University of Wisconsin System Enterprise Risk Management
UW Milwaukee
September 11 & 14, 2012
Introductions
ERM Working Group Agenda
Welcome & Introductions
ERM in Higher Education
Case Study Discussion
UW System ERM Initiative
Critical ERM Program Components
Risk Identification and Workshop Process
Voting Process
Next Steps
Q&A, Feedback, and Conclusion
ERM in Higher Education
What is Enterprise Risk Management?
“A comprehensive program designed to proactively and continuously identify and manage real and potential threats and opportunities that may impact our operations.”
Designed to protect and increase stakeholder value, fit into the organization’s culture, and leverage current controls and capabilities.
An operational strategy that promotes continuous sustainable improvement across the organization, creating value.
A process that identifies and prioritizes real and potential risks (threats and opportunities) that may affect an organization’s strategy and/or operations and promotes the ability to manage risks to an acceptable level.
ERM = STRATEGIC RISK MANAGEMENT
• Enterprise Wide Risk Management
• A wide range of risks are identified and evaluated, including finance, human capital, strategic, operational, and reputational
• Evaluation includes the “upside of risks” or opportunities risk-taking can provide
• Helps manage successful growth or program expansion
• Risks are owned by all and mitigated at the department level
Why Implement ERM?
• Sustain competitive advantage
• Respond when a significant event occurs
• Avoid financial surprises
• Manage scarce resources
• Define risk appetite and risk tolerance levels
• Determine effectiveness of existing controls
• Improve risk assessments
• Increase accountability
• Allocate resources more effectively
Why Implement ERM? (cont.)
• Competition
• Student Demands
• New Technologies
• Globalization
• Entrepreneurial ventures beyond traditional education
• Pressure for increased productivity and accountability while reducing costs
• Increased compliance expectations
• Research
• Safety/Security
Higher Education ERM Efforts
Organizations
- National Association of College and University Business Officers (NACUBO)
- Association of Governing Boards (AGB)
- University Risk Management and Insurance Association (URMIA)
Institutions
- University of California
- University of Washington
- University of Minnesota
- Auburn University
- Texas A&M University
- Purdue University
- Maricopa County Community College
Higher Education Risk Case Studies
• Two Scenarios designed to start you thinking about key concepts associated with ERM
  • Risk v. Opportunity
  • Likelihood & Impact
  • Controls
  • Mitigation
UW System Enterprise Risk Management Initiative
UW System – ERM Vision
The University of Wisconsin System endeavors to lead higher education by integrating the principles of Enterprise Risk Management (ERM) into the culture and strategic decision making of its academic, student affairs, and business functions. ERM will promote the success and enhance the accountability of the UW System by incorporating risk assessment into the System’s strategic objectives and budget development process.
Mission Statement
The mission of the University of Wisconsin Enterprise Risk Management Project is to initiate a comprehensive program which will support the identification of the UW’s mission-critical risks, assess how to manage those risks, and align resources with risk management responsibilities.
Goals and Objectives for Accomplishing the Mission:
Goal #1: Integrate ERM into the culture and strategic decision making processes of the organization.
• Objectives:
  • 1-1. Develop common ERM terminology.
  • 1-2. Raise awareness of the need for risk management.
  • 1-3. Establish continuous monitoring and communications processes.
Goal #2: Balance the cost of managing risk with the anticipated benefits.
• Objectives:
  • 2-1. Define the organization’s overall risk appetite/tolerance, and establish associated materiality thresholds.
  • 2-2. Document current procedures, controls, and risks.
  • 2-3. Compare current risks to control efforts, as well as to the organization’s risk appetite, to help identify priority risks.
  • 2-4. Assess the value of alternative risk management actions.
Goals and Objectives for Accomplishing the Mission:
Goal #3: Manage risk in accordance with best practices, and demonstrate due diligence in decision making.
• Objectives:
  • 3-1. Assign responsibilities for risk management at the “lowest” levels of the organization.
  • 3-2. Regard compliance with the law as a minimum standard.
  • 3-3. Streamline risk-management-related practices.
  • 3-4. Identify competitive opportunities.
Goal #4: Use the pilot projects to develop a system-wide ERM implementation strategy.
• Objectives:
  • 4-1. Establish an organizational and communication structure for managing the pilots.
  • 4-2. Transfer knowledge from the consultants to UW System Administration staff.
