefits to the UW of the ERM approach:
The value of ERM is both qualitative (e.g., risk and opportunity maps) and
quantitative (e.g., dashboards to contextualize and display metrics). Qualitative benefits
accumulate because the risk mapping process allows groups throughout the
University to collectively prioritize issues, and ensure that the effort and resources
involved in root cause analysis, measurement, and monitoring are applied only
to the most significant concerns. Each iteration of the ERM process results in
new capabilities, and insight gained into maintaining the University’s competitive
advantage—particularly from managing our financial risks and strategic
opportunities better than our peers. (p. 5)
UW has been strategic, deliberate, and inclusive as it continues on its journey
to develop and enhance its ERM program, learning lessons from what works and
adapting new strategies in order to improve or modify its program. ERM began
at UW in 2006 “by establishing a collaborative approach and structure to consider
broad perspectives in identifying and assessing risk” (2012 Annual Report, p. 3).
This strategy has helped UW overcome some of the traditional challenges facing
universities when implementing ERM, including addressing concerns about
the real effectiveness of risk assessment, getting agreement on definitions of risk
assessment impact, identifying risk owners, and moving beyond the “risk discussion”
to focus on mitigation (2012 Annual Report, p. 3). In her November 2012
presentation on UW’s ERM program to the Pacific Northwest Enterprise Risk Forum,
Ann Anderson, Associate VP and Controller, outlined the following seven key
lessons that UW has learned by engaging in ERM for almost eight years:
1. Clarify the roles of the various risk committees.
2. Develop a “work plan” for the committees.
3. Develop engaging agendas, focused at the appropriate level.
4. Don’t overemphasize “lowest common denominator” risks.
5. Gather data/information to develop expertise on specific risks.
6. Avoid discussing low-level, narrow risks—too time-consuming!
7. Don’t get into the weeds with implementation and process. Delegate actions
to responsible parties.
WHAT NEXT?: CURRENT PRIORITIES
AND FUTURE DIRECTION
As the 2010 ERM Annual Report points out, the process of involving people in
risk assessments, even with the most well-developed risk assessment tools, is only
part of the process. “Successfully maintaining a large-scale organizational
initiative such as ERM requires a comprehensive, broad based approach that is widely
understood and used regularly to clearly articulate where risks and opportunities
exist throughout the University” (p. 4). As ERM moves forward at UW, the focus is
on a “greater refinement of institutional success metrics, increased assessments of
risks identified, and continued expansion across the university to incorporate risk
assessment into decision-making and strategic planning” (2012 Annual Report,
p. 2). The objectives for 2013–2014 are: (1) strengthen oversight of the top risks and
(2) enhance coordination and integration of ERM activities with decision-making
processes. Several initiatives will help UW achieve these objectives, including
seeking input and approval from the PACERM in order to elevate the monitoring of
the top risks; a comparison of the institutional-level risks with unit-level risks; the
development of quantitative visual representations of the risks, metrics, and
targets; engaging the community more broadly in risk management; integrating risk
management with the budget and planning cycle for the university; a retrospective
analysis of risks and mitigation investments; and a forward-looking analysis
to highlight gaps and areas of concern. They are also in the process of developing
specific deliverables and measures as indicators of success, such as executive-level
risk registers, dashboards of key risks, and a foundation and structure to integrate
risk maps and dashboards with the planning and budgeting cycle.
CONCLUSION
UW’s ERM implementation process and lessons learned are consistent with the
guidance offered by the National Association of College and University Attorneys
(NACUA). In a 2010 conference presentation, NACUA identified the following
eight critical success factors:
1. Establish the right vision and realistic plan.
2. Obtain senior leadership buy-in and direction.
3. Align with mission and strategic objectives.
4. Attack silos at the outset.
5. Set objectives and performance indicators.
6. Stay focused on results.
7. Communicate vision and key outcomes.
8. Develop a sustainable process versus a one-time project.
While complex and time-consuming, effective development of a culture-specific
ERM program can have positive outcomes for colleges and universities.
