The tragedy at Virginia Tech, infrastructure devastation at colleges and universities in the New Orleans area in the aftermath of Hurricane Katrina, the sexual abuse scandal at Penn State, the governance crisis at the University of Virginia, American University expense-account abuse, and other high-profile university situations have created heightened awareness of the potentially destructive influence of risk and crisis for higher education administrators.¹ The recent Risk Analysis Standard for Natural and Man-Made Hazards to Higher Education Institutions (American Society of Mechanical Engineers–Innovative Technologies Institute 2010) notes that “resilience of our country's higher education institutions has become a pressing national priority” (p. vi). Colleges and universities are facing increased scrutiny from stakeholders regarding issues such as investments and spending, privacy, conflicts of interest, information technology (IT) availability and security, fraud, research compliance, and transparency (Willson, Negoi, and Bhatnagar 2010). A statement from the review committee assembled to examine athletics controversies at Rutgers University is not unique to that situation; the committee found that “the University operated with inadequate internal controls, insufficient inter-departmental and hierarchical communications, an uninformed board on some specific important issues, and limited presidential leadership” (Grasgreen 2013).

The situation at Penn State may be one of the clearest signals that risk management (or lack thereof) has entered the university environment and is here to stay. In a statement regarding the report, Louis Freeh, chair of the independent investigation by his law firm, Freeh Sporkin & Sullivan, LLP, into the facts and circumstances of the actions of Pennsylvania State University, said the following:

In our investigation, we sought to clarify what occurred…and to examine the University's policies, procedures, compliance and internal controls relating to identifying and reporting sexual abuse of children. Specifically, we worked to identify any failures or gaps in the University's control environment, compliance programs and culture which may have enabled these crimes against children to occur on the Penn State campus, and go undetected and unreported for at least these past 14 years.

The chair of Penn State's board of trustees summed it up succinctly after the release of the Freeh Report (Freeh Sporkin & Sullivan 2012) regarding the university's handling of the sexual abuse scandal: “We should have been risk managers in a more active way” (Stripling 2012).

The variety, type, and volume of risks affecting higher education are numerous, and the public is taking notice of how those risks are managed. Accreditation agencies are increasingly requiring that institutions of higher education (IHEs) demonstrate effective integrated planning and decision making, including using information gained from comprehensive risk management as a part of the governance and management process.² Credit rating agencies now demand evidence of comprehensive and integrated risk management plans to ensure a positive credit rating, including demonstration that the board of trustees is aware of, and involved in, risk management as a part of its decision making.³ Through its Colleges and Universities Compliance Project, the Internal Revenue Service (IRS) is considering how to hold IHEs responsible for board oversight of risk, investment decisions, and other risk management matters.⁴ The news media has a heightened focus on financial, governance, and ethical matters at IHEs, holding them accountable for poor decisions and thus negatively affecting IHE reputations. In response to this, many IHEs have implemented some form of enterprise risk management (ERM) program to help them identify and respond to risk.

THE HIGHER EDUCATION ENVIRONMENT

Colleges and universities have often perceived themselves as substantially different and separate from other for-profit and not-for-profit entities, and the outside world has historically viewed and treated them as such. Colleges and universities have been viewed as ivory towers, secluded and separated from the corporate (and thus the federal regulatory and, often, legal) world. Higher education was largely a self-created, self-perpetuating, insular, isolated, and self-regulating environment. In this culture, higher education institutions were generally governed under the traditional, independent “silos of power and silence” management model, with the right hand in one administrative area or unit often unaware of the left hand's mission, objectives, programs, practices, and contributions in another area.

John Nelson, managing director for the Public Finance Group (Health care, Higher Education, Not-for-Profits) for Moody's Investors Service, observed that higher education culture is somewhat of a contradiction in that colleges and universities are often perceived as “liberal,” whereas organizationally they tend to be “conservative and inward-looking.”⁵ Citing recent examples at Penn State and Harvard, he noted that colleges and universities can be “victims of their own success”: a past positive reputation can prevent boards from asking critical questions, and senior leadership from sharing troubling information with boards, and this can perpetuate a culture that isn't self-reflective, thus increasing the likelihood for a systemic risk management or compliance failure. The Freeh Report (Freeh Sporkin & Sullivan 2012) is instructive regarding not only the Penn State situation, but the hands-off and rubber-stamp culture of university boards and senior leaders more broadly. The Freeh Report found that the Penn State board failed in its duty to make reasonable inquiry and to demand action from the president, and that the president, a senior vice president, and the general counsel did not perform their duties. The report calls these inactions a “failure of governance,” noting that the “board did not have regular reporting procedures or committee structure to ensure disclosure of major risks to the University” and that “Penn State's ‘Tone at the Top’ for transparency, compliance, police reporting, and child protection was completely wrong, as shown by the inaction and concealment on the part of its most senior leaders, and followed by those at the bottom of the University's pyramid of power.”

