2015 ANNUAL CONFERENCE Indianapolis

Organizational Change Management: A Best Practice to Effective ERM Implementation

Christine Ackerman, CPA, Associate Vice President & Director of Internal Audit, University of Cincinnati

Anita Ingram, ARM, Assistant Vice President & Chief Risk Officer, University of Cincinnati


Post on 12-Mar-2018



Learning Objectives

After attending this session, participants will be able to:
• Build a successful case and framework for ERM with a defined approach, assessment tools and outcomes.
• List key collaboration and consultative techniques deployed in the partnership between risk management and internal audit to gain top-level support and build consensus with institutional stakeholders for ERM.
• Navigate the challenges and pitfalls of implementing and sustaining a successful ERM program.


Agenda

I. University of Cincinnati
II. Building the Case for ERM
III. Higher Education ERM Environment
IV. Roles of Internal Audit and Risk Management in ERM
V. Leveraging Collaboration
VI. ERM at the University of Cincinnati
VII. Managing Organizational Change
VIII. Developing Key Risk Indicators
IX. Successful ERM


University of Cincinnati – who are we?

UC Facts:
• UC is a public research university with an enrollment of more than 43,000 students;
• 372 programs of study;
• 16 to 1 student to faculty ratio;
• 14 Colleges - Arts and Sciences; Allied Health; Business; Clermont & Blue Ash Colleges (2 Year); Music; Design, Architecture, Art & Planning; Education, Criminal Justice, and Human Services; Engineering & Applied Science; Law; Medicine; Nursing; Pharmacy; Graduate School


Building the Case for ERM

• The decentralized nature and entrepreneurial environment in higher education institutions can lead to challenges in coordinating risk management activities across the institution
• The dynamic nature of higher education requires ongoing assessment and management of a variety of issues to be able to identify, evaluate, and respond to risks


Building the Case for ERM

• Demonstrate small victories with something smaller than full ERM implementation
- Demonstrate ERM approach using compliance as an example
- Collaborated on launch of ERM program for UC Foundation
• Hired consultant to assist with developing and implementing ERM framework
• Cost of implementing ERM not unreasonable
• Board of Trustees and senior administration support
• Be careful not to fall into compliance or tactical trap
• Be careful that ERM isn’t seen as a way to avoid risk


Higher Ed ERM Environment

• Some Higher Education organizations have robust ERM programs, yet many do not

• With those programs that are in place, they may not be working as intended

• AICPA reports on enterprise risk oversight across a range of industries:
- 51% of the respondents reported that their organizations had no formal enterprise-wide approach to risk oversight; and
- Only 14.9% said they had a complete formal enterprise-wide risk management process in place


Roles of Internal Audit and Risk Management in ERM


• Internal audit champions adoption of ERM
• Internal audit participates in ERM interviews and risk advisory council
- Important that internal audit be positively perceived throughout organization
- Audit assists with identifying and evaluating risks
- Audit assists with consolidating and reporting on risks
• Audits can inform and evaluate how units are responding to risk mitigation


Roles of Internal Audit and Risk Management in ERM

• Risk management deals with risks from a broad perspective of strategic, operational, financial, compliance and reputational risks as an interrelated portfolio
• Risk management both leads & participates in risk assessment process and leads the risk advisory council
• Provides the process and methods to manage unwanted variations from expectations, which are linked directly to the organization’s strategy
- View risks in a way that crosses silos, builds internal alliances, exhibits flexibility, expands to include emerging risks, and enhances strategic decision-making capabilities


Leveraging Collaboration

• Enterprise risk assessment informs annual audit plan
• Reports are shared, both functions identify different types of risks
- Chief Risk Officer, by receiving internal audit reports, can help ‘connect the dots’, identify trends occurring in internal audit reports
- Internal audit can utilize knowledge of specific risks to scope and tailor audit procedures
• Collaboration builds efficiencies and improves results by cross-leveraging competencies, roles & responsibilities
• Enhances communication depth and consistency, especially at board and management level


Leveraging Collaboration

Internal Audit

• Defines ERM as a process
• Use specific risk management standard; usually COSO
• Develops audit plan to define the scope of work
• Links findings from any risk-based audit plans and the enterprise risk assessment
• Discuss the risk-based audit plan with risk management

Risk Management

• Defines ERM as a discipline
• Use specific risk management standard; either ISO 31000 or COSO
• Develops the enterprise risk assessment designed to get a sense of the risks and call attention to most severe risks.
• Share ERM results with internal audit


