Attorney Perspectives: Enterprise Risk Management in a Time of Innovation Nancy Pringle, Vice President and General Counsel, Ithaca College Stephen Sencer, Senior Vice President and General Counsel, Emory University Leanne Shank, General Counsel, Washington and Lee University
Agenda Relationship between NACUA and NACUBO Evolution of Enterprise Risk Management Collaboration with GCs and CBOs Various Approaches Board Engagement
Relationship between NACUA and NACUBO Collaboration on Joint Programming and Workshops Compliance Alliance Common, Institution-Wide Interests and Goals: Regulation, Compliance, Enterprise Risk Management
Enterprise Risk Management What it is and what it is not Institutions are different Size Culture Roles on campus Senior Administrators Others
Collaborative Models between GC and CBO Emory University Washington and Lee Ithaca College
Emory's EVP F&A Guidance Identify: Know what your big risks are? What could really hurt your mission? Assess: Know your vulnerability and deliberately accept or invest resources to mitigate. Plan: Know what you will do (and how you will act) if risk plays out before mitigated. Process: Develop a process for doing the above. Objective: No surprises
Emory's Risk Philosophy Risk, in one form or another, is present in virtually all worthwhile endeavors. Not all risk is bad; the goal is not to eliminate all risk, for doing so would unduly limit productive activity. Rather, the goal is to assume risk judiciously, mitigate it when possible, and prepare to respond effectively and efficiently when necessary.
ERM Implementation Steps Step 1 Find a Champion Step 2 Create Broad Organization Step 3 Conduct Initial Risk Assessment Step 4 Assign Ownership Step 5 Develop Risk Management Plans Step 6 Present to Senior Leadership Step 7 Take Action Where Needed Step 8 Repeat
Step 1: Find a Champion Staff and faculty need to know participation is mandatory Risk assessment takes a lot of effort The process itself is risky to individuals Emory's champions Chair of Audit Committee President EVP for Finance Administration Note: The Program will reflect the priorities of the Champion
Step 2: Create Broad Organization ERM Executive Committee President (Committee Chair) Provost EVP for Health Affairs EVP for F&A SVP and General Counsel SVP and Dean for Campus Life SVP for Development VP and Secretary VP of Communications President and CEO, Emory Healthcare ERM Steering Committee Chief Risk Officer (Co-Chair) Chief Audit Officer (Co-Chair) Chief Investment Officer Deputy General Counsel VP for Campus Services VP for Finance VP for Human Resources VP for IT VP for Research Administration Senior Vice Provost Director of Student Activities Director of CEPAR Finance & Investment Campus Safety & Physical Plant Healthcare Human Resources Information Technology Governance & Corporate Affairs Academic & Student Affairs Research
Step 3: Conduct Initial Risk Assessment Cast a big net Asked committees to identify EVERY risk Generated 555 risks Eliminated duplicates Reduced list to 140 Assessed frequency and severity rankings Distilled the list to 50 Key Risks
EMORY ENTERPRISE RISK MANAGEMENT (ERM) 0.5
RISK IDENTIFICATION - SORTED BY ADJUSTED RISK SCORE

| No. | (b) Risk | (c) POL | (d) RMPO | (e) Likelihood (1 thru 4) | (f) Impact (1 thru 4) | (g) Adj Risk Score = [.50(e)]+(f) | (h) Group |
|---|---|---|---|---|---|---|---|
| 1 | | VP Research Admin | Don Jones | 4 | 3 | 5 | Research |
| 2 | | VP Research Admin | Don Jones | 4 | 3 | 5 | Research |
| 3 | | EVP-FA/Provost | Susan Smith | 4 | 3 | 5 | Operational |
| 4 | | EVP WHSC / EVP-F&A | Mike White | 4 | 3 | 5 | Financial |
| 5 | | SVP Campus Life | Jerry Brown | 3 | 3 | 4.5 | Student Affairs |
| 6 | | VP Campus Services | Bob Fisher | 1 | 4 | 4.5 | Operational |
| 7 | | VP IT | Richard Downs | 3 | 3 | 4.5 | IT |
| 8 | | CEO EHC | John Phillips | 3 | 3 | 4.5 | Healthcare |
| 9 | | Provost | Susan Smith | 3 | 3 | 4.5 | Faculty |
| 10 | | Provost | Susan Smith | 3 | 3 | 4.5 | Faculty |
| 11 | | SVP Campus Life | Jerry Brown | 4 | 2 | 4 | Student Affairs |
| 12 | | General Counsel | Steve Parsons | 2 | 3 | 4 | Security |
| 13 | | Director Yerkes | Claire Roberts | 2 | 3 | 4 | Security |
| 14 | | VP Research Admin | Don Jones | 2 | 3 | 4 | Research |
| 15 | | VP Communications | Ronald Little | 2 | 3 | 4 | Operational |
| 16 | | VP IT | Richard Downs | 4 | 2 | 4 | IT |
| 17 | | EVP-FA, Provost | Susan Smith | 4 | 2 | 4 | HR |
| 18 | | VP HR | Charles Bassett | 4 | 2 | 4 | HR |
| 19 | | CEO EHC / SVP Campus Life | John Phillips / Jerry Brown | 4 | 2 | 4 | Healthcare |
| 20 | | CEO EHC | John Phillips | 2 | 3 | 4 | Healthcare |
Step 4: Assign Ownership Steering Committee identified a Primary Operational Leader for each risk Individual with primary, though not necessarily sole, operational responsibility, over the functional area where a specific risk has the greatest impact. POLs assigned a Risk Management Process Owner to each risk Must be sufficiently familiar with the risk and best positioned to write a comprehensive Risk Management Plan
Step 5: Risk Management Plans
Step 6: Present to Senior Leadership Executive Committee meets periodically for focused review of Risk Management Plans. Risk hearings ensure that each key risk gets high-level attention each year. Groups of similar risks are presented and discussed at each meeting. Risk Management Process Owner presents his/her Risk Management Plan and answers questions.