In his text regarding organizational structures in higher education, How Colleges Work, Birnbaum (1988) notes that, organizationally and culturally, colleges and universities differ in many ways from other organizations. He attributes this difference to several factors: the “dualistic” decision-making structure (comprised of faculty “shared governance” and administrative hierarchy); the lack of metrics to measure progress and assess accountability; and the lack of clarity and agreement within the academic organization on institutional goals (based, in part, on the often competing threefold mission of most academic organizations of teaching, research, and service). Because of these organizational differences, Birnbaum notes that the “processes, structures, and systems for accountability commonly used in business firms are not always sensible for [colleges and universities]” (p. 27).

While noting that colleges and universities are unique organizations, Birnbaum also observes that they have begun to adopt more general business practices, concluding that “institutions have become more administratively centralized because of requirements to rationalize budget formats, implement procedures that will pass judicial tests of equitable treatment, and speak with a single voice to powerful external agencies” (p. 17).

This evolution to a more businesslike culture for IHEs has been evolving since the 1960s and has brought significant societal changes while seeing the federal government, as well as state governments, begin to enact specific legislation affecting colleges and universities.⁶ The proliferation of various laws and regulations, coupled with the rise of aggressive consumerism toward the end of the 1990s, has led to an increased risk of private legal claims against institutions of higher education—and their administrators—as well as a proliferation of regulatory and compliance requirements. Higher education is now generally treated like other business enterprises by judges, juries, and creative plaintiffs' attorneys, as well as by administrative and law enforcement agencies, federal regulators—and the public.

Mitroff, Diamond, and Alpaslan (2006) point out that despite their core educational mission, colleges and universities are really more like cities in terms of the number and variety of services they provide and the “businesses” they are in. They cite the University of Southern California (USC) as an example, noting that USC operates close to 20 different businesses, including food preparation, health care, and sporting events, and that each of these activities presents the university with different risks. Jean Chang, former ERM director at Yale University, observed that IHEs are complicated businesses with millions of dollars at stake, but they don't like to think of themselves as “enterprises.”⁷

EMERGENCE OF ERM IN HIGHER EDUCATION

In the corporate sector, interest in the integrated and more strategic concept of enterprise risk management (ERM) has grown significantly in the past 15 years (Arena, Arnaboldi, and Azzone 2010). Certain external factors affected the adoption and implementation of ERM practices in corporations, including significant business failures in the late 1980s that occurred as a result of high-risk financing strategies (URMIA 2007). Governments in several European countries took actions and imposed regulatory requirements regarding risk management earlier than was done in the United States, issuing new codes of practice and regulations such as the Cadbury Report (1992), the Hampel Report (1998), and the Turnbull Report (1999). In 2002, the Public Company Accounting Reform and Investor Protection Act (otherwise known as Sarbanes-Oxley, or SOX) was enacted in the United States. In 2007, the Securities and Exchange Commission (SEC) issued guidance placing greater emphasis on risk assessment and began to develop requirements for enterprise-wide evaluation of risk. In February 2010, the SEC imposed regulations requiring for-profit corporations to report in depth on how their organizations identify risk, set risk tolerances, and manage risk/reward trade-offs throughout the enterprise.

While widespread in the corporate sector, in large part due to regulatory compliance, ERM is fairly new in higher education. Gurevitz (2009) observes that educational institutions “have been slower to look at ERM as an integrated business tool, as a way to help all the stakeholders—trustees, presidents, provosts, CFOs, department heads, and frontline supervisors—identify early warning signs of something that could jeopardize a school's operations or reputation.” In 2000, the Higher Education Funding Council of England enacted legislation requiring all universities in England to implement risk management as a governance tool (Huber 2009). In Australia, the Tertiary Education Quality Standards Agency (TEQSA; 2013) evaluates the performance of higher education providers against a set of threshold standards and makes decisions in relation to their performance in line with three regulatory principles, including understanding an institution's level of risk.