  • 4-3. Involve the UW System president and cabinet in ERM-related decisions.
Current State of Project
• Core Risks LTD., in consultation with Arthur J. Gallagher, selected to develop UWS ERM model
• Full risk assessment completed at six UW institutions (Oshkosh, Superior, Whitewater, Parkside, River Falls, and Platteville)
• Established an ERM Core Team at System Administration
• Developed UWSA website in support of initiative: http://www.wisconsin.edu/oslp/erm/
Current Examples That Incorporate ERM Processes
• Security and Threat Assessments
• International/Study Abroad Risk Assessment
• Continuity of Operations
• Other
Evolution to achieve ERM
Prior State – Individual area/function silos report risk on an ad hoc basis from the bottom-up to management. No top-down linkage to the Executive Management/BOD strategic objectives.
Resilient State – enhanced sustainability across the enterprise.
• Convergence of Reporting:
• Consistency of Process:
• Focus on Risk:
• Informed Decision-making
• Ownership:
[Diagram labels: Board of Regents, Audit Comm, Risk Council, Enterprise Risk Management; Central Funct, Athletics, Institution A, Institution B, Safety, IS, Housing, Other]
Signs of Success…
A successfully implemented program will result in:
• A process for open and objective discussion on risk and related issues facing the organization on an aggregate basis. It must promote honest and fact-based discussion and enhance decision making while assuring that “the messenger does not get shot”.
• Regular reporting of the organization’s risk profile that: 1) prioritizes risks from a materiality perspective; and 2) clearly helps direct the asset allocation (money, time, people) toward risk mitigation.
• No new bureaucracy; ERM needs to be embedded into the existing culture and structure to assure sustainability. This is best assured by integrating the ERM findings into the annual budget and strategic planning cycles. Normally, if it isn’t budgeted, it doesn’t exist.
Critical ERM Program Components
Higher Education Risk Categories
External: Natural Catastrophe; Man-made catastrophe; Economic/Political; Competition; State/Federal support; Visitors; Social issues
Strategic: Reputation/Image; Program/Academic ranking; Quality of Faculty; Strategic Plan; Alumni Relations; Partner Programs Local/Abroad; Joint Ventures
Operational: Student Safety & Health; Sports Program; Institution Facilities; Academic Facilities; Infrastructure/Physical Plant; Alcohol/Drugs; IT/Telecom
Other: Endowment Fund Challenges; Other University Funding; National Loan Source availability; Human resource; Legal; Other Compliance; Minors on Campus (matriculated and other)
Security
Parent Related Matters
Management Control
Types of controls
Rule-based – Policy, process, or standard.
Management Control – Responsibility for control is assigned to a specific person or function within the organization.
Compliance-based – Rule-based or Management Control, where adherence is verified.
Physical Control – Barrier, mechanical, or computer control.
Risk Culture – Tone at the top for managing risk.
Management Control Scale
In a world with no constraints … More = Better
Current Level of Control over the Risk (from less control to more control):
None/Weak = 1
Limited = 2
Moderate = 3
Strong = 4
Impact Defined
• Impact is the total outcome (as measured against a specific materiality metric) that would be realized if a Risk Driver were to occur.
• Specific reference point used to categorize the materiality of the Impact of a Risk.
• Used to “bucket” risks from different parts of the organization to allow for detailed, cross-functional discussion
  • Low
  • Moderate
  • High
  • Extreme
Critical Definitions Impact & Materiality – Sample
• Impact on Enrollment used as example
• Calculated over a certain period of time (36 months)
[Chart: UW System Materiality - Impact on Enrollment. Panels: UW System, Milwaukee. Impact levels rated 1 to 4: Low, Moderate, High, Extreme. Values as extracted: Extreme 10% 12,520; High 6% 5,250; 3% 2,600; 6% 350; 3% 175; 600; 10,000]
Materiality Matrix (For Discussion)
UW-PLATTEVILLE Materiality Matrix Risk Validation Workshop
Columns: Materiality Area; Range of Metrics/Measures; Low; Medium; High; Extreme; System wide

Financial
Biennial Reduction in Total Revenue: Incorporates change in state support, tuition and fees, gifts, grants and contracts, endowments, and other income. Accounts for increases/decreases in expenses such as operating, debt, and loss.