Step 7 Take Action Where Needed Executive Committee identifies gaps Gap between where we are and where we want to be with respect to specific risks. RMPOs report back at next Risk Hearing
Step 8 - Repeat The entire list of Key Risks is reviewed each year to ensure the list is current List remains fairly stable Each year something new is added Each Key Risk is presented each year
W&L Collaboration Between GC and CFO ERM and Compliance Team Leaders Coordinate Board Reporting Coordinate Internal Communication among Stakeholders
ERM at W&L WHY? Systematic vs. Ad Hoc Approach Structure to Identify, Assess and Manage Risks Identify Opportunities as well as Downside Risks
ERM at W&L How to Begin? BUY IN from the TOP Credibility President, President's Cabinet Board Engagement at Audit Committee Spearheaded by GC and CFO ERM TEAM leaders (put $$ and law together and you will get attention)
ERM at W&L How to Begin? Examined Culture and Existing Operational and Reporting Relationships and Structures Offshoot from Existing Compliance Structure and Matrix Identified Logical Offices/Departments/Stakeholders
W&L ERM Phase I Process President's Cabinet Identified Top 5-10 Risks in their Areas Defined Risks Broadly: Operational, Strategic, Reputational, Financial, Compliance/Legal Identified Who OWNS each Risk Assessment: Dig Downs by ERM Team with Operational Liaisons Across Campus Input on Coverage and Existing Risk Management from Insurance Broker
W&L ERM Phase I Process cont'd ERM Team Assessed Likelihood and Impact after Dig Down Exercises Developed Risk Management Plan for Each Risk with input from risk OWNER Returned to President's Cabinet for BUY IN of Risk Identification, Assessment, and Management Plans and to address gaps in risk management Ongoing Monitoring
W&L ERM Risk Data Sheet
Incremental and Ongoing Process Review and Update Phase I Risks and Risk Management Plans Regularly Phase II: Ongoing Monitoring of Phase I Risk Areas Identified 5 High Profile Risk Areas for Detailed Risk ID, Assessment, Management and Monitoring Broader Review of Human Resources, Sexual Assault/Title IX/Clery, Sponsored Research, Website Accessibility, Environmental Health and Safety
Ithaca College Collaboration between GC and CBO General Counsel charged in 2008 by President and Board Chair with leading ERM All-College ERM committee created of mid-level administrators. Composition of committee done in collaboration with CBO and other VPs. Members of the ERM committee sub-divided into working groups ERM sub-committee groups worked within respective divisions to complete risk assessments with consultation from VPs
Model for Assessment Kept it manageable - used risk topics identified by United Educators Sub-committees worked within units to assess risks for severity and probability of occurrence Assessments reviewed and signed-off by ERM committee and senior leadership team. Key stakeholders assigned, mitigation plans developed, and budgetary impact identified Master matrix created - tracks rankings, key owners, mitigation plans, budget impact, updates
Education Engagement beyond ERM Committee Programs were developed for presentation to administrators, divisional units, and faculty on the importance of the initiative and the collective ownership of the college community Institutional Budget Committee GC and CBO worked together on presentation to institutional budget committee - the budget committee sets priorities considering need to mitigate high risk areas
Ithaca College Engagement of Board Special committee on Risk Management created by Board Chair General Counsel worked with board committee to identify best practices for the board role in ERM Vice-Presidents met with special committee to review work completed in identifying and assessing risks President's Cabinet presented best thinking on key strategic risks for board consideration Special Committee recommended to the Board ongoing oversight of ERM operational risks and entire Board engagement on Strategic institutional risks
Board Engagement Special Committee followed Association of Governing Board best practice recommendations Senior Leadership partners with the Board Roles of Full Board/Standing Committees/Audit Committee identified and approved by the Board
AGB Best Practices Tone at the top matters Fiduciary obligation Understand and embrace specific roles Question sacred cows Understand, respect, and appreciate differences between business and education Incorporate RM into board committees and full board's work
Partnering with the Board Board focus on high impact risks and with the administration determines institutional risk appetite Board focus on mitigation plans and on-going assessment of success of the plans Anticipate the cost to the institution or the opportunity lost of not taking a risk All risks have owners; board needs to have noses in and fingers out of operational risks
Risk Type and Board Committees Strategic Risk Full Board oversight Establish strategic questions around strategic risks Understand and analyze major initiatives under consideration Identify major societal and demographic shifts Financial Risk Business, Investment and Audit Committees Operational Risk Academic Affairs, Student Affairs, Buildings and Grounds Committees Compliance Risk Audit Committee
Lessons Learned and Challenges Defining institution's risk tolerance depends on institution Creating safe environment is important Operational risks v. strategic risks Buy-in requires active on-going support of senior leadership Support from Board and President is critical Relationship building with ERM Team across campus ERM helps employees feel vested in RISK ID and Management Process Inaction: Start SMALL, but START somewhere Do Not Overwhelm Board or senior administration; don't let process overtake ongoing mission Engage board at an appropriate level: enough, but not too much, is best model
Added Benefits of ERM Enhanced relationships across campus RESULTS in more open and ongoing Communication about all Operations Learn of Problems before Crisis Responses Needed Reduces Silos, builds TEAM mentality
Additional Resources Available from AGB Press: Risk Management: An Accountability Guide for University and College Boards
Questions and Answers