In the United States, engaging in risk management efforts and programs for IHEs is not specifically required by accrediting agencies or the federal government. Perhaps because it is not required, ERM has not been a top focus for boards and senior administrators at IHEs. Tufano (2011) points out that risk management in the nonprofit realm, including higher education, is significantly less developed than in much of the corporate world and often still has a focus on avoidance of loss rather than setting strategic direction. Mitroff, Diamond, and Alpaslan's (2006) survey assessing the state of crisis management in higher education revealed that colleges and universities were generally well prepared for certain crises, particularly fires, lawsuits, and crimes, in part because certain regulations impose requirements. They were also well prepared for infrequently experienced but high-profile situations such as athletics scandals, perhaps based on their recent prominence in the media. However, they were least prepared for certain types of crises that were frequently experienced such as reputation and ethics issues, as well as other nonphysical crises such as data loss and sabotage.⁸ A survey conducted by the Association of Governing Boards of Universities and Colleges and United Educators (2009) found that, of 600 institutions completing the survey, less than half of the respondents “mostly agreed” that risk management was a priority at their institution. Sixty percent stated that their institutions did not use a comprehensive, strategic risk assessment to identify major risks to mission success. Recent high-profile examples may be beginning to change that. The Freeh Report regarding Penn State determined that “the university's lack of a robust risk-management system contributed to systemic failures in identifying threats to individuals and the university and created an environment where key administrators could ‘actively conceal’ troubling allegations from the board” (Stripling 2012).

ADOPTING AND IMPLEMENTING ERM IN COLLEGES AND UNIVERSITIES

In 2001, PricewaterhouseCoopers and the National Association of College and University Business Officers (NACUBO) sponsored a think tank of higher education leaders to discuss the topic of ERM in higher education, likely in response to widespread discussion in the for-profit sector and in anticipation of potential regulatory implications for higher education. The group included Janice Abraham, then president and chief executive officer of United Educators Insurance, as well as senior administrators from seven universities.⁹ The focus of their discussion was on the definition of risk; the risk drivers in higher education; implementation of risk management programs to effectively assess, manage, and monitor risk; and how to proactively engage the campus community in a more informed dialogue regarding ERM. Their conversation produced a white paper, “Developing a Strategy to Manage Enterprisewide Risk in Higher Education” (Cassidy et al. 2001). In 2007, NACUBO and the Association of Governing Boards of Universities and Colleges (AGB) published additional guidance in their white paper, “Meeting the Challenges of Enterprise Risk Management in Higher Education.” The University Risk Management and Insurance Association (URMIA) also weighed in with its white paper, “ERM in Higher Education” (2007). In 2013, Janice Abraham wrote a text published by AGB and United Educators, entitled Risk Management: An Accountability Guide for University and College Boards. These documents provide guidance and information to institutions considering the implementation of an ERM program and discuss the unique aspects of the higher education environment when considering ERM implementation.

Several authors have discussed the transferability of the ERM model to higher education, even with the cultural and organizational differences that abound between the for-profit environment and higher education. URMIA (2007) concluded that “the ERM process is directly applicable to institutions of higher education, just as it is to any other ‘enterprise’; there is nothing so unique to the college or university setting as to make ERM irrelevant or impossible to implement” (p. 17). Whitfield (2003) assessed the “feasibility and transferability of a general framework to guide the holistic consideration of risk as a critical component of college and university strategic planning initiatives” (p. 78) and concluded that “the for-profit corporate sector's enterprise-wide risk management framework is transferable to higher education institutions” (p. 79).

National conferences for higher education associations such as NACUBO, AGB, URMIA, and others had presentations on ERM. Insurers of higher education, such as United Educators and Aon, as well as consultants such as Accenture and Deloitte, among others, provided workshops to institutions and published white papers of their own, such as the Gallagher Group's “Road to Implementation: Enterprise Risk Management for Colleges and Universities” (Gallagher Higher Education Practice 2009). In the early 2000s, many IHEs rushed to form committees to examine ERM and hired risk officers in senior-level positions, following the for-profit model.¹⁰ However, when specific regulations such as those imposed by the SEC for for-profit entities did not emerge in the higher education sector, interest in highly developed ERM models at colleges and universities began to wane. Gurevitz (2009) points out that the early ERM frameworks weren't written with higher education in mind and were often presented “in such a complicated format that it made it difficult to translate the concepts for many universities.”

