Embedding a Risk Framework Using a SWOT Analysis
Fernando F. Padró
Director, Learning & Teaching Services (Acting)
Ngaire Winwood
Workshop objectives:
• Introduction
• Focus
• Rationale for application to education
• Sarbanes-Oxley Act of 2002
• TEQSA
• Baldrige Criteria
• ISO 31000:2009
• COSO Framework
• Evaluation and linkage to SWOT
• Exercises in using SWOT with risk framework
The focus of this workshop:
Yes: Academic and student focus regarding risk management in education
Yes: Managerial approaches in documenting risk management in support of academic activities
No: The workshop will not focus on insurance and insurance issues, pure fiscal management issues, catastrophic/emergency response concerns, safety & health concerns – although some of the discussion can/does cross over
• The workshop is mainly designed for higher education, but many of the issues do cross over to primary/secondary education.
• The basis of the presentation is on the developing increase in the use of enterprise risk management (ERM) concepts in higher education quality assurance, spearheaded by Australia’s Tertiary Education Quality and Standards Agency (TEQSA) and the longstanding research and adopted practices sponsored by the UK’s Higher Education Funding Council for England (HEFCE)
• In the USA, the main avenue for ERM is the Sarbanes-Oxley Act of 2002 (Pub.L. 107–204, 116 Stat. 745 (July 30, 2002)). For higher education, the 2003 NACUBO (National Association of College and
• Enterprise risk management (ERM) combines aspects of quality assurance (QA) and quality control (QC).
• It’s the developing new wrinkle in QA in higher education (Padró, 2014), but it can easily apply to primary/secondary education as well because it seems to fit glove-in-hand with increased external regulatory oversight.
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” …
“In the wise leader's plans, considerations of advantage and of disadvantage will be blended together. If our expectation of advantage be tempered in this way, we may succeed in accomplishing the essential part of our schemes. If, on the other hand, in the midst of difficulties we are always ready to seize an advantage, we may extricate ourselves from misfortune.”
-- Sun Tzu
“A risk is a chance you take; if it fails you can recover. A gamble is a chance taken; if it fails, recovery is impossible.”
Sarbanes-Oxley Act of 2002
• The impetus behind its passage was to shore up the confidence crisis created by perceived lax corporate governance processes (Thapa & Brown, 2007; Rosenbloom, 2006; Padró, 2010).
• It legally codified many best practices which had been discussed before for a number of years (Fram & Zoffer, 2005).
• The passage of SoX upset the uneasy balance between state and federal law, potentially federalizing corporate law by taking over a realm heretofore taken care of by organizations themselves, state regulators, and court decisions (Wu, 2006; Parles, O’Sullivan, & Shannon, 2007).
NACUBO 2003 recommendations on adopting SoX
Title 3 – Corporate Responsibility
Section 301: The creation of an independent audit committee, with operations based on notions of external review.
Section 302: CEO and CFO required to assert the financial statements have no material misstatements or omissions and that they have evaluated “disclosure controls and procedures” (e.g., quality of overall disclosures such as notes to the financial
NACUBO 2003 recommendations on adopting SoX
Title IV – Enhanced Financial Disclosures
Section 401: Follow current and appropriate accounting standard guidance (i.e. FASB, GASB).
Section 403: Board members should report financial conflict of interests.
Section 404: Internal control requirements and managerial assessment of these controls. [Probably the most important provision of SoX, which has imposed a large compliance burden (Rosenbloom, 2006).]
Section 406: Code of ethics for senior financial managers.
Section 407: At least one financial expert as member of audit committee.
NACUBO 2003 recommendations on adopting SoX
• Title VIII -- Corporate and Criminal Fraud
Section 802: It is good practice to ensure that documents and records sent or received in connection with the audit are retained for seven years.
[Section 806: Whistleblower protection.]
• Title XII: Corporate Fraud Accountability
TEQSA:
• TEQSA’s use of a risk framework is legislative based, with the original premise set by its predecessor the Australian Universities Quality Agency (AUQA) (Padró, 2014).
