12.1 THE UNIVERSITY OF CALIFORNIA AND THE OFFICE OF RISK SERVICES

The University of California System is one public university system that is part of California's three-tier public higher education system under the State's Master Plan for Higher Education.¹ University of California campuses are located in: Berkeley, Davis, Irvine, Los Angeles, Merced, Riverside, San Diego, San Francisco, Santa Barbara, and Santa Cruz. The system, including university campuses and medical centers, has an operating budget of over twenty-three billion dollars, employs approximately 190,000 employees, and has 230,000 students. In addition to operations in California, the University has employees, students, and/or research facilities in most countries around the world. Some of these foreign operations may be as large as an institute, a semester abroad program, or the presence could be as small as an archaeological dig.

The Office of Risk Services was formed in 2004 and is part of the University of California Office of the President.² Grace Crickette, Chief Risk Officer (CRO), was hired in 2004 to develop the enterprise risk management (ERM) initiative at UC. She had previously served for 16 years as VP of Risk Services for United Rentals, a large commercial equipment and tool rental company. Today Crickette has 23 direct reports in various specialties from safety, business continuity, environment, health, risk financing, laboratory safety, construction, travel, general and auto liability, workers' compensation, employment practices and professional liability.

Unlike for-profit enterprises that develop strategic statements, many public universities and systems rely upon mission statements to guide their initiatives and frame their business model. The University's mission has remained the same since 1883:

“The distinctive mission of the University is to serve society as a center of higher learning, providing long-term societal benefits through transmitting advanced knowledge, discovering new knowledge, and functioning as an active working repository of organized knowledge. That obligation, more specifically, includes undergraduate education, graduate and professional education, research, and other kinds of public service, which are shaped and bounded by the central pervasive mission of discovering and advancing knowledge.”

Each of the campuses in the system also has a mission statement, which helps to differentiate the institution for faculty, students, government, and the community. As with most public universities, the core mission of the University of California includes three basic components: education, community service, and research. For the University of California and its campuses, the largest source of funding is not tuitions, state allocations, or private donations but research grants. UC also manages several countrywide research grant programs.³

12.2 WHY ERM?

In the mid-1990s the control and financial management groups (now the CFO division⁴) became interested in the COSO framework that had just been developed by the Treadway Commission and PricewaterhouseCoopers. An early ERM initiative, it was developed by the accounting profession to better define financial controls, audits, and assurance against risk. In 1995 the UC Board of Regents adopted the COSO framework. In 2004 Grace Crickette was hired to begin the ERM initiative and in 2011, the regents expanded their original endorsement of the COSO framework to formally adopt ERM for the system.

When Grace was hired she explained to management that she would need six months to visit campuses and speak to individual departments to better understand the risks, operations, culture, and needs of the university system. It quickly became apparent that data was the most critical issue for the organization. Data collection, aggregation and management were decentralized and there was no clear data taxonomy that could be applied across the system. Crickette and management realized that in order to monitor operations they would need advanced tools to extract and analyze large quantities of disparate data. They soon purchased the COGNOS business intelligence system and adapted it to their need, establishing the first Safety Index dashboard. As the information from this dashboard was analyzed, new key performance indicators were developed that led to the birth of the university's Enterprise Risk Management Information System (ERMIS), a collection of dashboards, reports and modeling tools that help decision makers focus scarce resources.

A few months after her hiring, in February 2005, Crickette conducted the first UC Risk Summit for one hundred individuals involved in risk management at the various campuses and locations. By 2012 the annual Risk Summit attendance exceeded eight hundred. The Risk Summit is a three-day conference devoted to workshops, planning, and awards. In fact, the Risk Summit is the largest conference that is conducted by the University. In addition to educational sessions, awards are presented to campuses and operations that achieve the best results according to system-wide key performance indicators (KPIs). Campuses and operations compete for these coveted awards, which are prominently displayed in each chancellor's office. Awards include excellence in ERM, insurance programs, risk treatment, business continuity and emergency management, loss control, and healthcare and patient safety.

12.3 CRITICAL STRATEGIC RISKS

The University is funded through a variety of sources including federal and state/local government, private industry, research, clinical funding (medical centers) and student fees. Campuses' budgets often must direct these funds to the appropriate earmarks. Grant money, for example, must fulfil the specific requirements and rules. Unlike private sector funds where revenue can be put into a general fund and dedicated to strategic initiatives, universities must accede to targeted accounts funding. In contrast with businesses, general revenue represents a small portion of the system's overall operating budget. For UC the number one risk for the past three years has been budget impairment, meaning the overall budget is impaired because a significant amount of money cannot be used for general purposes because it is allocated towards specific projects, research, activities, or special purposes. Because of this and other reasons traditional strategic planning is not appropriate.

