INSTITUTION-WIDE RISK MANAGEMENT...


Source: finance.uw.edu/sites/default/files/erm/collaborative-erm-proposal.pdf

February 13, 2006

COLLABORATIVE ENTERPRISE RISK MANAGEMENT1

For the University of Washington

Final Report

“Without … guidance,” states a McKinsey survey, “An [organization’s]… risk strategy will be made—and repeatedly redefined accidentally—by dozens of everyday financial and business decisions.”2


TABLE OF CONTENTS

List of Figures ................................................................................................................. ii

List of Tables.................................................................................................................. iii

Foreword: President Emmert’s Charge .......................................................................... iv

Introduction: Reputation, Resources and Risk............................................................ v-vi

Chapter I: Framework

Key Terms and Questions..........................................................................................1

Enterprise Risk Management.....................................................................................2

Centralized Compliance Management.......................................................................5

Summary....................................................................................................................6

Chapter II: Peer Universities

General Comments ....................................................................................................7

Stanford University....................................................................................................7

University of Texas System.......................................................................................9

University of Minnesota ..........................................................................................10

University of Pennsylvania......................................................................................12

Summary..................................................................................................................14

Chapter III: University of Washington

Current Philosophy..................................................................................................15

Current Approach to Risk Management..................................................................15

Current Organization ...............................................................................................16

Future Risks.............................................................................................................17

Current Model Weaknesses .....................................................................................18

Lessons Learned ......................................................................................................18

Chapter IV: A Collaborative ERM for the UW


Guiding Principles ...................................................................................................21

Recommended Actions............................................................................................21

Program Effectiveness .............................................................................................25

Chapter V: Conclusion...................................................................................................28

Appendix I......................................................................................................................29

Endnotes.........................................................................................................................30


LIST OF FIGURES

Figure Number

1. Risk Cycle ....................................................................................................................1

2. Risk Map.......................................................................................................................4

3. University of Minnesota Compliance Risk Map ........................................................11

4. University of Minnesota Compliance Program Oversight..........................................12

5. Approaches to Compliance.........................................................................................14

6. Root Causes for Noncompliance at the UW...............................................................18


LIST OF TABLES

Table Number

1. Survey of recent fines, penalties and repayments made by research universities .........................vi

2. UW Compliance Areas ..............................................................................................22


FOREWORD

President Emmert’s Charge

On April 22, 2005, President Mark Emmert sent an email to Deans and Cabinet members in which he said:

“With the most recent example of compliance issues, we have again been reminded that we have not yet created the culture of compliance that we have discussed on many occasions. …Clearly, the creation of a culture of compliance needs to be driven by our core values and commitment to doing things the right way, to being the best at all we do. …we need to know that the manner in which we manage regulatory affairs is consistent with the best practices in existence.

Compliance cannot and will not be compromised for the sake of expediency. On the other hand, there is no reason why effective compliance cannot be assured in a manner that promotes effective use of people’s time and energy. We do not need or want another layer of bureaucracy. …or regulatory police. But neither can we…accept anything less than complete confidence that we are in compliance with all the regulations within which we must operate.

To this end, we need...to move forward with the process we started last fall… to develop proposals regarding best practices in this regard…[T]he preliminary assessment provides a useful framework for shaping a university-wide effort and discussion about actions needed…I am, therefore, asking V’Ella [Warren] and David Hodge to immediately begin working through this framework to determine if it provides the elements and process that we need to move forward.”


INTRODUCTION: REPUTATION, RESOURCES AND RISK

“…the University of Washington will be one of a very few places where the biggest, most complicated, most challenging questions and problems of the 21st century are addressed—questions that cross the boundaries of science, policy, and humanistic understanding and that engage the world. …That, I believe, is our special work.”

President Mark Emmert, Address to the University Community, 11/04

The University of Washington (UW) is a decentralized yet collaborative entity with an energetic, entrepreneurial culture. The community members are committed to rigor, integrity, innovation, collegiality, inclusiveness and connectedness. “We should acknowledge that these values are important to the institution’s continued excellence…”3

In attempting to reach that state of excellence, community members strive to set the highest standards of behavior for themselves. In so doing, they are pursuing shared objectives, which include meeting the expectations of sponsors, donors, and other stakeholders, conducting the University’s business with integrity and sustaining the institution’s culture and values.

The UW’s excellence is reflected in the institution’s reputation, “the bottom line” which links us to the community. Each individual contributes to that reputation and benefits from the contributions of others. For example, one can argue that groundbreaking research enhances both the reputation of the researcher and the UW. This in turn creates a positive mindset among stakeholders about the institution. This confidence in the excellence of the University inspires donors to invest in scholarships or professorships. It convinces the most talented students to accept admission. It persuades a brilliant poet or scientist to join the faculty. It drops the institution down the list of audit candidates compiled by federal auditors.

The opposite can also be true. This shared reputation can slide into a downward spiral. When this happens, stakeholders lose confidence in the ability of the institution to serve as a good steward of the public trust. In reaching this conclusion, sponsors, donors and other interested parties are looking not only at what is done, but how it is done. Reputation can be tarnished by noncompliance with law or regulation despite good programmatic results. It is, therefore, in the interest of everyone in the UW community to minimize and manage risks that affect the quality and reputation of the University.

Over the past few years, the UW has been confronted by a series of problems with institution-wide implications, including research compliance, financial stewardship, privacy matters, and protection of vulnerable populations. This led President Mark Emmert to comment in an email on April 22, 2005: “With the most recent example of compliance issues, we have again been reminded that we have not yet created the culture of compliance that we have discussed on many occasions.…the creation of a culture of compliance needs to be driven by our values and commitment to doing things the right way, to being the best at all we do. …we need to know that the manner in which we manage regulatory affairs is consistent with the best practices in existence, both in terms of how we assure compliance and also in terms of how we serve our faculty, staff and students. Compliance cannot and will not be compromised for the sake of expediency.”4

One of the unfortunate results of noncompliance is its nexus with resources, either directly or indirectly. A survey of recent fines, penalties, and repayments made by research universities provides perspective on the magnitude of this direct exposure:5


Table 1

Survey of recent fines, penalties and repayments made by research universities

(Dollars in Millions)

Institution          Issue                         Amount
UW                   medical billing                 35.0
Minnesota            misuse of federal grants        32.0
Texas                medical billing                 20.0
Thomas Jefferson     medical billing                 12.0
Yale                 medical credit balances          5.6
Northwestern         effort reporting fraud           5.5
South Florida        improper research charge         4.1
Johns Hopkins        effort reporting                 2.6
Stanford             inflated overhead costs          1.2
Chicago              research fraud and abuse         0.7
Duke                 sexual harassment                0.5
Michigan             conflict of interest             0.1

Indirect connections also exist. For example, it is clear that costs rise if sponsors ratchet up compliance requirements or increase the rigor and frequency of audits, demanding significant resources to respond to external reviews of University procedures.

At the end of the day, however, it is not about resources, but the leadership role that the University can play in discovery and teaching. The report of the UW Medicine Board Review Committee suggests that the stakes are high: “Even as this cloud disperses, the institution still faces risks; UW Medicine cannot afford to be vulnerable to another Federal inquiry that finds shortcomings in the faculty’s commitment to compliance with laws and regulations….UW Medicine’s growing leadership role in national medical research, global health, and many other areas could be threatened…”6 This is true of the broader university, too.

The objective of this paper is to ensure that the UW creates an excellent compliance model built on best practices, while protecting its decentralized, collaborative and entrepreneurial culture. This paper lays out a conceptual framework for thinking about risk management. The framework is followed by information on models used by other universities, including four case studies. An evaluation of the UW’s current situation comes next. Finally, the paper argues that a collaborative, institution-wide model works the best, and proposes recommendations for implementing that approach.


CHAPTER I: FRAMEWORK

There are two models which might serve as a framework for the UW. The first is enterprise risk management (ERM), which views risk holistically rather than functionally, covers all risk types, and takes an institution-wide perspective. This approach integrates risk into the strategic deliberations of senior leaders and Board members. The second is a centralized compliance model which ensures that the Federal Sentencing Guidelines are met. This approach, while institution-wide, focuses exclusively on compliance.

While centralized compliance management and enterprise risk management are both university-wide, they vary in a number of important aspects. First, their scopes differ. Integrated compliance programs are concerned about compliance with law and regulation; ERM focuses broadly across all risks: compliance, financial, operational, and strategic. Second, their objectives differ. Integrated compliance programs are about the control of the institution’s activities. ERM, on the other hand, integrates risk into an institution’s strategic plans with the goal of achieving an appropriate balance of risk and return. Third, their benefits differ. Integrated compliance programs, if based on the Federal Sentencing Guidelines, provide potential protection from federal penalties. ERM does not necessarily provide that benefit, although it may if integrated compliance programs, such as the one emerging in UW Medicine, are sheltered under its umbrella. The distinctive benefits of ERM include improved communication on risk among senior leaders and Board members, which leads to more informed decisions, better allocation of resources, and stronger governance practices.7

Before discussing these two approaches, this chapter defines risk and the risk cycle, distinguishes the roles of the audit, risk management and compliance functions, and sets out the three parameters (scope, organization and philosophy) that shape a risk management framework. Enterprise risk management and centralized compliance management are then discussed in turn, and the chapter closes by summarizing the main distinctions between them.

Key Terms and Questions

Before describing these two models in more detail, some key concepts that guide an institution’s posture regarding risk are provided. First, risk is defined. Second, the risk cycle is explained. Third, the difference between the roles of the audit, risk management and compliance functions is described. The three parameters that shape a risk framework then follow.

Risks are the uncertainties that may impact an institution’s ability to reach its goals. Risk management at its core consists of four actions, which are referred to as the risk cycle: identification, assessment, mitigation, and monitoring, performed iteratively. This risk cycle resembles the plan-do-check-act cycle that characterizes good management practice.

Figure 1

Risk Cycle

Collaborative Enterprise Risk Management 1


Audit, risk management, and compliance are often separate functions that cover one or more parts of the risk cycle. Auditors identify, assess and monitor risks. They do not cross the line into management or mitigation of risks, believing that this act impairs their objectivity. Auditors have traditionally focused on financial, compliance and operational risks, but do not comment on the quality of the academy’s work, such as delivery of patient care or academic misconduct. Auditors are trained and certified accountants and information technology professionals. Risk managers cover all four steps in the complete risk cycle, including mitigation. Many risk managers have legal or insurance backgrounds. Due to this experience, risk managers rely on data and statistical analysis to inform their mitigation plans. For some time, hospitals have practiced rigorous risk management, driven by concern with patient safety and accreditation. Like risk managers, compliance officers also cover the full risk cycle. Sometimes the role of the compliance officer is advisory, although it may include decision-making and enforcement, particularly in hospital settings. Compliance officers can either cover broad institutional compliance, or a more narrow compliance area such as research. Frequently compliance officers are attorneys or auditors.

