Introductions. University of Wisconsin System Enterprise Risk Management UW Milwaukee September 11 & 14, 2012.


1 University of Wisconsin System Enterprise Risk Management UW Milwaukee September 11 & 14, 2012

2 Introductions

3 ERM Working Group Agenda
- Welcome & Introductions
- ERM in Higher Education
- Case Study Discussion
- UW System ERM Initiative
- Critical ERM Program Components
- Risk Identification and Workshop Process
- Voting Process
- Next Steps
- Q&A, Feedback, and Conclusion

4 ERM in Higher Education

5 What is Enterprise Risk Management?
“A comprehensive program designed to proactively and continuously identify and manage real and potential threats and opportunities that may impact our operations.”
- Designed to protect and increase stakeholder value, fit into the organization’s culture, and leverage current controls and capabilities.
- An operational strategy that promotes continuous sustainable improvement across the organization; creating value.
- A process that identifies and prioritizes real and potential risks (threats and opportunities) that may affect an organization’s strategy and/or operations and promotes the ability to manage risks to an acceptable level.
CHANGES: Deleted bullet on how rating agencies use ERM. Rating agencies may not be a significant issue worth our time, because the UW System does not issue bonds.

6 ERM = STRATEGIC RISK MANAGEMENT
Enterprise Wide Risk Management
- A wide range of risks are identified and evaluated, including finance, human capital, strategic, operational, and reputational
- Evaluation includes the “upside of risks” or opportunities risk-taking can provide
- Helps manage successful growth or program expansion
- Risks are owned by all and mitigated at the department level
Kept slide as a placeholder to simply mention that ERM is risk management, but with a more strategic perspective as opposed to the traditional silo approach to risk management. More specifically, ERM helps focus risk management efforts on optimizing risk controls or risk taking to achieve specified goals.

7 Why Implement ERM?
- Sustain competitive advantage
- Respond when a significant event occurs
- Avoid financial surprises
- Manage scarce resources
- Define risk appetite and risk tolerance levels
- Determine effectiveness of existing controls
- Improve risk assessments
- Increase accountability
- Allocate resources more effectively
Slide shows general reasons for implementing ERM.

8 Why Implement ERM? (cont.)
- Competition
- Student Demands
- New Technologies
- Globalization
- Entrepreneurial ventures beyond traditional education
- Pressure for increased productivity and accountability while reducing costs
- Increased compliance expectations
- Research
- Safety/Security
Slide shows specific higher education related reasons for implementing ERM.

9 Higher Education ERM Efforts
Organizations
- National Association of College and University Business Officers (NACUBO)
- Association of Governing Boards (AGB)
- University Risk Management and Insurance Association (URMIA)
Institutions
- University of California
- University of Washington
- University of Minnesota
- Auburn University
- Texas A&M University
- Purdue University
- Maricopa County Community College
Slide can be used to illustrate increasing interest and support for ERM within Higher Education, as well as a transition to the next section on UW System ERM Initiative. The list provides examples and is not intended to be comprehensive.

10 Higher Education Risk Case Studies
Two Scenarios designed to start you thinking about key concepts associated with ERM
- Risk v. Opportunity
- Likelihood & Impact
- Controls
- Mitigation

11 UW System Enterprise Risk Management Initiative

12 UW System – ERM Vision The University of Wisconsin System endeavors to lead higher education by integrating the principles of Enterprise Risk Management (ERM) into the culture and strategic decision making of its academic, student affairs, and business functions. ERM will promote the success and enhance the accountability of the UW System by incorporating risk assessment into the System’s strategic objectives and budget development process.

13 Mission Statement The mission of the University of Wisconsin Enterprise Risk Management Project is to initiate a comprehensive program which will support the identification of the UW’s mission-critical risks, assess how to manage those risks, and align resources with risk management responsibilities. CHANGES: Updated to reflect latest mission statement (inclusion of UW-Whitewater

14 Goals and Objectives for Accomplishing the Mission:
Goal #1: Integrate ERM into the culture and strategic decision making processes of the organization.
Objectives:
- 1-1. Develop common ERM terminology.
- 1-2. Raise awareness of the need for risk management.
- 1-3. Establish continuous monitoring and communications processes.
Goal #2: Balance the cost of managing risk with the anticipated benefits.
Objectives:
- 2-1. Define the organization’s overall risk appetite/tolerance, and establish associated materiality thresholds.
- 2-2. Document current procedures, controls, and risks.
- 2-3. Compare current risks to control efforts, as well as to the organization’s risk appetite, to help identify priority risks.
- 2-4. Assess the value of alternative risk management actions.