• Designed not to impose additional reporting burdens, ‘TEQSA relies heavily on existing data collected within the sector for its risk assessments, predominantly the national higher education collections managed by the Department of Education and survey data from Graduate Careers Australia (GCA)’ (TEQSA, 2014, p. 1).
• TEQSA defines risk as ‘actual or potential risk events (regarding a provider’s operations and performance) which indicate that the provider may not meet the Threshold Standards (either currently or in the future)’ (TEQSA, 2012, p. 34).
TEQSA (2014) aims:
• Reduce regulatory burden by using risk assessments to inform a differentiated approach to evidence and reporting requirements in regulatory processes;
• Strengthen the protection of students’ interests and the sector’s reputation by monitoring key aspects of providers’ operations during registration periods;
• Support TEQSA case managers and providers to engage in early discussion about emergent issues prior to any formal regulatory review; and
TEQSA:
• ‘TEQSA also recognises that innovation often involves a degree of risk taking and does not consider risk as necessarily negative or that all risk must be controlled or eliminated. To support this in practice, TEQSA’s approach allows for expert judgement and embeds providers’ history, context and own risk management within the risk assessment process’ (2014, p. 2).
• The Risk Assessment Framework is based on ISO 31000 risk standards, although in a modified form to fit its purposes. However, it can be argued that the formative documents leading to TEQSA and its initial Regulatory Risk Framework (2012) were based on the COSO framework because of its top-down, external-internal regulatory compliance
E.g. of TEQSA risk factors: Student profiles
Risk indicator: 1 Cohorts completed
Description of risk: An entity that has recently commenced delivery as a higher education provider carries initial operational, business and quality risks. For example, meeting student projection targets, meeting financial targets, whether infrastructure and staff resources are maintained with the rate of student growth, and whether governance bodies successfully implement key policies and quality assurance activities. In counting the number of cohorts completed the measure will be at the institutional level (as opposed to course level). Where applicable, attention will also be given to recently registered CRICOS locations, with any previous track record of establishing and managing new locations given consideration.
Mapping with Threshold Standards and ESOS Act/National Code*:
• PRS 1 – Provider standing
• PRS 5 – Management and human resources
• PRS 7 – Physical and electronic resources and infrastructure
Other student profile risk factors for TEQSA
• Student Load
• Attrition Rate
• Progression Rate
• Completions (by Undergraduate/Postgraduate Coursework and Higher Degree by Research, as applicable)
• Student Satisfaction (by Undergraduate /Postgraduate Coursework and Higher Degree by Research, as applicable)
TEQSA risk factor: Staff resource & profile
Risk indicator: Senior academic leaders
Description of risk: A relatively low number of senior academic leaders embedded within the organization may compromise the strength of the organisation’s academic capability. Senior academic leaders typically make a strong contribution to key academic policies for the organisation, internal quality review, supervise staff and show professional leadership in their field of expertise. In assessing risk in relation to senior academic leaders, consideration may be given to context such as the size and scope of a provider’s operations, and a close institutional relationship with another higher education provider.
Mapping with Threshold Standards and ESOS Act/National Code*:
• PRS 4 – Primacy of academic quality and integrity
• PRS 5 – Management and human resources
• PCAS 1 – Course design is appropriate and meets the Qualification Standards
• PCAS 4 – Teaching and learning are of high quality
Risk indicator: Student to staff Ratio (SSR)
Description of risk: A high ratio of students to teaching and learning staff provides a broad indication of potential constraints on the level of support available to students, the quality of the learning experience for students, and the average teaching workload. It is not proposed here as a proxy for class size. In assessing risk in relation to SSR, consideration may be given to context such as trend, delivery model and mode, and relevant insights offered by other indicators relating to student outcomes and experience.
