University Risk Management: An embedded ERM program can help address the threats to an institution’s mission and strategic objectives
(As originally appeared in Internal Auditor Magazine, August 2010)
By Carol Willson, Associate Partner, Advisory Services, Ernst & Young LLP; Roxana Negoi, Manager, Advisory Services, Ernst & Young LLP; Anu S. Bhatnagar, Senior Staff Accountant, Ernst & Young LLP
Organizations around the world are facing challenging times due to continuing economic volatility, and new risks are forcing them to assess continuously the potential impact, financial and otherwise, of market conditions on the performance of their operations. Universities are no exception.
Institutions of higher education have significant compliance requirements, and many have invested greatly in response to heightened expectations from stakeholders to stay competitively viable among other universities. However, many continue to approach risk and control requirements in silos, which leads to the creation of multiple frameworks for governance, infrastructure and processes; fragmented risk and control activities; potential gaps in overall risk coverage; and duplication of effort. Understandably, there is a resulting concern about compliance breaches.
Without a common basis for evaluation, audit committees struggle to determine the adequacy of risk and control efforts, and boards and executives want assurance that investments are appropriately focused, consistent with peers, and aligned to the institution’s unique risk issues.
Universities are also facing increased scrutiny from stakeholders regarding issues such as investments and spending, privacy, conflicts of interest, IT availability and security, fraud, research compliance, and transparency. Students, faculty members, staff, donors, and other interested parties are looking not only at what is being done, but how it is being done.
Although the approach to risk management varies from institution to institution, there are clearly some common challenges and trends. Overall, a growing number of universities are integrating a risk management framework into their strategic planning and decision-making processes, but sustaining a formal risk management and reporting process is a challenge.
The board of governors, president and other senior management members are often involved in ongoing risk identification and assessment, and are taking part in efforts to develop and implement both internal and external risk management processes and controls. The establishment of risk champions (members of the university beyond the administration who can champion risk management) is also increasing, which raises the awareness of risk, fosters better understanding of risk management programs and practices, and increases communication to relevant stakeholders.
Applying ERM to universities
Enterprise Risk Management (ERM) can be described as a strategic process affected by a university’s governance structure, management, administration and faculty. It is designed to:
- Help identify risks that may affect the institution
- Manage identified risks within the university’s risk appetite
- Provide assurance that the university can achieve its objectives
Having a clear understanding of a university’s internal and external challenges helps identify the implications to the organization’s overall strategy and operating plans, as well as areas or drivers of potential risk. The top challenges faced by universities today are:
The values of the university influence how risk is perceived, and it is important that the culture reflect a risk management philosophy. Having a strong ERM framework can provide a common understanding of risk across the organization, and help it achieve its strategic and academic objectives through focusing on the interrelated risks that could have the most significant impact.
An ERM framework drives the organization to integrate risk into its everyday planning and budgeting/forecasting process and operations, and strengthens its ability to deal with unexpected or stealth risks.
As in other organizations, a university’s risk management approach must grow and change with the environment in which it operates. An embedded, sustainable ERM approach allows management to assess, improve and monitor consistently the way the university manages its evolving risks.
A university risk management maturity model
There are three stages of maturity that can be applied to universities. The risk management maturity model can be used as a roadmap for evaluating an institution’s current state and defining next steps.
The Baseline Practices stage typically consists of fundamental compliance activities. There are usually no established risk management roles, responsibilities, processes or documentation, and most efforts are made in “silos.” Then, as the university improves its understanding of ERM and alters its practices accordingly, it progresses to an Improved Practices state.
In this “alignment” phase, the organization’s ERM efforts have moved beyond mere compliance. There is a certain level of risk ownership by the board of governors, but at this point the roles, responsibilities and process have not been defined clearly and completely.
Finally, in the Optimized Practices state, the university has reached a stage in which ERM processes and responsibilities are fully established and have become integrated into the organization’s strategy and day-to-day operations. The focus during this “integration” phase is on continuously re-evaluating risk and performance, and adjusting the response accordingly.