Crickette explained the different levels of strategy associated with the system. At the highest level, the State of California has a Master Plan, begun in 1960 for higher education, which includes goals for the 10 campuses of the University of California, 23 California State University campuses, and 108 campuses for the California Community College System. The Master Plan created a framework by which the California public higher education schools could establish courses of study (majors and minors) as well as allocation of funded research dollars, and university and community college matriculation and graduation goals. The governor appoints regents at the UC level and the regents are tasked with shared governance over the university's strategy.

Campuses focus strategy using long-term development plans that include campus footprint, buildings and infrastructure, and outreach. For example UC Santa Cruz determined there was a need to develop a mini-campus in Silicon Valley in order to build a stronger relationship with the university and high tech firms in the area. UC Riverside saw that there was a need for a medical school in the Riverside community because of the dearth of medical professionals and facilities in the area. Typically the long-term development plans are five years, sometimes longer. ERM is an integral part of these major long-term initiatives from the planning through the implementation stages. Risk identification, control and transfer, and monitoring become part of these long-term projects as they become campuses themselves or part of another institution.

Crickette emphasized that at UC, ERM integrates with large projects such as the medical school in Riverside. Also ERM has been instrumental as the system begins to migrate from a decentralized payroll system to a system-wide payroll system. ERM tools are also appropriately applied when a new initiative is proposed for a foreign country. Crickette suggested that long-term planning is the level where ERM has had the most success. In such projects,⁵ one or more senior executives will request an ERM review.

Smaller initiatives that hit the radar also conduct an ERM review but Crickette is pragmatic that not all projects receive such risk management attention. Often an ERM review is engaged when a scientist, administrator, or local risk management professional contacts the Office of Risk Services for advice to solve a problem. The key strategy at this level for the Office of Risk Services is to treat the problem as an opportunity, asking the question, “How do we get to yes?” After the problem is presented as an opportunity and analyzed as such, solutions are explored that often make what seemed like an impossible risk scenario a plausible and feasible opportunity.

At the next level are the grant programs, which are generally applied for by professors, departments, or schools. Grant recipients are involved with planning as they apply for and obtain funding. Generally an ERM review is not conducted at this level with risks associated with obtaining grants nor is it involved in the grant process itself. However the risk of the project or research funded by the grant are often the subject of an ERM review at the local campus level, sometimes with consultation from the Office of Risk Services. Researchers are required to gain permission from IRB (Institutional Review Boards) for any human subject research. ERM reviews are conducted for new laboratories, sites, experiments or other operations associated with the grant project. The Office of Risk Services provides tools that help people in various operations and disciplines identify, mitigate/prevent, finance, and monitor their inherent project and grant risks. Education and a wide variety of treatment options are available, depending upon the project. New tools and risk management processes have been developed for grants and projects that have unique risk opportunities and exposures to loss. When projects are implemented they are monitored using system-wide and institution-specific dashboards. The ERMIS draws data from systems at all the campuses and medical centers, and all campuses and medical centers have authorized users who are able to view and run reports on their data.

As previously mentioned, universities do not have traditional strategic plans. In addition to helping local campuses provide a strong ERM framework for their continuing operations, the ERM initiative also provides strategic planning tools for novel new initiatives. Project teams examine the risks of new initiatives. Enterprise risk management: identification, assessment, treatment and monitoring, become part of the project business plan. In effect, instead of assessing risk to strategy, strategic planning is embedded in the risk management process.

Universities in most states are facing shrinking state and direct federal governmental funding. They actively search for opportunities from grants, patents, commercial enterprises and services, and other alternative sources for operating revenue. The risks of not having adequate resources can impact community, teaching, and research activities and exacerbate crumbling infrastructure issues. It would be valuable for universities and others in the risk management and business communities to come together to evaluate the proposition that higher education is a business. This includes the entrepreneurial but competitive process of obtaining grants. Considering the university in business terms will raise many questions of ethics, community service obligations, conflicts of interest, freedom of speech, and other issues that may compromise university missions if not properly accounted for and controlled. However, the specter of a university system as large as California's without meaningful state financial support is a very real scenario.

