Organizational Change Management: A Best Practice to Effective ERM Implementation




Christine Ackerman, CPA, Associate Vice President & Director of Internal Audit, University of Cincinnati
Anita Ingram, ARM, Assistant Vice President & Chief Risk Officer, University of Cincinnati

Learning Objectives
After attending this session, participants will be able to:
- Build a successful case and framework for ERM with a defined approach, assessment tools and outcomes.
- List key collaboration and consultative techniques deployed in the partnership between risk management and internal audit to gain top-level support and build consensus with institutional stakeholders for ERM.
- Navigate the challenges and pitfalls of implementing and sustaining a successful ERM program.

Agenda
I. University of Cincinnati
II. Building the Case for ERM
III. Higher Education ERM Environment
IV. Roles of Internal Audit and Risk Management in ERM
V. Leveraging Collaboration
VI. ERM at the University of Cincinnati
VII. Managing Organizational Change
VIII. Developing Key Risk Indicators
IX. Successful ERM

University of Cincinnati: who are we?
UC Facts:
- UC is a public research university with an enrollment of more than 43,000 students
- 372 programs of study
- 16 to 1 student to faculty ratio
- 14 Colleges: Arts and Sciences; Allied Health; Business; Clermont & Blue Ash Colleges (2 Year); Music; Design, Architecture, Art & Planning; Education, Criminal Justice, and Human Services; Engineering & Applied Science; Law; Medicine; Nursing; Pharmacy; Graduate School

Building the Case for ERM
- The decentralized nature and entrepreneurial environment in higher education institutions can lead to challenges in coordinating risk management activities across the institution
- The dynamic nature of higher education requires ongoing assessment and management of a variety of issues to be able to identify, evaluate, and respond to risks

Building the Case for ERM
- Demonstrate small victories with something smaller than full ERM implementation
  - Demonstrate ERM approach using compliance as an example
  - Collaborated on launch of ERM program for UC Foundation
- Hired consultant to assist with developing and implementing ERM framework
- Cost of implementing ERM not unreasonable
- Board of Trustees and senior administration support
- Be careful not to fall into compliance or tactical trap
- Be careful that ERM isn't seen as a way to avoid risk

Higher Ed ERM Environment
- Some Higher Education organizations have robust ERM programs, yet many do not
- With those programs that are in place, they may not be working as intended
- AICPA reports on enterprise risk oversight across a range of industries:
  - 51% of the respondents reported that their organizations had no formal enterprise-wide approach to risk oversight; and
  - Only 14.9% said they had a complete formal enterprise-wide risk management process in place

Roles of Internal Audit and Risk Management in ERM
- Internal audit champions adoption of ERM
- Internal audit participates in ERM interviews and risk advisory council
  - Important that internal audit be positively perceived throughout organization
  - Audit assists with identifying and evaluating risks
  - Audit assists with consolidating and reporting on risks
- Audits can inform and evaluate how units are responding to risk mitigation

Roles of Internal Audit and Risk Management in ERM
- Risk management deals with risks from a broad perspective of strategic, operational, financial, compliance and reputational risks as an interrelated portfolio
- Risk management both leads & participates in risk assessment process and leads the risk advisory council
- Provides the process and methods to manage unwanted variations from expectations, which are linked directly to the organization's strategy
- View risks in a way that crosses silos, builds internal alliances, exhibits flexibility, expands to include emerging risks, and enhances strategic decision-making capabilities

Leveraging Collaboration
- Enterprise risk assessment informs annual audit plan
- Reports are shared, both functions identify different types of risks
  - Chief Risk Officer, by receiving internal audit reports, can help connect the dots, identify trends occurring in internal audit reports
  - Internal audit can utilize knowledge of specific risks to scope and tailor audit procedures
- Collaboration builds efficiencies and improves results by cross-leveraging competencies, roles & responsibilities
- Enhances communication depth and consistency, especially at board and management level

Leveraging Collaboration

Internal Audit
- Defines ERM as a process
- Use specific risk management standard; usually COSO
- Develops audit plan to define the scope of work
- Links findings from any risk-based audit plans and the enterprise risk assessment
- Discuss the risk-based audit plan with risk management

Risk Management
- Defines ERM as a discipline
- Use specific risk management standard; either ISO 31000 or COSO
- Develops the enterprise risk assessment designed to get a sense of the risks and call attention to most severe risks
- Share ERM results with internal audit