Universities without a robust risk management framework are increasingly exploring and implementing new ERM processes, and making risk management an integral part of their planning and decision-making processes. Those universities that have already adopted ERM are altering their approach accordingly to reach an optimal state.
Current trends include raising awareness through activities such as seeking internal and external stakeholder input, increasing communications of relevant risk management initiatives such as campus emergency communications, identifying risk champions to foster and develop new programs and processes, and involving university executives and the board in risk identification and assessment.
Who’s responsible for risk management?
Risk management is everyone’s responsibility. Every stakeholder’s role must be defined clearly. The board of governors, senior administration, and risk management and internal audit teams are responsible for understanding principal risks in their areas, and for making effective risk management decisions.
Board of governors - The board’s overall risk management mandate is to assess and recommend improvements on how the principal risks of the university are being managed through an effective risk management and internal control system that will help the university achieve its mission.
Board members are responsible for:
- Determining a risk-adjusted strategy
- Facilitating and encouraging a risk management culture
- Approving risk measurements, risk appetite and tolerance levels
- Ensuring the university’s senior administrators have an approach to identifying emerging issues and possible impacts on university operations and business risks
- Reviewing controls and compliance with the university’s administration and audit teams, and seeking input on university and administrative best practices
- Understanding and providing oversight on the quality of the university’s overall risk management program implementation and execution
In determining its risk oversight structure, the board should identify where within its governance practices it addresses risk management matters from an enterprise-wide perspective. In most cases, the audit committee and the finance and administration vice presidents assume responsibility for risk oversight, including:
- Continuously re-evaluating risk monitoring processes
- Reviewing and approving governance practices, policies, priorities and procedures against best practices
- Ensuring that audit committee and executive members have instituted processes to identify and inform the board of the key strategic, reputational, operational, compliance and financial risks the organization faces
- Advising and counselling the deans, professors and functional unit heads
The board’s role is to focus on the overall approach to risk management, rather than on the administrative details. The more tactical aspects of the risk strategy are generally the responsibility of the university’s team of senior administrators.
Senior administration - Senior administration is responsible for overseeing the university’s compliance with generally accepted accounting principles, practices and requirements, and for evaluating the university’s finance and accounting practices, risk management and internal controls to ensure that they are appropriate and adequate.
Their other responsibilities can include:
- Encouraging the right risks to drive business performance
- Identifying and prioritizing key risks, and aligning university resources accordingly
- Improving alignment and coordination among risk and control activities
- Leveraging best practices on managing and controlling key risks
- Maintaining appropriate oversight of key controls
- Monitoring and escalating risks
Senior administrators are responsible for the management of the day-to-day functioning of the university, including strategic, financial, operational and compliance activities.
Risk management and internal audit - The risk management and internal audit teams play an important role in university risk management.
In general, internal audit’s responsibilities can include:
- Understanding the university’s challenges and key objectives, and establishing an appropriate, detailed internal audit plan
- Helping the university’s management and the board understand, assess and manage the organization’s risk through consistent communication and reporting
- Ensuring that processes are addressing changes and the associated risks adequately and are working as intended, especially during times of change
In general, risk management’s responsibilities can include:
- Facilitating the completion of an enterprise risk assessment (ERA) and identifying risk mitigation and monitoring practices required for the university
- Developing an ERM framework, approach and program that will sustain risk management activities and better coordinate them, where appropriate
- Ensuring sufficient transparency of relevant risk management practices residing at the university either by way of training, awareness programs or communication
In addition to the board and senior administrative members, internal auditors play a crucial role in a university risk management strategy — regardless of whether the risk management group reports directly to the internal audit function.
Improving risk management practices
The steps required to improve a university’s risk management practices can be broken down into three general phases. The core risk management group should start by assessing the current situation to define and prioritize the key risks that could prevent strategic objectives from being achieved. The group should then review the design and operation of the risk management and internal control framework to determine the areas where incremental enhancements would provide the greatest benefits. Once the necessary improvements and processes are in place, they must be monitored and modified, if necessary, to ensure that they are relevant and effective, and that risks are being managed appropriately.
