October 16
Strengthening Risk Oversight in Higher Education
Mark Beasley
Deloitte Professor of Enterprise Risk Management
NC State University
Session Objectives
1. Relate ERM with Existing Risk Management
2. Emphasize Intersection of ERM and Strategy
3. Outline Key Elements of ERM
Huge Management Challenge
Declining Resources
Value of Research in Question
Urbanization
Population Growth
Attract / Retain Faculty Expertise
Endowment Challenges
Slowing Demand for College Grad
New Delivery Competitors (for profit)
Online Open Access (MOOCs)
Athletics Physical Security / Public Access
Increasing Expectations and Greater Demands for Transparency
Teaching
Security and Safety
Research
IT Risks
Compliance Risks
Reputation Risks
Human Resources
Housing/Food Service
Admissions
Delivery
Funding
Execution
Traditional Risk Management
Individual Risks
This is Reality
Interconnected – with cascading impacts
What Prevents This?
Risk
Could Miss Bigger Enterprise Risks
Talent Risk
IT Risk
Competitor Disruption
Operations Risk
Economic and Political Risk
Poor Risk Management Ultimately Affects Success
Core Value Drivers and New Strategies
Effective Risk Oversight Should Inform This Picture
Enhance Global Reputation & Brand of University
Risks & Opportunities
Missed Opportunities
Time
Range of Uncertainty
Core Drivers of University’s Success
Strategic View of Risk Management
Observe Performance Later
What is process for managing uncertainty?
Key Elements of Enterprise Risk Management
ERM is a process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
-Committee of Sponsoring Organizations of the Treadway Commission (COSO 2004) (see www.coso.org)
Strategic Purpose
Purpose. This policy directs the president to establish and oversee enterprise risk management and compliance processes for the University of North Carolina.
The president, with assistance from the chief audit officer of the University, the senior vice president and general counsel of the University, and other senior officers and staff, shall establish and oversee University-wide processes to address enterprise risk management, including risks related to compliance with laws and ethical standards at the system level, and to complement and support the risk management and compliance processes and activities of the constituent institutions.
March 2016
UNC Policies - University Enterprise Risk Management and Compliance
The system-wide processes should include components focused on the following:
1. Developing, implementing, evaluating, and monitoring a University system-wide enterprise risk management process;
2. Promoting the establishment of and collaboration among the risk management, ethics, and compliance programs at the constituent institutions;
3. Advising, assisting, and supporting the constituent institution risk management and compliance processes, and providing other advice and counsel for these purposes;
4. Promoting a culture that supports board goals for risk management and compliance;
5. Promoting a uniform approach to measuring the University resources expended on regulatory compliance;
6. Supporting training and educational efforts;
7. Providing regular reports to the board’s CARMC;
8. Referring matters to the chancellors of the constituent institutions, the president’s staff, or other University officers, divisions, and units, as appropriate; and
9. Performing such other duties as directed by the president.
Subject to the direction of the president, each constituent institution shall establish an enterprise risk management process that aligns with the institution’s programs, activities, and management systems and that supports the institution’s strategic and other goals.
UNC Policies
ERM Framework
Business Model and Strategy
Risk Identification
Risk Assessment
Risk Response
Communication and Monitoring
Internal Environment
Starts Here
Starts with Understanding Key Value Drivers
Enhance Global Mission & Brand of University
Provide superior STEM education
Attract & Retain World Renowned Research Faculty
Deliver Excellence in Advanced BioSciences
Expand Outreach to National Community
What supports these value drivers?
• Core Operations?
• Financial Resources?
• Compliance?
What new strategies are needed?
Confirm Clarity of Understanding of Key Value Drivers
1. What must go right for value driver to continue adding value?
– Key processes
– Key technologies
– Key people
Example:
What must go right for the university to continue providing excellence in graduate education?
Confirm Clarity of Understanding of Key Value Drivers
2. What assumptions are we making about ability to sustain value of driver?
– How assumptions developed?
– Impact if assumptions are volatile?
– How changes in assumptions currently monitored?
Example:
What big assumptions are being made by the university re: providing excellence in graduate education?
Core Value Driver: 1. Delivery of excellent graduate education
What Must Go Right to Sustain Success of Crown Jewel?
• Retain faculty who are experts in field
• Attract top applicants to program
• Offer programs that are in demand
What are the Big Assumptions?
• Demand for programs will continue in future
• Other institutions will not be competitive with our institution
2.
3.
Identify Risks to Value Drivers
Enhance Global Mission & Brand of University
Provide superior STEM education
Attract & Retain World Renowned Research Faculty
Deliver Excellence in Advanced BioSciences
Expand Outreach to National Community
Potential Risks
Analyze “Risks To” Value Driver
1. What might emerge that keeps “what must go right” from occurring?
– Processes, people, technologies
Example:
What might prevent University from providing excellence in graduate education?
Strategic Lens to Sustainability Risks
1. What might emerge and impact critical elements for “crown jewels” and strategies to be successful?
– Processes, people, technologies
2. How might assumptions shift?
– Impact if Volatile, How Monitored?
Risks and Opportunities
Example:
How might assumptions be flawed?
Core Value Drivers: 1. Delivery of excellent graduate education
What factors might prevent long-term viability of key drivers of university’s value?
- Internal factors?
- External factors?
• Faculty compensation & resources are not sufficient to attract & retain expert faculty
• Top applicants receive more competitive scholarship offers
• Students unwilling/unable to finance education
How sound are assumptions?
- Are underlying factors likely to change?
- How fast?
• Megatrends emerge that reduce demand for program
• Other universities have capabilities to provide unique innovations that University cannot develop
Identifying Key Risks – A Variety of Methods
Risk Inventory
Surveys and Checklists
Scenario Analysis
Workshops
Interviews
Combinations
Heat Map
Many Organizations
Tier 1 – top 10
Tier 2 – top 20
Other
Choose Your Risk Response
• Tolerate: Risk Acceptance
• Terminate: Eliminate or avoid risk
• Transfer: Risk Sharing
• Treat: Mitigate or control risks
Responses: Proactive or Reactive?
“Causes”: What would cause this event to happen? What could we do to prevent it?
Risk Event
“Consequences”: What would the consequences be if this event occurs? What could we do to minimize the damage?
KPIs vs. KRIs
KPIs: Historical
KRIs: Forward Looking
Time
Range of Uncertainty
Core Drivers of Value
Proactive Management of Emerging Risks
Trigger Points
KRIs
Revise Strategies
KRIs for Top Risks
Enhance Global Mission & Brand of University
Provide superior STEM education
Attract & Retain World Renowned Research Faculty
Deliver Excellence in Advanced BioSciences
Expand Outreach to National Community
Potential Risks
KRIs
Culture is King
Assurance About Process
Mark S. Beasley
Deloitte Professor of Enterprise Risk Management
NC State University
919.515.6064
www.erm.ncsu.edu