Mapping with Threshold Standards and ESOS Act/National Code*:
• PRS 5 – Management and human resources
• PRS 6 – Responsibilities to students
• PCAS 4 – Teaching and learning are of high quality
• NC Standard 14 – Staff capability, educational resources and premises
TEQSA risk profile: Financial viability and sustainability
Risk indicator: Financial viability
Description of risk: This composite indicator considers risk to a provider’s current and immediate-to-short-term strength and capacity. Measures included within this indicator include profitability, liquidity, gearing, debt servicing and cash flow.
i. Operating Profit Margin %: Provides an indication of the provider’s ability to manage revenues and control expenses in order to generate a surplus which can be used in the future to support the capacity of the provider to sustain its higher education operations.
ii. Liquidity: Provides an indication of the provider’s capacity to meet financial obligations within its ordinary operating cycle.
iii. Total Liabilities-to-Tangible Assets: Provides an indication of assets available to satisfy the provider's financial obligations.
iv. Debt Service Coverage: For providers with borrowings, provides an indication of the provider’s capacity to amortise and service the debt whilst reinvesting in the fixed assets of the business.
v. Operating Cash Flow Ratio: Provides an indication of the provider’s capacity to meet current financial obligations based on the cash flow generated from its operations.
The corporate structure and ownership model as well as the financial resources available through affiliated or related parties may be considered in applying a rating.
Mapping with Threshold Standards and ESOS Act/National Code*:
• PRS 2 – Financial viability and sustainability
TEQSA risk profile: Financial viability and sustainability
Risk indicator: Financial sustainability
Description of risk: This indicator provides a longer-term view of a provider’s strength and capacity and its ability to exhibit structural characteristics which support operating endurance. Measures are generally analysed over a three-year period and cover revenue changes, assets, employee benefits, enrolments and revenue diversification.
i. Change in revenue %: Provides an indication of any change in the level of activity in the provider. Revenue is the key source of operating income for providers and allows the provider to effectively meet higher education objectives. This is measured over a three-year period.
ii. Asset (Capital) replacement: The provider’s fixed asset base contributes to the effective delivery of higher education objectives. As assets deteriorate this measure gives an indication of the provider’s track record of reinvesting in the fixed asset base over a three-year period.
iii. Change in Employee Benefits Ratio: Staff typically comprises the major cost item for many providers. Staff are critical to the effective achievement of higher education objectives. This measure provides an indication of the change in total staff costs (academic & non-academic staff) relative to the level of activity over a three-year period.
iv. Year on Year change in Commencements (EFTSL): Provides an indication of changes in demand for the provider's offering and its ability to maintain student load and enrolment momentum.
v. Revenue concentration: Diversification of revenue sources allows the provider to reduce financial and business risks by spreading risks across different activities and respond more effectively to changes in its trading environment.
The corporate structure and ownership model as well as the financial resources available through affiliated entities may be considered in applying a rating.
Mapping with Threshold Standards and ESOS Act/National Code*:
• PRS 2 – Financial viability and sustainability
NC Standard 14 – Staff capability, educational
2013-2014 Baldrige Criteria on Risk: Leadership (Criterion 1)
1.1a(3): … [C]reate an environment for INNOVATION and INTELLIGENT risk taking…
1.1b(2): How do senior leaders create a focus on action that will achieve the organization’s objectives, improve its performance, enable innovation and intelligent risk taking, and attain its vision? How do senior leaders identify needed actions?
Note: ‘In the context of sustainability, the concept of innovation and taking intelligent risks includes both technological and organizational innovation to help the organization succeed in the future’ (p. 7).
‘A sustainable organization is capable of addressing risks and opportunities arising from environmental considerations and climate change’ (p. 8).
2013-2014 Baldrige Criteria on Risk: Leadership (Criterion 1)
1.2b(1): Legal Behavior, Regulatory Behavior, and Accreditation: … What are your key processes, measures, and goals for addressing risks associated with your educational programs and services and your operations?
Re Visionary leadership:
‘Senior leaders should serve as role models through their ethical behavior and their personal involvement in planning, providing a supportive environment for taking intelligent risks, communicating, coaching and motivating the workforce, developing future leaders, reviewing organizational performance, and recognizing workforce members. As role models, they can reinforce ethics, values, and expectations while building leadership, commitment, and
2013-2014 Baldrige Criteria on Risk: Strategic Planning (Criterion 2)
2.1a(2): How do you decide which strategic opportunities are intelligent risks for pursuing?
2.1a(3): How do you collect and analyze relevant data and develop information on these KEY elements as part of your strategic planning PROCESS? ... Risks to your organization’s SUSTAINABILITY.
