Pacific northwest enterprise risk forum

CHAPTER 9 Lessons from the Academy ERM Implementation in the University Setting ANNE E. LUNDQUIST Western Michigan University The tragedy at Virginia Tech, infrastructure devastation at colleges and universities in the New Orleans area in the aftermath of Hurricane Katrina, the sexual abuse scandal at Penn State, the governance crisis at the University of Virginia, American University expense-account abuse, and other highprofile university situations have created heightened awareness of the potentially destructive influence of risk and crisis for higher education administrators.1 The recent Risk Analysis Standard for Natural and Man-Made Hazards to Higher Education Institutions (American Society of Mechanical Engineers–Innovative Technologies Institute 2010) notes that “resilience of our country’s higher education institutions has become a pressing national priority” (p. vi). Colleges and universities are facing increased scrutiny from stakeholders regarding issues such as investments and spending, privacy, conflicts of interest, information technology (IT) availability and security, fraud, research compliance, and transparency (Willson, Negoi, and Bhatnagar 2010). A statement from the review committee assembled to examine athletics controversies at Rutgers University is not unique to that situation; the committee found that “the University operated with inadequate internal controls, insufficient inter-departmental and hierarchical communications, an uninformed board on some specific important issues, and limited presidential leadership” (Grasgreen 2013). The situation at Penn State may be one of the clearest signals that risk management (or lack thereof) has entered the university environment and is here to stay. In a statement regarding the report, Louis Freeh, chair of the independent investigation by his law firm, Freeh Sporkin & Sullivan, LLP, into the facts and circumstances of the actions of Pennsylvania State University, said the following: In our investigation, we sought to clarify what occurred . . . and to examine the University’s policies, procedures, compliance and internal controls relating to identifying and reporting sexual abuse of children. Specifically, we worked to identify any failures or gaps in the University’s control environment, compliance programs and culture which may have enabled these crimes against children to occur on the Penn State campus, and go undetected and unreported for at least these past 14 years. 143 www.it-ebooks.info 144 Implementing Enterprise Risk Management The chair of Penn State’s board of trustees summed it up succinctly after the release of the Freeh Report (Freeh and Sullivan 2012) regarding the university’s handling of the sexual abuse scandal: “We should have been risk managers in a more active way” (Stripling 2012). The variety, type, and volume of risks affecting higher education are numerous, and the public is taking notice of how those risks are managed. Accreditation agencies are increasingly requiring that institutions of higher education (IHEs) demonstrate effective integrated planning and decision making, including using information gained from comprehensive risk management as a part of the governance and management process.2 Credit rating agencies now demand evidence of comprehensive and integrated risk management plans to ensure a positive credit rating, including demonstration that the board of trustees is aware of, and involved in, risk management as a part of its decision making.3 Through its Colleges and Universities Compliance Project, the Internal Revenue Service (IRS) is considering how to hold IHEs responsible for board oversight of risk, investment decisions, and other risk management matters.4 The news media has a heightened focus on financial, governance, and ethical matters at IHEs, holding them accountable for poor decisions and thus negatively affecting IHE reputations. In response to this, many IHEs have implemented some form of enterprise risk management (ERM) program to help them identify and respond to risk. THE HIGHER EDUCATION ENVIRONMENT Colleges and universities have often perceived themselves as substantially different and separate from other for-profit and not-for-profit entities, and the outside world has historically viewed and treated them as such. Colleges and universities have been viewed as ivory towers, secluded and separated from the corporate (and thus the federal regulatory and, often, legal) world. Higher education was largely a self-created, self-perpetuating, insular, isolated, and self-regulating environment. In this culture, higher education institutions were generally governed under the traditional, independent “silos of power and silence” management model, with the right hand in one administrative area or unit often unaware of the left hand’s mission, objectives, programs, practices, and contributions in another area. John Nelson (2012), managing director for the Public Finance Group (Healthcare, Higher Education, Not-for-Profits) for Moody’s Investors Service, observed that higher education culture is somewhat of a contradiction in that colleges and universities are often perceived as “liberal,” whereas organizationally they tend to be “conservative and inward-looking.”5 Citing recent examples at Penn State and Harvard, he noted that colleges and universities can be “victims of their own success”; a past positive reputation can prevent boards from asking critical questions, and senior leadership from sharing troubling information with boards, and this can perpetuate a culture that isn’t self-reflective, thus