October 16

1

Strengthening Risk Oversight in

Higher Education

Mark Beasley

Deloitte Professor of

Enterprise Risk Management

NC State University

Session Objectives

1. Relate ERM with Existing Risk Management

2. Emphasize Intersection of ERM and Strategy

3. Outline Key Elements of ERM

2

Huge Management Challenge

Declining

Resources

Value of Research

in Question

Urbanization

Population

Growth

Attract / Retain Faculty

Expertise

Endowment

Challenges

Slowing Demand for

College Grad

New Delivery

Competitors

(for profit)

Online Open

Access (MOOCs)

Athletics Physical Security /

Public Access

October 16

2

Huge Management Challenge

Declining

Resources

Value of Research

in Question

Urbanization

Population

Growth

Attract / Retain Faculty

Expertise

Endowment

Challenges

Slowing Demand for

College Grad

New Delivery

Competitors

(for profit)

Online Open

Access (MOOCs)

Athletics Physical Security /

Public Access

Increasing Expectations and

Greater Demands for

Transparency

Teaching

Security

and Safety

Research

IT Risks

Compliance

Risks

Reputation

Risks

Human

Resources

Housing/

Food

Service

Admissions

Delivery

Funding

Execution

Traditional Risk Management

Teaching

Security

and Safety

Research

IT Risks

Compliance

Risks

Reputation

Risks

Human

Resources

Housing/

Food

Service

Admissions

Delivery

Funding

Execution

Traditional Risk Management

Individual

Risks

Individual

Risks

Individual

Risks

Individual

Risks

Individual

Risks

Individual

Risks

Individual

Risks

Individual

Risks

October 16

3

This is Reality

Declining

Resources

Value of Research

in Question

Urbanization

Population

Growth

Attract / Retain Faculty

Expertise

Endowment

Challenges

Slowing Demand for

College Grad

New Delivery

Competitors

(for profit)

Online Open

Access (MOOCs)

Athletics Physical Security /

Public Access

Interconnected – with a cascading impacts

Teaching

Security

and Safety

Research

IT Risks

Compliance

Risks

Reputation

Risks

Human

Resources

Housing/

Food

Service

Admissions

Delivery

Funding

Execution

What Prevents This?

Risk

Risk

Risk

Risk

R

i

s

k

Risk

Risk

Risk

R

i

s

k

Teaching

Security

and Safety

Research

IT Risks

Compliance

Risks

Reputation

Risks

Human

Resources

Housing/

Food

Service

Admissions

Delivery

Funding

Execution

Could Miss Bigger Enterprise Risks

Individual

Risks

Individual

Risks

Individual

Risks

Individual

Risks

Individual

Risks

Individual

Risks

Individual

Risks

Individual

Risks

Talent Risk

IT Risk

Competitor Disruption

Operations Risk

Economic and Political Risk

October 16

4

Poor Risk Management Ultimately Affects

Success

Core Value Drivers

and New Strategies

Effective Risk Oversight Should

Inform This Picture

Enhance

Global

Reputation

& Brand of

University

Risks &

Opportunities

Missed

Opportunities

Missed

Opportunities

10

Time

Range of

Uncertainty

Core Drivers of

University’s

Success

Strategic View of Risk Management

Observe

Performance Later

What is process for

managing uncertainty?

Key Elements of Enterprise Risk Management

ERM is a process, effected by an entity’s board of

directors, management, and other personnel, applied in

strategy setting and across the enterprise, designed to

identify potential events that may affect the entity, manage

risks to be within its risk appetite, to provide reasonable

assurance regarding the achievement of entity objectives.

-Committee of Sponsoring Organizations of the Treadway Commission

(COSO 2004) (see www.coso.org)

Strategic Purpose

October 16

5

Purpose. This policy directs the president to establish and oversee enterprise risk management and compliance processes for the University of North Carolina.

The president, with assistance from the chief audit officer of the University, the senior vice president and general counsel of the University, and other senior officers and staff, shall establish and oversee University-wide processes to address enterprise risk management, including risks related to compliance with laws and ethical standards at the system level, and to complement and support the risk management and compliance processes and activities of the constituent institutions.

March 2016

UNC Policies - University Enterprise Risk

Management and Compliance

The system-wide processes should include components focused on the following:

1. Developing, implementing, evaluating, and monitoring a University system-wide enterprise risk management

process;

2. Promoting the establishment of and collaboration among the risk management, ethics, and compliance programs at the constituent institutions;

3. Advising, assisting, and supporting the constituent institution risk management and compliance processes, and

providing other advice and counsel for these purposes;

4. Promoting a culture that supports board goals for risk management and compliance;

5. Promoting a uniform approach to measuring the University resources expended on regulatory compliance;

6. Supporting training and educational efforts;

7. Providing regular reports to the board’s CARMC;

8. Referring matters to the chancellors of the constituent institutions, the president’s staff, or other University

officers, divisions, and units, as appropriate; and

9. Performing such other duties as directed by the president.

Subject to the direction of the president, each constituent institution shall establish an enterprise risk management

process that aligns with the institution’s programs, activities, and management systems and that supports the

institution’s strategic and other goals.