Institutions with ERM programs have taken various paths in their selection of models and methods and have been innovative and individualized in their approaches. There is no comprehensive list of higher education institutions with ERM programs, and not all IHEs with integrated models use the term ERM. Exhibit 40.3 shows a snapshot of IHEs that have adopted ERM; a review of their websites demonstrates the various risk management approaches adopted by IHEs and the wide variability in terminology, reporting lines, structure, and focus. In many instances, those IHEs with highly developed programs today had some form of “sentinel event” (regulatory, compliance, student safety, financial, or other) that triggered the need for widespread investigation and, therefore, the development of more coordinated methods for compliance, information sharing, and decision making. In other situations, governing board members brought their business experience with ERM to higher education, recognizing the “applicability and relevance of using a holistic approach to risk management in academic institutions” (Abraham 2013, p. 6).

Regardless of the impetus, the current focus appears to be on effectively linking risk management to strategic planning. Abraham points out that many higher education institutions are recognizing that an effective ERM program, with the full support of the governing board, “will increase a college, university or system's likelihood of achieving its plans, increase transparency, and allow better allocation of scarce resources. Good risk management is good governance” (p. 5). Ken Barnds (2011), vice president at Augustana College, points out that “many strategic planning processes, particularly in higher education, spent an insufficient amount of time thinking about threats and weaknesses.” Barnds believes that “an honest and thoughtful assessment of the college's risks would lead [Augustana] in a positive, engaged, and proactive direction.” A recent Grant Thornton (2011) thought paper urges university leaders to think about more strategic issues as part of their risk management, including board governance, IRS scrutiny of board oversight practices, investment performance in university endowments, indirect cost rates in research, changes in employment practices, and outsourcing arrangements.

Regardless of terminology, there is an increased priority on taking a more enterprise-wide approach to risk management and moving from a compliance-driven approach to a comprehensive, strategic approach across and throughout the organization that is used to positively affect decision making and impact mission success and the achievement of strategic goals. Tufano (2011) points out that even in the corporate environment, top leaders are not inclined to work through a detailed step-by-step risk management process, but rather take a top-level approach. In the university environment, this means asking three fundamental questions: What is our mission? What is our strategy to achieve it? What risks might derail us from achieving our mission? Richard F. Wilson, president of Illinois Wesleyan University, may best summarize the current perspective of senior-level higher education administrators:

When I first started seeing the phrase “enterprise risk management” pop up in higher education literature, my reaction was one of skepticism. It seemed to me yet another idea of limited value that someone had created a label for, to make it seem more important than it really was. Although some of that skepticism remains, I find myself increasingly in sympathy with some of its basic tenets [especially] the analysis that goes into decisions about the future. Most institutions are currently engaged in some kind of strategic planning effort driven, in part, by the need to protect their financial viability and vitality for the foreseeable future. Bad plans and bad execution of good ideas can put an institution at risk fairly quickly in the current environment. Besides examining what we hope will happen if a particular plan is adopted, we should also devote time to the consequences if the plan does not work. I still cannot quite get comfortable incorporating enterprise risk management into my daily vocabulary, but I have embraced the underlying principles. (Wilson 2013)

THE UNIVERSITY OF WASHINGTON: A JOURNEY OF DISCOVERY

The University of Washington (UW) has a robust enterprise risk management (ERM) program that is moving into its seventh year. The program began with what administrators¹¹ at UW call a “sentinel event,” settling a Medicare and Medicaid overbilling investigation by paying the largest fine by a university for a compliance failure—$35 million. This led the new president, Mark Emmert, to formally charge senior administrators in 2005 with the task of identifying best practices for “managing regulatory affairs at the institutional level by using efficient and effective management techniques” (UW 2008, p. 4). At the outset in 2006, the objective for UW was to “create an excellent compliance model built on best practices, while protecting its decentralized, collaborative, and entrepreneurial culture” (UW 2006, p. vi). The ERM process at UW has been what Ann Anderson, associate vice president and controller, terms “a journey of discovery.” ERM has developed and evolved at UW, moving from what UW administrators describe as an early compliance phase, through a governance phase to a mega-risk phase. Currently, the University of Washington is focused on two objectives: (1) strengthening oversight of top risks and (2) enhancing coordination and integration of ERM activities with decision-making processes at the university. This case study will describe the decision-making and implementation process at UW, as well as outline various tools and frameworks that UW adopted and adapted for use not only in the higher education setting in general, but to fit specifically within the university's decentralized culture.

Culture at UW

When appointed to serve on the President's Advisory Committee on ERM (PACERM) in 2007, Professor Daniel Luchtel commented, in the context of talking about risk assessments, that “the number of issues and their complexity is stunning. The analogy that comes to mind is trying to get a drink of water from a fire hose” (UW 2007, p. 4). As with most higher education institutions, especially research universities, along with the core business of the teaching and learning of undergraduate and graduate students, the faculty are focused on the creation of new knowledge. “The University of Washington is a decentralized yet collaborative entity with an energetic, entrepreneurial culture. The community members are committed to rigor, integrity, innovation, collegiality, inclusiveness, and connectedness” (UW 2006, p. v).