increasing the likelihood for a systemic risk management or compliance failure. The Freeh Report (2012) is instructive regarding not only the Penn State situation, but the hands-off and rubber-stamp culture of university boards and senior leaders more broadly. The Freeh Report found that the Penn State board failed in its duty to make reasonable inquiry and to demand action from the president, and that the president, a senior vice president, and the general counsel did not perform their duties. www.it-ebooks.info LESSONS FROM THE ACADEMY 145 The report calls these inactions a “failure of governance,” noting that the “board did not have regular reporting procedures or committee structure to ensure disclosure of major risks to the University” and that “Penn State’s ‘Tone at the Top’ for transparency, compliance, police reporting, and child protection was completely wrong, as shown by the inaction and concealment on the part of its most senior leaders, and followed by those at the bottom of the University’s pyramid of power.” In his text regarding organizational structures in higher education, How Colleges Work, Birnbaum (1988) notes that, organizationally and culturally, colleges and universities differ in many ways from other organizations. He attributes this difference to several factors: the “dualistic” decision-making structure (comprised of faculty “shared governance” and administrative hierarchy); the lack of metrics to measure progress and assess accountability; and the lack of clarity and agreement within the academic organization on institutional goals (based, in part, on the often competing threefold mission of most academic organizations of teaching, research, and service). Because of these organizational differences, Birnbaum notes that the “processes, structures, and systems for accountability commonly used in business firms are not always sensible for [colleges and universities]” (p. 27). While noting that colleges and universities are unique organizations, Birnbaum also observes that they have begun to adopt more general business practices, concluding that “institutions have become more administratively centralized because of requirements to rationalize budget formats, implement procedures that will pass judicial tests of equitable treatment, and speak with a single voice to powerful external agencies” (p. 17). This evolution to a more businesslike culture for IHEs has been evolving since the 1960s and has brought significant societal changes while seeing the federal government, as well as state governments, begin to enact specific legislation affecting colleges and universities.6 The proliferation of various laws and regulations, coupled with the rise of aggressive consumerism toward the end of the 1990s, has led to an increased risk of private legal claims against institutions of higher education— and their administrators—as well as a proliferation of regulatory and compliance requirements. Higher education is now generally treated like other business enterprises by judges, juries, and creative plaintiffs’ attorneys, as well as by administrative and law enforcement agencies, federal regulators—and the public. Mitroff, Diamond, and Alpaslan (2006) point out that despite their core educational mission, colleges and universities are really more like cities in terms of the number and variety of services they provide and the “businesses” they are in. They cite the University of Southern California (USC) as an example, noting that USC operates close to 20 different businesses, including food preparation, health care, and sporting events, and that each of these activities presents the university with different risks. Jean Chang (2012), former ERM director at Yale University, observed that IHEs are complicated businesses with millions of dollars at stake, but they don’t like to think of themselves as “enterprises.” Organizational Type Impacts Institutional Culture While Birnbaum (1988) notes that IHEs differ in important ways from other organizational types, especially for-profit businesses, he also concludes that colleges www.it-ebooks.info 146 Implementing Enterprise Risk Management and universities differ from each other in important ways. Birnbaum outlines five models of organizational functioning in higher education: collegial, bureaucratic, political, anarchical, and cybernetic. In Bush’s (2011) text on educational leadership, he groups educational leadership theories into six categories: formal, collegial, political, subjective, ambiguity, and cultural. In their discussion of organizational structure, Bolman and Deal (2008) provide yet another method for analysis of organizational culture, identifying four distinctive “frames” from which people view their world and that provide a lens for understanding organizational culture: structural, human resources, political, and symbolic. Each of these models can provide a conceptual framework by which to understand and evaluate the culture of a college or university. Understanding the organizational type of a particular institution is imperative when considering issues such as the process by which goals are determined, the nature of the decisionmaking process, and the appropriate style of leadership to accomplish goals and implement initiatives. What works in one university organizational type may not be effective in another. The leadership style of senior administration may be operating from one frame or model while the culture of the faculty may be operating from another, thus affecting policy and practice in positive or negative ways. While not true across the board, for-profit