2.2a(3): Resource allocation: … How do you manage the
2013-2014 Baldrige Criteria on Risk: Strategic Planning (Criterion 2)
Note: ‘Choosing which strategic opportunities to pursue involves considering relative risk, financial and otherwise, and then making intelligent choices (“intelligent risks”)’ (p. 11).
‘Data and information might relate to student, other customer, and market requirements, expectations, and opportunities; learning-centered education to ensure student achievement; your core competencies; the competitive environment and your performance now and in the future relative to competitors and comparable organizations; education reform; technological and other key innovations or changes that might affect your programs and services and the way you operate, as well as the rate of innovation; workforce and other resource needs; your ability to capitalize on diversity; opportunities to redirect resources to higher-priority programs or services; financial, societal, ethical, regulatory, technological, security, and other potential risks and opportunities; your ability to prevent and respond to emergencies, including natural or other disasters; changes in the local, national, or global economy; requirements for and strengths and weaknesses of your partners and supply chain; changes in your parent
2013-2014 Baldrige Criteria on Risk: Workforce Focus (Criterion 5)
5.2a(3): Performance management: HOW does it reinforce INTELLIGENT RISK taking to achieve INNOVATION; reinforce a focus on students, other CUSTOMERS, and student LEARNING; and reinforce achievement of your ACTION PLANS?
Re Valuing workforce members:
2013-2014 Baldrige Criteria on Risk: Operations Focus (Criterion 6)
6.2d: Innovation management: … HOW do you pursue the STRATEGIC OPPORTUNITIES that you determine are INTELLIGENT RISKS?
A ‘focus on the future includes developing your leaders, workforce, and suppliers; accomplishing effective succession planning; creating a supportive environment for taking intelligent risks
2013-2014 Baldrige Criteria on Risk: Results (Criterion 7)
7.4b: What are your RESULTS for KEY MEASURES or INDICATORS of the achievement of your organizational strategy and ACTION PLANS, including taking INTELLIGENT RISKS and building and strengthening CORE COMPETENCIES?
Indirect:
7.4a(2): Governance: What are your KEY current findings and TRENDS in KEY MEASURES or INDICATORS of GOVERNANCE and internal and external fiscal accountability, as appropriate?
Note: For 7.4a(2), ‘Responses might include financial statement issues and risks, important internal and external auditor recommendations, and management’s response to these
2013-2014 Baldrige on Governance
‘Governance processes may include the approval of strategic direction, policy creation and enforcement, the monitoring and evaluation of the senior leader’s performance, the establishment of senior leaders’ compensation and benefits, succession planning, financial auditing, and risk management. Ensuring effective
2013-2014 Baldrige Criteria: Managing for innovation
‘Innovation means making meaningful change to improve your organization’s educational programs and services, processes, operations, and business model, with the purpose of creating new value for stakeholders. Innovation should lead your organization to new dimensions of performance. Innovation requires a supportive environment, a process for identifying strategic opportunities, and the pursuit of intelligent
2013-2014 Baldrige Criteria: More on innovation
‘Innovation results from a supportive environment, a process for identifying strategic opportunities, and the pursuit of those strategic opportunities that you identify as intelligent risks. Achieving innovation requires resource support and the tolerance of failure. Fostering the right climate is the domain of senior leaders, identifying strategic opportunities and intelligent risks is part of strategy, and pursuing the intelligent risks must be embedded in managing organizational operations’ (p. 42).
Definitions of risk: Baldrige
Intelligent Risks: ‘Opportunities for which the potential gain outweighs the potential harm or loss to your organization’s sustainability if you do not explore them. Taking intelligent risks requires a tolerance for failure and an expectation that innovation is not achieved by initiating only successful endeavors. At the outset, education organizations must invest in potential successes while realizing that some will lead to failure.
The degree of risk that is intelligent to take will vary by the pace and level of threat and opportunity in the education sector. In a rapidly changing environment with constant introductions of new programs, services, processes, or business models, there is an obvious need to invest more resources in intelligent risks than in a stable environment. In the latter, organizations must monitor and explore growth potential and change but, most likely, with a less significant commitment of resources’ (p. 47).