Faculty innovation and the idea of compliance don't always go hand in hand in higher education, and UW is no exception. Research associate professor David Lovell, vice-chair of the Faculty Senate in 2007–2008, expresses it well:

“Compliance” [is] not necessarily a good word for faculty members. What lies behind [that] is the high value faculty accord to personal autonomy. The notion of a culture of compliance sounds like yet another extension of impersonal, corporate control, shrinking the arena of self-expression in favor of discipline and conformity. Over the last ten months, I've come to understand that you're not here to get in our way, but to make it possible for us faculty legally to conduct the work we came here to do. I hope that working together, we can try to spread such understanding further, so that we can make compliance—or whatever term you choose—less threatening to faculty and frustrating to staff. (UW Annual ERM Report 2008, pp. 6–7)

Organizationally, the institution is divided into silos, which has historically focused risk mitigation within those silos.

Organizational Structure

Based on a review of the literature and discussions with risk and audit managers at other universities, the report also summarized various models and structures for organizing the risk management activities. One method was to appoint a central risk officer with institution-wide oversight and responsibility. With this model, key decisions would need to be made regarding reporting lines and the placement of that position within the organization. The report also outlined UW's current approach to risk management, noting that it had moved beyond the insurance approach, “which is usually reactive and ad hoc,” but also observing that responsibility for specific risks was currently distributed among the institution's organizational silos (UW 2006, p. 15). It further noted that “the UW does not formally integrate risk and compliance into its strategic conversations at the university-wide level” (p. 15). While acknowledging the good progress being made in several areas (including UW Medicine, the newly restructured Department of Audits, and the Office of Risk Management), the report highlighted the weaknesses of the current approach, including the fact that “due to the size, decentralization, and complexity of the institution, a proliferation of compliance, audit, and risk management activities has grown up around separate and distinct risk areas, each largely operating in a self-defined stovepipe” (p. 18).

EVOLUTION OF ERM AT UW

The SRIRC report acknowledged that the ERM concept was not new, but that it has not been fully implemented at many organizations, especially in higher education. The development of risk management within an organization was discussed, noting that the management of risk develops along a continuum, with early models focused on hazard risks only and mitigation being accomplished primarily through the purchase of insurance. As risk models evolve at an organization, other risk types are added to the model and more cross-functional participation by other units begins to occur. Ultimately, strategic risks are added to the conversation and there is an integration of information from all units across the university. It is at this point that risk can be viewed as both an opportunity and a threat and where mitigation priorities can be more clearly linked to the strategic objectives of the organization.

In 2006, when the ERM program and model were proposed, UW viewed itself as being in the middle of the continuum (see Exhibit 40.6). The report noted:

Although many operational units, committees, and administrative bodies handled the risks faced in their own environments well, there is little cross-functional sharing of information. The opportunity aspect of risk is therefore not fully utilized by the University and risk mitigation priorities are not consistently driven by the institution's strategic objectives. (p. 4)

The 2012 ERM Annual Report observes that “the ERM program has continued to evolve, developing structural mechanisms to support the 8 initial recommendations” (UW 2012, p. 2).

Faris and Kahl commented that the first few years of implementation of ERM at UW were focused on risk assessments. They spent most of their time (both working with the ERM committees and in their roles as ERM staff) performing risk assessments using the risk mapping process (e.g., writing a risk statement, ranking the risks for likelihood and impact, plotting the risks on a 5 × 5 map). In the first four or five years, they conducted nearly 35 risk assessments across the university. Based on broad cross-functional topics identified by the President's Advisory Committee on ERM (PACERM), the risk assessments were facilitated by Faris and Kahl with temporary teams put together to meet three to five times over the course of the year to write risk statements, rank them, and put together suggestions for mitigation.

The first five years of ERM at UW were “formative” and focused on the following key activities:

• Developing a common language around risk
• Conducting individual risk assessments
• Focusing discussion and mitigation on financial and enrollment challenges

  

• Comparing financial strength (as gauged by Moody's Investors Service) against peers
• Drafting an initial compendium of enterprise-wide success metrics

Well-written, clear annual reports to the president, the Board of Regents, and the UW community helped to connect the dots and keep the strategic overarching goals front and center, even as employees at the unit level were continuously engaged in the more operational aspects of ERM. Exhibit 40.7 summarizes the implementation time line from the formalized inception of ERM at UW to the present. A review of the chart shows how the UW has continued to focus on moving from an initial focus on hazard risk to a more integrated, strategic approach to enterprise risk management.