organizations tend to operate from what Bush as well as Bolman and Deal refer to as the formal or structural models and Birnbaum terms bureaucratic. The structural frame represents a belief in rationality. Some assumptions of the structural frame are that “suitable forms of coordination and control ensure that diverse efforts of individuals and units mesh” and that “organizations work best when rationality prevails over personal agendas” (Bolman and Deal 2008, p. 47). Understanding this cultural and framing difference is important when considering the adoption and implementation of ERM in the university environment, and can help to explain why many university administrators and faculty are skeptical of the more corporate approach often taken in ERM implementation outside of higher education. Bush observes that the collegial model has been adopted by most universities and is evidenced, in part, by the extensive committee system. Collegial institutions have an “emphasis on consensus, shared power, common commitments and aspirations, and leadership that emphasizes consultation and collective responsibilities” (Birnbaum, p. 86). Collegial models assume that professionals also have a right to share in the wider decision-making process (Bush 2011, p. 73). Bush points out that collegial models assume that members of an organization agree on organizational goals, but that often various members within the institution have different ideas about the central purposes of the institution because most colleges and universities have vague, ambiguous goals. Birnbaum describes the collegium (or university environment) as having the following characteristics: The right to participate in institutional affairs, membership in a congenial and sympathetic company of scholars in which friendships, good conversation, and mutual aid flourish, and the equal worth of knowledge in various fields that precludes preferential treatment of faculty in different disciplines. (p. 87) ERM (or risk management and compliance initiatives in general) tend to be viewed as more corporate functions and to align with formal, structural, and bureaucratic aims, goal setting, planning, and decision making. The chart in Exhibit 9.1 outlines management practices and how they are viewed from the www.it-ebooks.info Exhibit 9.1 Distinctions between Structural and Collegial Elements of Management∗ Elements of Management Formal/Structural Collegial/Human Resources Bolman and Deal Bush Institutional Birnbaum Institutional Bolman and Deal Bush Birnbaum Level at which goals are determined Institutional Institutional through agreement and consensus Process by which goals are determined Vertical and lateral processes Set by leaders Based on organizational structure and roles Agreement Agreement Consensus Relationship between goals and decisions Organizations exist to achieve established goals Decisions based on goals Conscious attempt to link means to ends and resources to objectives Shared sense of direction and commitment Decisions based on goals Strong and coherent culture and value consensus informs decisions Nature of the decision process Rational; rules, policies, and standard operating procedures Rational Rational; compliance with rules and regulations Egalitarianism; teams Collegial Deliberative consensus Nature of structure Organizations increase efficiency and enhance performance through specialization and division of labor Objective reality; hierarchical Designed to accomplish large-scale tasks by systematically coordinating the work of many individuals Organizations exist to serve human needs; must be a good fit between organization and people Lateral Collegium Style of leadership Established authority Leader establishes goals and initiates policy Leader is concerned with planning, directing, organization, staffing, and evaluating Doesn’t control or overly structure; sensitive to both task and process; use of teams Leader seeks to promote consensus Leader is “first among equals,” consultation and collective responsibilities ∗Adapted from Bush (2011), 199 (Figure 9.1). 147 www.it-ebooks.info 148 Implementing Enterprise Risk Management formal/structural and collegial/human resources models. As will become clear in the University of Washington ERM implementation case described in this chapter, the culture of higher education in general, and the institution-specific culture of the particular organization, cannot be ignored when adopting or implementing an ERM program, and may be the most important element when making ERM program, framework, and philosophy decisions. Risks Affecting Higher Education One way in which colleges and universities are becoming more like other organizations is the type and variety of risks affecting them. Risk and crisis in higher education may arise from a variety of sources: a failure of governance or leadership; a business or consortium relationship; an act of nature; a crisis related to student safety or welfare or that of other members of the community; a violation of federal, state, or local law; or a myriad of other factors. The University Risk Management and Insurance Association (URMIA 2007) cites several drivers that put increased pressure and risk on colleges and universities, including competition for faculty, students, and staff; increased accountability; external scrutiny from the government, the public, and governing boards; IT changes; competition in the marketplace; and increased levels of litigation. A comprehensive, yet not exhaustive, list of risks affecting higher education is outlined in Exhibit 9.2. Risks unmitigated at the unit, department, or college