Organizational Change Management: A Best Practice to Effective ERM Implementation

N/A
N/A
Protected

Academic year: 2021

Share "Organizational Change Management: A Best Practice to Effective ERM Implementation"

Copied!
32
0
0

Loading.... (view fulltext now)

Full text

(1)

2015 ANNUAL CONFERENCE

Indianapolis

Organizational Change Management: A Best Practice to Effective ERM Implementation

Christine Ackerman, CPA
Associate Vice President & Director of Internal Audit
University of Cincinnati

Anita Ingram, ARM
Assistant Vice President & Chief Risk Officer
University of Cincinnati

(2)

Learning Objectives

After attending this session, participants will be able to:

• Build a successful case and framework for ERM with a defined approach, assessment tools and outcomes.
• List key collaboration and consultative techniques deployed in the partnership between risk management and internal audit to gain top-level support and build consensus with institutional stakeholders for ERM.
• Navigate the challenges and pitfalls of implementing and sustaining a successful ERM program.

(3)

Agenda

I. University of Cincinnati
II. Building the Case for ERM
III. Higher Education ERM Environment
IV. Roles of Internal Audit and Risk Management in ERM
V. Leveraging Collaboration
VI. ERM at the University of Cincinnati
VII. Managing Organizational Change
VIII. Developing Key Risk Indicators
IX. Successful ERM

(4)

University of Cincinnati – who are we?

UC Facts:

• UC is a public research university with an enrollment of more than 43,000 students;
• 372 programs of study;
• 16 to 1 student to faculty ratio;
• 14 Colleges
  - Arts and Sciences; Allied Health; Business; Clermont & Blue Ash Colleges (2 Year); Music; Design, Architecture, Art & Planning; Education, Criminal Justice, and Human Services; Engineering & Applied Science; Law; Medicine; Nursing; Pharmacy; Graduate School

(5)

Building the Case for ERM

• The decentralized nature and entrepreneurial environment in higher education institutions can lead to challenges in coordinating risk management activities across the institution
• The dynamic nature of higher education requires ongoing assessment and management of a variety of issues to be able to identify, evaluate, and respond to risks

(6)

Building the Case for ERM

• Demonstrate small victories with something smaller than full ERM implementation
  - Demonstrate ERM approach using compliance as an example
  - Collaborated on launch of ERM program for UC Foundation
• Hired consultant to assist with developing and implementing ERM framework
• Cost of implementing ERM not unreasonable
• Board of Trustees and senior administration support
• Be careful not to fall into compliance or tactical trap
• Be careful that ERM isn’t seen as a way to avoid risk

(7)

Higher Ed ERM Environment

• Some Higher Education organizations have robust ERM programs, yet many do not
• Those programs that are in place may not be working as intended
• AICPA reports on enterprise risk oversight across a range of industries:
  - 51% of the respondents reported that their organizations had no formal enterprise-wide approach to risk oversight; and
  - Only 14.9% said they had a complete formal enterprise-wide risk management process in place

(8)

Roles of Internal Audit and Risk Management in ERM

(9)

Roles of Internal Audit and Risk Management in ERM

• Internal audit champions adoption of ERM
• Internal audit participates in ERM interviews and risk advisory council
  - Important that internal audit be positively perceived throughout organization
  - Audit assists with identifying and evaluating risks
  - Audit assists with consolidating and reporting on risks
• Audits can inform and evaluate how units are responding to risk mitigation

(10)

Roles of Internal Audit and Risk Management in ERM

• Risk management deals with risks from a broad perspective of strategic, operational, financial, compliance and reputational risks as an interrelated portfolio
• Risk management both leads & participates in risk assessment process and leads the risk advisory council
• Provides the process and methods to manage unwanted variations from expectations, which are linked directly to the organization’s strategy
• View risks in a way that crosses silos, builds internal alliances, exhibits flexibility, expands to include emerging risks, and enhances strategic decision-making capabilities

(11)

Leveraging Collaboration

• Enterprise risk assessment informs annual audit plan
• Reports are shared, both functions identify different types of risks
  - Chief Risk Officer, by receiving internal audit reports, can help ‘connect the dots’, identify trends occurring in internal audit reports
  - Internal audit can utilize knowledge of specific risks to scope and tailor audit procedures
• Collaboration builds efficiencies and improves results by cross-leveraging competencies, roles & responsibilities
• Enhances communication depth and consistency, especially at board and management level

(12)

Leveraging Collaboration

Internal Audit
• Defines ERM as a process
• Uses a specific risk management standard; usually COSO
• Develops audit plan to define the scope of work
• Links findings from any risk-based audit plans and the enterprise risk assessment
• Discusses the risk-based audit plan with risk management