Institutions such as UW that view ERM as a long-term investment in institutional
health, rather than a fad or simply a set of tools (such as spreadsheets and heat
maps), position themselves well not only to respond to the external demands from
credit ratings agencies, accreditors, and federal regulators, but to situate
themselves to make key strategic decisions, informed by both quantitative and
qualitative data, to enhance their organization, leading to increased enrollment and
graduation and strategic disbursement of resources for teaching and research, as
well as increasing the likelihood that, due to their integrated, proactive approach,
they will avoid future compliance scandals. Perhaps the two most important
deliverables on UW’s 2013–2014 agenda are those that demonstrate its awareness of
the importance of the human resources component in its collegial environment:
outreach to faculty and other administrators to obtain broader validation of risks
and to identify additional mitigation activities, and an iterative process to involve
senior leaders, the Provost, the President, and the Regents in monitoring the top
risks. Through this process, UW is building a culture not only of compliance, but
of shared responsibility for the future health of the university.
QUESTIONS
1. How does ERM adoption and implementation in the higher education environment
differ from the for-profit environment?
2. What type of culture is at the University of Washington? Why is culture important to
consider when implementing ERM?
3. What were some of the key factors in the early stages of UW’s ERM adoption and
implementation that led to its current success within the organization?
4. Why did UW decide to adopt a committee structure to administer its ERM program
rather than designate a senior level Chief Risk Officer?
5. Who are some of the key players involved in the decision-making about the ERM model
and its current administration?
NOTES
1. Many colleges and universities were affected by Hurricane Katrina in the New Orleans
area (see the American Association of University Professors [AAUP] Special Committee
Report on Hurricane Katrina and New Orleans Universities at
https://portfolio.du.edu/downloadItem/92556). The independent report by Louis Freeh
and his law firm, Freeh Sporkin & Sullivan, LLP, documents the facts and circumstances
of the actions of Pennsylvania State University surrounding the child abuse committed by
a former employee, Gerald A. Sandusky (available at
http://progress.psu.edu/the-freeh-report). The AAUP’s Committee on College and
University Governance reported on breakdowns in governance at the University of
Virginia as the board attempted to remove president Sullivan
(www.aaup.org/report/college-and-university-governance-university-virginia-governing-board).
American University trustees removed then president Ladner in 2005 after investigation
of expense abuses of university funds
(http://usatoday30.usatoday.com/news/education/2005-10-11-au-president_x.htm).
The most tragic of these situations was, of course, the shootings at Virginia Tech on
April 16, 2007. On December 9, 2010, the U.S. Department of Education issued a final
ruling that Virginia Tech had violated the Clery Act by failing to issue a “timely
warning” to students and other members of the campus community following the initial
shootings early on the morning of April 16, 2007. In commenting on the verdict, Stetson
Professor of Law Peter Lake stated, “Higher education is under the microscope now.
The accountability level has definitely changed” (S. Lipka,
“Jury Holds Virginia Tech Accountable for Students’ Deaths, Raising Expectations at
Colleges,” Chronicle of Higher Education, March 14, 2010).
2. In order to disburse federal financial aid and grant degrees, institutions in the
United States are accredited by one of several accrediting bodies. One example of
the way in which accreditors are emphasizing risk management in their review is the
Southern Association of Colleges and Schools Commission on Colleges (SACS COC)
(www.sacscoc.org/) Standard 3.10.4: The institution demonstrates control over all of
its physical and financial resources. The University of Virginia demonstrates evidence
of this standard on its website by articulating the organizational structure and
integrated policies and procedures related to internal and external audit, internal
controls, fixed assets, procurement, facilities management, and risk management, among
others (www.virginia.edu/sacs/standards/3-10-4.html).