12.4 ERM ACCOMPLISHMENTS

The UC ERM Panel in 2008 developed their ERM maturity model based on the COSO framework and Standard and Poor's methodology. As a result of the maturity model initiative UC in 2010 was recognized by S&P for its ERM program, the first non-financial institution to be so acknowledged.

The 2011–2012 Annual Report of Risk Services recorded that the cost of risk had fallen from a high of $18.46 per $1,000 operating revenue in FY 2003–2004 to its current level, which is estimated at $12.30 per $1,000 operating revenue for FY 2011–2012. This represents cost avoidance of over $716 million over the last eight years.

In light of shrinking budgets, UC has embarked upon the Working Smarter initiative, a five-year plan to redirect $500 million in administrative budget dollars to academic and research missions. In 2011–2012 the Office of Risk Services calculated that its efforts had produced $88.4 million in cost savings that year alone through various initiatives and projects, including the continuing efforts to build a more robust ERMIS.

In a recent project the ERM team and UC campus police departments developed a streamlined reporting structure for incidents in the police function. UC police were required to report to federal, state and local government agencies, which required additional man-hours. The reporting framework removed six figures from the overall police budget and allowed campuses to redirect resources to focus on reducing crime rates on campus. This centralized reporting yielded an additional benefit by allowing the police greater visibility to essential information on campuses and within the system.

Study abroad program safety and the security of researchers in the field are of paramount concern. In a recent project in Israel, UC developed relationships with knowledgeable security organizations that provide students, faculty and others with information that is critical for avoiding dangerous situations in country, lowering the risks for all. Similar services are provided worldwide for university faculty, staff, and students, wherever they travel on university business.

The Office of Risk Services has implemented campus risk assessments that roll up to a system-wide assessment. System-wide key performance indicators are measured along with local performance indicators. The Risk Management Leadership Council, a system-wide group, meets twice a year in person and holds monthly meetings online to review KPIs, and share best practices for programs and mitigations. Other groups involved in risk management such as emergency management services, controllers, risk managers and their teams, and others also meet regularly throughout the year to do the same assessments and reviews.

As new initiatives are proposed by schools, professors, and others, the Office of Risk Services works with project leaders and risk practitioners to build out initiative-specific assessment tools, which can often be applied to future initiatives. In effect, enterprise risk management becomes part of project analysis, assessing risk of the venture at the scope and operational level. ERM helps project planners decide whether to conduct the project or not, or discovers or devises alternatives or additional resources that will be necessary to make the program successful.

Not every project gets an ERM review – that is a fact of life. However, ERM reviews are available to all. When the Office of Risk Services discovers new initiatives they reach out to the team to recommend an ERM review. Often teams do their own review or ask for assistance from the Office of Risk Services. The Office of Risk Services does not micromanage local campuses nor are campuses required to report their ERM review results to the system.

As with any large business or university system there are changes in leadership and key risk management personnel. The annual Risk Summit serves as a major gathering point for new and experienced risk owners to learn new things and get up to speed on current initiatives. Also, the Office of Risk Services provides ad hoc training and development for new employees who are associated with the risk management function at the campus and system level. Training includes videos, website tool orientation and meetings with key risk personnel at local campuses. New risk management personnel also receive training at the Office of Risk Services and at monthly risk management meetings.

12.5 ERM PROGRESS OVER TIME

The university had a systemic need for data quality improvement. The new ERMIS initiative combined data from over 30 separate systems and has educated risk owners about business intelligence at campus level and medical center level, including new ways of looking at old information. As the ERMIS was rolled out there were many questions at the local level about quality of data and not unexpected surprises about performance that either did not meet or exceeded commonly held beliefs about performance. One major issue was the need to develop a common taxonomy so that data could be properly calibrated and compared. While the data initiatives and other ERM processes did not uncover many surprising or new or novel risks, information about trends began to drive changes in risk treatment and mitigation strategies. Non-performing strategies were altered or replaced. Better data led to better risk understanding and identification and also produced changes in risk treatment, and mitigation that produced behavioral changes across the system.

While the core KPI measures have been consistent over time, the bar is raised every year and top performers continue to be awarded at the annual Risk Summit. However, as the ERM initiative has matured and more new initiatives have developed ERM strategies, new KPIs have been developed or refined. For example, the executive director for the Research Grants Program Office oversees large grant programs for the entire nation. The problem was that the executive director had experienced only the downside of risk and not upside. Because the Office of Risk Services had become known as a “problem solver” the executive director asked Crickette and her team for help. What the Office of Risk Services and the executive director discovered was that the grant programs had major administrative and infrastructure problems that required additional IT solutions to mitigate. Together with IT the Office of Risk Services and the executive director deployed tools to identify, mitigate and monitor risks to help mitigate the research data problem. As a result of the success of this initiative the executive director has agreed to visit campuses to explain how all can leverage the ERMIS to help them operate more efficiently.