level can quickly lead to high-profile institutional risk when attorneys, the media, and the public get involved. Helsloot and Jong (2006) observe that higher education has a unique risk as it relates to the generation and sharing of its core task: “to gather, develop, and disseminate knowledge” (p. 154), noting that the “balance between the unfettered transfer of knowledge, on the one hand, and security, on the other, is a precarious one” (p. 155). EMERGENCE OF ERM IN HIGHER EDUCATION In the corporate sector, interest in the integrated and more strategic concept of enterprise risk management (ERM) has grown significantly in the past 15 years (Arena, Arnaboldi, and Azzone 2010). Certain external factors affected the adoption and implementation of ERM practices in corporations, including significant business failures in the late 1980s that occurred as a result of high-risk financing strategies (URMIA 2007). Governments in several European countries took actions and imposed regulatory requirements regarding risk management earlier than was done in the United States, issuing new codes of practice and regulations such as the Cadbury Code (1992), the Hampel Report (1998), and the Turnbull Report (1999). In 2002, the Public Company Accounting Reform and Investor Protection Act (otherwise known as Sarbanes-Oxley, or SOX) was enacted in the United States. In 2007, the Securities and Exchange Commission (SEC) issued guidance placing greater emphasis on risk assessment and began to develop requirements for enterprisewide evaluation of risk. In February 2010, the SEC imposed regulations requiring for-profit corporations to report in depth on how their organizations identify risk, set risk tolerances, and manage risk/reward trade-offs throughout the enterprise. While widespread in the corporate sector, in large part due to regulatory compliance, ERM is fairly new in higher education. Gurevitz (2009) observes that www.it-ebooks.info LESSONS FROM THE ACADEMY 149 Exhibit 9.2 Risks Affecting Higher Education Institutional Area Types of Risk Boards of Trustees and Regents, President, Senior Administrators Accreditation Board performance assessment CEO assessment and compensation Conflict of interest Executive succession plan Fiduciary responsibilities IRS and state law requirements Risk management role and responsibility Business and Financial Affairs Articulation agreements Bonds Budgets Business ventures Cash management Capital campaign Contracting and purchasing Credit rating Debt load/ratio Endowment Federal financial aid Fraud Gift/naming policies Insurance Investments Loans Outsourcing Transportation and travel Recruitment and admissions model Compliance with Federal, State, and Local Laws, Statutes, Regulations, and Ordinances Americans with Disabilities Act (ADA)/Section 504 Copyright and fair use Drug-Free Schools and Communities Act Family Educational Rights and Privacy Act (FERPA) Health Insurance Portability and Accountability Act of 1996 (HIPAA) Higher Education Opportunity Act IRS regulations Integrated Postsecondary Education Data System (IPEDS) Jeanne Clery Disclosure of Campus Security Policy and Campus Crime Statistics Act (Clery Act) National Collegiate Athletic Association (NCAA)/National Association of Intercollegiate Athletics (NAIA) regulations Record retention and disposal Tax codes Whistle-blower policies Campus Safety and Security Emergency alert systems for natural disaster or other threat Emergency planning and procedures Incident response (continued) www.it-ebooks.info 150 Implementing Enterprise Risk Management Exhibit 9.2 (Continued) Institutional Area Types of Risk Campus Safety and Security (continued) Infectious diseases Interaction with local, state, and federal authorities Minors on campus Terrorism Theft Violence on campus Weapons on campus Weather Information Technology Business continuity Cyber liability Electronic records Information security Network integrity New technologies Privacy System capacity Web page accuracy Academic Affairs Academic freedom Competition for faculty Faculty governance issues Grade tampering Grants Human subject, animal, and clinical research Intellectual property Internship programs Joint programs/partnerships Laboratory safety Online learning Plagiarism Quality of academic programs Student records Study abroad Tenure Student Affairs Admission/retention Alcohol and drug use Clubs and organizations Conduct and disciplinary system Dismissal procedures Diversity issues Fraternities and sororities Hate crimes Hazing International student issues Psychological disabilities issues Sexual assault Student death Student protest Suicide www.it-ebooks.info LESSONS FROM THE ACADEMY 151 Exhibit 9.2 (Continued) Institutional Area Types of Risk Employment/Human Resources Affirmative action Background checks Discrimination lawsuits Employment contracts Grievances Labor laws Performance evaluation Personnel matters Sexual harassment Termination procedures Unions Workplace safety Physical Plant Building and renovation Fire Infrastructure damage Off-site programs Public-private partnerships Residence hall and apartment safety Theft Other Alumni Athletics External relations Increased competition for students, faculty, and staff Increased external scrutiny from the public, government, and media Medical schools, law schools Vendors educational institutions “have been slower to look at ERM as an integrated business tool, as a way to help all the stakeholders—trustees, presidents, provosts, CFOs, department heads, and frontline supervisors—identify early warning signs of something that could jeopardize a school’s operations