There are three basic parameters that shape the risk management framework: scope, organization and philosophy.

The first parameter is the scope of the risk framework, both coverage and risk type. Will the program be institution-wide or targeted at a school, college or unit? Will it include all risks (compliance, finances, operations, and strategy) or be focused on a particular category of risk, such as research compliance?

The second parameter is the organizational structure for administering the risk program. Will there be a central officer with oversight responsibility for compliance management? If so, will that officer have a separate identity, or will s/he be part of another central function, such as audit or the Office of Research? If there is a separate identity, where will the central compliance officer report, such as the Board of Regents’ Audit Committee, President, or Treasurer of the Board? Will all compliance officers be part of that central function, or will some be distributed throughout the institution’s operational units? If there is no central compliance function, how will the distributed compliance functions of the institution be coordinated? If policy, advocacy, operations and

The third parameter is the philosophy of the program. Is the preferred approach focused on enforcing law and regulation, a control model? Or does the best approach encourage cooperation between faculty and staff to develop flexible compliance approaches, a collaborative model? What role does the compliance officer play: a truant officer or a trusted advisor? If the model is collaborative, what are the consequences for a member of the community who willfully operates outside the agreed boundaries, and who administers these consequences?

Enterprise Risk Management

All universities practice risk management, but their practices vary. The risk management approach chosen by an institution ranges from insurance to enterprise risk management over a continuum of practices.

The first or basic practice is risk transfer through insurance. Management of risk at this point on the continuum is usually ad hoc and reactive.

A second and more robust approach to risk management proactively identifies and mitigates specific risks, such as safety issues for human research subjects. These individual risk management functions are usually distributed throughout an organization, resulting in risk silos or stovepipes. A risk silo frequently works well within its own walls, but does not have strong communication lines to other parts of the organization. This may yield suboptimal decisions.

The most advanced point on the continuum is called strategic or enterprise risk management (ERM), which integrates risk into the organization’s strategic discussions and is the first model for consideration as a UW framework. It is the process by which leaders do two things: assess major risks and decide what to do about them. This assessment is done in the context of the organization’s strategic objectives. Enterprise risk management8 views the university as a portfolio of activities with attendant risks. “While still new in its development, the discipline impels an organization to integrate risk into …planning….”9 and operations, focusing on the interrelations of important risk factors across the organization’s activities.


In a university, ERM helps to create a synergistic organization which is bigger than the sum of its parts, a place where students learn, scientists discover, musicians compose, and patients thrive. ERM helps to provide the common awareness across an organization that allows individuals to focus their attention on the risks which have strategic impact.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has published the benchmark model for enterprise risk management.10 COSO is a member organization which has defined best practices and provided guidance to American organizations on internal controls. It is sponsored by the American Accounting Association, the American Institute of Certified Public Accountants, Financial Executives International, the Institute of Management Accountants, and The Institute of Internal Auditors.

In 2001, COSO initiated a project, and engaged PricewaterhouseCoopers, to develop a framework that would be readily usable by managements to evaluate and improve their organizations’ enterprise risk management. In September 2004, COSO published Enterprise Risk Management – Integrated Framework. This model focuses on achieving institutional goals, standardizes ERM language, key concepts and tools, and provides a basis for implementing and evaluating ERM. Standard tools include risk maps, control footprints, and monitoring plans.

The eight interrelated elements in the COSO model do not form a linear, serial process. Rather, “…it is a multidirectional, iterative process in which almost any component can and does influence another.”11 The elements are internal environment (tone, philosophy), objective setting (strategic goals), event identification (risks and opportunities), risk assessment (likelihood and impact), risk response (avoid, accept, reduce or share risk), control activities (policies and procedures), information and communication (up, down, across and around), and monitoring (data, metrics, audits). Each of these elements contributes to overall enterprise success.

1. Internal Environment. Every organization has a culture which influences how risk is perceived and handled. The values of an organization form the overarching frame within which a philosophy for risk management evolves. The risk conversation begins here.

2. Objective Setting. The risk conversation continues by clarifying the strategic objectives of the institution. Enterprise risk management is about managing a limited number of key risks, which threaten the ability of an institution to meet strategic goals.

3. Event Identification. The risk conversation proceeds with a discussion of the internal and external forces which will affect the institution’s success in meeting its strategic objectives. This is an on-going identification process to which any member of the community may contribute.

4. Risk Assessment. Leaders focus on a limited number of risks with a high likelihood of occurrence and a high impact on the institution’s reputation and resources.

Risks can be categorized into four types, sometimes called risk pillars: compliance, financial, operational, and strategic. A risk mapping process is a helpful tool to distill out the important risks in each “pillar” and discuss possible risk reduction strategies.

A risk map is a visual tool that arrays each risk based on its impact on the institution and its likelihood of occurrence. For example, noncompliance in faculty effort reporting could have significant financial consequences. Since the Office of the Inspector General has included effort reporting in its audit plan, the likelihood of occurrence is also high. That would place faculty effort reporting in the high/high or upper right-hand quadrant (see Figure 2 below). Usually senior leaders base their conversations on risk maps which have been completed by knowledgeable campus units or committees.12 These maps can focus on one area of risk, such as compliance or finance, or all risks at an institutional level.


Figure 2

Risk Map

5. Risk Plan or Response. Once the risk map is agreed upon, the conversation shifts to specific actions. Should the risk be accepted (do nothing), avoided (do not pursue the strategy which generates the risk), shared (buy insurance for some or all of the risk), or reduced (clarify policies, introduce training)? Usually this discussion results in a risk plan or response, which identifies responsibilities, timing and budgets. This plan may also contain information about rapid response expectations when unexpected outcomes occur.

Both the risk map and the risk plan are usually shared broadly throughout the institution and with Board members. Often there is a senior leader responsible for championing the entire institution-wide risk process. An experienced consultant or project leader is also needed to ensure speedy and efficient roll-out of the approach.

6. Control Activities. An important element in implementing any plan is clear articulation of the objective (what) and the process (how). A risk plan relies on written policies and procedures to provide these guideposts.

7. Information and Communication. There are many ways that good information flows in an organization, including training, reports, websites, hotlines, meetings, and emails. Information should flow up, down, across and around the entity. A critical factor which ensures good communication is culture: an open culture encourages courageous communication about possible problems, creative communication about solutions, and critical communication about gaps in information or systems.

8. Monitoring and Measurement. A significant contributor to the success of ERM is data-gathering, research, analysis and metrics. The UW risk management staff, both central and UW Medicine, have experience with data-driven programs that might guide such an effort. Monitoring and auditing rely heavily on statistical analysis of data in assessing the strength of compliance systems.

A recent survey by the Risk and Insurance Management Society and Marsh confirmed four benefits from ERM: (1) improved communications on risk taking with stakeholders and the Board, (2) better informed decisions, (3) better allocation of resources to address risk, and (4) stronger governance practices.13

When senior leaders and Board members in an organization integrate risk into their strategic discussions, the organization strengthens its skills in dealing with unexpected outcomes. Not only are big risks reduced, but crisis management under adverse circumstances is also reduced. By focusing on a few critical risks, senior leaders gain time, flexibility, and maneuverability to tailor responses for these eventualities. They encourage talk across silos, reducing surprises and broadening understanding of rapid response plans.


Centralized Compliance Management

The second model which might be used by the UW for managing its compliance and risk is a centralized compliance approach. Rather than encompassing all risks (compliance, financial, operational, and strategic), this model focuses on only one area: legal and regulatory compliance.

Over a decade ago, COSO established a framework to help businesses and other entities assess and enhance their compliance and internal control systems. That framework has since been incorporated into policy, rule, and regulation, and used by thousands of enterprises to better control their activities. It sits alongside the Federal Sentencing Guidelines for Organizations, the federal rules under which courts sentence organizations convicted of federal offenses, including fraud against federally funded programs and the federal government, its agencies and departments. The Guidelines give credit to an organization that maintains an effective compliance program, so adhering to them may protect an institution from severe penalties for fraud.

“Other Federal agencies, including DHHS in 1997, subsequently began to adopt a series of ‘guidances’ or model compliance plans for the healthcare industry based on the Federal Sentencing Guidelines. These guidelines, which were updated in November 2004, identify seven ‘elements’ that constitute an effective compliance program.”14

1. The seven elements of a good compliance program include:

2. Compliance Standards and Procedures. This includes an organizational code of conduct and compliancepolicies and procedures.

3. Role of Organizational Leadership. The governing body and the senior leadership of the institution mustbe knowledgeable about the content and operation of the compliance program. This requires senior leaders topay close attention to compliance matters. It also means that senior leaders must promote a “culture of com-pliance.” In addition, the Board has responsibility for compliance oversight, including monitoring complianceplans, proactively seeking information on concerns, and evaluating information provided. A compliance offi-cer must be designated who is qualified, has access to senior leaders and the Board, and appropriate author-ity, status and institutional respect.

4. Employee Screening. Individuals with a history of legal violations are not to be included in leadership. Bothemployees and vendors should be screened.

5. Training and Education. Compliance standard and procedures should be communicated through training andother information. This is one of the most important elements and includes training of Board, leaders, andemployees. Key components include a systematic education plan, documentation of training delivered, ade-quate coverage of the material, testing of material mastery. Training should be tailored to each position.

6. Internal Monitoring and Auditing. The organization must insure that the compliance program is being fol-lowed. The effectiveness of the program must be evaluated periodically. There must be an anonymous report-ing mechanism. Auditing is very important and should include an audit plan, auditor independence, auditreports, corrective action plans, and repayments. The critical elements in an internal monitoring system areconfidential reporting mechanism (hotline), confidentiality/anonymity policies and procedures, protectionfrom retaliation, alternative communication methods, and tracking. There should be procedures to monitorimplementation and effectiveness of all the compliance elements. In addition, it is emphasized that the organ-izational culture should encourage open communications.

7. Discipline and Incentives. The compliance plan should be supported with appropriate disciplinary actions and incentives. This includes employee evaluations, performance incentives, and disciplinary standards.

8. Response and Prevention. After a violation of law has been detected, the organization must take reasonable corrective action. This includes action plans, follow-up audits and investigations, prompt reporting, and repayment of overpayments.

A number of integrated compliance programs, such as those at the University of Texas System and the University of Minnesota, have adopted the Federal Sentencing Guidelines as their institutional compliance framework.