12.6 THE “UPSIDE OF RISK”

Many in the global risk management community struggle with defining scenarios that might be considered upside risks. UC has had success in identifying and capitalizing on upside risk opportunities.

The ERM initiative at UC is deployed in the context of creating a culture of yes. For example, as mentioned previously, budget impairment is a major risk to UC campuses and operations. The ERM budget changes worksheet and analysis tool was designed not only to help campuses determine the risks of budget cuts but also includes questions related to opportunities that could increase revenue or produce alternative revenue-generating opportunities.

Many of the ERM tools also analyze processes to determine where things are over-controlled. By eliminating duplication, introducing mechanizing processes, and streamlining operations, resources can be shifted from one area to another to increase opportunities.

The ERM initiative and tools are widely understood as a resource that can help a new venture determine how to develop a successful program and outcome. In a recent example, a scientist at a campus without a medical school wanted to develop more robust medical services without building the extensive infrastructure required for a full medical school. The scientist and local risk management team worked with the Office of Risk Services to develop a hybrid plan that did not involve developing a complete set of hospital services. The team was able to identify risks, resources, and available campus resources to create a viable plan.

Another case involves turning a liability expense into a profitable revenue-producing venture. The University of California, Davis has thousands of olive trees on campus. The problem is that olives fall on people and property and cause injury and damage. Olives on the ground also represent trip and fall hazards and sanitary issues. One local facilities person approached risk management with the idea that these olive trees could be harvested for their fruit to make into olive oil. At first the idea seemed far-fetched to all but the facilities manager. After an ERM review, the facilities manager approached a local olive oil company about the prospect of producing an actual product from the tree. The olive oil company took on the challenge and not only harvests the olives and processes the fruit into oil but is partnering with the university on a private labeled line of olive oil products that produces revenue for both the university and the olive oil company. While the net benefit of this project to the university has not yet been calculated, this endeavor represents a situation where what was considered to be a net-loss risk scenario was managed into something that not only mitigated the risk of loss but turned the risk into opportunity that could be exploited for its value-add to the organization and its stakeholders. As a byproduct the operation also provides a useful product from a renewable resource. This venture enhances the reputation of the university as an environmentally friendly community partner. For more information on this program see this Olive Center fact sheet: http://olivecenter.ucdavis.edu/news-events/news/files/Three%20Years%20of%20Achievement%202011.pdf

The olive tree also is a symbol of the University of California, Irvine. It has become a symbol for students from many faiths, cultures and political views who have come together to understand the Palestine–Israel conflict. For more information on the Olive Tree Initiative see the online video: http://www.uci.edu/video/olivetree/. One of the lessons learned from the olive trees on UC Irvine is that brand and reputation are not always tied to a slogan or vision but to an environment as symbolized by a tree, location, or other physical space. Nor are environmental factors the only non-verbal aspect of the image and branding associated with a company. Understanding the nature of the brand of any organization and how it is manifested for stakeholders is basic to the understanding of how the organization's value is understood by and transformed for its stakeholders.

12.7 CHALLENGES FACING HIGHER EDUCATION AND THE UNIVERSITY OF CALIFORNIA

Research risk has become and will continue to be a major enterprise risk for universities. In general, researchers feel their projects and endeavors have been over-controlled; those not in research feel that projects and endeavors are under-controlled. The challenge for UC and other universities is to develop tools that will optimize controls that streamline processes for researchers and provide adequate control measures and greater transparency for other stakeholders.

Another problem facing universities and UC is deferred maintenance. For example, the State of California will often budget for new projects but not provide resources for needed infrastructure maintenance.

Also, universities are for the most part open campuses. General safety and security has become a heightened concern in the wake of recent events at other campuses and schools.

Finally, leadership changes are always an issue. Grace is preparing to welcome the university's third president since she joined the university in 2004. Fortunately the shared governance of regents and university presidents has a good understanding of ERM and there has been little disruption associated with leadership changes. Since the writing of this case study, Crickette herself has left the University.