or reputation.” In 2000, the Higher Education Funding Council of England enacted legislation requiring all universities in England to implement risk management as a governance tool (Huber 2009). In Australia, the Tertiary Education Quality Standards Agency (TEQSA 2013) evaluates the performance of higher education providers against a set of threshold standards and makes decisions in relation to their performance in line with three regulatory principles, including understanding an institution’s level of risk. In the United States, engaging in risk management efforts and programs for IHEs is not specifically required by accrediting agencies or the federal government. Perhaps because it is not required, ERM has not been a top focus for boards and senior administrators at IHEs. Tufano (2011) points out that risk management in the nonprofit realm, including higher education, is significantly less developed than in much of the corporate world and often still has a focus on avoidance of loss rather than setting strategic direction. Mitroff, Diamond, and Alpaslan’s (2006) www.it-ebooks.info 152 Implementing Enterprise Risk Management survey assessing the state of crisis management in higher education revealed that colleges and universities were generally well prepared for certain crises, particularly fires, lawsuits, and crimes, in part because certain regulations impose requirements. They were also well prepared for infrequently experienced but high-profile situations such as athletics scandals, perhaps based on their recent prominence in the media. However, they were least prepared for certain types of crises that were frequently experienced such as reputation and ethics issues, as well as other nonphysical crises such as data loss and sabotage.7 A survey conducted by the Association of Governing Boards of Universities and Colleges and United Educators (2009) found that, of 600 institutions completing the survey, less than half of the respondents “mostly agreed” that risk management was a priority at their institution. Sixty percent stated that their institutions did not use a comprehensive, strategic risk assessment to identify major risks to mission success. Recent highprofile examples may be beginning to change that. The Freeh Report regarding Penn State determined that “the university’s lack of a robust risk-management system contributed to systemic failures in identifying threats to individuals and the university and created an environment where key administrators could ‘actively conceal’ troubling allegations from the board” (Stripling 2012). ADOPTING AND IMPLEMENTING ERM IN COLLEGES AND UNIVERSITIES In 2001, PricewaterhouseCoopers and the National Association of College and University Business Officers (NACUBO) sponsored a think tank of higher education leaders to discuss the topic of ERM in higher education, likely in response to widespread discussion in the for-profit sector and in anticipation of potential regulatory implications for higher education. The group included Janice Abraham, then president and chief executive officer of United Educators Insurance, as well as senior administrators from seven universities.8 The focus of their discussion was on the definition of risk; the risk drivers in higher education; implementation of risk management programs to effectively assess, manage, and monitor risk; and how to proactively engage the campus community in a more informed dialogue regarding ERM. Their conversation produced a white paper, “Developing a Strategy to Manage Enterprisewide Risk in Higher Education” (Cassidy et al. 2001). In 2007, NACUBO and the Association of Governing Boards of Universities and Colleges (AGB) published additional guidance in their white paper, “Meeting the Challenges of Enterprise Risk Management in Higher Education.” The University Risk Management and Insurance Association (URMIA) also weighed in with its white paper, “ERM in Higher Education” (2007). In 2013, Janice Abraham wrote a text published by AGB and United Educators, entitled Risk Management: An Accountability Guide for University and College Boards. These documents provide guidance and information to institutions considering the implementation of an ERM program and discuss the unique aspects of the higher education environment when considering ERM implementation. Several authors have discussed the transferability of the ERM model to higher education, even with the cultural and organizational differences that abound between the for-profit environment and higher education. URMIA (2007) concluded that “the ERM process is directly applicable to institutions of higher www.it-ebooks.info LESSONS FROM THE ACADEMY 153 education, just as it is to any other ‘enterprise’; there is nothing so unique to the college or university setting as to make ERM irrelevant or impossible to implement” (p. 17). Whitfield (2003) assessed the “feasibility and transferability of a general framework to guide the holistic consideration of risk as a critical component of college and university strategic planning initiatives” (p. 78) and concluded that “the for-profit corporate sector’s enterprise-wide risk management framework is transferable to higher education institutions” (p. 79). National conferences for higher education associations such as NACUBO, AGB, URMIA, and others had presentations on ERM. Insurers of higher education, such as United Educators and Aon, as well as consultants such as Accenture and Deloitte, among others, provided workshops to institutions and published white papers of their own, such as the Gallagher Group’s “Road to Implementation: Enterprise Risk