Summary

The two frameworks suggested for consideration are enterprise risk management and centralized compliance management. Although they are both university-wide approaches, they vary in a number of important aspects, including scope, objective and benefits. First, their scopes differ. Integrated compliance programs are concerned about compliance with law and regulation; ERM focuses broadly across all risks: compliance, finance, operations, and strategic. Second, their objectives differ. Integrated compliance programs are about the control of the institution’s activities. ERM, on the other hand, integrates risk into an institution’s strategic plans with the goal of achieving an appropriate balance of risk and return. Third, their benefits differ. Integrated compliance programs, if based on the Federal Sentencing Guidelines, provide potential protection from federal penalties. ERM does not necessarily provide that benefit, although it may if integrated compliance programs, such as the one emerging in UW Medicine, are sheltered under its umbrella. Distinct benefits which accrue to ERM include improved communication among senior leaders and Board members which supports more informed decisions, better allocation of resources, and stronger governance practices.15


CHAPTER II: PEER UNIVERSITIES

This section of the report will describe the approaches being used by other universities. First, general comments on compliance philosophies, models, and organizations are offered, based on nine universities. Then vignettes on four universities are provided: Stanford University, the University of Texas System, the University of Minnesota, and the University of Pennsylvania.

General Comments

Like the UW, peer universities (and many businesses) are wrestling with the best way to achieve excellence and manage unexpected outcomes. There is no uniformly accepted solution for dealing with risk and its related functions (audit, compliance and risk management). Each organization is adopting approaches which work for that particular entity.

Queries about which universities are ahead of the pack revealed four names consistently: Stanford University, the University of Texas System, the University of Minnesota, and the University of Pennsylvania. Others mentioned were Massachusetts Institute of Technology (MIT), Johns Hopkins, Northwestern, Vanderbilt, and Washington University.

The following generalizations can be made about these nine universities based on an assessment of their approaches and procedures.

Philosophy. Institutions array themselves along a continuum from “corporate” to “collaborative.”

The “corporate” philosophy focuses on structure: clear accountability, separate compliance organizations, heavy monitoring in addition to that done by the line units and auditors, and serious consequences for poor compliance. It is based on the premise that compliance is only possible by adding layers of monitoring and sanctions and presumes that people cannot be trusted to do the right thing. Compliance problems are usually due to gaming of the system and sub-optimization by faculty and staff.

The “collaborative” philosophy focuses on processes and outcomes: informal leadership roles, integration into management responsibilities, use of compliance committees, and encouragement of open communication. It is based on the premise that compliance is more likely in an open and safe environment where administrators take the lead in identifying and solving compliance problems and presumes that people will do the right thing if they have the information and encouragement to do so. Compliance problems are usually due to gaps or misalignment in processes, information and incentives.

Model. Only one university is moving toward “full” enterprise risk management, covering all risks (Stanford), although three others have some of the elements in place (Minnesota, Texas, Penn). Three are using a centralized compliance model (Texas, Minnesota, Penn). One is using a centralized compliance model for research compliance only (Northwestern). Most have designated some central unit with compliance responsibility, such as audit.

Organization. Most university-wide compliance functions are organized under internal audit. About half have audit/compliance units reporting to the Executive Vice President for Business and Finance, but with access or dual reporting to the Board and President; one is in the Office of General Counsel, and the rest report to the President and the Board.

Most have cross-functional compliance committees.

Stanford University

Philosophy. Steven Jung16, Director of Audit and Institutional Compliance, Stanford University, is an auditor who sees his role as helping management to make good decisions. His flexible style, audit skills, and reputation have made it possible for him to build one of the preeminent audit and compliance organizations in the country. Believing that forced compliance is not effective, he has piloted collaborative approaches, persuading Stanford administrators that his ideas are just good management.

Model. Stanford, under the quiet guidance of Mr. Jung, is engaged in what he jokingly describes as “stealth enterprise risk management.”


He puts it bluntly: “There are really only two approaches. One is a bureaucratic model dependent on many compliance officers, and the other is a collaborative model which brings together the right people to solve problems. The former relies on structure and position; the latter relies on relationships and trust. The bureaucratic model would not work at Stanford.”17

Given his point of view, it is not surprising that Mr. Jung began offering facilitated problem-solving sessions to handle knotty “audit” problems with institution-wide implications. This led to the voluntary use of risk and control self-assessments throughout Stanford.

He followed this initiative with enterprise risk assessment, the first step in enterprise risk management. This approach brings top managers together from across the university for a facilitated group session. The audit department employs a professional facilitator for this purpose. During the facilitated sessions, an electronic balloting technology is used to vote on the risks, identifying current and emerging risks. The instant feedback stimulates thorough and thoughtful exchanges of views on risk, owing to the anonymity of the voting, the time left for more extensive analysis, the ability to quickly identify areas of agreement, and efficiency.

In the fall of 2005, Stanford moved to “full” enterprise risk management. Mr. Jung developed the proposal in conjunction with Stanford’s new Director of Risk Management. Before working on the proposal, Mr. Jung secured the conceptual support of the Vice President for Business Affairs and Chief Financial Officer and presented the idea to the Stanford Cabinet. Then, he and the Director of Risk Management completed their recommendations. After a final review, the President and Provost formally approved the proposal on September 12, 2005.

Mr. Jung’s recommendations were based on the enterprise risk management model in the Stanford hospitals.

Stanford Hospitals’ Model. The Stanford hospital process begins with an annual enterprise risk assessment by the Audit Department. The Committee on Management Control and Compliance is responsible for working with senior managers on internal controls. This Committee is chaired by the Chief Operating Officer for the hospital. On the Committee are the General Counsel, the Vice President for Billing, the Risk Manager, the Compliance Officer, and other critical leaders. The Committee narrows down the Audit Department’s list to 10 or 12 high priority risks. Each risk is assigned to a responsible manager to handle. In 90 days, that individual reports back to the Committee with a risk mitigation plan. There is follow-up on the plans during the year. This process has been used for ten years, and works well. Risks are identified, mitigated, and drop off the priority list. Others replace them, and the process continues.

Mr. Jung believes that the university-wide approach can work similarly. The risk assessment will be done by the Compliance Committee and other university committees under the guidance of the Audit Department and with input from the Director of Risk Management. The Cabinet, Provost and President will review and prioritize the risks, assigning each critical risk to a Dean or Vice President. He expects that the Cabinet will follow up at least annually, reviewing plans and results for these key risks.

Organization. Mr. Jung reports to the Vice President for Business Affairs and CFO, Randy Livingston, with a dotted-line reporting relationship to the Committee on Audit and Compliance of the Stanford Board of Trustees. He has responsibility for all audit staff at Stanford, including those who work in Stanford’s hospitals. There are 18 auditors, of which four are devoted exclusively to audits at the Stanford hospitals. The remaining 14 auditors cover the non-hospital audits, which represents about 1 full-time equivalent (FTE) for each $60 million in research. (This compares to 9.5 FTE at the UW, or $98.2 million per FTE.)

Mr. Jung believes that the audit and compliance functions can be combined at the institution-wide level if the audit philosophy focuses on problem identification and assistance to management. If the department functions as a “cop,” he believes that it would not work.

Mr. Jung believes that the Audit and Compliance Committee of the Board plays a critical role in developing a culture of compliance; several years ago, the Committee added Compliance to its name, in recognition of the importance of that culture.

Even more important in that regard is the Compliance Committee, which, under Mr. Jung’s leadership, pulls together all the individuals within the University with compliance responsibilities. They meet six times each year for two hours. The attendance is full, and the discussions are lively. The Committee has been successful in identifying emerging risks and cross-silo risks. When a risk is identified, either an individual or a subcommittee is charged with handling it. The Committee is advisory only.


University of Texas System

Philosophy. The University of Texas (UT) System has developed a rich, structured approach to compliance, which knits together its multiple campuses. This approach closely resembles a corporate compliance program. It is hierarchical and relies heavily on a substantial network of compliance officers. Monitoring is a critical part of the compliance officer’s duties. Without constant monitoring, UT System and its Board believe that the cultural pressures are too strong to prevent noncompliant behavior.

Model. Starting in the early 90’s, the UT System experienced a series of compliance failures. It responded by targeting corrective actions at affected processes or organizations. This approach did little to prevent problems in other areas of the System.

By the mid-90’s, the UT System, under Board of Regents directives, inaugurated an initiative aimed at systematic corrections—training of all academic and administrative managers on their financial, operational, and compliance responsibilities. This initiative was viewed as very successful.

Nonetheless, in December 1997, a Medicare billing problem of some magnitude surfaced. At this point, the Chairman of the Board of Regents ordered “…the immediate implementation of a comprehensive institutional compliance program grounded in management providing proactive, ongoing assurance regarding compliance with all laws, rules, regulations, policies, and procedures applicable to the UT System.”18

By 2001, there was no other comprehensive institutional compliance program in higher education. Believing its experience and model to be applicable to other institutions, at that point the UT System published a “how-to” book on institutional compliance programs, entitled Effective Compliance Systems: A Practical Guide for Educational Institutions.19

Model. UT System’s model begins by building an infrastructure, which includes an institutional compliance officer and dedicated compliance staff, an executive committee and a working committee. This introductory phase is followed by actions aimed at compliance awareness. At this point, UT System developed a standard of conduct guide (code of conduct), a general compliance training program, and a confidential reporting mechanism. During the third phase, critical risks are managed through a risk assessment process, identifying and prioritizing these risks. Each key risk is assigned to a single senior-level person, who is responsible for developing monitoring, training, and reporting plans for the assigned risk. The final phase of the UT System model focuses on instances of noncompliance. A formal assurance system is developed for mission critical risks and includes certifications, inspections, agreed-on procedures, audits, and peer review.

The UT System’s compliance program also is periodically evaluated through self-assessment and external peer reviews to ensure that it is still considered “best practice.” If opportunities to improve are identified, renewal action plans are developed to implement necessary changes.

UT System leadership believes that its structured program has reduced negative publicity, fines, external audits and workers’ compensation claims. Kimberly Hagara, Assistant Director for System-wide Compliance, points to the change in organizational culture and speaks with pride of the recognition which the compliance program has received, including safety program awards and the 2003 “Best Practices Award” from the Southern Association of College and University Business Officers (SACUBO), which honored the program as a model for other organizations.20

Organization. UT System has tailored compliance programs at each of its fifteen campuses. At each institution, a compliance officer reports directly to the school’s President, who is responsible for compliance at that institution.

At the System, there is a central office headed by Charles Chaffin, who manages both audit and compliance. He facilitates communication and collaboration among the campuses, and makes sure that good information is available for the executive officers and the Board of Regents.

Mr. Chaffin is the Chair of an Oversight Compliance Committee for UT System, which has responsibility for monitoring the programs of the fifteen campuses. Compliance officers from the campuses sit on this Committee, forming a working group to identify and assess risk, work out details for mitigation, and recommend action to the System Cabinet. This Committee meets at least four times each year. Similar committees operate at each campus.