ERM STRUCTURE AT UW

The organizational structure for ERM at UW arose out of the initial recommendations of the SRIRC. In its aggregate, the UW ERM program is comprised of the following areas, working together to create an effective structure: UW units; ERM staff; Compliance, Operations, and Finance (COFi) Council; President's Advisory Committee on ERM (PACERM); Internal Audit; and the UW President and Provost (see Exhibit 40.8).

Compliance, Operations, and Finance (COFi) Council

The COFi Council, led by the Executive Director of Audits, takes a middle-up, cross-functional view of risks and opportunities, particularly items that have university-wide potential impact or where supervisory authority for various aspects of the risk reside in different departments or divisions across the university. The COFi Council has oversight of risk assessments at the division or functional level. It provides approval of methods to monitor risks and identifies topics for outreach, particularly items that have university-wide potential impact or that involve cross-departmental or divisional silos. The six primary goals of the COFi Council are to:

Academic Year	Initiatives*
2005–2006	President Emmert charged administrators with review of best practices and development of broad institutional compliance/risk framework for UW. Warren and Hodge drafted report with overview of institution-wide approaches, best practices at four peer universities, common compliance problems faced by UW, and suggestions for next steps.
2006–2007	Developed a central focus and common language for evaluating risk across the university. ERM structure formed (including PACERM, Compliance Council). First UW-wide risk map was compiled. Office of Risk Management dedicated one FTE to ERM initiative. Dedicated $4.8 million in funds for integrity/compliance/stewardship initiatives, including animal care, student life counseling, human subjects, global activities, and IT security. Information about ERM program included in reinsurance renewal discussions with international underwriters. First Annual Report to the Board of Regents.
2007–2008	Identified key strategic and mega risks for the institution. Expanded Compliance Council to form COFi. Rolled out Enterprise Risk Management Toolkit for units to do self-assessments. UW Medicine and Department of Athletics presented annual reports on their compliance programs and ongoing efforts to minimize risks and address current issues. Continued development of the Institutional Risk Register. Internal Audit department expanded from nine to 15 staff.
2008–2009	Focused on financial crisis and demographics. PACERM formed two mega-risk subgroups to apply ERM processes at a strategic level: extended financial crisis and faculty recruitment and retention. HR advance planning for economic downturn and major reduction in state funding. Office of Risk Management conducted first Employment Practices Liability Seminar. ERM web pages were enhanced. Hired a new Executive Director for Audits. Second ERM Report to the Board of Regents.
2009–2010	Development of the UW Integrated Framework based on COSO model. PACERM focused discussion on how to remain competitive. Initial exploration of enterprise-wide dashboard of success metrics. Use of risk assessments in business case alternatives and research proposals.
2010–2011	PACERM evaluated the university's academic personnel profile and oversaw major information technology projects. Assessed institutional financial strength in comparison to peers (Moody's). More than 200 ERM Toolkits provided to universities and companies.
2011–2012	Development of enterprise-wide dashboard of success metrics. UW's work recognized as a “Best Practice” by the Association of Governing Boards for Universities and Colleges (AGB).

*All initiatives, including others not detailed in this chart, are outlined in more detail in the UW ERM Annual Reports, available at http://f2.washington.edu/fm/erm.

1. Engage in a continual, cross-functional process that results in effective prioritization of institutional responses to compliance, financial, and operational risks, and consider the impact to strategic and reputational risks.
2. Ensure that the institutional perspective is always present in risk and compliance management discussions.
3. Identify strategies to address emerging risks and compliance management issues.
4. Support risk and compliance management training and outreach efforts throughout the university.
5. Provide external auditors and regulators with information about the university's risk and compliance programs.
6. Avoid the creation of additional bureaucracy by minimizing redundancy and maximizing resources.

PRESIDENT'S ADVISORY COMMITTEE ON ERM (PACERM)

PACERM, cochaired by the Provost and the Senior Vice President for Finance and Facilities, has oversight of risk assessments at the entity level. Taking a top-down view of risks and opportunities, PACERM advises the university president and other senior leaders on the management of risks and opportunities that may significantly impact strategic goals and/or priorities. They review the ERM dashboard (e.g., key risk indicators and key performance indicators). According to V'Ella Warren and Ana Mari Cauce, cochairs of PACERM in 2008–2009, PACERM “is the one place where participants set aside their individual organizational perspectives, and really think about the major risks and opportunities from an institution-wide view” (UW 2009, p. 6).