3. The recent Special Comment by Moody’s, “Governance and Management: The
Underpinnings of University Credit Ratings,” declares that “governance and management
assessments often account for a notch or more in the final rating outcome compared
with the rating that would be indicated by purely quantitative ratio analysis” (Kedem
2010, p. 1). In Moody’s consideration of five broad factors that contribute to its
evaluation of governance and management, the report cites “oversight and disclosure
processes that reduce risk and enhance operational effectiveness” (p. 2). The report
further notes: “Effective internal controls and timely external disclosure about
student outcomes, research productivity, financial performance, and organizational
efficiency will become the hallmark of effective university leadership and will become
increasingly critical in mitigating new risks to individual universities and the sector
overall” (p. 3).
4. One significant area of change has been the Internal Revenue Service’s increased
oversight of compliance issues affecting tax-exempt entities, including colleges and
universities. In 2008, under prompting by members of the U.S. Senate Finance Committee, the
IRS developed a 33-page compliance questionnaire (IRS Form 14018) and sent it to a
cross section of 400 institutions of higher education. The form focused on a number of
potentially sensitive subjects, including the types and amounts of executive
compensation, the investment and use of endowment funds, and the relationship between an
institution’s exempt activities and other taxable business activities. The IRS also revised
its Form 990, “Return of Organization Exempt from Income Tax,” beginning with the
2008 tax year. The purpose of the changes is to increase the transparency and
accountability of tax-exempt organizations and to ensure compliance with the Internal Revenue
Code by requiring more detailed information in several categories. The changes focus
not only on revenue, investment, and spending issues, but also on governance, conflicts
of interest, and whistle-blower policies and procedures.
5. Based on a March 13, 2012, phone interview.
6. The Higher Education Act, up for renewal again in 2014, is a law almost 50 years old
that governs the nation’s student-aid programs and federal aid to colleges. It was signed
into law in 1965 as part of President Johnson’s Great Society agenda of domestic
programs, and it has been reauthorized nine times since then, most recently in 2008.
Additional examples at the federal level include Section 504 of the Rehabilitation Act of 1973,
the Americans with Disabilities Act (ADA) (1990), Family Educational Rights and
Privacy Act (FERPA) (1974, 1998, 2009), Health Insurance Portability and Accountability
Act (HIPAA) (1996), Clery Act (1990), and Campus Sex Crimes Prevention Act (2000),
among others. Lawsuits brought against institutions of higher education in which they
and/or certain administrators at those institutions are accused of violating a particular
federal law or a related legal right can lead to case decisions that impact that institution
and perhaps others. Lawsuits can also have a significant impact even if they result in a
settlement rather than a court decision. In May 2006, a group of 12 current and former
deaf students at Utah State University sued the institution in U.S. District Court
alleging that it had violated the Rehabilitation Act and the ADA by failing to provide enough
fully qualified interpreters. The lawsuit also named the Utah State Board of Regents as
defendants. After negotiations, the lawsuit was settled in April 2007 with the
university agreeing to hire qualified, full-time interpreters at a ratio of one translator for every
two deaf students. The lawsuit, the issues it raised, and its ultimate resolution received
significant media attention, as well as attention from various organizations around the
country promoting the interests of students who are deaf or have hearing deficiencies.
7. Mitroff, Diamond, and Alpaslan (2006) note that “colleges and universities are in the
very early stages of establishing their crisis management programs, and much remains
to be done. The recent experience in New Orleans and elsewhere suggests that
developing and maintaining a well-functioning crisis management program is an operational
imperative for college and university leaders” (p. 67).
8. One of those administrators was Elizabeth Cherry, Director of Risk Management, from
the University of Washington (UW). As will be discussed in the case study, the UW was
embroiled in several high-profile risk situations at the time and was undergoing the first
of several presidential transitions.
9. See A. P. Liebenberg and R. E. Hoyt, “The Determinants of Enterprise Risk Management:
Evidence from the Appointment of Chief Risk Officers,” Risk Management and Insurance
Review 6:1 (2003): 37–52. Their study uses a logistic model to examine the characteristics
of firms that adopt ERM programs, most of which signal the fact that they have an ERM
program through the hiring of a CRO.