For key risk areas, such as research, both at the System and the individual campuses, ad hoc committees are chartered to identify and prioritize key risk areas. For high risk areas, current activities are assessed and compared to best practice. An action plan is developed which includes controls, training, communication and monitoring steps. Each action plan identifies responsible parties and completion dates.

University of Minnesota

Philosophy. In 2002, Tom Schumacher, an attorney and experienced litigator, moved from the Office of the General Counsel to create a university-wide compliance function. In his words, he was asked by the President to serve as Minnesota’s “quarterback” for all compliance issues.21

Mr. Schumacher states: “I am here to make it easy for faculty to be compliant. I do NOT monitor” to ensure that compliance is happening. He believes that the role of auditors is to serve as the monitoring and, together with the General Counsel, as the policing arm of the university. The General Counsel’s role is to investigate possible legal issues that raise significant institutional risk or otherwise require an attorney-client privileged investigation. Risk management provides mitigation through insurance. Other University officials, for example the NCAA compliance officer, the equal opportunity and affirmative action officer, and the HIPAA privacy officer, conduct monitoring for compliance issues within their areas of responsibility.

Fundamentally, Mr. Schumacher believes that good compliance is based on adequate education and trust, with appropriate monitoring as verification. Deans and department heads should be enabled and trusted to do their job. To do his job, he needs them to seek his help as a compliance consultant on a broad range of issues. University leadership needs to establish the culture to make compliance a priority, and hold all University members accountable where this trust is violated.

Mr. Schumacher is not a supporter of the “corporate” approach mentioned above, describing it as a high risk for “form over substance” and “expensive.” On the continuum from corporate to collaborative, he places Minnesota in the collaborative space. He agrees that Texas has a more “corporate” philosophy while Stanford displays a more “collaborative” philosophy.

Model for Compliance. Mr. Schumacher states that “…the scope of Minnesota’s compliance program is anything for which the University may be sued, fined, debarred,” and includes University policies designed to ensure compliance with laws and regulations. He defines compliance as “legal risk.” It is not “ethics” as such, nor is it business risk. It is not ERM.

Mr. Schumacher believes that the appropriate structure for a university-wide compliance program is one that aligns with the Federal Sentencing Guidelines. He states that an “…organization must promote a culture that encourages commitment to compliance with the law by minimally…” using those guidelines as a roadmap for compliance.

Mr. Schumacher has identified 24 compliance risk areas. They include access/disability services, agricultural research, animal research, athletics, biohazards, clinical research, conflict of interest, copyrights, environmental health, equal opportunity/affirmative action, facilities/OSHA, fiscal management, grants management, housing, human resources, human subjects research, immigration, information management, tech transfer, privacy/HIPAA, safety/security, student finance, tax, and trademarks.

Each of these compliance risk areas is evaluated against the seven elements of a good compliance program from the Federal Sentencing Guidelines. The purpose of the review is to identify gaps in policy or procedure, lack of clarity on compliance requirements, opportunities for training and communication, procedures out of alignment with University policies, and enforcement issues.

To implement the reviews, a compliance partner has been identified for each risk area. In most cases, the compliance partner already had responsibility for the compliance program in that area, but it may not have been explicit or it may not have been for all elements. That individual takes responsibility for compliance program activities such as facilitating risk assessment, evaluating their program, integrating compliance priorities into work plans, completing compliance reports, and helping to develop program metrics.

The compliance partner may consult with an operational compliance committee which assists with risk assessment, development of the work plans and monitoring.

Models for ERM. Under the leadership of Minnesota’s audit director, the Board of Regents has been having risk conversations. Risk maps have been prepared on key risks, including financial, compliance, facilities, and operations. These maps identify three categories of risk based on impact and probability of occurrence: high (red), medium (yellow) and low (green). Thirty-minute discussions were scheduled six times over a 12-month period.

The compliance discussion was led by Mr. Schumacher. He prepared a single picture of the University’s compliance risk based on risk maps from compliance partners across campus. The biggest risks included in the map were grants (export controls, effort reporting, select agents, billing), technology (system failure, privacy, and security), athletics, environmental health and safety, clinical services and public-private partners (Mayo Clinic, companies). That risk map is shown below.

Figure 3

University of Minnesota Compliance Risk Map

According to Mr. Schumacher, this approach has allowed the Board “…to get their hands around the University’srisks without getting into the minutia.” It is a step on the road to “full” enterprise risk management.

Organization. The responsibility for compliance rests with the Deans and department heads of the various schools, colleges and units. Central functions, including compliance, do not duplicate the work of the “operational responsible parties” to identify, assess, solve, and communicate about compliance problems. For many, but not all, areas there is also a University manager responsible for oversight and enforcement, such as the NCAA compliance officer.

In organizing its central functions, leaders at Minnesota have opted to create separate departments for compliance, audit, and legal counsel, each of which engages in independent monitoring and oversight. The Compliance Officer reports to the President. The Audit Director reports to the Audit Committee of the Board of Regents, and the General Counsel reports to the President and Board of Regents. Oversight for compliance at Minnesota comes from a Compliance Executive Working Group which includes the General Counsel, Audit Director, Human Resources Vice President, University Services Vice President, and the Research Vice President. In addition, oversight for compliance within particular areas flows up through University management. The Director for Institutional Compliance provides information to the Board of Regents’ Audit Committee.


Shown below is a diagram of the key roles and relationships in the operation of Minnesota’s compliance program.

Figure 4

University of Minnesota Compliance Program Oversight

Among the improvements which Mr. Schumacher has facilitated in the last two years are a new on-line Research Compliance Guide, a code of conduct video, an outsourced compliance hotline (integrated phone and web), an automated tool for self-assessment, a matrix of responsible parties for each risk area, and the Compliance Partners infrastructure.

University of Pennsylvania

Philosophy. According to Mary Lee Brown22, the Associate Vice President for Audit, Compliance and Privacy, when the University of Pennsylvania (Penn) rolled out its compliance program in 1997, it was based on a centralized, corporate approach. In response to a string of problems, the President at the time charged staff to seek out best practices in compliance management. As the University of Texas discovered somewhat later, comprehensive compliance efforts had not yet developed in higher education. As a result, Penn turned to corporate compliance frameworks for guidance, adopting a structured program with a central focus.

As senior leaders have changed and the program has matured, however, the compliance style at Penn has become more collaborative. Ms. Brown believes that the values of her organization, which includes three separate departments for audit, compliance and privacy, are reflective of Penn’s philosophy: Excellence, Teamwork, Humanity, Integrity, Community and Stewardship—the first letters of which spell Ethics.

A former compliance officer for Penn who is currently at Microsoft, Mr. Odell Guyton23, remembers the days when Penn had a series of noncompliance problems: a gene therapy death, over-billing problems, financial aid issues, and improper distribution of drugs to athletes. He reports that Penn found that no one wanted to be associated with bad practices and the institution had trouble getting and keeping “…Nobel faculty and sophisticated grants.” Mr. Guyton remembers a Time Magazine cover featuring Penn with the line: Death by Research. That situation led, he believes, to a corporate compliance program that was robust, earnest, and demonstrated results—all important to recover the confidence the institution had lost.

Compliance Model. Compliance at Penn is defined as a set of policies, procedures, guidelines and assistance that communicate standards for employee behavior, provide opportunities to express concerns, detect and prevent violations of law and policies, and predict and correct practices that might lead to future compliance problems.


Since 1997, Penn has based its compliance and audit efforts on the COSO Internal Control Framework and the Federal Sentencing Guidelines, using the seven elements of a good compliance program as a guide. The institution has comprehensive policies and procedures on compliance, and is formulating principles for responsible behavior. At the institutional level, Ms. Brown and her staff (Audit, Compliance and Privacy) share responsibility for compliance issues with the General Counsel. Penn has a human resources monitoring system which includes background checks. There are compliance and operational training and education programs for faculty and staff. There are a number of committees and councils which focus on separate risk areas, such as IRBs and the animal use committee (IACUC).

Mr. Guyton, a former Penn compliance officer, believes that the model at Penn is a good one. He points out that “…in this world, when you are on the radar screen of the regulators, you need a corporate-level structure like Texas or Penn. The regulators are more sophisticated today; if there are problems in one area, they will think that there are problems in other areas.” He cautions that one must be serious before embarking on a compliance effort, because “…you can’t go back. And if it fails, it is really bad. You must introduce a program that is robust, proactive, centralized and effective.” Mr. Guyton went on to note that the model used by Texas requires many people and is expensive.

ERM Model. Dr. Rick Whitfield, previous Vice President for Audit and Compliance at Penn, wrote his dissertation on enterprise risk management, and is considered an expert in the field. Despite that fact, Penn did not aggressively implement the ERM approach in any structured manner, according to Ms. Brown.

Like the other universities featured in this paper, Penn has moved in the direction of ERM. At one point, the University had an Oversight Committee which brought together senior leadership and compliance officers from across the institution to discuss common issues and converse across the compliance silos. While that committee was subsequently abandoned, Penn is in the process of reorganizing this effort as a Compliance Advisory Board to include several Deans and the Vice Provost for Research.

Penn has a new President, new Provost, and new Executive Vice President. Under this leadership team, senior leaders are beginning to consider the broader implications of strategic decisions, balancing risk and return. The principles of ERM have been endorsed by the Board of Trustees, and Ms. Brown expects to see continued interest in integrated approaches to risk management in the future.

Organization. Penn’s compliance functions are organized in a “hub and spoke” manner, according to Ms. Brown. The Office of Institutional Compliance serves as the hub of compliance activities for the University and Penn Medicine. The spokes are the specialized compliance functions and liaisons scattered around the institution, either in the University or Penn Medicine. These functions include the School of Medicine Compliance Office, the University of Pennsylvania Health System Office of Billing Compliance and Review Services, Intercollegiate Athletics Compliance Office, Corporate Tax Office, Office of Affirmative Action, Division of Public Safety, Office of Regulatory Affairs, Office of Environmental Health and Radiation Safety, and Human Resources.

The Deans of the Schools and Colleges are responsible for compliance in their organizations. The Office of Institutional Compliance collaborates with and monitors the work of the compliance officers and liaisons who form the “spokes” of the compliance wheel. The compliance liaison relationship is designed to increase interaction and communication between the Office and the schools and centers institution-wide. Other activities of that Office are communication and education of faculty and staff about compliance risks, identification of actual and potential compliance risks, and collaboration with the community on innovative and effective ways to manage risks.24

The Associate Vice President for Audit, Compliance and Privacy reports administratively to the Executive Vice President, but has direct access to the President of the University and the Board. Other key relationships which require direct reporting include the CEO of the Health System and the EVP/Dean of Medicine. Compliance officers throughout Penn have a dotted-line relationship to the Associate Vice President.