‘External strategic challenges may relate to student, other customer, or market needs or expectations; changes in educational programs and services; technological changes; or budgetary, financial, societal, and other risks or needs. Internal
Definitions of risk: Baldrige
Strategic opportunities:
‘Prospects that arise from outside-the-box thinking, brainstorming, capitalizing on serendipity, research and innovation processes, nonlinear extrapolation of current conditions, and other approaches to imagining a different future.
The generation of ideas that lead to strategic opportunities benefits from an environment that encourages nondirected, free thought. Choosing which strategic opportunities to pursue
ISO 31000 (2012):
• ISO 31000 looks at and handles risk from the standpoint of risk having positive as well as negative consequences (Padró, 2014).
• Creation and protection of value;
• Being an integral part of all [organizational] processes;
• Being part of decision-making;
• [Having] capacity to explicitly address uncertainty;
• Being systematic, structured and timely;
• Basing decisions on best available information;
• [Tailoring process] to the institution – [making it the university’s own];
• Transparency and inclusiveness;
• [Being] dynamic, iterative and responsive to change; and
COSO framework
• The Committee of Sponsoring Organizations of the Treadway Commission (COSO, 2013) defines risk as the possibility that an event will occur and adversely affect the achievement of objectives.
• According to Padró (2014), there are two overall approaches espoused in the literature and defined standards by differing organizations that can be applied to forming a risk management framework within an educational institution setting. One approach is the one currently promoted by COSO which reflects the Basel II definition. This
Update articulates principles of effective internal control
Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
Risk Assessment
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change
Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures
Information & Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally
Monitoring Activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies
The beginning of the SWOT exercise: USQ’s LTS example
What is it you do?: Provide PD for academic staff
Do you do it so good, well, ok, or not?: Mixed, but improving
Evidence: Induction satisfaction data; new PD framework & platform satisfaction and analytics framework
Who do you have to convince?: DVC & CIO (ASD), PVC (SILS), SDVC, Eds, AD (LT), HoS, academics
What is it you do?: Student learning support
Do you do it so good, well, ok, or not?: Excellent in Meet-Up; Good in Learning Centre; Good in online support activities
Evidence: Formative satisfaction data (MU, TLC), Use data; analytics as basis of summative evaluation data
Who do you have to convince?: Learners, DVC & CIO, PVC (SILS), AD (S), HoS, academics, accrediting bodies
What is it you do?: Quality assurance support for course and instructional development
Do you do it so good, well, ok, or not?: Limited in scope due to lack of integrated access to T1 and T2 data for analytical purposes
Evidence: Policies and procedures (informal nature of access to data); lack of direct involvement in certain QA processes
Who do you have to convince?: DVC & CIO (ASD), PVC (SILS), SDVC, Eds, AD (LT), HoS, SBMI, TEQSA, accrediting bodies
What is it you do?: Supporting online learning development
Do you do it so good, well, ok, or not?: Excellent in providing text support for online courses (although support terminating as of January 2015); transitioning to e-learning support
Evidence: Usage and satisfaction data; policies and procedures
Now let’s walk through a stakeholder exercise
External stakeholder: TEQSA
Linkage: Regulatory compliance
Level of Impact: Staying open and in good standing
Communications approach: Annual reports, periodic review
External stakeholder: Program accreditation bodies
Linkage: Program recognition and status
Level of Impact: Marketing, ability to remain viable (especially when linked to licensure)
Communications approach: Periodic reviews
External stakeholder: Business and
Let’s look at distinctive objectives:
You do have them
What are your school’s distinctive objectives that make it stand out from other schools?
Or
What are your unit’s/program’s distinctive objectives that make it stand out from other units?