UNC Policies

ERM Framework

Business Model

and

Strategy

Risk

Identification

Risk

Assessment

Risk

Response

Communication

and Monitoring Internal

Environment

Starts Here

October 16

6

Starts with Understanding Key Value

Drivers

Enhance Global

Mission & Brand

of University

Provide superior

STEM education

Attract & Retain

World Renowned

Research Faculty

Deliver Excellence in

Advanced BioSciences

Expand Outreach to

National Community

What supports these

value drivers? • Core Operations?

• Financial Resources?

• Compliance?

What new strategies

are needed?

Confirm Clarity of Understanding of Key Value Drivers

1. What must go right for value driver to continue

adding value? – Key processes

– Key technologies

– Key people

Example:

What must go right for the

university to continue providing

excellence in graduate education?

Confirm Clarity of Understanding of Key Value Drivers

2. What assumptions are we making

about ability to sustain value of driver? – How assumptions developed?

– Impact if assumptions are volatile?

– How changes in assumptions currently monitored?

Example:

What big assumptions are being

made by the university re:

providing excellence in graduate

education?

October 16

7

Core Value

Driver

What Must Go Right to Sustain

Success of Crown Jewel?

What are the Big

Assumptions?

1. Delivery of

excellent

graduate

education

• Retain faculty who are experts in

field

• Attract top applicants to program

• Offer programs that are in demand

• Demand for

programs will

continue in future

• Other institutions

will not be

competitive with our

institution

2.

3.

ERM Framework

Business Model

and

Strategy

Risk

Identification

Risk

Assessment

Risk

Response

Communication

and Monitoring Internal

Environment

Identify Risks to Value Drivers

Enhance Global

Mission & Brand

of University

Provide superior

STEM education

Attract & Retain

World Renowned

Research Faculty

Deliver Excellence in

Advanced BioSciences

Expand Outreach to

National Community

Potential Risks

Potential Risks

Potential Risks

Potential Risks

Potential Risks

Potential Risks

Potential Risks

October 16

8

Analyze “Risks To” Value Driver

1. What might emerge that keeps

“what must go right” from

occurring? – Processes, people, technologies

Example:

What might prevent University

from providing excellence in

graduate education?

Strategic Lens to Sustainability Risks

1. What might emerge and impact

critical elements for “crown jewels”

and strategies to be successful? – Processes, people, technologies

2. How might assumptions shift? – Impact if Volatile, How Monitored?

Risks and

Opportunities

Example:

How might assumptions be

flawed?

Core Value

Drivers

What factors might prevent

long-term viability of key

drivers of university’s value?

- Internal factors?

- External factors?

How sound are assumptions? - Are underlying factors likely to

change? - How fast?

1. Delivery of

excellent

graduate

education

• Faculty compensation &

resources are not

sufficient to attract &

retain expert faculty

• Top applicants receive

more competitive

scholarship offers

• Students

unwilling/unable to

finance education

• Megatrends emerge that

reduce demand for program

• Other universities have

capabilities to provide unique

innovations that University

cannot develop

October 16

9

Identifying Key Risks – A Variety of Methods

Risk

Inventory

Surveys and

Checklists

Scenario

Analysis

Workshops

Interviews

Combinations

25

ERM Framework

Business Model

and

Strategy

Risk

Identification

Risk

Assessment

Risk

Response

Communication

and Monitoring Internal

Environment

Heat Map

October 16

10

Many Organizations

Tier 1 – top 10

Tier 2 – top 20

Other

ERM Framework

Business Model

and

Strategy

Risk

Identification

Risk

Assessment

Risk

Response

Communication

and Monitoring Internal

Environment

Choose Your Risk Response

• Tolerate • Risk Acceptance

• Terminate • Eliminate or avoid risk

• Transfer • Risk Sharing

• Treat • Mitigate or control risks

October 16

11

“Consequences” “Causes”

Responses: Proactive or Reactive?

Risk Event

What would cause this

event to happen?

What would the

consequences be if

this event occurs?

What could we do to

prevent it? What could we do to

minimize the

damage?

31

ERM Framework

Business Model

and

Strategy

Risk

Identification

Risk

Assessment

Risk

Response

Communication

and Monitoring Internal

Environment

KPIs vs. KRIs

Historical Forward Looking

October 16

12

Time

Range of

Uncertainty

Core Drivers of

Value

Proactive Management of Emerging Risks

Tri

gg

er

Po

ints

KRIs

Revise Strategies

KRIs for Top Risks

Enhance Global

Mission & Brand

of University

Provide superior

STEM education

Attract & Retain

World Renowned

Research Faculty

Deliver Excellence in

Advanced BioSciences

Expand Outreach to

National Community

Potential Risks

Potential Risks

Potential Risks

Potential Risks

Potential Risks

Potential Risks

Potential Risks

KRIs

KRIs

KRIs

KRIs

KRIs

KRIs

KRIs

ERM Framework

Business Model

and

Strategy

Risk

Identification

Risk

Assessment

Risk

Response

Communication

and Monitoring Internal

Environment

October 16

13

Culture is King

Assurance About Process

Business Model

and

Strategy

Risk

Identification

Risk

Assessment

Risk

Response

Communication

and Monitoring Internal

Environment

Mark S. Beasley

Deloitte Professor of Enterprise Risk Management

NC State University

Mark_beasley@ncsu.edu

919.515.6064

www.erm.ncsu.edu