Management for Colleges and Universities” (2009). In the early 2000s, many IHEs rushed to form committees to examine ERM and hired risk officers in senior-level positions, following the for-profit model.9 However, when specific regulations such as those imposed by the SEC for for-profit entities did not emerge in the higher education sector, interest in highly developed ERM models at colleges and universities began to wane. Gurevitz (2009) points out that the early ERM frameworks weren’t written with higher education in mind and were often presented “in such a complicated format that it made it difficult to translate the concepts for many universities.” Institutions with ERM programs have taken various paths in their selection of models and methods and have been innovative and individualized in their approaches. There is no comprehensive list of higher education institutions with ERM programs, and not all IHEs with integrated models use the term ERM. Exhibit 9.3 shows a snapshot of IHEs that have adopted ERM; a review of their websites demonstrates the various risk management approaches adopted by IHEs and the wide variability in terminology, reporting lines, structure, and focus. In many instances, those IHEs with highly developed programs today had some form of “sentinel event” (regulatory, compliance, student safety, financial, or other) that triggered the need for widespread investigation and, therefore, the development of more coordinated methods for compliance, information sharing, and decision making. In other situations, governing board members brought their business experience with ERM to higher education, recognizing the “applicability and relevance of using a holistic approach to risk management in academic institutions” (Abraham 2013, p. 6). Regardless of the impetus, the current focus appears to be on effectively linking risk management to strategic planning. Abraham points out that many higher education institutions are recognizing that an effective ERM program, with the full support of the governing board, “will increase a college, university or system’s likelihood of achieving its plans, increase transparency, and allow better allocation of scarce resources. Good risk management is good governance” (p. 5). Ken Barnds (2011), vice president at Augustana College, points out that “many strategic planning processes, particularly in higher education, spent an insufficient amount of time thinking about threats and weaknesses.” Barnds believes that “an honest and thoughtful assessment of the college’s risks . . . would lead [Augustana] in a positive, engaged, and proactive direction.” A recent Grant Thornton (2011) thought paper urges university leaders to think about more strategic issues as part of their risk management, including board governance, IRS scrutiny of board oversight www.it-ebooks.info Exhibit 9.3 Sample of Colleges and Universities with ERM Programs Institution Title of Person with ERM Responsibility Website Duke University Executive Director of Internal Audit http://internalaudits.duke.edu/risk-assessment/index.php Emory University Chief Audit Officer www.emory.edu/EMORY_REPORT/stories/2010/04/19/risk_ management.html Georgia State University Director, Enterprise Risk Management www.gsu.edu/accounting/63370.html Iowa State University Associate Vice President for Budget and Planning www.provost.iastate.edu/what-we-do/erm Johnson & Wales Director of Compliance, Internal Audit, and Risk Management www.jwu.edu/content.aspx?id=57825 Maricopa County Community College District (MCCCD) Director of Enterprise Risk Management www.maricopa.edu/publicstewardship/governance/adminregs/ auxiliary/4_16.php Ohio University Associate Vice President for Risk Management and Safety www.ohio.edu/riskandsafety/urmi.htm Texas A&M University System Office of Risk Management and Benefits Administration www.tamus.edu/offices/risk/riskmanage/guide/enterprise-riskmanagement/ University of Alaska System Chief Risk Officer www.alaska.edu/risksafety/ University of California Risk Services, Office of the President www.ucop.edu/enterprise-risk-management/ University of Denver Director of Enterprise Risk Management www.du.edu/internal-audit/internal_audit/faq.html University of Iowa Senior Vice President of Finance and Operations and Treasurer www.uiowa.edu/∼fusrm/EnterpriseRiskManagement/index.html University of Maryland Vice President for Planning and Accountability www.umaryland.edu/accountability-old/risk-management/ University of Notre Dame Director of Risk Management and Safety http://riskmanagement.nd.edu/about/ University of Vermont Senior Strategist for Enterprise Risk and Planning, Office of the Vice President for Finance & Administration www.uvm.edu/∼erm/ University of Maryland Vice President for Planning and Accountability www.umaryland.edu/accountability-old/risk-management/ University of Washington Risk Analyst http://f2.washington.edu/fm/erm Yale University Director of ERM http://ogc.yale.edu/riskmanagement 154 www.it-ebooks.info LESSONS FROM THE ACADEMY 155 practices, investment performance in university endowments, indirect cost rates in research, changes in employment practices, and outsourcing arrangements. Regardless of terminology, there is an increased priority on taking a more enterprise-wide approach to risk management and moving from a compliancedriven approach to a comprehensive, strategic approach across and throughout the organization that is used to positively affect decision making and impact mission success and the achievement of strategic goals. Tufano (2011) points out that even in the corporate environment, top leaders are not