Leveraging Collaboration
- Enterprise Risk Management (ERM) is about supporting opportunities as well as preventing problems
- It is tied to business objectives & strategies and supports them
- It works within the entity's culture and will become integral to decision making
- It will ensure that Risk Management applies to all levels of the organization and to all activities

ERM at UC: Program Context
- Effort began in 2012
- VISION STATEMENT: Create a risk-aware culture, permitting the University to ensure an effective means to identify, measure, control, and assign responsibility to manage risks, while encouraging the acceptance of reasonable opportunities.
- 2013: hired consultant to assist with developing ERM framework
- 2014: launched search for CRO; launched formal ERM program

ERM at UC: Timeline

Phase 1: Build the Case for ERM
1. Understand the institution's strategic plans, environment, and culture
2. Determine the status of existing risk management program & processes
3. State goals and objectives (Dec 2014)
4. Obtain top level commitment, support, and participation
Estimated date to completion: June 2015

Phase 2: Build the ERM Foundation
5. Name a Project Leader
6. Plan project and define timeline (Jan 2015)
7. Create a cross functional Risk Council & related subcommittees (Nov 2014)
8. Create mission and goals statement (Jan 2015)
9. Create top-level ERM Executive Committee

Phase 3: Implementation
10. Assess risks and update risk portfolio: validate and prioritize (Jan 2015 and ongoing)
11. Assign ownership and take action (Sept/Oct 2015)
12. Train & educate to assist board, academics & administrators with ERM process

Phase 4: Sustain the ERM Program
13. Measure and assess results; monitor
14. Meet and review regularly; realign risk treatments as appropriate with available resources (periodically)
15. Report results (annually and upon request)
16. Do not neglect traditional risk management functions
17. Develop and implement institution-wide systems for communicating

GREEN: COMPLETED
RED: IN PROGRESS; PARTIALLY COMPLETED
BLACK: FUTURE ACTION

ERM at UC: Framework
[Figure: AS/NZS ISO 31000:2009, overview of the relationships between the risk management principles, framework, and process. Figure labels: Principles; Framework; Monitoring & review, continual improvement and communication occur throughout; RM Process]
Note: The brown arrow depicts that the principles inform the mandate and commitment for managing risk (reflected in the organization's management system). The light blue arrow shows that the framework enables the application of the risk management process. The dark blue arrow indicates that experience in applying the process can improve the organization's management system.

ERM at UC: Governance Structure
[Figure: governance chart with the following boxes]
- Audit & Risk Committee of the Board
- ERM Executive Committee
- ERM Risk Council
- Communications
- Risk Review

ERM at UC: Role of the Board
- Participating in their committees' risk reviews
- Board/Committees should hear from the risk's designated leader, once each year, minimally.
- Ask appropriate, sometimes tough questions and in general, provide oversight.
- Also, board members will be apprised of the university's risk posture by hearing the other committees' reports. Committee reports will be summarized for the full board.
- The president works with the board to set the high-level ERM agenda and develop a statement of risk appetite.

ERM at UC: Risk Identification
- Identified through Interviews, Brainstorming, Emerging Trends, Benchmarking With Peer Institutions, Surveys
- Risks will be categorized: (i) Compliance, (ii) Financial, (iii) Operational, (iv) Strategic, or (v) Reputational
- Top 10-15 Highest Priority risks will be assigned for oversight by committees of the Board of Trustees
- Remaining High/Medium Priority risks will receive oversight from the Risk Council

ERM at UC: Findings
- Information Security/Disaster Recovery Planning/UCIT Operations
- Student Enrollment and Enrollment Management
- Public Safety
- Funding Resources & Budget
- Emergency Management & Business Continuity
- Building/Facilities and Deferred Maintenance
- Strategic Planning
- Dealing with Minors On and Off Campus
- Compliance & Regulatory Issues (various)
- HR Processes & HR Leadership
- Environmental Hazards (Chemical Stores)
- Student Mental Health Issues
- Staffing & Succession Planning

Preliminary research was conducted by ERM personnel with over 70 interviews involving more than 100 individuals, including the President's Executive Cabinet, Deans, Provosts, and key external partners. Research indicates the highest ERM concerns at UC currently focus on the items above.