UW'S ERM MODEL

After a careful review of models in the corporate sector and within higher education, UW settled on the following regarding its ERM model:

• Assess risks in the context of strategic objectives, and identify interrelation of risk factors across the institution, not only by function.
• Cover all types of risk: compliance, financial, operational, and strategic.
• Foster a common awareness that allows individuals to focus attention on risks with strategic impacts.
• Enhance and strengthen UW's culture of compliance while protecting the decentralized, collaborative, entrepreneurial nature of the institution.

Adopting and Adapting the COSO Model

UW has defined ERM according to its interpretation of the Committee of Sponsoring Organizations (COSO) model, adapting the framework to fit the university environment and the UW in particular (see Exhibit 40.9). COSO describes ERM as “a process, effected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives” (COSO 2004). Adopted in 2009–2010, the 2010 ERM Annual Report notes:

The UW ERM Integrated Framework offers a schema to integrate the views of risk that have historically been addressed in silos or through a fragmented approach. The ERM framework bridges the gap between lower-level issues and upper-level issues, and it allows us to be explicit about the multiple levels on which the ERM process is deployed as a risk and/or opportunity management mechanism. (p. 4)

OUTCOMES AND LESSONS LEARNED

UW administrators can chart the evolution of their ERM program and the effectiveness it has on the university. They note that the early wins were at the unit level, when specific departments, such as Information Security and Environmental Health and Safety, integrated the ERM process with their well-established strategic planning processes. Those units used the risk assessment tools to identify and rank risks that could hinder or prevent the achievement of their strategic goals. Integration of ERM at the entity level is happening more slowly, but issues that impact everyone at the UW, such as faculty recruitment and retention or responding to the external financial crisis, now can happen in a more integrated fashion as the understanding of ERM evolves. For several years, due to severe budget reductions, the Office of Planning and Budgeting consciously added some questions about risk assessment into the budget request process. Vice presidents and deans were asked to address the impact of budget reductions in terms of risk. This happened, in part, because two key members of the Budget and Planning Office, as well as the Provost, have been involved with the PACERM.

UW administrators have a few other observations about their process and how and why it has worked. First, they note that they were aware from the outset that the environment at UW is highly decentralized and that appointing an “ERM czar” or chief risk officer (CRO) wouldn't fit with the culture. They made a deliberate choice not to formalize ERM through a senior-level position, but rather to engage in implementation through a committee structure. Second, they involved faculty members from the beginning. This helped with a sense of shared purpose. Faculty members came to see the business side of academia, and staff and administrators better understood the point of view of scholars engaged in teaching and learning. Third, the senior leadership has stayed dedicated to the ERM process, even with transitions in the president and other senior administrators. The 2011 ERM Annual Report points out the benefits to the UW of the ERM approach:

The value of ERM is both qualitative (e.g., risk and opportunity maps) and quantitative (e.g., dashboards to contextualize and display metrics). Qualitative benefits accumulate because the risk mapping process allows groups throughout the University to collectively prioritize issues, and ensure that the effort and resources involved in root cause analysis, measurement, and monitoring are applied only to the most significant concerns. Each iteration of the ERM process results in new capabilities, and insight gained into maintaining the University's competitive advantage—particularly from managing our financial risks and strategic opportunities better than our peers. (p. 5)

UW has been strategic, deliberate, and inclusive as it continues on its journey to develop and enhance its ERM program, learning lessons from what works and adapting new strategies in order to improve or modify its program. ERM began at UW in 2006 “by establishing a collaborative approach and structure to consider broad perspectives in identifying and assessing risk” (2012 Annual Report, p. 3). This strategy has helped UW overcome some of the traditional challenges facing universities when implementing ERM, including addressing concerns about the real effectiveness of risk assessment, getting agreement on definitions of risk assessment impact, identifying risk owners, and moving beyond the “risk discussion” to focus on mitigation (2012 Annual Report, p. 3). In her November 2012 presentation on UW's ERM program to the Pacific Northwest Enterprise Risk Forum, Ann Anderson, Associate VP and Controller, outlined the following seven key lessons that UW has learned by engaging in ERM for almost eight years:

1. Clarify the roles of the various risk committees.
2. Develop a “work plan” for the committees.
3. Develop engaging agendas, focused at the appropriate level.
4. Don't overemphasize “lowest common denominator” risks.
5. Gather data/information to develop expertise on specific risks.
6. Avoid discussing low-level, narrow risks—too time-consuming!
7. Don't get into the weeds with implementation and process. Delegate actions to responsible parties.