12.8 RECOMMENDATIONS FOR OTHERS ENGAGED WITH ERM

For those new to ERM or who have been hired into an organization beginning an ERM project or have been appointed from within a company to lead an ERM initiative, Crickette provides the following advice. Even if you are a tenured employee with the company, spend the first few months visiting the operations of the organization to discover what type of ERM program would be appropriate for the organization to develop at this time. An outsider when she was hired, Crickette told management that she would need to spend her first six months on the job visiting campuses and medical centers and interviewing key personnel to determine what flavor of ERM would be appropriate for UC. Crickette took heed from her former boss at United Rentals who said, “Your desk is a dangerous place to do your job”.

Instead of asking “What keeps you up at night?”, she recommended that new enterprise risk officers ask these two questions: “What information do you need to be able to know you are operating at optimum?” and “What does success look like?” Naturally the persons interviewed will try to turn the conversation to risks they face, but Crickette suggested that the risk manager eventually steer the conversation towards understanding, “How do you know whether you are doing well or not?”, and “What are the results you want to see?” For example, one issue that Crickette discovered when she interviewed human resources was that there was limited analysis from data on the retention of new employees after the first 90 days of hire. The question that needed to be asked was, “What does a new hire need to do to be considered a successful hire?”, or; “What does successful hire's performance look like?”

In her first conversation with campuses she asked, “Do you have accurate and timely data that shows whether you are doing well or not?” The answers she received uncovered the need for a robust system-wide ERMIS solution.

There are many ERM initiatives that have stalled in other organizations. ERM leaders complain of ERM fatigue. Fatigue can come from many sources: the original problems or pains have been mitigated, there are more pressing issues, new leadership has a new agenda, or the ERM team cannot articulate the value of the program in a meaningful way. The question is how does the organization sustain its ERM program long term? Crickette said that the UC ERM initiative remains strong eight years out. She explained that a major reason for this is that the initiative is in a continuous improvement mode. This means that her team and local risk managers are always looking for ways of improving risk management practices at the local level and at the department level. New tools are being developed, assessed, and strengthened all the time for issues such as security, medical safety, and fiscal controls. As new projects are envisioned tools are developed for these projects and what is learned in one project is often transferred to other projects. In a continually learning environment it is not likely that initiatives, tools or metrics will become stale.

At the same time the ERM initiative has become solutions focused and is the go-to facility to provide ideas, tools, and strategies for getting even complex or unique projects to yes. Rather than being the risk management department, the Office of Risk Services has worked hard with local campuses and operations to develop their own self-sustaining efforts in ERM. The annual Risk Summit goes a long way in articulating value through its awards program and system-wide key performance indicators which are now well understood and have become part of the accountability equation at all levels of the organization.

Crickette speculated that one reason why ERM programs become fatigued or stale is that many just focus on risk assessment, risk inventory analysis, and treatment. Identified risk owners come into risk boards and report and go back to their respective operations. Crickette suggested that this is not sustainable over time. While there needs to be a core identification, management, and monitoring function in place, the ERM initiative needs to continually look inside the organization for opportunities to tailor ERM processes to specific operation. What this means is that the initiative must work to improve the tools and build new ones for each segment of the operation. The CRO and team must help individual risk owners identify risks on their own and come up with their own risk treatments, and where necessary, work with the ERM team to develop new tools or other alternatives. In the end, this culture of yes enables the organization to understand risk and even increases the capabilities of the enterprise to take more risk – a greater but more understood risk appetite.

The ability to articulate value is critical to the long-term success of any ERM initiative. Crickette said that one of her major initiatives in articulating value is the cost of borrowing. The university has 10 billion dollars of debt, which means that even a few basis points of increase in borrowing cost can add millions of dollars of expense that could have been spent in other areas. The ERMIS reduces redundancy in IT systems – it is a flexible system that can be applied to numerous programs, departments, divisions and campuses in ways that reduce the cost of data aggregation, analysis and reporting and creates processes for new ventures and long-term projects.

But sometimes an ERM initiative goes off the rails or new leadership wants things done a different way. Crickette suggested that if the ERM program is experiencing fatigue, get up from your desk and tailor – reinvent the program. Ask new questions. Look for immediate wins at the operational level. Pick a department and work hard to get wins – partner with business partners – show on the ground value. Crickette said that if UC determined that a new approach to ERM was warranted, she would treat this as a completely new initiative and go on the road again to visit campuses to understand better the needs of the organization related to this change in thinking.

12.9 WHERE FURTHER RESEARCH AND ANALYSIS IS NEEDED

Medical schools have initiated programs to help new physicians develop a caring and empathetic bedside manner while remaining consummate professionals. These initiatives have also found their way into hospital programs and continuing education for tenured physicians. Crickette would like to see a similar initiative engaged with faculty, students, and higher education in general. She suggested that emotional intelligence and the concept of care in the educational endeavor could be improved.