10. Many thanks to Andrew Faris, Enterprise Risk Management Analyst at the University
of Washington, and Kerry Kahl, ERM Project Manager at UW. They provided
information via an interview in April 2012 that is incorporated throughout this
case study. Additional information for the case study comes from Annual Reports,
memos, and other documents found on the University of Washington ERM website:
http://f2.washington.edu/fm/erm.
REFERENCES
Abraham, Janice. 2013. Risk Management: An Accountability Guide for University and College
Boards. Washington, DC: Association of Governing Boards of Universities and Colleges
and United Educators.
American Society of Mechanical Engineers–Innovative Technologies Institute, LLC. 2010. A
Risk Analysis Standard for Natural and Man-Made Hazards to Higher Education Institutions.
Washington, DC: American National Standards Institute.
Arena, M., M. Arnaboldi, and G. Azzone. 2010. “The Organizational Dynamics of Enterprise
Risk Management.” Accounting, Organizations and Society 35:7, 659–675.
Association of Governing Boards of Universities and Colleges and United Educators. 2009.
The State of Enterprise Risk Management at Colleges and Universities Today. Available at
www.agb.org.
Barnds, W. Kent. 2011. “The Risky Business of the Strategic Planning Process.” University
Business. Available at www.universitybusiness.com/article/risky-business-strategic-planning-process.
Birnbaum, Robert. 1988. How Colleges Work: The Cybernetics of Academic Organization and
Leadership. San Francisco: Jossey-Bass.
Bolman, Lee G., and Terrence E. Deal. 2008. Reframing Organizations: Artistry, Choice and
Leadership. San Francisco: Jossey-Bass.
Bush, Tony. 2011. Theories of Educational Leadership and Management (4th ed.). London: Sage
Publications.
Cassidy, D. L., L. L. Goldstein, S. L. Johnson, J. A. Mattie, and J. E. Morley Jr. 2001. “Developing
a Strategy to Manage Enterprisewide Risk in Higher Education.” National Association
of College and University Business Officers and PricewaterhouseCoopers. Available
at www.nacubo.org/documents/business_topics/PWC_Enterprisewide_Risk_in_Higher_Educ_2003 .
Chan, Sharon Pian. 2004. “UW Failed to Address Overbilling, Probe Finds.” Seattle
Times, May 1, 2004. Available at http://seattletimes.com/html/localnews/2001917467_uwmed01m.html.
Chang, Jean. 2012. Skype interview, March 2.
Committee of Sponsoring Organizations of the Treadway Commission. 2004. Enterprise
Risk Management—Integrated Framework. Available at www.idkk.gov.tr/html/themes/bumko/dosyalar/yayin-dokuman/COSOERM .
Committee of Sponsoring Organizations of the Treadway Commission. 2011. Internal
Control—Integrated Framework. Available at www.coso.org/documents/coso_framework_body_v6 .
Freeh, Sporkin & Sullivan, LLP. 2012. “Report of the Special Investigative Counsel Regarding
the Actions of the Pennsylvania State University Related to the Child Sexual Abuse
Committed by Gerald A. Sandusky,” July 12. Available at http://progress.psu.edu/the-freeh-report.
Gallagher Higher Education Practice. 2009. “Road to Implementation: Enterprise Risk
Management for Colleges and Universities.” Arthur Gallagher & Co. Available at
www.nacua.org/documents/ERM_Report_GallagherSep09 .
Grant Thornton LLP. 2011. “Best-Practice Tips for Boards, Presidents and Chancellors
Regarding Enterprise Risk Management.” OnCourse, January. Retrieved from
www.grantthornton.com/staticfiles/GTCom/Not-for-profit%20organizations/On%20Course/On%20Course%20-%20Jan%2011%20-%20FINAL .
Grasgreen, Allie. 2013. “Report Shows How Rutgers Botched Handling of Former Coach,
Reiterates 5-year-old Recommendations to Improve Athletics.” Inside Higher Education.