Leveraging Collaboration

• Enterprise Risk Management (ERM) is about supporting opportunities as well as preventing problems
• It is tied to business objectives & strategies – and supports them
• It works within the entity’s culture and will become integral to decision making
• It will ensure that Risk Management applies to all levels of the organization and to all activities


ERM at UC: Program Context

• Effort Began in 2012
• VISION STATEMENT: Create a risk-aware culture, permitting the University to ensure an effective means to identify, measure, control, and assign responsibility to manage risks, while encouraging the acceptance of reasonable opportunities.
• 2013 hired consultant to assist with developing ERM framework
• 2014 launched search for CRO; launched formal ERM program


ERM at UC: Timeline


Phase 1: Build the Case for ERM
1. Understand the institution’s strategic plans, environment, and culture
2. Determine the status of existing risk management program & processes
3. State goals and objectives (Dec 2014)
4. Obtain top-level commitment, support, and participation

Estimated date to completion: June 2015

Phase 2: Build the ERM Foundation
5. Name a Project Leader
6. Plan project and define timeline (Jan 2015)
7. Create a cross-functional Risk Council & related subcommittees (Nov 2014)
8. Create mission and goals statement (Jan 2015)
9. Create top-level ERM Executive Committee

Phase 3: Implementation
10. Assess risks and update risk portfolio: validate and prioritize (Jan 2015 and ongoing)
11. Assign ownership and take action (Sept/Oct 2015)
12. Train & educate to assist board, academics & administrators with ERM process

Phase 4: Sustain the ERM Program
13. Measure and assess results; monitor
14. Meet and review regularly; realign risk treatments as appropriate with available resources (periodically)
15. Report results (annually and upon request)
16. Do not neglect traditional risk management functions
17. Develop and implement institution-wide systems for communicating

GREEN: COMPLETED
RED: IN PROGRESS; PARTIALLY COMPLETED
BLACK: FUTURE ACTION


ERM at UC: Framework


[Figure (AS/NZS ISO 31000:2009): Overview of the relationships between the risk management principles, framework, and process. Panels: Principles, Framework, RM Process. Monitoring & review, continual improvement and communication occur throughout.]

Note: The brown arrow depicts that the principles inform the mandate and commitment for managing risk (reflected in the organization’s management system). The light blue arrow shows that the framework enables the application of the risk management process. The dark blue arrow indicates that experience in applying the process can improve the organization’s management system.


ERM at UC: Governance Structure

[Figure: governance structure chart. Levels: Audit & Risk Committee of the Board; ERM Executive Committee; ERM Risk Council. Labels: Communications; Risk Review.]


ERM at UC: Role of the Board

• Participating in their committees’ risk reviews
• Board/Committees should hear from the risk’s designated leader, once each year, minimally.
• Ask appropriate, sometimes tough questions and in general, provide oversight.
• Also, board members will be apprised of the university’s risk posture by hearing the other committees’ reports.
• Committee reports will be summarized for the full board.
• The president works with the board to set the high-level ERM agenda and develop a statement of risk appetite.


ERM at UC: Risk Identification

• Identified through Interviews, Brainstorming, Emerging Trends, Benchmarking With Peer Institutions, Surveys
• Risks will be categorized: (i) Compliance, (ii) Financial, (iii) Operational, (iv) Strategic, or (v) Reputational
• Top 10-15 Highest Priority risks will be assigned for oversight by committees of the Board of Trustees
• Remaining High/Medium Priority risks will receive oversight from the Risk Council


ERM at UC: Findings

• Information Security/Disaster Recovery Planning/UCIT Operations
• Student Enrollment and Enrollment Management
• Public Safety
• Funding Resources & Budget
• Emergency Management & Business Continuity
• Building/Facilities and Deferred Maintenance
• Strategic Planning
• Dealing with Minors On and Off Campus
• Compliance & Regulatory Issues (various)
• HR Processes & HR Leadership
• Environmental Hazards (Chemical Stores)
• Student Mental Health Issues
• Staffing & Succession Planning

Preliminary research was conducted by ERM personnel with over 70 interviews involving more than 100 individuals, including the President’s Executive Cabinet, Deans, Provosts, and key external partners. Research indicates the highest ERM concerns at UC currently focus on the items above.


Risk & Opportunity Heatmap


From: University of Vermont ERM website: http://www.uvm.edu/~erm/?Page=evaluation.html&SM=processmenu.html


ERM at UC: What happens next?