inclined to work through a detailed step-by-step risk management process, but rather take a toplevel approach. In the university environment, this means asking three fundamental questions: What is our mission? What is our strategy to achieve it? What risks might derail us from achieving our mission? Richard F. Wilson, president of Illinois Wesleyan University, may best summarize the current perspective of senior-level higher education administrators: When I first started seeing the phrase “enterprise risk management” pop up in higher education literature, my reaction was one of skepticism. It seemed to me yet another idea of limited value that someone had created a label for, to make it seem more important than it really was. Although some of that skepticism remains, I find myself increasingly in sympathy with some of its basic tenets . . . [especially] the analysis that goes into decisions about the future. Most institutions are currently engaged in some kind of strategic planning effort driven, in part, by the need to protect their financial viability and vitality for the foreseeable future. ... Bad plans and bad execution of good ideas can put an institution at risk fairly quickly in the current environment. Besides examining what we hope will happen if a particular plan is adopted, we should also devote time to the consequences if the plan does not work. I still cannot quite get comfortable incorporating enterprise risk management into my daily vocabulary, but I have embraced the underlying principles. (Wilson 2013) THE UNIVERSITY OF WASHINGTON: A JOURNEY OF DISCOVERY The University of Washington (UW) has a robust enterprise risk management (ERM) program that is moving into its seventh year. The program began with what administrators10 at UW call a “sentinel event,” settling a Medicare and Medicaid overbilling investigation by paying the largest fine by a university for a compliance failure—$35 million. This led the new president, Mark Emmert, to formally charge senior administrators in 2005 with the task of identifying best practices for “managing regulatory affairs at the institutional level by using efficient and effective management techniques” (UW ERM Annual Report 2008, p. 4). At the outset in 2006, the objective for UW was to “create an excellent compliance model built on best practices, while protecting its decentralized, collaborative, and entrepreneurial culture” (Collaborative ERM Report 2006, p. vi). The ERM process at UW has been what Ann Anderson, associate vice president and controller, terms “a journey of discovery.” ERM has developed and evolved at UW, moving from what UW administrators describe as an early compliance phase, through www.it-ebooks.info 156 Implementing Enterprise Risk Management a governance phase to a mega-risk phase. Currently, the University of Washington is focused on two objectives: (1) strengthening oversight of top risks, and (2) enhancing coordination and integration of ERM activities with decision-making processes at the university. This case study will describe the decision-making and implementation process at UW, as well as outline various tools and frameworks that UW adopted and adapted for use not only in the higher education setting in general, but to fit specifically within the university’s decentralized culture. Institutional Profile Founded in 1861, the University of Washington is a public university enrolling some 48,000 students and awarding approximately 10,000 degrees annually (see Exhibit 9.4). The institution also serves approximately 47,000 extension students. There are nearly 650 student athletes in UW’s 21 Division I men’s and women’s teams. There is a faculty/staff of over 40,000, making UW the third-largest employer in the state of Washington. The university is comprised of three campuses with 17 major schools and colleges and 13 registered operations abroad. It has a $5.3 billion annual budget, with $1.3 billion in externally funded research and $2.6 billion in clinical medical enterprise. UW has been the top public university in federal research funding every year since 1974 and has been among the top five universities, public and private, in federal funding since 1969. The university has an annual $9.0 billion economic impact on the state of Washington. Culture at UW When appointed to serve on the President’s Advisory Committee on ERM (PACERM) in 2007, Professor Daniel Luchtel commented, in the context of talking about risk assessments, that “the number of issues and their complexity is stunning. The analogy that comes to mind is trying to get a drink of water from a fire hose” (2007 ERM Annual Report, p. 4). As with most higher education institutions, especially research universities, along with the core business of the teaching and learning of undergraduate and graduate students, the faculty are focused on the creation of new knowledge. “The University of Washington is a decentralized yet collaborative entity with an energetic, entrepreneurial culture. The community members are committed to rigor, integrity, innovation, collegiality, inclusiveness, and connectedness” (Collaborative Enterprise Risk Management Final Report 2006, p. v). Faculty innovation and the idea of compliance don’t always go hand in hand in higher education, and UW is no exception. Research associate professor David Lovell, vice-chair of the Faculty Senate in 2007–2008, expresses it well: “Compliance” [is] not necessarily a good word for faculty members. . . . What lies behind [that] is the high value faculty accord to personal autonomy. ... The notion of a culture of compliance sounds like yet another