The Office of Institutional Compliance is staffed with three and one-half full-time equivalent staff: a compliance officer, an associate compliance officer, a sponsored projects compliance training associate director, and a support staff person.

It should be noted that there is a separate department under Ms. Brown which focuses solely on privacy issues. This function evolved from a faculty council recommendation in 2000. The unit is staffed with one professional, who focuses on sensitive data and the evolving regulatory landscape, identifying possible vulnerable areas. Among the compliance areas covered by this individual are Gramm-Leach-Bliley, HIPAA and FERPA. This unit also uses a “hub and spokes” liaison approach similar to that used by the Institutional Compliance Department.

In addition, the Audit Department has 15 auditors each of whom covers $50 million in research. (At the UW, there are 9.5 auditors with a coverage ratio of $98 million.) Mr. Guyton mentioned the synergies of the organizational relationship with the Audit Department which allowed the compliance function to stay small and “leverage” off the monitoring work of the auditors.

The areas where Penn targets its compliance activities are research, tax, patient billing, HIPAA, and human resources. Current initiatives include assessing practices on conflicts of interest, developing new tools and education on research risk, identifying compliance liaisons to facilitate communication, and establishing the objectives and structure for the Compliance Advisory Board.

Summary

In summary, the vignettes of four universities have been covered (Stanford University, University of Texas, University of Pennsylvania, and University of Minnesota). Based on interviews with compliance and audit managers at these universities, descriptions of their programs were developed which focus on three elements of compliance: (1) philosophy, (2) model, and (3) organization.

In considering the differences and similarities of these four benchmark programs, the graph below may be instructive. Each institution has developed an institution-wide program. Only one has selected ERM with a collaborative style. The other three have centralized compliance programs. The styles differ with Texas and Penn being more corporate in philosophy and Minnesota being more collaborative.

Figure 5: Approaches to Compliance


CHAPTER III. UNIVERSITY OF WASHINGTON

This paper has emphasized the importance of shared reputation to the campus community and its link to risk. It has also discussed two possible risk frameworks: enterprise risk management and integrated compliance management. The experience of other universities has been described, including detailed comments on four institutions.

Keeping that information in mind, it is time to turn to the University of Washington’s experience. The current state will be described, including philosophy, model and organization, allowing comparison to peer universities (see vignettes above). This will be followed by a discussion of the future risk climate. Weaknesses of the current model will be identified, and lessons learned from recent noncompliance events will be summarized.

Current philosophy.

The University of Washington (UW), like Stanford and Minnesota, has developed a collaborative, decentralized approach to management, including management of compliance and risk. As noted above, this approach targets processes and outcomes and relies on informal leadership and open communication. UW administrators frequently work together across organizational lines to resolve compliance problems, with the goal of furthering the business of the University.

The UW’s formal risk management policy, in place since 1984, makes it clear that the goal is “… to reduce the risk of … accidental loss or injury to the greatest extent feasible, consistent with the carrying out of the University’s mission of teaching, research and public service.” The intent is management of risk without impeding essential University programs.

Likewise, the Charter of the Department of Audits, adopted by the Board of Regents, makes it clear that auditors also work in a collaborative mode to address institutional problems. That Charter states that it is the “… mission of Internal Audit is to assist the Board of Regents and the University management in the discharge of their oversight, management, and operating responsibilities. This is accomplished through independent audits and consultations designed to evaluate and promote strong systems of internal controls, including effective and efficient operations.”

This same philosophy was echoed in the recent report from the UW Medicine Board Review Committee. That document states: “One key to success is the philosophy of the Compliance Programs at UW Medicine. Ideally, the Compliance Program is seen as working in partnership with physicians rather than simply enforcing rules. The focus is on supporting the physicians and staff with training, information, and performance feedback to enable them to comply with regulations and policies.”25

Current Approach to Risk Management.

As noted above, there is a continuum of possible risk management approaches.26 The UW has moved beyond the basic insurance approach, which is usually reactive and ad hoc, and is proactively engaged in identifying and managing specific risks. As is typical for this approach, responsibility for these specific risks is distributed among the institution’s organizational silos. The central audit and risk management staff work across these institutional silos, providing independent advice and expertise to campus administrators.

However, the UW does not formally integrate risk and compliance into its strategic conversations at the university-wide level. Furthermore, there is no dedicated audit or compliance committee of the Board of Regents to provide oversight for compliance and risk management. Each of the universities described above had such a committee.

Although the University has not adopted enterprise risk management, it has taken a number of steps in that direction. UW Medicine is rolling out an integrated compliance structure. The Federal Sentencing Guidelines serve as guidelines to the effort. Athletics is focused strongly on developing a common language and philosophy on ethical behavior and compliance. The Director of Audit and the Executive Director of Risk Management have initiated risk mapping pilots and studied ERM. The Director of Health Sciences Risk Management is working with management to assess the feasibility of “enterprise risk management” for the medical centers. Financial Management and Planning and Budgeting have formed a taskforce on financial risk management, forming action teams with campus administrators.


Current Organization.

UW has a long history of managing risks. Scattered throughout the institution are individuals and operations tasked with compliance, audit, or risk management responsibilities. These separate efforts are done well. “Mistakes” are corrected; procedures, business rules and processes are re-engineered to reduce the likelihood of “risky business.”

Audit. The Department of Audits was formed in the late 1950s. The Department functions under the authority of the Finance, Audit and Facilities Committee of the Board of Regents. Operationally, the Director of Audits reports to the Treasurer of the Board and has access to any senior leader or Board member.

The mission of Internal Audit is to assist the Board of Regents and the University leadership in the discharge of their oversight, management, and operating responsibilities. This is accomplished through independent audits and consultations designed to evaluate and promote strong systems of internal controls, including effective and efficient operations.

The Department deploys its staff based on an annual risk assessment and audit plan, which identifies and assesses compliance, financial and operational risks. The department’s scope includes all University of Washington units, except the Medical Centers.

UW internal auditors are concerned with any phase of University activity in which they may be of service to management, including going beyond the accounting records to obtain a full understanding of operations under review. The Department has a good track record for alerting units (and the University administration) of opportunities for improvement, serving as an early warning system. For example, of the 14 points made during a recent federal review, nine had been noted in an earlier report by Internal Audit.

It is worth pointing out that the Audit Department is quite lean. With 9.5 FTE, each auditor must cover $98 million in research. On average the eight public peer universities have 10.3 FTE with each auditor covering $50 million in research. The private institutions are even more deeply staffed. Stanford, for example, has 14 university-based auditors for coverage of $60 million. Johns Hopkins has 24 FTE, with each auditor covering $69 million in research. University of Pennsylvania has 23 FTE, with research coverage of $32 million.

In addition, since 1999, the Medical Centers have had one auditor. While there is a good working relationship between UW Audits and Medical Center Audits, there is no formal relationship between the two units. Furthermore, there is no clear understanding about the role, if any, of the audit department with affiliated organizations such as the UWP, SCCA, or Children’s.

Risk Management. The University has an extensive risk management system. The Office of Risk Management provides a full range of services in the areas of risk financing, liability claims management, Workers’ Compensation, and discrimination complaint investigation. In addition, the office consults with units on risk reduction techniques, contractual risk transfer mechanisms and other risk management issues.

Authorized to self-insure by 1976 legislation, the University has chosen to retain predictable losses in the areas of professional liability, general liability, automobile liability and employment practices liability. Less predictable losses are commercially insured under approximately 60 policies, such as marine, aviation and real property. The University does not insure or self-insure a number of exposures, including business risks, directors and officers liability or construction disputes. Self-sustaining departments are responsible for payment of premiums, per claim deductibles or both, thus raising the awareness of the potential for loss and the financial impact of loss.

In 2002, the University incorporated its own insurance company, Portage Bay Insurance (PBI), to manage its retained self-insurance funds and to allow the University to access the reinsurance market for catastrophic coverage. This risk financing strategy significantly increased competition among commercial insurers for participation in the University’s excess program, resulting in reduced premiums, improved terms of coverage, and diversification of underwriters. PBI is directed by a board of UW employees having expertise in risk and financial management as well as outside directors with considerable industry experience. PBI serves the University exclusively.

The Health Sciences Risk Management (HSRM) program serves the six schools of the Warren Magnuson Health Sciences Center, focusing on adverse event management, risk analysis, risk management education and consultation. HSRM is data-driven, analyzing the 12,000 event reports received annually from the hospitals and School of Medicine to develop and monitor management plans.


In the School of Medicine, an Associate Dean oversees the various risk management activities and functions of the School. A Claims Review Committee identifies clinical practice corrections needed to avoid recurrence of losses and to raise the awareness of the Health Sciences community regarding the nature and causes of significant losses. A Patient Safety Committee discusses strategic risk management policies and systems and monitors performance metrics. A Sites of Practice Committee evaluates proposals from School of Medicine departments to place faculty, residents or students in non-UW facilities for practice or education, considering the risks and rewards of each proposed placement review of clinical competency.

Legal. The University Division of the Attorney General’s Office provides legal advice and counsel to all University campuses and programs. It helps the University make wise risk decisions by advising on the range of legal consequences of possible management decisions and the relative advantages of legal strategies. The division provides a broad spectrum of legal advice and representation. It is staffed by 14 Assistant Attorneys General and extends appointments, when needed, to private practitioners having a legal specialty required by the University.

Compliance. The UW has a number of institution-wide compliance functions which provide targeted services. Four of these functions are particularly critical to the wellbeing of employees and research subjects: Institutional Review Boards, Environmental Health and Safety Department, the University Police Department, and the Office of Emergency Management. These functions will be described below. In addition, the UW Medicine Board Review Committee Report, Achieving Excellence in Compliance, is an excellent source of information on the current compliance program of UW Medicine and its future direction.

The UW has four institutional review boards (IRBs), organized within the Human Subjects Division of the Office of Sponsored Projects under the Vice Provost for Research. In partnership with researchers, IRBs protect the rights and welfare of human research subjects recruited to participate in research activities conducted under the auspices of the University of Washington. The IRBs have the authority to approve, require modifications in, or disapprove all research activities that fall within their jurisdictions as specified by federal regulations, state law, and institutional policy.

The Environmental Health and Safety Department assists University units in meeting their responsibility to protect the environment and to provide a safe and healthful place of employment and learning. The department was established in the 1940s and reports to the Executive Director of Health Sciences Administration.

The University Police department has the exclusive responsibility to act upon law enforcement matters and perform police functions for the Seattle campus of the University. Police personnel are sworn peace officers, performing the same services as those of any municipal police agency. They investigate all crimes and enforce federal, state and local laws as well as WAC rules within the University’s jurisdiction. The first UWPD officer was hired in 1902. The department reports to the Associate Vice President for Business Services.