  Range: Low: less than 1%; Medium: 1 - 3%; High: 3 - 5%; Extreme: > 5%; System wide: ___%
  UW-Platteville: Low: less than $1.5M; Medium: between $1.5M and $4.7M; High: between $4.7M and $7.8M; Extreme: greater than $7.8M

Students
Annual Reduction in Number of New Freshman Enrolled: Incorporates change as influenced by factors such as high school graduate demographics, diversity/equity, safety, and learning opportunity array.
  Range: Low: flat; Medium: 0 - 3%; High: 3 - 6%; Extreme: > 6%; System wide: > ___%
  UW-Platteville: Low: flat (1,645); Medium: reduction up to 50; High: between 50 and 100; Extreme: greater than 100; System wide: greater than a _______ reduction
Annual Reduction in Total Student Enrollment: Incorporates change as influenced by factors such as academic reputation, financial aid availability, program array, and faculty/staff resources.
  Range: Low: less than 1% growth; Medium: flat; High: 0 - 3%; Extreme: > 3%; System wide: greater than ___ percent system wide
  UW-Platteville: Low: increase less than 71 (7,155); Medium: 7,084; High: reduction up to 215; Extreme: greater than 215; System wide: greater than _____
Annual Change in Six-Year Graduation Rate: Incorporates change as influenced by financial aid, student support services, and course availability.
  Range: Low: flat; Medium: 0 - 3%; High: 3 - 6%; Extreme: > 6%
  UW-Platteville: Low: 53.60%; Medium: between 53.6% and 52%; High: between 52% and 50.4%; Extreme: less than 50%
Annual Change in Retention Rate:
  Range: Low: flat; Medium: 0 - 3%; High: 3 - 6%; Extreme: > 6%
  UW-Platteville: Low: 76.30%; Medium: between 76.3% and 74.0%; High: between 74.0% and 71.7%; Extreme: less than 71.7%

Reputation
Reputation: Incorporates impacts as influenced by peer, public, and legislative perception of institution.
  Low: Contained within administrative unit. Limited impact to external stakeholders.
  Medium: Contained within the administrative unit but known by the institution. Short-term impact to stakeholders.
  High: Local public media interest. Impact < 1 year to mission critical stakeholder group.
  Extreme: National publicity or media interest. Multiyear impact to critical stakeholder groups.
  System wide: National publicity > 3 days, resignations, drop in Carnegie Tier rating. Long-term impact across many stakeholder groups.
Likelihood
The likelihood that a risk will occur within next 36 months recognizing current controls
Low = 1
Moderate = 2
Probable = 3
Almost Certain = 4
(Scale runs from less likely to more likely to occur; markers shown at 10%, 50%, 75%)
Likelihood Scale:
1 = Low – Possible but unlikely to occur; remote.
2 = Moderate – Moderate risk of occurrence; maybe.
3 = Probable – Likely to occur.
4 = Almost Certain – Very likely to occur in immediate future (probable).
Sample Inherent Risk Map (Heat Map)
[Heat map: Impact on the vertical axis (levels 1 to 4, with sample dollar markers $x,000,000 to $xx,000,000) against Likelihood on the horizontal axis (Unlikely, Possible, Probable, Almost Certain). Ten numbered sample risks are plotted. Legend: Very High Risk, High Risk, Moderate Risk, Low Risk.]
Risks plotted:
• Fire at remote building
• Snow Collapse of University Center
• Credit Crisis – loss of funding
• Weather shuts down campus-short term
• Sports team scandal
• Loss of Key Faculty
• IT system failure due to weak controls
• Dorm shutdown due to contamination
• Community activists block expansion
• Pandemic
Risk Retention & Risk Mitigation
Risk Retention. If an identified risk is within Risk Retention, it is accepted at this time without the need for additional action. Current controls are retained, maintained, and monitored.
Risk Mitigation. If an identified risk is not within Risk Retention, then further mitigation is planned and prioritized.
Risk Identification/Workshop Process
• Risk Surveys are sent to direct reports of Senior management
• Surveys collect risks identified from a cross functional group of operational level management
• Institution Risk workshop synthesizes all Risks identified to date and discusses and assesses new Risks. Output report is ready for management review
• Institution Workshop Core Working Group reviews and delivers summary report of Priority Risks to Chancellor
• One on One Interviews with Senior Staff identify perceptions of Risk
• Any pre-existing Risk reports are reviewed and Identified Risks are compiled
• Chancellor/Risk Council informs Institution Core Working Group of decisions on recommended Risks
Risk/Opportunity Areas
What keeps you awake at night?