Risk Management
• Defines ERM as a discipline
• Uses a specific risk management standard; either ISO 31000 or COSO
• Develops the enterprise risk assessment designed to get a sense of the risks and call attention to most severe risks
• Shares ERM results with internal audit

(13)

Leveraging Collaboration

• Enterprise Risk Management (ERM) is about supporting opportunities as well as preventing problems
• It is tied to business objectives & strategies – and supports them
• It works within the entity’s culture and will become integral to decision making
• It will ensure that Risk Management applies to all levels of the organization and to all activities

(14)

ERM at UC: Program Context

• Effort Began in 2012
• VISION STATEMENT: Create a risk-aware culture, permitting the University to ensure an effective means to identify, measure, control, and assign responsibility to manage risks, while encouraging the acceptance of reasonable opportunities.
• 2013 hired consultant to assist with developing ERM framework
• 2014 launched search for CRO; launched formal ERM program

(15)

ERM at UC: Timeline

Phase 1: Build the Case for ERM
1. Understand the institution’s strategic plans, environment, and culture
2. Determine the status of existing risk management program & processes
3. State goals and objectives (Dec 2014)
4. Obtain top-level commitment, support, and participation
Estimated date to completion: June 2015

Phase 2: Build the ERM Foundation
5. Name a Project Leader
6. Plan project and define timeline (Jan 2015)
7. Create a cross-functional Risk Council & related subcommittees (Nov 2014)
8. Create mission and goals statement (Jan 2015)
9. Create top-level ERM Executive Committee

Phase 3: Implementation
10. Assess risks and update risk portfolio: validate and prioritize (Jan 2015 and ongoing)
11. Assign ownership and take action (Sept/Oct 2015)
12. Train & educate to assist board, academics & administrators with ERM process

Phase 4: Sustain the ERM Program
13. Measure and assess results; monitor
14. Meet and review regularly; realign risk treatments as appropriate with available resources (periodically)
15. Report results (annually and upon request)
16. Do not neglect traditional risk management functions
17. Develop and implement institution-wide systems for communicating

Colour key on the slide: GREEN: COMPLETED; RED: IN PROGRESS; PARTIALLY COMPLETED

(16)

ERM at UC: Framework

[Figure: AS/NZS ISO 31000:2009 — Overview of the relationships between the risk management principles, framework, and process (panels labelled Framework and RM Process)]

Note: The brown arrow depicts that the principles inform the mandate and commitment for managing risk (reflected in the organization’s management system). The light blue arrow shows that the framework enables the application of the risk management process. The dark blue arrow indicates that experience in applying the process can improve the organization’s management system.

Monitoring & review, continual improvement and communication occur throughout.

(17)

ERM at UC: Governance Structure

[Figure: governance structure with the elements Audit & Risk Committee of the Board; ERM Executive Committee; ERM Risk Council; Communications]

(18)

ERM at UC: Role of the Board

• Participating in their committees’ risk reviews
• Board/Committees should hear from the risk’s designated leader, once each year, minimally.
• Ask appropriate, sometimes tough questions and in general, provide oversight.
• Also, board members will be apprised of the university’s risk posture by hearing the other committees’ reports.
• Committee reports will be summarized for the full board.
• The president works with the board to set the high-level ERM agenda and develop a statement of risk appetite.

(19)

ERM at UC: Risk Identification

• Identified through Interviews, Brainstorming, Emerging Trends, Benchmarking With Peer Institutions, Surveys
• Risks will be categorized: (i) Compliance, (ii) Financial, (iii) Operational, (iv) Strategic, or (v) Reputational
• Top 10-15 Highest Priority risks will be assigned for oversight by committees of the Board of Trustees
• Remaining High/Medium Priority risks will receive oversight from the Risk Council

(20)

• Information Security/Disaster Recovery Planning/UCIT Operations
• Student Enrollment and Enrollment Management
• Public Safety
• Funding Resources & Budget
• Emergency Management & Business Continuity
• Building/Facilities and Deferred Maintenance
• Strategic Planning
• Dealing with Minors On and Off Campus
• Compliance & Regulatory Issues (various)
• HR Processes & HR Leadership
• Environmental Hazards (Chemical Stores)
• Student Mental Health Issues
• Staffing & Succession Planning

Preliminary research was conducted by ERM personnel with over 70 interviews involving more than 100 individuals, including the President’s Executive Cabinet, Deans, Provosts, and key external partners. Research indicates the highest ERM concerns at UC currently focus on the items above.