The Office of Emergency Management, which also reports to the Associate Vice President for Business Services, develops and implements programs in emergency planning, training, response, and recovery for all UW campuses. It links University plans to those of the city, county, state and federal agencies, and manages UW’s participation in multi-agency disaster drills.

Future Risks

Before contemplating changes in the university-wide approach to compliance and risk management, it seems prudent to ask if future risks will mimic the past. In seeking an answer to that question, opinions were sought from senior higher education leaders, the staff of the Council on Governmental Relations (COGR), UW administrators (annual risk survey by Director of Audit), and managers of audit, risk management and compliance functions at peer universities.

Those interviewed believe that the future will be even more challenging than the past due to the increased pressure on the Federal budget, shifting national priorities, and continued citizen concern with the cost of higher education and health care. In this environment, an expanded role for oversight and regulation is likely.

When queried about their “worry list”, these leaders27 identified the following list of key risks: research compliance, billing compliance, information security and privacy, conflicts of interest or commitment, affiliate relationships, vulnerable populations, employment, and athletics.


Current Model Weaknesses

The UW approach to managing compliance and risk has been described above, including philosophy, model and organization. The future risk climate has also been briefly covered. Next, possible weaknesses in the status quo are explored through a series of questions.

First, due to the size, decentralization, and complexity of the institution, a proliferation of compliance, audit and risk management activities has grown up around separate and distinct risk areas, each largely operating in a self-defined stovepipe. How can these stovepipes be encouraged to communicate, and to take a consistent, institutional point-of-view?

Second, when compliance, mitigation, operations and policy activities are organized under one manager, it creates the potential for competing or conflicting agendas. How should these organizational conflicts be resolved?

Third, does the UW have the right balance between “risk” and “return” in its senior management and governance deliberations? Is the risk voice loud enough to be heard? If not, why not?

Finally, there is no common language, philosophy, or objectives to guide individual decisions and communication. How can the institution’s entrepreneurial, decentralized strength be sustained while ineffective or suboptimal behavior is reduced?

Lessons Learned

The Director of Audit evaluated seven recent UW problems, including issues with research compliance, billing compliance, vulnerable subjects, state IT compliance, financial misadventures, and privacy. She discovered persistent patterns across the cases, identifying thirteen reoccurring root causes. For the purposes of this discussion, these root causes are classified into one of four categories: leadership, organization, knowledge and culture.

Figure 6: Root Causes for Noncompliance at the UW


The number of cases in which a root cause featured is noted in ( ) in the lists below.

Leadership—29% of the root causes were due to leadership issues. These include:

Problems not elevated to the appropriate level of management. (4)

Significant problems are recognized and communicated within an organization, but not to a manager with enough expertise or clout to take proper action.

Concerns not addressed. (2)

Employees raise issues and concerns to management but no recognition or action is forthcoming.

No management ownership of problems. (2)

Lines of responsibility and accountability are very narrowly drawn; usually tied to workload pressure or lack of understanding of diverse University policies and procedures.

Institutional compliance perspective and direction is unclear or weak. (4)

The institution lacks a strong and explicit message that compliance is expected and required.

Organization—28% of the root causes were due to organizational issues. These include:

Compliance infrastructure is not apparent to employees or external regulators. (3)

There is no single ‘touch point’ where an interested party can easily gain an understanding of who manages compliance and where it is managed.

Compliance roles and responsibilities are not clear; ‘it’s not my problem.’ (3)

There is confusion regarding who is ultimately responsible for compliance among many staff and faculty. The result in many cases is that the wrong person or no one takes responsibility.

Compliance procedures are opaque, unclear, missing or contradictory. (3)

Clear guidance on compliance may be difficult to find or be missing altogether.

Compliance expertise is in stovepipes. (3)

The University’s compliance expertise and responsibilities are decentralized in functional stovepipes, making it difficult to determine where to go for guidance.

Knowledge—15% of the root causes were due to knowledge issues. These include:

No place to voice concerns. (2)

Employees fear retaliation for raising problems and concerns. Although a problem is identified, management never hears of it.

Problems are not recognized as problems; we don’t know what we don’t know. (5)

Management lacks the necessary expertise and knowledge to recognize problems in the making.

Culture—27% of the root causes were due to cultural issues. These include:

Faculty and staff are deliberately non-compliant. (3)

Faculty and staff know of procedures and policies but refuse to comply.

Low compliance consciousness in faculty and staff. (4)

Compliance as an operational imperative has not saturated the community.

Special treatment for the few. (4)

Exceptions to significant and critical compliance standards are sometimes allowed.

The findings of the UW Medicine Board Review Committee were consistent with this analysis. The Committee’s Report concludes that the “… most important systemic causes of the problems that led to the Federal bill investigation” were complacency, under-valuing of business functions, limited governance and oversight, lack of rigorous risk assessment, and decentralized management structure.28


The report goes on to say that the most fundamental change that will drive UW Medicine’s future success is cultural change. Of concern to the Committee is the feeling of vulnerability of some faculty and staff, which makes open communication of problems unlikely. Faculty and staff are described as anxious and uninvolved. Another troubling aspect of the culture identified by the Committee is the tendency to discount or deny the need for compliance and to discount the importance of administrative work.29

Preliminary data from a campus survey conducted as part of the President’s Leadership Initiative also intersects with these findings. Respondents to the survey report a high level of fear.

It is worth noting that cultural and leadership issues feature prominently in all three studies.


CHAPTER IV: A COLLABORATIVE ENTERPRISE RISK MODEL FOR THE UW

This paper has described the philosophy, model and organization that the UW currently uses for compliance and risk management. The risks that are likely to face the institution in the future were identified through interviews with leaders in higher education. The weaknesses of the current system were identified. The systematic causes of seven recent noncompliance events were analyzed.

This section of the paper lays out a framework for the University of Washington. To begin that process, a set of guiding principles is proposed. These principles are followed by recommendations and an implementation plan. The paper concludes by evaluating the likely impact of the recommended actions on the institution, mapping the recommendations to the root causes and guiding principles.

Guiding Principles

These guiding principles build on the high-level objectives at the beginning of this paper, adding descriptive statements to clarify the intent. They are intended to serve as criteria for evaluating the recommendations.

The proposed actions should:

1. Foster an institution-wide perspective.

o Focus leaders on a handful of major institution-wide risks, which are integrated into the UW’s strategic plans.

o Encourage problem-solving and collaboration across stovepipes.

o Develop a common risk language and philosophy.

o Create an early-warning system for emerging risks.

o Manage with facts and data.

2. Ensure that regulatory management is consistent with best practices.

o Benchmark with progressive peer universities.

o Consider the Federal Sentencing Guidelines.

o Address root causes of UW’s recent problems.

3. Protect UW’s decentralized, collaborative, entrepreneurial culture.

o Build on the strengths of the current audit, compliance and risk management programs.

o Target good stewardship, rather than “compliance for compliance sake,” or “compliance policing.”

o Keep it simple, understandable, effective, and efficient.

Recommended Actions

Recommended actions are laid out in this section of the paper. In evaluating these seven recommendations, the three guiding principles described above are advanced as criteria: the successful proposal must (1) foster an institution-wide perspective, (2) ensure that regulatory management is consistent with best practices, and (3) protect UW’s decentralized, collaborative, entrepreneurial culture. The proposal should also address systematic problems inherent in the UW’s present risk structure.

Recommendation #1: Integrate key risks into the decision-making deliberations of senior leaders and Regents.

Key Elements—#1

Charter a President’s Advisory Committee of senior leaders to oversee and focus attention on improving the UW’s culture of integrity and compliance. This Committee will consider the following actions:

o Engage in a risk mapping process at least annually, developing and tracking plans to address issues with “high impact” and “high likelihood.”


o Initiate an annual risk dialogue with President’s Cabinet, Board of Deans, Faculty Senate, and other key bodies for the purpose of sharing major risks (UW Risk Map), seeking feedback, and reporting on progress (UW Risk Plan and Risk Dashboard).

o Analyze events of unethical or noncompliant behavior, recommending changes in policy, organization, or information to prevent repetition.

o Coordinate with other initiatives (such as Leadership, Culture and Values and Undergraduate Student Experience) to strengthen the leadership and culture of integrity and compliance. Possible common work might include a UW Code of Conduct.

o Update the Board of Regents periodically.

Implementation—#1

It is proposed that the enterprise risk management approach at the UW be called Strategic Risk Management (SRM). The President’s Advisory Committee on Risk Management will serve as the Steering Committee for the Strategic Risk Management initiative, providing oversight and focus. It is expected that the risk identification, planning, and mitigation processes will draw on the community’s ideas and information and that activities of the Committee will be transparent at all points.

It is expected that the President’s Advisory Committee will set aside time annually for risk mapping and planning. Analysis of events of unethical or noncompliant behavior will be studied for “lessons learned,” recommending changes in policy, organization, and practice to prevent repetition of the undesirable outcome. To proactively monitor its plans, the Committee will develop metrics on initiatives and a risk dashboard of key indicators. Coordination with other Presidential initiatives will be undertaken, with a particular focus on leadership and culture. The Committee will initiate an annual risk dialogue with campus leaders and the Board of Regents, sharing progress on the mitigation of major risks and reinforcing the institutional commitment to a culture of compliance and integrity.

It is proposed that the staffing for the President’s Advisory Committee and the facilitation of the campus conversation on SRM be handled collaboratively by the Office of Risk Management and the Department of Audits under the guidance of an Oversight Team (OT). It is recommended that a project manager and analyst be hired to organize, pilot, and manage the initiative, and that targeted consulting resources be used as needed. It is suggested that the Oversight Team include the Vice President for Financial Management/Treasurer of the Board of Regents, as sponsor, the Executive Director of the Office of Risk Management as team lead, and up to four additional members; candidates would probably be individuals with significant audit, risk management and compliance responsibilities such as the Executive Director for Health Sciences Administration, Associate Vice President for UW Medicine Compliance, Associate Vice Provost for Research, and Director of Health Sciences Risk Management.

It is proposed that the Risk Map and Risk Plan be discussed with the Board of Regents.

Recommendation #2: Create an integrated, institution-wide approach to compliance which is consistent with best practice.

Key Elements—#2

Designate the Director of Audit as the central person responsible for coordinating compliance awareness across campuses, with the title of Director of Audits and Compliance.

Establish a Compliance Council chaired by the Director of Audit and Compliance, which will

o Identify and prioritize current and emerging compliance issues, recommending appropriate actions to the issue owner and/or senior leaders.

o Identify issue owners and establish a matrix of responsible parties for each risk area (UW Risk Matrix).

o Support and advise the President’s Advisory Committee (see #1 above) as subject matter experts on compliance.

o Ensure that all senior administrators are educated and aware of compliance and risk issues.