Systemwide list:
• Enterprise Systems Implementation (HRS)
• Executive Position Recruitment/Retention
• IT Security
• Budget/Revenue Optimization
• Capital Planning and Budget Process and Joint Ventures
• AODA/Student Safety
• Student Services (Mental Health)
• Community and Legislative Relations
• Administrative Efficiency/Stewardship of Public Funds/Accountability
• Records Retention/Open Records/Confidential Information
• Faculty – Recruitment/Retention and Discipline
We use the Wireless Voting Technology.
The Voting Keypad:
1. You may change your vote as many times as you want before voting is closed – only your last response will count.
2. You do not have to point the keypad at the screen.
3. Your individual responses will remain anonymous.
IMPACT & LIKELIHOOD
IMPACT
1 LOW
2 MODERATE
3 HIGH
4 EXTREME
(BASED ON UW-MILWAUKEE MATERIALITY MATRIX)
LIKELIHOOD
1 LOW
2 MODERATE
3 PROBABLE
4 ALMOST CERTAIN
CONTROLS & COST
CONTROLS
1. NONE/WEAK
2. LIMITED
3. MODERATE
4. STRONG
COSTS
1. HIGH (greater than $25,000)
2. LOW or NONE
MITIGATION vs RETENTION
Does this need to be placed in Risk Mitigation?
1. Yes
2. No
Sample Risk Map (Heat Map)
[Heat map: Impact on the vertical axis (levels 1 to 4, with sample dollar markers $x,000,000 to $xx,000,000) against Likelihood on the horizontal axis (Unlikely, Possible, Probable, Almost Certain). Numbered sample risks are plotted. Legend: Very High Risk, High Risk, Moderate Risk, Low Risk.]
Risks listed: Fire at remote building; Snow Collapse of University Center; Credit Crisis – loss of funding; Weather shuts down campus-short term; Sports team scandal; Loss of Key Faculty; IT system failure due to weak controls; Dorm shutdown due to contamination; Community activists block expansion; Pandemic
Next Steps
Risk Ownership
• Qualities of a Risk Owner...
  • Owners should have significant influence over their assigned Risk Driver(s).
  • Owners will be individuals.
  • Owners will be accountable.
• Risk Owners will...
  • Work to determine the Risk Retention parameters for a particular Risk Driver.
  • Develop Mitigation plans to return Risk Driver(s) to Risk Retention.
  • Perform ongoing monitoring of their Risk Driver(s) to assure that Risk Drivers remain in Risk Retention.
Remember… Risk Ownership is important and to be a Risk Owner is a good thing!
Risk Driver Mitigation Worksheet - Example
Risk Driver Number & Short Name: #1 - Student safety issue due to unsafe pedestrian crossing at RT 66
Risk Owner name: J Bond – Head of Road Safety
Current Risk Ratings
  Impact Rating & Range: 6 - (Greater than $80M)
  Likelihood: Possible
  Inherent Risk Rating: Significant
  Control: Poor
Mitigation Plan Options and Steps
  1. Increase Signage. Additional functions involved: Security. Timing of plan: Q3 11
  2. Request addition of additional flashing lights from highway department. Additional functions involved: Government relations. Timing of plan: Q4 11
  3. Conduct assessment of possibility of adding pedestrian tunnel or bridge. Additional functions involved: Facilities and department, with support of Civil engineering department. Timing of plan: 2012
A Steady State Process (example 1)
[Cycle diagram labels: Risk Council; Preliminary Objectives & Risk Survey; Risk Assessment and Workshops; Mitigation Plans developed and Submitted for budget consideration; Risk Enhanced Budget submitted; Report to Board/Audit Committee (budget approval); Report to Management/Compliance Steering Committee; Annual Risk workshops; Risk Drill Down workshops; Risk Council Meet/Report; College Risk Report]
A Steady State Process (example 2)
[Cycle diagram labels: Strategy / Operations; months Oct, Nov, Dec, Jan, Apr/May, July; Risk Survey; Risk Assessment; Risk Owners; Mitigation Plans; Risk Enhanced Objectives; Planning; Report to Senior Administration; Report to Board of Regents; Risk Council Maintenance]
Orientation Wrap Up
Questions?