15 Goals and Objectives for Accomplishing the Mission:
Goal #3: Manage risk in accordance with best practices, and demonstrate due diligence in decision making.
Objectives:
- 3-1. Assign responsibilities for risk management at the “lowest” levels of the organization.
- 3-2. Regard compliance with the law as a minimum standard.
- 3-3. Streamline risk-management-related practices.
- 3-4. Identify competitive opportunities.
Goal #4: Use the pilot projects to develop a system-wide ERM implementation strategy.
Objectives:
- 4-1. Establish an organizational and communication structure for managing the pilots.
- 4-2. Transfer knowledge from the consultants to UW System Administration staff.
- 4-3. Involve the UW System president and cabinet in ERM-related decisions.

16 Current State of Project
- Core Risks LTD., in consultation with Arthur J. Gallagher, selected to develop UWS ERM model
- Full risk assessment completed at six UW institutions (Oshkosh, Superior, Whitewater, Parkside, River Falls, and Platteville)
- Established an ERM Core Team at System Administration
- Developed UWSA website in support of initiative:
Can also address how ERM at the system level began (to address SOX, CBO concerns over aligning declining resources with priorities, and the evolution of risk management from a transactional to integrated approach). Can talk about level of support at system level (e.g. sponsorship and funding).

17 Current Examples That Incorporate ERM Processes
- Security and Threat Assessments
- International/Study Abroad Risk Assessment
- Continuity of Operations
- Other
Keep slide or delete. Could keep a slide here as a way of showing that “ERM” is already in place in some instances. Do we have more/better examples? Student health insurance?

18 Evolution to achieve ERM
Prior State – Individual area/function silos report risk on an ad hoc basis from the bottom-up to management. No top-down linkage to the Executive Management/BOD strategic objectives.
Evolution – Convergence of Reporting: Consistency of Process: Focus on Risk: Informed Decision-making Ownership:
Resilient State – enhanced sustainability across the enterprise.
[Organization diagrams. Box labels: Board of Regents, Audit Comm, Risk Council, Enterprise Risk Management, Institution A, Institution B, Central Funct, IS, Athletics, Housing, Safety, Other]

19 Signs of Success… A successfully implemented program will result in:
- A process for open and objective discussion on risk and related issues facing the organization on an aggregate basis. It must promote honest and fact based discussion and enhance decision making while assuring that “the messenger does not get shot”.
- Regular reporting of the organization’s risk profile that: 1) prioritizes risks from a materiality perspective; and 2) clearly helps direct the asset allocation (money, time, people) toward risk mitigation.
- No new bureaucracy; ERM needs to be embedded into the existing culture and structure to assure sustainability. This is best assured by integrating the ERM findings into the annual budget and strategic planning cycles. Normally, if it isn’t budgeted, it doesn’t exist.
From deleted slide: A Sustainable ERM Process that is Strategic & Operational: A “Top Down & Bottom Up” Approach
- Top Down → Strategic: A consistent method that allows our operations to make more efficient, strategic use of assets, through regular evaluation of the nature and extent of our risks and opportunities, while also meeting governance expectations.
- Bottom Up → Operational: A practical tool that provides our operations with the competitive competency to quickly identify, understand, and manage strategic risks and opportunities in a manner which is consistent with our overall goals, objectives, and culture.
The result is a prioritized and substantiated approach to investment in risk avoidance and mitigation activities.

20 Critical ERM Program Components
Introduces the next two slides addressing categories and risk universe. There is no one way to frame the discussion, but we’ve constructed this approach to help facilitate the discussion of risk.

21 Higher Education Risk Categories
Categories: External, Strategic, Operational, Other
Natural Catastrophe Reputation/Image Student Safety & Health Endowment Fund Challenges Man-made catastrophe Program/Academic ranking Sports Program Other University Funding Economic/Political Quality of Faculty Institution Facilities National Loan Source availability Competition Strategic Plan Academic Facilities Human resource State/Federal support Alumni Relations Infrastructure/Physical Plant Legal Visitors Partner Programs Local/Abroad Alcohol/Drugs Other Compliance Social issues Joint Ventures IT/Telecom Minors on Campus (matriculated and other) Security Parent Related Matters
Used to stimulate thought and be a facilitation tool. Not intended to be all inclusive. Consider general areas – Internal, External, etc. Consider organizationally specific areas of focus. Discuss options…

22

23 Types of controls
- Rule-based – Policy, process, or standard.
- Management Control – Responsibility for control is assigned to a specific person or function within the organization.
- Compliance-based – Rule-based or Management Control, where adherence is verified.
- Physical Control – Barrier, mechanical, or computer control.
- Risk Culture – Tone at the top for managing risk.
… More = Better In a world with no constraints

24 Management Control Scale
Current Level of Control over the Risk (from Less Control to More Control):
- None/Weak = 1
- Limited = 2
- Moderate = 3
- Strong = 4

25 Impact Defined
Impact is the total outcome (as measured against a specific materiality metric) that would be realized if a Risk Driver were to occur.
- Specific reference point used to categorize the materiality of the Impact of a Risk.
- Used to “bucket” risks from different parts of the organization to allow for detailed, cross-functional discussion.
Impact levels: Low, Moderate, High, Extreme

26 Critical Definitions Impact & Materiality – Sample
UW System Materiality - Impact on Enrollment
UW System Milwaukee Extreme 10% 12,520 High 6% 5,250 Moderate 3% 2,600 350 175 Low 600 1 10,000 3 4 2
Impact on Enrollment used as example …. Calculated over a certain period of time (36 months)
Need to view slide in slide show mode to see graphic – numbers reflect actual UW-River Falls 2010 data. Illustration only – actual River Falls materiality matrix may use different metric or break points for low-high.