Implementation Detail—#2

It is recommended that the Director of Audit be formally designated as the coordinator of UW compliance work, and that the position title be changed to reflect that responsibility. It is further proposed that the President appoint a university-wide Compliance Council, chaired by the Director of Audits and Compliance, made up of the persons functionally responsible for compliance in the areas such as those listed below. Representatives from the Attorney General’s Office, Risk Management, and administrative deans should also be included. Key compliance areas that have currently been identified include:

Table 2: UW Compliance Areas

The primary purpose of this Committee will be to meet at least six times annually to identify, assess, and prioritize current and emerging compliance issues, recommending appropriate action to issue owners and/or senior leaders. This will include serving as consultants on compliance and risk to the President’s Advisory Committee on Risk Management. The Compliance Council will ensure that its members are knowledgeable about pertinent risks of non-compliance from internal and external sources. Committee members should also be responsible for consulting with and keeping the policy makers apprised of compliance issues within their areas. To facilitate their work, the Council will identify issue owners and establish a matrix of responsible parties for each risk area (UW Risk Matrix), which will be broadly published.

Recommendation #3: Ensure that good information is available to the campus community.

Key Elements—#3

o Introduce a brief electronic newsletter on emerging issues.

o Establish a web portal on key compliance issues. Include newsletters, hotlinks to related websites, the UW Risk Map(s), the UW Risk Plan, and the UW Risk Matrix.

o Include training, communication, policies and expected behavior in action plans for key risks.

o Share information among the stovepipes through the Compliance Council.

Implementation Detail—#3

The Compliance Council (see Recommended Action #2 above) will sponsor a compliance website to provide to any interested party an easily accessible, one-touch spot for information on the University’s compliance infrastructure and controls. Website content will include functional offices and officers for compliance areas, compliance responsibilities by role and unit, compliance policies and procedures, sources for additional information on compliance, and a link to the compliance helpline.

The Council will also sponsor a brief electronic newsletter on emerging and important compliance issues.


Recommendation #4: Create a safe way for interested parties to report problems.

Key Elements—#4

o Contract with an outside party to manage an anonymous hotline (phone and web).

o Set up a website with information on where to take problems.

o Introduce an early intervention program.

Implementation Detail—4

A well-publicized compliance helpline and web-contact service is proposed to give employees and stakeholders a direct means for reporting compliance issues and concerns to senior management, anonymously if desired. A web-contact service is suggested to allow complainants to remain anonymous while still communicating with University representatives through a service-hosted chat room. The Departments of Audits, Risk Management, and Human Resources will initially review each contact and determine the appropriate action to be taken. Issues may be referred for action to Internal Audit, Risk Management, Human Resources, the appropriate Compliance Council member, or the Assistant Attorney General, depending on the results of the initial review. The Director of Audits will track all calls, follow up on all actions, and log the final disposition of calls.

In addition to the hotline (phone and web), an early intervention program is proposed. The University’s experience proves that when those with a grievance against the institution are given an opportunity to voice their concerns, are listened to in a respectful manner, and are invited to resolve their issues, they are frequently satisfied and decide not to pursue their complaints further. This approach, referred to as Early Intervention, has been successful in many discrimination, harassment and retaliation matters over the years. It is proposed to extend this approach to complaints with serious compliance or other legal liability issues.

The Early Intervention model works because it does not require complex fact-finding. Furthermore, it is safe since complainants at risk (i.e. employees or students) may complain anonymously. It allows time to fix the problem. And, it does not create a new bureaucracy.

The process is relatively simple. A complainant contacts UW, perhaps anonymously through the Compliance Council’s 24-hour telephone hotline or confidential web-based helpline. If the complaint potentially presents issues of grave concern to UW (i.e. those that may involve a serious or pervasive violation of a University policy or process or state or federal laws and regulations), the University Complaint Investigation and Resolution Office (UCIRO), Human Resources (HR) and Internal Audit select a case team, which may include representatives from the various compliance offices, the Attorney General’s Office, or others.

The case team develops an action plan. Administrators with authority to implement a corrective action and/or approve a resolution are notified. Next, selected case team members conduct an abbreviated investigation to determine basic facts, including the status of the matter. If appropriate, the case team recommends that any pending disciplinary actions against the complainant be suspended. Education is undertaken to prevent retaliation.

If the complaint is clearly not factually supported, the case team closes the file and advises the involved administrators. Case data is maintained by Internal Audit, which responds to public disclosure requests about the file.

If the complaint is or may be factually supported, UCIRO invites the complainant to mediate. If mediation results in a mutually acceptable resolution, an agreement is drafted and signed by the University and the complainant. If mediation does not result in a mutually acceptable resolution, then the case team recommends action steps based on the facts known, or broadens the investigation as needed. If necessary, Internal Audit monitors institutional compliance with the mediated agreements.

Reporting will occur throughout the process with the administrative offices involved. The Compliance Council will provide a quarterly activity and outcome report to the EVP and Provost. An annual report will also be provided for the risk identification phase of the university-wide risk management process.


Recommendation #5: Minimize surprises by identifying emerging compliance and risk issues.

Key Elements—#5

o Provide an automated tool for self-assessment to campus leaders.30

o Monitor the effectiveness of the Compliance Council, hotline, website and early intervention program in minimizing surprises.

Implementation Detail—#5

Actions recommended above will play an important role in reducing management surprises by identifying emerging compliance and risk issues. The compliance structure in UW Medicine will also contribute to the solution.

In addition, it is recommended that the Compliance Council evaluate automated tools for self-assessment, such as that developed by the University of Minnesota.

Recommendation #6: Maintain a strong audit team with the ability to proactively identify problems and collaboratively recommend solutions to appropriate decision-makers.

Key Elements—#6

o Benchmark the UW audit function against peer universities to advise resource allocation decisions.

o Assess the relationship between the Director of Audit and auditor(s) for component units.

Implementation Detail—#6

It is recommended that the UW staff the Department of Audit relative to the size, complexity, and mission of the institution. It is proposed that peer universities be used as a benchmark for resource deliberations. One possible measure to track over time is the University’s ratio of research dollars to internal auditors ($/FTE) compared to data from the eight peer institutions.

It is further recommended that the relationship between the central audit department and auditor(s) for component units of the UW be evaluated. At a minimum, component units’ auditors should have a dotted line relationship to the Director of Audit.

Recommendation #7: Check progress on compliance and risk initiatives.

Key Elements—#7

o Develop and analyze data for key risks.

o Develop metrics for senior leadership (risk dashboard).

Implementation Detail—#7

The Office of Risk Management, with assistance from the Compliance Council and the Department of Audit, will develop and analyze data on the key risks identified in the annual Risk Dialogue (Risk Map).

The project manager and analyst for the Strategic Risk Management initiative, under the guidance of the President’s Advisory Committee on Risk Management, should develop a UW Risk Dashboard for the use of senior leaders and the Board. Important sources of information and advice in this effort will come from the Compliance Council, the Office of Risk Management, the Department of Audit, and Health Sciences Risk Management, but it is expected that broad input will be sought.

Program Effectiveness

Having laid out a series of recommended actions to initiate a university-wide risk management process and enhance the compliance matrix of the UW, it is important to be sure that these actions are effective.

Root causes. First, how well do the recommended steps solve the systematic weaknesses shown in the root cause analysis?

Leadership accounted for almost one-third of the root causes. Problems were not elevated to the appropriate levels of leadership. Concerns were ignored. At times, responsibility for the problem could not be established. At other times, it was not clear that compliance was expected by the institution.


The institution-wide risk management approach will strengthen the compliance direction of the University. If the tone at the top is clear, if senior leaders are setting aside time to assess and mitigate risk, a strong message is sent to campus and stakeholders. That unambiguous focus on compliance will encourage individuals to elevate their concerns and faculty and administrators to take ownership and address concerns.

Organizational issues made up 28% of the root causes. Employees and external regulators could not see the compliance infrastructure. Roles and responsibilities for compliance were not clear. Procedures were opaque, unclear, missing or contradictory. Expertise on compliance was in stovepipes and not accessible when needed.

The Compliance Council will provide a visible, accessible body with compliance responsibility and expertise. Gaps or lack of clarity in procedures are likely to come up in the Council’s discussions. As the stovepipes learn more about each other, role definition will be improved. The role and procedures problems will not be entirely mitigated, however.

Further clarity will come from the work of the President’s Advisory Committee on Integrity and Risk. The Committee will autopsy noncompliant or unethical events, recommending changes in policy, organization and practice to mitigate the risk of recurrences. The Committee will also initiate a UW Risk Plan to proactively address key risks. It is likely that recommendations on policies, procedures and training will result from that planning process.

Problems stemming from poor understanding or lack of knowledge were 15% of the total root causes. Individuals believed that they had no place to go to voice concerns. Even more significant were the problems which were not recognized as problems.

Several initiatives provide information and a place to go: anonymous hotline, early intervention program, website, and newsletter. As members of the Compliance Council become more familiar with each other, they will be able to guide employees with better information. And, the institution-wide risk management framework will make it “OK” to bring up issues. It is likely that the ability to identify emerging problems will also increase through mutual exchange of information among President’s Advisory Committee and Compliance Council members. Training, which is likely to be part of the UW Risk Plan, may help with problem identification. Finally, a strong audit department and self-assessment tool will provide valuable information on gaps and best practices.

Culture is the most difficult and important of the four categories and accounts for 27% of the root causes. Some faculty and staff are deliberately non-compliant. On the whole, compliance is not considered important by faculty and staff. The situation is exacerbated by special treatment for the few.

Cultural change is difficult and slow. Should the UW enforce rigid compliance with Federal regulations? Are UW leaders willing to make tough decisions when important members of the community refuse to comply? Is it sometimes better to take a risk if compliance presents a significant barrier to accomplishing teaching or research missions? Does the culture of the UW encourage or discourage organizational decisions that make the best use of talents (e.g., suspicions between faculty and staff; discomfort between upper and lower campus; tensions between academic administrators and non-academic administrators)?

The articulation of a philosophy on risk by the President and Board is a starting point in changing culture. Some universities are adopting “codes of conduct” to capture that philosophy. This document is admittedly silent on the best approaches to change our culture.

Guiding principles. Finally, in assessing the effectiveness of the recommendations, the last point of reference to check is the guiding principles. As the evaluation below demonstrates, each of the three principles is met.

The first principle is to foster an institution-wide perspective on compliance and risk. The proposal to begin a university-wide risk dialogue, producing a UW Risk Map, Risk Plan and Risk Dashboard, is consistent with this objective. The formation of the President’s Advisory Committee on Risk Management makes an important statement about the President’s commitment to compliance and provides a forum for senior leadership discussion of complex, institution-wide issues of integrity, risk and compliance. The annual risk dialogue among senior campus leaders and the Board also contributes to the tone at the top, which is critical in the success of any compliance program. The hotline, web directory of “where to go,” and the early intervention program will encourage interested parties to bring forward concerns or information. This information will provide alerts to the right levels of leadership, allowing the issues to be handled without triggering crises. Compliance Council members will gain a much broader perspective from their work.