(21)

Risk & Opportunity Heatmap

[Figure: Risk & Opportunity Heatmap] From: University of Vermont ERM website: http://www.uvm.edu/~erm/?Page=evaluation.html&SM=processmenu.html

(22)

ERM at UC: What happens next?

• ERM Executive Committee Risk Workshop (September ‘15). Deliverable: HeatMap
• Assess risks, update risk portfolio: validate and prioritize; input to new RMIS (October 2014 to October 2015)
• Assign/define ownership of risk areas and initiate, and verify action steps (October to December 2015)
• Develop and implement institution-wide systems for communicating (Feb to Dec 2015)

(23)

Managing Organizational Change

[Figure: Impact of Organizational Change – performance (vertical axis) over time (horizontal axis), through four stages: 1. Denial/Shock, 2. Anger/Betrayal, 3. Pain/Sadness, 4. Acceptance/Recovery. Annotations: “Decreased Trust, Poor Communication & Increased Disengagement” and “Recovery Phase: Some Improvement in Communication, Trust & Productivity”]

(24)

Managing Organizational Change: Cumulative Effect

[Figure: performance (vertical axis) over time (horizontal axis)]

(25)

Managing Organizational Change

[Figure: performance (vertical axis) over time (horizontal axis), with the phases labelled Recovery and Renewal]

(26)

Developing Key Risk Indicators (KRI)

• Linking objectives to strategies to risks to KRI’s
• Effective KRI’s can provide value in a variety of ways, including:
  - Risk appetite
  - Risk and opportunity identification
  - Risk treatment
  - Risk reporting
  - Compliance efforts
  - Improved performance, process, and improved workplace environment

(27)

Developing Key Risk Indicators (KRI)

Depends on risk identified

• Campus safety
  - Crime statistics, # of NightRide users, international student safety rankings, etc.
• Emergency preparedness and business continuity
  - # and results of drills and exercises, faculty, staff and student education and outreach, # of business continuity plans, results of business continuity tests
• Information Security
  - # of breaches, results of external penetration tests and vulnerability scans (# of critical/significant vulnerabilities)
• Enrollment
  - # of births, # of projected high school graduates

(28)

Successful ERM Program

• Buy in and support from the top
• Sustainable process – slow progress is still progress!
• Continuous improvement
• Tools: RMIS/GRC, Interviews, Surveys, Questionnaires
• Strong marketing & communication
• Personnel resources
• Don’t use as a means to say ‘no’, create additional administrative burden, or create another level of bureaucracy

(29)

Successful ERM Program

A successful ERM program allows for:

• Assignment of risks – Distribution of enterprise risks encourages ownership of mitigating and managing risk at the individual/unit level
• Resource optimization – Individuals have autonomy and flexibility to maximize their talents and resources while working within their scope; individuals do not unknowingly complete redundant tasks, reducing the likelihood of expending unnecessary effort, resources and time
• Assignment of accountability – Each individual is uniquely accountable for individual risks as they contribute to a larger, more comprehensive enterprise wide risk strategy
• Coordination – Higher levels of communication across units and knowledge sharing regarding challenges and perspectives creates opportunities to break down silos resulting in greater, more collaborative coordination

(30)

Dilbert on Risk Management

“Risk in itself is not bad; risk is essential to progress, and failure is often a key part of learning. But we must learn to balance the possible negative

(31)

Questions?

(32)

Resources

• Executive Report: The Risk Perspective, “Risk Management and Internal Audit: Forging a Collaborative Alliance”, Risk and Insurance Management Society Inc. and the Institute of Internal Auditors Inc., 2012.
• Pacific Northwest Enterprise Risk Forum, “University of Washington Enterprise Risk Management - A Journal of Discovery”, November 7, 2012.
• COSO Thought Leadership in ERM, “Developing Key Risk Indicators to Strengthen Enterprise Risk Management: How Key Risk Indicators Can Sharpen Focus on Emerging Risks”, by Mark Beasley, Bruce Branson, Bonnie Hancock, 2010.

Sources of Information:

• ANSI/ASSE/ISO 31000 – the only international standard on risk management – 2009
• COSO ERM Framework – 2004
• “Risk Management – An Accountability Guide for University and College Boards” by Janice Abraham – AGB & UE – 2013
• Consulting firms – Huron
• GRC – Governance, Risk & Compliance (software and consulting): Riskonnect, Ventiv, Marsh Clearsights, etc.

Helpful websites:

http://erm.ncsu.edu/
http://www.ecu.edu/erm/
http://f2.washington.edu/fm/erm
http://www.uvm.edu/~erm/?Page=evaluation.html&SM=processmenu.html
http://www.ucop.edu/enterprise-risk-management/
http://www.coso.org/-erm.htm