WHAT NEXT? CURRENT PRIORITIES AND FUTURE DIRECTION

As the 2010 ERM Annual Report points out, the process of involving people in risk assessments, even with the most well-developed risk assessment tools, is only part of the process. “Successfully maintaining a large-scale organizational initiative such as ERM requires a comprehensive, broad based approach that is widely understood and used regularly to clearly articulate where risks and opportunities exist throughout the University” (p. 4). As ERM moves forward at UW, the focus is on a “greater refinement of institutional success metrics, increased assessments of risks identified, and continued expansion across the university to incorporate risk assessment into decision-making and strategic planning” (2012 Annual Report, p. 2). The objectives for 2013–2014 are: (1) strengthen oversight of the top risks and (2) enhance coordination and integration of ERM activities with decision-making processes. Several initiatives will help UW achieve these objectives, including seeking input and approval from the PACERM in order to elevate the monitoring of the top risks; a comparison of the institutional-level risks with unit-level risks; the development of quantitative visual representations of the risks, metrics, and targets; engaging the community more broadly in risk management; integrating risk management with the budget and planning cycle for the university; a retrospective analysis of risks and mitigation investments; and a forward-looking analysis to highlight gaps and areas of concern. They are also in the process of developing specific deliverables and measures as indicators of success, such as executive-level risk registers, dashboards of key risks, and a foundation and structure to integrate risk maps and dashboards with the planning and budgeting cycle.

CONCLUSION

UW's ERM implementation process and lessons learned are consistent with the guidance offered by the National Association of College and University Attorneys (NACUA). In a 2010 conference presentation, NACUA identified the following eight critical success factors:

1. Establish the right vision and realistic plan.
2. Obtain senior leadership buy-in and direction.
3. Align with mission and strategic objectives.
4. Attack silos at the outset.
5. Set objectives and performance indicators.
6. Stay focused on results.
7. Communicate vision and key outcomes.
8. Develop a sustainable process versus a one-time project.

While complex and time-consuming, effective development of a culture- specific ERM program can have positive outcomes for colleges and universities. Institutions such as UW that view ERM as a long-term investment in institutional health, rather than a fad or simply a set of tools (such as spreadsheets and heat maps), position themselves well not only to respond to the external demands from credit ratings agencies, accreditors, and federal regulators, but to situate themselves to make key strategic decisions, informed by both quantitative and qualitative data, to enhance their organization, leading to increased enrollment and graduation and strategic disbursement of resources for teaching and research, as well as increasing the likelihood that, due to their integrated, proactive approach, they will avoid future compliance scandals. Perhaps the two most important deliverables on UW's 2013–2014 agenda are those that demonstrate its awareness of the importance of the human resources component in its collegial environment: outreach to faculty and other administrators to obtain broader validation of risks and to identify additional mitigation activities, and an iterative process to involve senior leaders, the Provost, the President, and the Regents in monitoring the top risks. Through this process, UW is building a culture not only of compliance, but of shared responsibility for the future health of the university.

REFERENCES

ABOUT THE AUTHOR

Anne E. Lundquist, PhD, Assistant Vice President for Campus Strategy at Anthology (she/her/hers), is a third-generation educated researcher, poet, yogi, and social justice advocate who draws on her 30-year career in higher education to help campuses use data for change. Previously, Anne served as Director of Strategic Planning and Assessment for the Division of Student Affairs at Western Michigan University as well as senior student affairs officer at four liberal arts colleges. She has taught diverse subject matter, including educational leadership, institutional effectiveness, higher education law, writing, and literature. Anne's areas of scholarship and interest include strategic planning, enterprise risk management, student success, and equity-minded assessment. Her dissertation research study is entitled “Enterprise Risk Management (ERM) in Colleges and Universities: Administration Processes Regarding the Adoption, Implementation and Integration of ERM.” Using her expertise in several areas, she has presented and been the author of articles on risk management, institutional liability, students with psychiatric disabilities, assessment and strategic planning, intercultural competence, and the development and implementation of integrated community standards/restorative justice judicial models. She is the coauthor of The Student Affairs Handbook: Translating Legal Principles into Effective Policies (LRP Publications, 2007). She holds an MFA in Creative Writing and a PhD in Educational Leadership, Higher Education, from Western Michigan University. She earned her BA in Religious Studies and English from Albion College.