Forces are amassing on all sides, pulling universities in many directions: towards vocational education to serve employers today, more quality research that can serve humanity in all areas, and stronger pedagogy to help students become better problem solvers and decision makers. Society wants universities to be effective community players who are instrumental in resolving persistent societal issues such as poverty and discrimination. In the world arena universities are called upon to serve as leaders in ecology, political science, and human rights. The role that higher educational institutions play in this new century will in part be promulgated by faculty, students and administrators. If faculty and administration can learn one thing from colleagues in medicine it is the importance of “bedside manner” – the development of a professional but caring relationship with those with whom they serve and interact. The gruff doctor and curmudgeonly professor have become relics of a bygone age. To capitalize on the opportunities for the future, both medicine and the university require continuous improvement in emotional intelligence and bedside manner.

APPENDIX A: UC ENTERPRISE RISK MANAGEMENT TOOLS

UC has and continues to develop enterprise risk identification, assessment, treatment, and monitoring tools. As the ERM program evolves additional tools and methodologies will be developed.

At the beginning of the ERM process, individual campuses and organizations within the University are tasked with identifying goals and objectives within the strategic mission of their organization:

“The UC ERM Program uses the term ‘Goals’ to mean general statements of long-term outcomes in support of the campus/unit mission; goals are broad in scope. ‘Objectives’ are statements of short-term outcomes generally achievable in one year or less. The best objectives are measurable with an achievable end state indicating that the objective has been achieved.”

These tools and documents were available on the UC Office of Risk Services website as of 3/6/13. http://www.ucop.edu/enterprise-risk-management/index.html. These documents are freely available to adapt to your needs but are not available for commercial sale. Please reference “University of California Office of Risk Services” as the original source.

• COSO Framework.
• Balanced scorecard.
• Campus charter committee worksheet and invitation letter.
• Medical center charter.
• Dashboard description.
• Risk planning tool.
• Budget changes worksheet and analysis tool.
• Protected health information analysis tool.
• Risk control structures assessment tool.
• Program risk review tool.
• Higher Ed risk assessment tool.
• Risk ranking tool.
• Risk inventory.
• Control self-assessment tool.
• IT assessment tool.
• Hazard vulnerability assessment tool.
• Sample ERM case study.
• ERM maturity levels framework and associated tools.
• ERMIS (ERM information system) tools, information, and guidelines.
• UC Tracker: compliance with SAS 112/115.
• UC Ready: business continuity planning tool.
• New initiative risk workbook.
• Library collections risk model.
• UC Action: risk control monitoring tool.
• Risk assessment toolbox.
• Unit risk workbook: campus level.
• Risk management leadership council: structure and duties.
• Risk summit: description.
• ERM bulletins, panel report on status of ERM at UC, webinars, sample ERM documentation.

QUESTIONS FOR STUDENTS AND PRACTITIONERS

1. If you were to develop a preliminary set of specifications for a request for proposal for an ERMIS, what would be the questions you might ask? If you have a particular organization in mind, what enterprise-specific questions would you add?
2. In what areas of relationships between universities, students and the community could the “bedside manner” or communication between stakeholders be improved? If you were assigned the initiative for improving communication, how would you begin the process, and what resources would you engage?
3. Go to the Office of Risk Services Website at UC – see the URL in Appendix A – and download the COSO framework document. Explain in layperson's terms what this framework could mean to an organization that embarks upon a new ERM initiative.
4. UC has demonstrated how an organization can capitalize on “the upside of risk”. Provide two other examples from industry, government, or academe of such risk transformations.
5. Pick another university. Review the information on the website, including mission statements, academics, administration, risk management and develop a set of preliminary key performance indicators that you believe might be appropriate to discuss with the leadership and others at the university. If the university has developed and publicly provides key performance indicators, critique these metrics for their understandability, applicability, measurability, and long-term viability.
6. The annual Risk Summit is a cornerstone of the UC ERM plan. Develop a proposal for senior leadership to create such a forum for a for-profit organization. Consider all stakeholders and list the benefits for each. Estimate the value of such a program over time, both quantitatively and qualitatively.
7. Universities are open campuses but recent events have made that proposition difficult to manage. Research and report what universities have done in recent years to balance safety and security with the needs for an open and accessible university campus. Be specific and also indicate how these practices could also be transferred to other than university settings.