Instructions: Identify what objectives make the unit
How to do the SWOT exercise on distinctive objectives
Instructions: Now that you’ve established your distinguishing objectives and agreed to why these make the unit unique, the next step is to look at each objective and identify what it is you do extremely well (++) for it and contrast it with what you do well (+). As you consider each item, you’ll notice that you begin with an assumption. This is a good place to begin because this brings to the fore the anecdotal inferences that drive judgment distinguishing the extremely well (++) from the well (+). The next step is to identify what and where the evidence is to support your claim that something is done extremely well (++) or well (+). Next is an exercise in thinking about the intended and unintended consequences that have resulted from these activities/events to identify the designed positives and those occurring through happenstance or that were not identified. Unintended consequences should also be positive in nature to support the claim, although less positive consequences can be a marker in distinguishing between a ++ and a +. Then, the exercise makes you identify opportunities that can result from these activities/exercises and evidence to support your thinking. Similarly, you do the same in identifying, based on evidence, what could go wrong either as a result of continued activity in this
Use the following headers
• Very well (++) / Well (+)
• Assumptions
• Evidence
• Intended consequences
• Unintended consequences
• Opportunities
And now for the weaknesses or challenges
Instructions: Now that you’ve established your distinguishing objectives and agreed to why these make the unit unique, the third step is to look at each objective and identify what it is you do extremely poorly (--) for it and contrast it with what you do poorly (-). As you consider each item, you’ll notice that you begin with an assumption. This is a good place to begin because this brings to the fore the anecdotal inferences that drive judgment distinguishing the extremely poorly (--) from that which is done poorly (-). The next step is to identify what and where the evidence is to support your claim that something is done extremely poorly (--) or poorly (-). Next is an exercise in thinking about the intended and unintended consequences that have resulted from these activities/events to identify what poor results were intended or unintended – there are times that objectives will have a designed negative impact to deliver a longer-term or different level positive impact. In this case, unintended consequences should be negative in nature, with the more negative consequences acting as a marker in distinguishing between a -- and a -. Then, the exercise makes you identify opportunities that can result from these activities/exercises and evidence to support your thinking. Similarly, you do the same in identifying, based on evidence, what could go wrong either as a result of continued activity in this realm or what could create an
Use the following headers
• Very poorly (--) / Poorly (-)
• Assumptions
• Evidence
• Intended consequences
• Unintended consequences
• Opportunities
References
Curtis, P. & Carey, M. (2012 October). Risk assessment in practice. Committee of Sponsoring Organizations of the Treadway Commission (COSO). Retrieved from http://www.coso.org/documents/COSOAnncsOnlineSurvy2GainInpt4Updt2IntrnlCntrlIntgratdFrmwrk%20-%20for%20merge_files/COSO-ERM%20Risk%20Assessment%20inPractice%20Thought%20Paper%20OCtober%202012.pdf
Fram, E.H., & Zoffer, H.J. (2005). Are American corporate directors still ignoring the signals? Corporate Governance, 5(1), 31-38.
Maurizio, A., Girolami, L., & Jones, P. (2007). EAI and SOA: Factors and methods influencing the integration of multiple ERP systems (in a SAP environment) to comply with the Sarbanes-Oxley Act. Journal of Enterprise Information Management, 20(1), 14-31.
Padró, F.F. (2014). A conceptual framework on establishing a risk management framework within existing university assessment and evaluation practices. Studies in Learning, Evaluation, Innovation and Development, 10(1), 1-13.
Parles, L.M., O’Sullivan, S.A., & Shannon, J.H. (2007). Sarbanes-Oxley: An overview of current issues and concerns. Review of Business, 27(3), 38-46.
Rosenbloom, D.S. (2006). Take it slow: A novel concept in the life of Sarbanes-Oxley. Washington and Lee Law Review, 63(3), 1185-1217.
Tertiary Education Quality and Standards Agency (TEQSA). (February 2012). Regulatory risk framework. Retrieved from http://www.teqsa.gov.au/sites/default/files/TEQSARegulatoryRiskFramework_0.pdf
Thapa, S., & Brown, C.L. (2007). Corporate scandals, the Sarbanes-Oxley Act of 2002 and equity prices. Academy of Accounting and Financial Studies Journal, 11(1), 83-91.
Vermeer, T.E., Raghunandan, K., & Forgione, D.A. (March 2006). The composition of nonprofit audit committees. Accounting Horizons, 20(1), 75-90.