Available at www.insidehighered.com/news/2013/07/23/report-shows-how-rutgers-botched-handling-former-coach-reiterates-5-year-old.
Gurevitz, Susan. 2009. “Manageable Risk.” University Business. Available at
www.universitybusiness.com/article/manageable-risk.
Helsloot, I., and W. Jong. 2006. “Risk Management in Higher Education and Research in the
Netherlands.” Journal of Contingencies and Crisis Management 14:3.
Huber, C. 2009. “Risks and Risk-Based Regulation in Higher Education Institutions.”
Tertiary Education and Management 15:2.
Kedem, K. 2010. “Special Comment: Governance and Management: The Underpinnings of
University Credit Ratings.” Moody’s Investors Service, Report 128850.
Mitroff, I. I., M. A. Diamond, and M. C. Alpaslan. 2006. “How Prepared Are America’s
Colleges and Universities for Major Crises?: Assessing the State of Crisis Management.”
Change 38:1, 61–67.
National Association of College and University Business Officers and the Association of
Governing Boards of Universities and Colleges. 2007. “Meeting the Challenges of Enterprise
Risk Management in Higher Education.” Available at
www.ucop.edu/riskmgt/erm/documents/agb_nacubo_hied .
Nelson, John. 2012. Phone interview, March 13.
Stripling, Jack. 2012. “Penn State Trustees Were Blind to Risk, Just Like Many Boards.”
Chronicle of Higher Education, July 12. Available at
http://chronicle.com/article/Penn-State-Trustees-Were-Blind/132943/.
Tertiary Education Quality Standards Agency. 2013. Available at www.teqsa.gov.au/
Tufano, Peter. 2011. “Managing Risk in Higher Education.” Forum Futures. Available at
http://net.educause.edu/ir/library/pdf/ff1109s .
University Risk Management and Insurance Association. 2007. “ERM in Higher Education.”
Available at www.urmia.org/library/docs/reports/URMIA_ERM_White_Paper .
Whitfield, R. N. 2003. “Managing Institutional Risks: A Framework.” Doctoral dissertation.
Retrieved from ProQuest Dissertation and Theses database, AAT 3089860.
Willson, C., R. Negoi, and A. Bhatnagar. 2010. “University Risk Management.” Internal
Auditor 67:4, 65–68.
Wilson, Richard. 2013. “Managing Risk.” Inside Higher Education, May 20. Available at
www.insidehighered.com/blogs/alma-mater/managing-risk.
ABOUT THE CONTRIBUTOR
Anne E. Lundquist has had 20 years of increasing administrative responsibilities in
higher education, having served as the dean of students at four liberal arts colleges.
She received a BA in religious studies from Albion College and an MFA in creative
writing from Western Michigan University. Currently, she is a PhD candidate in
the Educational Leadership program at Western Michigan University with a concentration
in higher education administration, where she works with the vice president
of student affairs on student affairs assessment and strategic planning and
with the internal auditor and University Strategic Planning Committee on ERM
implementation. Her dissertation research study is titled “Enterprise Risk Management
(ERM) in Colleges and Universities: Administration Processes Regarding
the Adoption, Implementation and Integration of ERM.” Using her expertise in
several areas, she has presented and been the author of articles on risk management,
institutional liability, students with psychiatric disabilities, assessment and
strategic planning, intercultural competence, and the development and implementation
of integrated community standards/restorative justice judicial models. She
is the coauthor of The Student Affairs Handbook: Translating Legal Principles into Effective
Policies (LRP Publications, 2007). She has had three recent risk management
publications in peer-reviewed journals: URMIA Journal (2011, 2012) and New Directions
for Higher Education, Special Issue, Disability and Higher Education (with Allan
Shackelford, July 2011).
Special thanks to Andrew Faris, Enterprise Risk Management Analyst at the
University of Washington, for sharing information about the university’s ERM process,
answering questions, and providing material for the case study.