Risk & Opportunity Heatmap
[Figure: risk and opportunity heatmap]
From: University of Vermont ERM website: http://www.uvm.edu/~erm/?page=evaluation.html&sm=processmenu.html

ERM at UC: What happens next?
- Develop and implement institution-wide systems for communicating (Feb to Dec 2015)
- Assess risks, update risk portfolio: validate and prioritize; input to new RMIS (October 2014 to October 2015)
- ERM Executive Committee Risk Workshop (September 15). Deliverable: HeatMap
- Assign/define ownership of risk areas, and initiate and verify action steps (October to December 2015)

Managing Organizational Change: Impact of Organizational Change
[Figure: curve with axes Performance and Time, passing through four stages]
1. Denial/Shock
2. Anger/Betrayal
3. Pain/Sadness
4. Acceptance/Recovery
Figure annotations: Decreased Trust, Poor Communication & Increased Disengagement; Recovery Phase: Some Improvement in Communication, Trust & Productivity

Managing Organizational Change: Cumulative Effect
[Figure: curve with axes Performance and Time; label: Disengagement]

Managing Organizational Change
Key: Manage the Depth and Duration
[Figure: curve with axes Performance and Time; labels: Recovery, Renewal]

Developing Key Risk Indicators (KRI)
- Linking objectives to strategies to risks to KRIs
- Effective KRIs can provide value in a variety of ways, including:
  - Risk appetite
  - Risk and opportunity identification
  - Risk treatment
  - Risk reporting
  - Compliance efforts
  - Improved performance, process, and improved workplace environment

Developing Key Risk Indicators (KRI)
Depends on risk identified:
- Campus safety: crime statistics, # of NightRide users, international student safety rankings, etc.
- Emergency preparedness and business continuity: # and results of drills and exercises, faculty, staff and student education and outreach, # of business continuity plans, results of business continuity tests
- Information Security: # of breaches, results of external penetration tests and vulnerability scans (# of critical/significant vulnerabilities)
- Enrollment: # of births, # of projected high school graduates

Successful ERM Program
- Buy in and support from the top
- Sustainable process: slow progress is still progress!
- Continuous improvement
- Tools: RMIS/GRC, Interviews, Surveys, Questionnaires
- Strong marketing & communication
- Personnel resources
- Don't use as a means to say no, create additional administrative burden, or create another level of bureaucracy

Successful ERM Program
A successful ERM program allows for:
- Assignment of risks: Distribution of enterprise risks encourages ownership of mitigating and managing risk at the individual/unit level
- Resource optimization: Individuals have autonomy and flexibility to maximize their talents and resources while working within their scope; individuals do not unknowingly complete redundant tasks, reducing the likelihood of expending unnecessary effort, resources and time
- Assignment of accountability: Each individual is uniquely accountable for individual risks as they contribute to a larger, more comprehensive enterprise-wide risk strategy
- Coordination: Higher levels of communication across units and knowledge sharing regarding challenges and perspectives creates opportunities to break down silos resulting in greater, more collaborative coordination

Dilbert on Risk Management
Risk in itself is not bad; risk is essential to progress, and failure is often a key part of learning. But we must learn to balance the possible negative consequences of risk against the potential benefits of its associated opportunity.

Questions? Thank you!

Resources
- Executive Report: The Risk Perspective, Risk Management and Internal Audit: Forging a Collaborative Alliance. Risk and Insurance Management Society Inc., and the Institute of Internal Auditors Inc., 2012.
- Pacific Northwest Enterprise Risk Forum, University of Washington Enterprise Risk Management: A Journal of Discovery, November 7, 2012.
- COSO Thought Leadership in ERM: Developing Key Risk Indicators to Strengthen Enterprise Risk Management, How Key Risk Indicators Can Sharpen Focus on Emerging Risks, by Mark Beasley, Bruce Branson, Bonnie Hancock, 2010.

Sources of Information:
- ANSI/ASSE/ISO 31000, the only international standard on risk management, 2009
- COSO ERM Framework, 2004
- Risk Management: An Accountability Guide for University and College Boards, by Janice Abraham, AGB & UE, 2013
- Consulting firms: Huron
- GRC (Governance, Risk & Compliance; software and consulting): Riskonnect, Ventiv, Marsh Clearsights, etc.

Helpful websites:
- http://erm.ncsu.edu/
- http://www.ecu.edu/erm/
- http://f2.washington.edu/fm/erm
- http://www.ucop.edu/enterprise-risk-management/
- http://www.coso.org/erm.htm
- https://www.rims.org/erm/pages/whatiserm.aspx
- http://www.uvm.edu/~erm/?page=evaluation.html&sm=processmenu.html