extension of impersonal, corporate control, shrinking the arena of self-expression in favor of discipline and conformity. ... Over the last ten months, I’ve come to understand that you’re not here to get in our way, but to make it possible for us faculty legally to conduct the work we came here to do. ... I hope that working together, we can try to spread such understanding further, so that we can make compliance—or whatever term you choose—less threatening to faculty and frustrating to staff. (Annual ERM Report 2008, pp. 6–7) www.it-ebooks.info LESSONS FROM THE ACADEMY 157 26.3% ASIAN AMERICANS UNDERGRADUATE 32,291 48,022 students were enrolled at the UW in the fall of 2009 STUDENTS GRADUATE 11,592 PROFESSIONAL 1,907 11% ASIAN AMERICANS 11.7% UNDERREPRESENTED MINORITIES 8.3% UNDERREPRESENTED MINORITIES 5.2% INTERNATIONAL STUDENTS 13.6% INTERNATIONAL STUDENTS 19.2% ASIAN AMERICANS WOMEN 7.4% UNDERREPRESENTED MINORITIES 55.8% WOMEN 54% WOMEN 52.4% MEN 47.6% MEN 46% MEN 44.2% 1.6% INTERNATIONAL STUDENTS GATES CAMBRIDGE SCHOLARS MARSHALL 4 SCHOLARS RHODES 7 SCHOLARS SCHOLARS 46 35 Exhibit 9.4 University of Washington Student Profile From University of Washington Fact Book: http://opb.washington.edu/content/factbook. Organizationally, the institution is divided into silos, which has historically focused risk mitigation within those silos. Implementation History at UW On April 22, 2005, President Mark Emmert sent an e-mail to the deans and cabinet members in which he said: “With the most recent example of compliance issues, we have again been reminded that we have not yet created the culture of compliance that we have discussed on many occasions.” He went on to say that “the creation of a culture of compliance needs to be driven by our core values and commitment to doing things the right way, to being the best at all we do. . . . We need to know www.it-ebooks.info 158 Implementing Enterprise Risk Management that the manner in which we manage regulatory affairs is consistent with the best practices in existence.” The Sentinel Event: Largest Fine at a Medical School The Collaborative Enterprise Risk Management Report for the University of Washington (2006) began with the following: “Over the past few years, the UW has been confronted by a series of problems with institution-wide implications, including research compliance, financial stewardship, privacy matters, and protection of vulnerable populations” (p. v). The situation with the highest impact on the university began when Mark Erickson, a UW compliance officer, filed a complaint alleging fraud in the UW’s Medicare and Medicaid billing practices. The 1999 complaint prompted a criminal investigation, guilty pleas from two doctors, and a civil lawsuit resulting in the $35 million settlement, the largest settlement made by an academic medical center in the nation. The federal prosecutor claimed that “many people within the medical centers were aware of the billing problems” and that “despite this knowledge, the centers did not take adequate steps to correct them” (Chan 2004). UW’s 2006 ERM Annual Report acknowledges that, in addition to the direct cost of the fines, there were also indirect costs in terms of additional resources for reviews of university procedures, increased rigor and frequency of audits, and an incalculable damage to the university’s reputation. The federal prosecutor acknowledged that UW’s efforts to reform its compliance program have been “outstanding” (Chan 2004). He further noted that since the lawsuit was filed, the university “has radically restructured their compliance office. The government is very pleased with the efforts the UW is taking to take care of these errors.” Leadership from the Top: President Outlines the Charge At the time of the medical billing scandal, Lee L. Huntsman was president of UW. Huntsman had formerly been the acting provost, associate dean for scientific affairs at the school of medicine, and a professor of bioengineering. The UW Board of Regents had appointed Huntsman in a special session when Richard McCormick, the incumbent, accepted the presidency at Rutgers. Huntsman served for 18 months as president and continued as Special Assistant to the President and Provost for Administrative Transition until 2005 and as a senior adviser to the university for several more years. Mark A. Emmert, former chancellor of Louisiana State University and a UW alumnus, was appointed as the 30th president of UW and professor with tenure at the Evans School on June 14, 2004. In April 2005, President Emmert charged V’Ella Warren, Vice President for Financial Management, and David Hodge, Dean of the College of Arts and Sciences, with conducting a preliminary review of best practices in compliance and enterprise risk management in corporate and higher education institutions. Warren engaged the Executive Director of Risk Management, Elizabeth Cherry, and the Executive Director of Internal Audit, Maureen Rhea, to conduct a literature search on enterprise risk management, particularly in higher education. Cherry and Rhea engaged Andrew Faris, risk management analyst, to assist, and the three spent nearly two years (from 2004 to 2006) conducting the literature search and finding out how risk management was functioning on other campuses. As they www.it-ebooks.info LESSONS FROM THE ACADEMY 159 conducted their research, they continued to report their findings to Vice President Warren. They also piloted the risk assessment process with various departments at UW. Based on their findings and discussions with Vice President Warren, a draft report was compiled to provide initial guidance