• ERM Executive Committee Risk Workshop (September ‘15). Deliverable: HeatMap
• Assess risks, update risk portfolio: validate and prioritize; input to new RMIS (October 2014 to October 2015)
• Assign/define ownership of risk areas and initiate, and verify action steps (October to December 2015)
• Develop and implement institution-wide systems for communicating (Feb to Dec 2015)


Managing Organizational Change

[Figure: Impact of Organizational Change. Performance (vertical axis) over Time (horizontal axis), with stages: 1. Denial/Shock; 2. Anger/Betrayal; 3. Pain/Sadness; 4. Acceptance/Recovery. Annotations: "Decreased Trust, Poor Communication & Increased Disengagement"; "Recovery Phase: Some Improvement in Communication, Trust & Productivity".]


Managing Organizational Change: Cumulative Effect

[Figure: Performance (vertical axis) over Time (horizontal axis); label: Disengagement.]


Managing Organizational Change

[Figure: Performance (vertical axis) over Time (horizontal axis); labels: Recovery, Renewal.]

Key: Manage the Depth and Duration


Developing Key Risk Indicators (KRI)

• Linking objectives to strategies to risks to KRI’s
• Effective KRI’s can provide value in a variety of ways, including:
- Risk appetite
- Risk and opportunity identification
- Risk treatment
- Risk reporting
- Compliance efforts
- Improved performance, process, and improved workplace environment


Developing Key Risk Indicators (KRI)

• Depends on risk identified

Campus safety
- Crime statistics, # of NightRide users, international student safety rankings, etc.

Emergency preparedness and business continuity
- # and results of drills and exercises, faculty, staff and student education and outreach, # of business continuity plans, results of business continuity tests

Information Security
- # of breaches, results of external penetration tests and vulnerability scans (# of critical/significant vulnerabilities)

Enrollment
- # of births, # of projected high school graduates


Successful ERM Program

• Buy-in and support from the top
• Sustainable process – slow progress is still progress!
• Continuous improvement
• Tools: RMIS/GRC, Interviews, Surveys, Questionnaires
• Strong marketing & communication
• Personnel resources
• Don’t use as a means to say ‘no’, create additional administrative burden, or create another level of bureaucracy


Successful ERM Program

A successful ERM program allows for:
• Assignment of risks – Distribution of enterprise risks encourages ownership of mitigating and managing risk at the individual/unit level
• Resource optimization – Individuals have autonomy and flexibility to maximize their talents and resources while working within their scope; individuals do not unknowingly complete redundant tasks, reducing the likelihood of expending unnecessary effort, resources and time
• Assignment of accountability – Each individual is uniquely accountable for individual risks as they contribute to a larger, more comprehensive enterprise wide risk strategy
• Coordination – Higher levels of communication across units and knowledge sharing regarding challenges and perspectives creates opportunities to break down silos resulting in greater, more collaborative coordination


Dilbert on Risk Management

“Risk in itself is not bad; risk is essential to progress, and failure is often a key part of learning. But we must learn to balance the possible negative consequences of risk against the potential benefits of its associated opportunity.”


Questions?

Thank you!


Resources

• Executive Report: The Risk Perspective, “Risk Management and Internal Audit: Forging a Collaborative Alliance”, Risk and Insurance Management Society Inc., and the Institute of Internal Auditors Inc., 2012.
• Pacific Northwest Enterprise Risk Forum, “University of Washington Enterprise Risk Management - A Journal of Discovery”, November 7, 2012.
• COSO Thought Leadership in ERM, “Developing Key Risk Indicators to Strengthen Enterprise Risk Management, How Key Risk Indicators Can Sharpen Focus on Emerging Risks”, by Mark Beasley, Bruce Branson, Bonnie Hancock, 2010.

Sources of Information:

• ANSI/ASSE/ISO 31000 – the only international standard on risk management – 2009
• COSO ERM Framework – 2004
• “Risk Management – An Accountability Guide for University and College Boards” by Janice Abraham – AGB & UE – 2013
• Consulting firms – Huron
• GRC – Governance, Risk & Compliance (software and consulting): Riskonnect, Ventiv, Marsh Clearsights, etc.

Helpful websites:

http://erm.ncsu.edu/
http://www.ecu.edu/erm/
http://f2.washington.edu/fm/erm
http://www.uvm.edu/~erm/?Page=evaluation.html&SM=processmenu.html
http://www.ucop.edu/enterprise-risk-management/
http://www.coso.org/-erm.htm
https://www.rims.org/ERM/Pages/WhatisERM.aspx