One of the most important elements of a successful risk management function is ongoing: creating and maintaining a strong risk management culture, and incorporating the implications of risk management into regular, everyday decision-making. This type of environment can be facilitated through visible executive support for risk management programs, clear expectations, transparent communication and reporting, clearly defined roles and responsibilities, strong governance, and regular self-assessments to review risk exposure.
Phase 1: Defining and prioritizing the risks that matter for the university
Before undertaking efforts to enhance the way risk is managed, it is important to understand the institution’s key risks by conducting an ERA. Defining the risks that matter is a critical step to understanding the key controls and decision-making processes, and developing an enterprise-wide view of risk. The ERA is conducted as a facilitated self-assessment, provides insight regarding the significant risks faced, and links them to objectives, initiatives and business processes. Although the approach is performed using standard tools and processes, the output must be validated and prioritized by senior management and the board.
The risk assessment methodology assists with:
- Providing an insightful point of view on significant risks inherent to institutions of higher education
- Efficiently capturing insight from across the university using a combination of surveys and structured interviews
- Validating and prioritizing key risks for monitoring and testing
- Defining opportunities for improvements to internal controls and management activities
- Developing the foundational elements of a process that can be embedded and sustained within existing processes
During the ERA, the university should consider four risk pillars: strategic risk, operational risk, financial risk and compliance risk. These four categories should all be reviewed at the university, faculty and functional levels.
Seeking external perspectives on university risk can also be useful. For example, groups such as the National Association of College and University Business Officers, the Association of College and University Auditors and other sector-specific organizations are good resources.
Phase 2: Evaluating the university’s competencies to manage risk
The Risk Management Performance Assessment phase builds on the results of the assessment completed in the first phase and provides a snapshot of the university’s risk management competencies. It is designed to identify opportunities for alignment and coordination across traditional organizational boundaries, and to determine how well the functional and business operational areas manage risks.
In general, this phase offers an overall review of:
- Responsibilities for key risks across functional activities and business processes
- The degree of alignment and coordination across the organization
- The maturity of risk management foundational components such as governance, infrastructure, operations and people
While performing the review, the following elements should be considered:
- Risk strategy – Risk tolerance and appetite, alignment of risk management to university objectives, and risk-related policies and procedures
- Risk management and assurance processes – Risk assessment, risk communication, and reporting (e.g., dashboards)
- Governance structure – Sponsorship by board of governors; risk ownership, accountability, and related roles and responsibilities; appropriate technology (e.g., institution’s intranet and databases); early warning systems; and analytical and modelling tools
- Culture and capability – Measurement, reward, training and behaviour
This phase helps management recognize how to make incremental enhancements to the existing infrastructure to embed and sustain risk management activities within the normal course of operations.
Phase 3: Building an enterprise approach to risk
The last phase involves defining and prioritizing opportunities for improvement, developing specific plans to improve and monitor significant risks, and then enforcing adherence to the established policies and procedures. All efforts to expand risk management competencies should:
- Be practical
- Be embedded within existing functions and processes where possible
- Support coordination and alignment for risk management and internal control
- Incorporate leading practices
- Be coordinated across the entire organization
- Support effective decision-making
- Align to industry standards and published frameworks
Established control activities are only effective if they are implemented and monitored. Once the initial direction for risk management is set, it is important to verify that everyone is complying with the processes and that the changing exposures to risk are assessed consistently and modified as required.
Benefits of ERM
The decentralized nature of universities and the increasing competition over faculty, students and funds amplify the need for an integrated risk management framework. Universities must build on their present risk management culture, identify internal and external forces that could limit their ability to achieve strategic objectives, assess risks using the appropriate tools, develop an appropriate risk plan, implement the necessary controls and communications, and monitor ongoing risk management activities.
Regardless of a university’s current risk management philosophy and practices, reviewing the risk management framework and adopting an embedded approach to the ERM process and culture will help the university’s board and administration make informed decisions that are aligned with its risk tolerance and strategy, remain confident of compliance with regulatory requirements, and achieve the transparency and outcomes desired by stakeholders.