The second principle is to ensure that regulatory management is consistent with best practices. The recommendations cover the seven elements in the Federal Sentencing Guidelines. The President’s Advisory Committee, working with the Compliance Council, will identify key risks and ensure that they are being addressed. This approach is considered best practice among peer universities and regulators. From that perspective, the annual dialogue on risk and integrity by the senior leaders and Board also constitutes persuasive evidence of the institution’s commitment to good stewardship. Finally, the recommendations are targeted at the persistent root causes of noncompliance, another best practice.

The third principle is to protect UW’s decentralized, collaborative, and entrepreneurial culture. The recommendations build on the strengths of the existing system, suggesting actions that fill gaps in information and procedures, while aligning with the philosophy and values of the institution. Both the President’s Advisory Committee and the Compliance Council are good mechanisms for collaboration, communication and education across organizational boundaries. The elements of the proposal focus attention on compliance, integrity and risk without adding central compliance staff. Instead, the proposal relies on leveraging the knowledge and creativity already in place across the UW.


CHAPTER V: CONCLUSION

In his charge letter of April 22, 2005, President Mark Emmert stated that “…the creation of a culture of compliance needs to be driven by our core values and commitment to doing things the right way, to being the best at all we do.” He went on to say that at the same time “…we need to know that the manner in which we manage regulatory affairs is consistent with the best practices in existence.”

The objective of this paper is to address that challenge, ensuring that the UW creates an excellent compliance model based on best practices, while protecting its decentralized, collaborative, and entrepreneurial culture. The paper presents a conceptual framework for thinking about institution-wide risk management. That framework is followed by information on approaches used by other research universities, featuring vignettes from Stanford University, University of Texas, University of Minnesota, and University of Pennsylvania. Then the UW’s current situation is described, including lessons learned from recent UW problems. That analysis reveals persistent patterns and suggests that the root causes of noncompliance at the UW can be classified into one of four categories: leadership, organization, knowledge, and culture. Finally, the paper proposes a collaborative, institution-wide risk management model and lays out recommendations for implementing that proposal.

These proposed changes are not intended to replace what already works across the university. Rather they are intended to augment the existing organization with thoughtful direction, collaboration, and communication on strategic risks. This proposal identifies opportunities to strengthen the existing UW efforts by providing a central focus (President’s Advisory Committee and Compliance Council), access to good information (websites, newsletters, hotlines, Compliance Council discussions), simple but effective tools (risk maps and plans, metrics, self-assessment approaches), and opportunities for leaders and subject matter experts to deliberate on risk, integrity and compliance issues.

At its core, the UW community is bound together by the shared reputation of the institution. Each member of the community contributes to that reputation and benefits from the contributions of others. Faculty, staff and students work hard to achieve preeminence in their fields, and in the process set the highest standards of intellectual rigor for themselves and their colleagues. It is that excellence which is reflected in the UW’s reputation. Outcomes that reveal noncompliant activities diminish the regard with which the institution is held, obscuring the excellence of the work being done.

Critical to future success is the energetic, entrepreneurial culture of the UW, which is both decentralized and collaborative. Yet for that decentralized model to be sustainable, mechanisms must be created to develop, reinforce, and refresh common goals and values. Commenting on that important balance between commonality and individuality, Provost Phyllis Wise noted that “…distributed leadership requires shared values and a sense of community.”31 The actions proposed in this paper engage the UW community in sharpening its common viewpoint and approaches to risk management, and in the process, strengthening the culture of compliance at the UW.

Provost Wise has stated: “We want to incorporate the strengths of the people here, making a community that is stronger than the sum of individual effort.”32 This proposal is offered with the belief that its recommendations will contribute to that synergy, strengthening the UW’s community, reputation, and leadership. It is offered with the hope of preventing damaging, noncompliant events from distracting faculty, students and staff from “…our special work”—“…the biggest, most complicated, most challenging questions and problems of the 21st century.”33


APPENDIX 1

April 22, 2005

Deans and Cabinet members,

With the most recent example of compliance issues, we have again been reminded that we have not yet created the culture of compliance that we have discussed on many occasions. As a number of you are aware, we have been working on these matters for some months now; making progress to be sure, but with much more to do. To this end, I make the following comments.

Clearly, the creation of a culture of compliance needs to be driven by our core values and commitment to doing things the right way, to being the best at all we do. We need to have an organizational culture that follows rules and regulations not just because they fear the regulation "police," but because it is the right thing to do, and because that is what we do at the UW. Similarly, we need to know that the manner in which we manage regulatory affairs is consistent with the best practices in existence, both in terms of how we assure compliance and also in terms of how we serve our faculty, staff and students. Compliance cannot and will not be compromised for the sake of expediency. On the other hand, there is no reason why effective compliance cannot be assured in a manner that promotes effective use of people's time and energy. We do not need or want another layer of bureaucracy. We do not need or want to create the regulatory police. But neither can we - or will we - accept anything less than complete confidence that we are in compliance with all the regulations within which we must operate.

To this end, we need to do several things. First, we need to continue the good work that is now underway. We have made very good progress on several fronts, including medicine and athletics. These good efforts need to be recognized, supported and driven to conclusion. Second, we need to move forward with the process we started last fall when we asked V'Ella Warren to develop proposals regarding best practices in this regard. This process has moved along well. Their preliminary assessment provides what I believe is a very useful framework for shaping a university-wide effort and discussion about actions needed. The framework includes creating an institutional compliance council and the creation of a model for identifying compliance issues in advance. It also proposes an early intervention program and enhancing staffing to make the process work well for users. Such an effort must be consistent with the principles outlined above. Moreover, it needs to work closely with those most directly impacted (deans, faculty, coaches, and staff) to make certain we are headed in the right direction. I am, therefore, asking V'Ella and David Hodge to immediately begin working through this framework to determine if it provides the elements and process that we need to move forward. David and V'Ella will be provided with the resources (including colleagues) they need to do this critical task. I am asking that they finish this work this quarter, if possible. We will need the help and cooperation of all of you to get this done.

Thanks,

Mark Emmert


ENDNOTES

1 The standard term used in the literature, enterprise risk management (ERM), was chosen for this document. However, the UW may prefer to adopt its own terms or acronyms. Strategic risk management is proposed for consideration at the end of the draft paper.

2 Global Investor Opinion Survey: Key Findings (McKinsey & Co., July 2002)

3 Emmert Launches Leadership Initiative, Emmert, Mark (President, University of Washington) (University Week, April 7, 2005)

4 Compliance Issues, Emmert, Mark (President, University of Washington), Memo to Deans and President’s Cabinet, April 22, 2005

5 The Enterprise Risk Management Process in Higher Education, Crawford, David B. and Justina, (J.D. Enterprises)

6 UW Medicine Board Review Committee Report, page 65.

7 Excellence in Risk Management: A Qualitative Survey of Enterprise Risk Management Programs (Risk and Insurance Management Society, Inc. (RIMS) and Marsh, Inc., April 2005)

8 This is also called strategic risk management or institution-wide risk management.

9 Risk from the CEO and Board Perspective, McCarthy, Mary Pat and Flynn, Timothy P. (New York: McGraw Hill, 2004, page 77)

10 Enterprise Risk Management—Integrated Framework (The Committee of Sponsoring Organizations of the Treadway Commission (COSO), September 2004). This work is considered the benchmark for ERM programs.

11 Enterprise Risk Management—Integrated Framework: Executive Summary (The Committee of Sponsoring Organizations of the Treadway Commission (COSO), September 2004).

12 At the University of Washington, pilot efforts with risk maps have been led by the Director of Audits and the Executive Director of Risk Management, involving several departments and groups on campus. Both managers are capable facilitators of this tool.

13 Excellence in Risk Management: A Qualitative Survey of Enterprise Risk Management Programs (Risk and Insurance Management Society, Inc. (RIMS) and Marsh, Inc., April 2005)

14 Achieving Excellence in Compliance, University of Washington Medicine Board Review Committee Report, July 20, 2005, Appendix 15.

15 Qualitative Survey (Risk and Insurance Management Society, Inc. (RIMS) and Marsh, Inc., April 2005)

16 Mr. Jung has chaired the Association of College and University Auditors (ACUA) and has represented ACUA on the Costing Policies Committee of the Council on Governmental Relations (COGR). Mr. Jung is a frequent presenter in national forums.

17 Interview of Jung, Steven by V’Ella Warren, June 2005.

18 Effective Compliance Systems, Crawford, Chaffin, and Scarborough, page 4.

19 Effective Compliance Systems: A Practical Guide for Educational Institutions, Crawford, David B., Chaffin, Charles G. and Scarborough, Scott (The Institute of Internal Auditors Research Foundation, 2001, page xiii)

20 No More Risk Business: The University of Texas System Institutional Compliance Program, Hagara, Kimberly K., Assistant Director for System-wide Compliance, The University of Texas System (Presentation to the Council on Governmental Relations (COGR))

21 Interview of Schumacher, Tom by V’Ella Warren, July 2005.

22 Interview of Brown, Mary Lee by V’Ella Warren, July 17, 2005.

23 Interview of Guyton, Odell by V’Ella Warren, July 2005.

24 Brown, Mary Lee, Presentation to Council on Governmental Relations (COGR), June 10, 2004.

25 UW Medicine Board Review Committee Report, page 85.

26 Excellence in Risk Management II: A Qualitative Survey of Enterprise Risk Management Programs (Risk and Insurance Management Society, Inc. (RIMS) and Marsh, Inc., April 2005). In this report by the Risk and Insurance Management Society and Marsh, the stages of risk management are noted. Defensive risk management focuses on transferring risk through insurance. Advanced risk management moves beyond insurance, attempting to reduce losses and minimize insurance and settlement costs. The final stage is the enterprise risk management approach, which optimizes risk, integrating it into the strategy and direction of the company.

27 This list is culled from conversations with key managers at University of California System, Council on Governmental Relations (COGR), Stanford University, University of Minnesota, Northwestern University, University of Texas System, Microsoft, University of Pennsylvania and University of Washington.

28 UW Medicine Board Review Committee Report, page 3.

29 UW Medicine Board Review Committee Report, pages 66 and 67.

30 Seattle Cancer Care Alliance has licensed a tool developed by the University of Minnesota.

31 Leadership, Culture and Values Initiative: A Report to the UW Community, 2005

32 LCV Initiative: A Report to the UW Community, 2005

33 Emmert, Mark (President, University of Washington), Address to the University Community, November 2004.
