2015 ANNUAL CONFERENCE
Indianapolis
Organizational Change Management: A Best Practice to Effective ERM Implementation
Christine Ackerman, CPA
Associate Vice President & Director of Internal Audit, University of Cincinnati
Anita Ingram, ARM
Assistant Vice President & Chief Risk Officer, University of Cincinnati
Learning Objectives
After attending this session, participants will be able to:
• Build a successful case and framework for ERM with a defined approach, assessment tools and outcomes.
• List key collaboration and consultative techniques deployed in the partnership between risk management and internal audit to gain top-level support and build consensus with institutional stakeholders for ERM.
• Navigate the challenges and pitfalls of implementing and sustaining a successful ERM program.
Agenda
I. University of Cincinnati
II. Building the Case for ERM
III. Higher Education ERM Environment
IV. Roles of Internal Audit and Risk Management in ERM
V. Leveraging Collaboration
VI. ERM at the University of Cincinnati
VII. Managing Organizational Change
VIII. Developing Key Risk Indicators
IX. Successful ERM
University of Cincinnati – who are we?
UC Facts:
• UC is a public research university with an enrollment of more than 43,000 students;
• 372 programs of study;
• 16 to 1 student to faculty ratio;
• 14 Colleges
- Arts and Sciences; Allied Health; Business; Clermont & Blue Ash Colleges (2 Year); Music; Design, Architecture, Art & Planning; Education, Criminal Justice, and Human Services; Engineering & Applied Science; Law; Medicine; Nursing; Pharmacy; Graduate School
Building the Case for ERM
• The decentralized nature and entrepreneurial environment in higher education institutions can lead to challenges in coordinating risk management activities across the institution
• The dynamic nature of higher education requires ongoing assessment and management of a variety of issues to be able to identify, evaluate, and respond to risks
Building the Case for ERM
• Demonstrate small victories with something smaller than full ERM implementation
- Demonstrate ERM approach using compliance as an example
- Collaborated on launch of ERM program for UC Foundation
• Hired consultant to assist with developing and implementing ERM framework
• Cost of implementing ERM not unreasonable
• Board of Trustees and senior administration support
• Be careful not to fall into compliance or tactical trap
• Be careful that ERM isn’t seen as a way to avoid risk
Higher Ed ERM Environment
• Some Higher Education organizations have robust ERM programs, yet many do not
• With those programs that are in place, they may not be working as intended
• AICPA reports on enterprise risk oversight across a range of industries:
- 51% of the respondents reported that their organizations had no formal enterprise-wide approach to risk oversight; and
- Only 14.9% said they had a complete formal enterprise-wide risk management process in place
Roles of Internal Audit and Risk Management in ERM
• Internal audit champions adoption of ERM
• Internal audit participates in ERM interviews and risk advisory council
- Important that internal audit be positively perceived throughout organization
- Audit assists with identifying and evaluating risks
- Audit assists with consolidating and reporting on risks
• Audits can inform and evaluate how units are responding to risk mitigation
Roles of Internal Audit and Risk Management in ERM
• Risk management deals with risks from a broad perspective of strategic, operational, financial, compliance and reputational risks as an interrelated portfolio
• Risk management both leads & participates in the risk assessment process and leads the risk advisory council
• Provides the process and methods to manage unwanted variations from expectations, which are linked directly to the organization’s strategy
View risks in a way that crosses silos, builds internal alliances, exhibits flexibility, expands to include emerging risks, and enhances strategic decision-making capabilities
Leveraging Collaboration
• Enterprise risk assessment informs annual audit plan
• Reports are shared; both functions identify different types of risks
- Chief Risk Officer, by receiving internal audit reports, can help ‘connect the dots’ and identify trends occurring in internal audit reports
- Internal audit can utilize knowledge of specific risks to scope and tailor audit procedures
• Collaboration builds efficiencies and improves results by cross-leveraging competencies, roles & responsibilities
• Enhances communication depth and consistency, especially at board and management level
Leveraging Collaboration
Internal Audit:
• Defines ERM as a process
• Uses a specific risk management standard; usually COSO
• Develops audit plan to define the scope of work
• Links findings from any risk-based audit plans and the enterprise risk assessment
• Discusses the risk-based audit plan with risk management
Risk Management:
• Defines ERM as a discipline
• Uses a specific risk management standard; either ISO 31000 or COSO
• Develops the enterprise risk assessment designed to get a sense of the risks and call attention to the most severe risks
• Shares ERM results with internal audit
Leveraging Collaboration
• Enterprise Risk Management (ERM) is about supporting opportunities as well as preventing problems
• It is tied to business objectives & strategies – and supports them
• It works within the entity’s culture and will become integral to decision making
• It will ensure that Risk Management applies to all levels of the organization and to all activities
ERM at UC: Program Context
• Effort began in 2012
• VISION STATEMENT: Create a risk-aware culture, permitting the University to ensure an effective means to identify, measure, control, and assign responsibility to manage risks, while encouraging the acceptance of reasonable opportunities.
• 2013 hired consultant to assist with developing ERM framework
• 2014 launched search for CRO; launched formal ERM program
ERM at UC: Timeline
Phase 1: Build the Case for ERM
1. Understand the institution’s strategic plans, environment, and culture
2. Determine the status of existing risk management program & processes
3. State goals and objectives (Dec 2014)
4. Obtain top-level commitment, support, and participation
Estimated date to completion: June 2015
Phase 2: Build the ERM Foundation
5. Name a Project Leader
6. Plan project and define timeline (Jan 2015)
7. Create a cross-functional Risk Council & related subcommittees (Nov 2014)
8. Create mission and goals statement (Jan 2015)
9. Create top-level ERM Executive Committee
Phase 3: Implementation
10. Assess risks and update risk portfolio: validate and prioritize (Jan 2015 and ongoing)
11. Assign ownership and take action (Sept/Oct 2015)
12. Train & educate to assist board, academics & administrators with ERM process
Phase 4: Sustain the ERM Program
13. Measure and assess results; monitor
14. Meet and review regularly; realign risk treatments as appropriate with available resources (periodically)
15. Report results (annually and upon request)
16. Do not neglect traditional risk management functions
17. Develop and implement institution-wide systems for communicating
Legend (colour-coded on the original slide; colours are not preserved here): GREEN = completed; RED = in progress / partially completed
ERM at UC: Framework
[Figure: AS/NZS ISO 31000:2009 — overview of the relationships between the risk management principles, framework, and process. The diagram labels "Framework" and "RM Process" and notes that monitoring & review, continual improvement and communication occur throughout.]
Note: The brown arrow depicts that the principles inform the mandate and commitment for managing risk (reflected in the organization’s management system). The light blue arrow shows that the framework enables the application of the risk management process. The dark blue arrow indicates that experience in applying the process can improve the organization’s management system.
ERM at UC: Governance Structure
[Figure: governance diagram showing the Audit & Risk Committee of the Board, the ERM Executive Committee, and the ERM Risk Council, with "Communications" shown as the element connecting them.]
ERM at UC: Role of the Board
• Participating in their committees’ risk reviews
• Board/committees should hear from the risk’s designated leader at least once each year
• Ask appropriate, sometimes tough, questions and in general provide oversight
• Board members will also be apprised of the university’s risk posture by hearing the other committees’ reports
• Committee reports will be summarized for the full board
• The president works with the board to set the high-level ERM agenda and develop a statement of risk appetite
ERM at UC: Risk Identification
• Identified through interviews, brainstorming, emerging trends, benchmarking with peer institutions, surveys
• Risks will be categorized: (i) Compliance, (ii) Financial, (iii) Operational, (iv) Strategic, or (v) Reputational
• Top 10-15 highest priority risks will be assigned for oversight by committees of the Board of Trustees
• Remaining high/medium priority risks will receive oversight from the Risk Council
• Information Security/Disaster Recovery Planning/UCIT Operations
• Student Enrollment and Enrollment Management
• Public Safety
• Funding Resources & Budget
• Emergency Management & Business Continuity
• Building/Facilities and Deferred Maintenance
• Strategic Planning
• Dealing with Minors On and Off Campus
• Compliance & Regulatory Issues (various)
• HR Processes & HR Leadership
• Environmental Hazards (Chemical Stores)
• Student Mental Health Issues
• Staffing & Succession Planning
Preliminary research was conducted by ERM personnel with over 70 interviews involving more than 100 individuals, including the President’s Executive Cabinet, Deans, Provosts, and key external partners. Research indicates the highest ERM concerns at UC currently focus on the items above.
Risk & Opportunity Heatmap
[Figure: risk & opportunity heat map, not reproduced. From: University of Vermont ERM website: http://www.uvm.edu/~erm/?Page=evaluation.html&SM=processmenu.html]
ERM at UC: What happens next?
• ERM Executive Committee Risk Workshop (September ‘15). Deliverable: heat map
• Assess risks, update risk portfolio: validate and prioritize; input to new RMIS (October 2014 to October 2015)
• Assign/define ownership of risk areas and initiate and verify action steps (October to December 2015)
• Develop and implement institution-wide systems for communicating (Feb to Dec 2015)
Managing Organizational Change
Impact of Organizational Change
[Figure: performance over time following a change. Axes: Performance (vertical) and Time (horizontal). Stages marked along the curve: 1. Denial/Shock; 2. Anger/Betrayal; 3. Pain/Sadness; 4. Acceptance/Recovery. The decline is labelled "Decreased Trust, Poor Communication & Increased Disengagement"; the upturn is labelled "Recovery Phase: Some Improvement in Communication, Trust & Productivity".]
Managing Organizational Change: Cumulative Effect
[Figure: Performance vs. Time chart for the cumulative effect; only the axis labels survived extraction.]
Managing Organizational Change
[Figure: Performance vs. Time chart with the phases labelled "Recovery" and "Renewal".]
Developing Key Risk Indicators (KRI)
• Linking objectives to strategies to risks to KRIs
• Effective KRIs can provide value in a variety of ways, including:
- Risk appetite
- Risk and opportunity identification
- Risk treatment
- Risk reporting
- Compliance efforts
- Improved performance, process, and improved workplace environment
Developing Key Risk Indicators (KRI)
• Depends on risk identified
Campus safety
- Crime statistics, # of NightRide users, international student safety rankings, etc.
Emergency preparedness and business continuity
- # and results of drills and exercises, faculty, staff and student education and outreach, # of business continuity plans, results of business continuity tests
Information Security
- # of breaches, results of external penetration tests and vulnerability scans (# of critical/significant vulnerabilities)
Enrollment
- # of births, # of projected high school graduates
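The Information Security measures listed above (breach counts, critical findings from external penetration tests and vulnerability scans) only become key risk indicators once each is tied to an objective, given a tolerance drawn from the risk appetite, and tracked for trend. The Python below is an added example and is not part of the presentation or of the University of Cincinnati's program: every scan finding, monthly value, indicator name and threshold in it is constructed for illustration. It derives one indicator from raw scan findings (critical findings still open past a remediation deadline), rates each indicator against a hypothetical appetite threshold, classifies its trend against recent history, and lists the indicators that would warrant Risk Council escalation. It also handles an indicator where a higher value is better (business-continuity tests passed), which the slide lists under emergency preparedness.

```python
"""KRIs for an information-security risk area. Added example, not from the
presentation or UC's ERM program; all findings, monthly values, indicator
names and thresholds are constructed for illustration only."""
from dataclasses import dataclass
from datetime import date
from statistics import mean

@dataclass(frozen=True)
class Kri:
    name: str                       # indicator as it appears in the risk register
    objective: str                  # objective -> strategy -> risk -> KRI linkage
    appetite: float                 # hypothetical tolerance from the risk appetite statement
    higher_is_worse: bool = True    # False for "good" measures such as test pass rates
    warning_fraction: float = 0.25  # width of the amber band as a fraction of appetite

# Hypothetical indicator definitions (names and thresholds are illustrative).
INFOSEC_KRIS = {
    "confirmed_breaches": Kri("Confirmed data breaches per month", "Protect institutional data", 0),
    "critical_vulns_open_30d": Kri("Critical scan findings open > 30 days", "Maintain secure IT operations", 10),
    "pentest_high_findings": Kri("High-severity external pentest findings", "Maintain secure IT operations", 3),
    "bcp_tests_passed_pct": Kri("Business-continuity tests passed (%)", "Resilient operations", 80,
                                higher_is_worse=False, warning_fraction=0.10),
}

# Constructed six-month history per indicator, oldest first (not real data).
SAMPLE_HISTORY = {
    "confirmed_breaches": [0, 0, 0, 0, 1, 0],
    "critical_vulns_open_30d": [4, 6, 7, 9, 11, 14],
    "pentest_high_findings": [5, 4, 3, 3, 2, 3],
    "bcp_tests_passed_pct": [70, 75, 82, 85, 88, 90],
}

# Constructed scan findings: (id, severity, first seen, closed date or None = still open).
SAMPLE_FINDINGS = [
    ("F-1", "critical", date(2015, 4, 2), None),
    ("F-2", "critical", date(2015, 5, 20), None),
    ("F-3", "high", date(2015, 3, 1), None),
    ("F-4", "critical", date(2015, 1, 10), date(2015, 2, 1)),
    ("F-5", "critical", date(2015, 6, 25), None),
]
AS_OF = date(2015, 6, 30)  # reporting date for the constructed findings

def critical_open_longer_than(findings, as_of, max_age_days=30):
    """Derive a KRI value from raw scan output: critical findings still open past the deadline."""
    return sum(1 for _, sev, first_seen, closed in findings
               if sev == "critical" and closed is None and (as_of - first_seen).days > max_age_days)

def distance_from_appetite(kri, value):
    """Positive when the reading is on the wrong side of the appetite threshold."""
    return value - kri.appetite if kri.higher_is_worse else kri.appetite - value

def rate(kri, value):
    """Traffic light: red = outside appetite, amber = inside but within the warning band."""
    gap = distance_from_appetite(kri, value)
    if gap > 0:
        return "red"
    warning_band = kri.warning_fraction * abs(kri.appetite)  # zero-tolerance KRIs get no amber band
    return "amber" if gap > -warning_band else "green"

def trend(kri, history, window=3):
    """Compare the latest reading with the mean of the preceding `window` readings."""
    if len(history) < 2:
        return "insufficient data"
    baseline = mean(history[-(window + 1):-1])
    delta = history[-1] - baseline
    if abs(delta) <= 0.1 * max(abs(baseline), 1):  # within 10% of baseline counts as stable
        return "stable"
    worse = delta > 0 if kri.higher_is_worse else delta < 0
    return "worsening" if worse else "improving"

def kri_report(kris, history):
    """Rows a risk register or RMIS would ingest: latest value, rating and trend per KRI."""
    return [{"indicator": kri.name, "objective": kri.objective, "latest": history[key][-1],
             "appetite": kri.appetite, "status": rate(kri, history[key][-1]),
             "trend": trend(kri, history[key])}
            for key, kri in kris.items()]

def escalations(report):
    """Indicators for Risk Council attention: outside appetite, or amber and getting worse."""
    return [r["indicator"] for r in report
            if r["status"] == "red" or (r["status"] == "amber" and r["trend"] == "worsening")]

if __name__ == "__main__":
    print("Critical findings open > 30 days as of", AS_OF, ":",
          critical_open_longer_than(SAMPLE_FINDINGS, AS_OF))
    report = kri_report(INFOSEC_KRIS, SAMPLE_HISTORY)
    for row in report:
        print(f"{row['status']:6}{row['trend']:11}{row['indicator']} "
              f"(latest {row['latest']}, appetite {row['appetite']})")
    print("Escalate:", escalations(report))
```

The 30-day deadline, the amber band and the three-month trend window stand in for choices a real program would record in its risk appetite statement and reporting procedure; the point of the structure is that every row traces an objective to a risk to a measurable indicator with an explicit tolerance, which is what lets a Risk Council or board committee ask whether a risk is inside appetite without re-reading raw scan output.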
Successful ERM Program
• Buy-in and support from the top
• Sustainable process – slow progress is still progress!
• Continuous improvement
• Tools: RMIS/GRC, interviews, surveys, questionnaires
• Strong marketing & communication
• Personnel resources
• Don’t use as a means to say ‘no’, create additional administrative burden, or create another level of bureaucracy
Successful ERM Program
A successful ERM program allows for:
• Assignment of risks – Distribution of enterprise risks encourages ownership of mitigating and managing risk at the individual/unit level
• Resource optimization – Individuals have autonomy and flexibility to maximize their talents and resources while working within their scope; individuals do not unknowingly complete redundant tasks, reducing the likelihood of expending unnecessary effort, resources and time
• Assignment of accountability – Each individual is uniquely accountable for individual risks as they contribute to a larger, more comprehensive enterprise-wide risk strategy
• Coordination – Higher levels of communication across units and knowledge sharing regarding challenges and perspectives create opportunities to break down silos, resulting in greater, more collaborative coordination
Dilbert on Risk Management
“Risk in itself is not bad; risk is essential to progress, and failure is often a key
part of learning. But we must learn to balance the possible negative
Questions?
Resources
o Executive Report: The Risk Perspective, “Risk Management and Internal Audit: Forging a Collaborative Alliance”, Risk and Insurance Management Society Inc. and the Institute of Internal Auditors Inc., 2012.
o Pacific Northwest Enterprise Risk Forum, “University of Washington Enterprise Risk Management – A Journal of Discovery”, November 7, 2012.
o COSO Thought Leadership in ERM, “Developing Key Risk Indicators to Strengthen Enterprise Risk Management: How Key Risk Indicators Can Sharpen Focus on Emerging Risks”, by Mark Beasley, Bruce Branson, Bonnie Hancock, 2010.
Sources of Information:
o ANSI/ASSE/ISO 31000 – the only international standard on risk management – 2009
o COSO ERM Framework – 2004
o “Risk Management – An Accountability Guide for University and College Boards” by Janice Abraham – AGB & UE – 2013
o Consulting firms – Huron
o GRC – Governance, Risk & Compliance (software and consulting): Riskonnect, Ventiv, Marsh Clearsights, etc.
Helpful websites:
http://erm.ncsu.edu/
http://www.ecu.edu/erm/
http://f2.washington.edu/fm/erm
http://www.uvm.edu/~erm/?Page=evaluation.html&SM=processmenu.html
http://www.ucop.edu/enterprise-risk-management/
http://www.coso.org/-erm.htm