27 Materiality Matrix (For Discussion)
CHANGES: Updated to reflect actual materiality

28 Likelihood
The likelihood that a risk will occur within next 36 months recognizing current controls
Likelihood Scale:
- 1 = Low – Possible but unlikely to occur; remote.
- 2 = Moderate – Moderate risk of occurrence; maybe.
- 3 = Probable – Likely to occur.
- 4 = Almost Certain – Very likely to occur in immediate future (probable).
[Scale graphic labels: More Likely to occur; 75%; 50%; Less Likely to occur; 10%]

29 Sample Inherent Risk Map (Heat Map)
[Heat map graphic. Likelihood axis: Unlikely, Possible, Probable, Almost Certain (1 2 3 4). Impact axis: $x,000,000, $xx,000,000. Legend: Very High Risk, High Risk, Moderate Risk, Low Risk.]
Example risks shown on the map:
- Fire at remote building
- Snow Collapse of University Center
- Credit Crisis – loss of funding
- Weather shuts down campus-short term
- Sports team scandal
- Loss of Key Faculty
- IT system failure due to weak controls
- Dorm shutdown due to contamination
- Community activists block expansion
- Pandemic

30 Risk Retention & Risk Mitigation
Risk Retention. If an identified risk is within Risk Retention, it is accepted at this time without the need for additional action. Current controls are retained, maintained, and monitored. Risk Mitigation. If an identified risk is not within Risk Retention, then further mitigation is planned and prioritized.

31 Risk Identification/Workshop Process
Lead the group through the sequence of: 1) risk identification (interviews and surveys), 2) Impact & Likelihood, 3) Controls & Cost, and 4) Retention/Mitigation. End with a sample heat map.

32 Risk Surveys are sent to direct reports of Senior management
[Process flow diagram. Boxes:]
- One on One Interviews with Senior Staff identify perceptions of Risk
- Any pre-existing Risk reports are reviewed and Identified Risks are compiled
- Risk Surveys are sent to direct reports of Senior management
- Chancellor/Risk Council informs Institution Core Working Group of decisions on recommended Risks
- Surveys collect risks identified from a cross functional group of operational level management
- Institution Risk workshop synthesizes all Risks identified to date and discusses and assesses new Risks. Output report is ready for management review
- Institution Workshop
- Core Working Group reviews and delivers summary report of Priority Risks to Chancellor

33 Risk/Opportunity Areas
What keeps you awake at night?
Systemwide list: Enterprise Systems Implementation (HRS) Executive Position Recruitment/Retention IT Security Budget/Revenue Optimization Capital Planning and Budget Process and Joint Ventures AODA/Student Safety Student Services (Mental Health) Community and Legislative Relations Administrative Efficiency/Stewardship of Public Funds/Accountability Records Retention/Open Records/Confidential Information Faculty – Recruitment/Retention and Discipline
Examples of a University-level list: Campus Security Current Diversity - Ineffective Performance Management/Disciplinary Process On-line Learning Strategy Facilities – Lack of Capacity Impact of Economic Challenges Long Term Staffing Challenges Study Abroad – Re-entry programs Lack of Internships Local Community Attractiveness Conflict/State to System, System to Campus

34 The Voting Keypad
- We use the Wireless Voting Technology.
- You may change your vote as many times as you want before voting is closed – only your last response will count.
- You do not have to point the keypad at the screen.
- Your individual responses will remain anonymous.

35 IMPACT & LIKELIHOOD
IMPACT (BASED ON UW-MILWAUKEE MATERIALITY MATRIX): 1 LOW, 2 MODERATE, 3 HIGH, 4 EXTREME
LIKELIHOOD: 1 LOW, 2 MODERATE, 3 PROBABLE, 4 ALMOST CERTAIN

36 CONTROLS & COST
CONTROLS: 1. NONE/WEAK 2. LIMITED 3. MODERATE 4. STRONG
COSTS: 1. HIGH (greater than $25,000) 2. LOW or NONE
Cost determination of high versus low TBD by Milwaukee. $25,000 based on UW-Superior’s workshop. Cost discussion should focus on preparing the group for the discussion centered on which risks will require resources (a budget) to mitigate vs. those that may require delegation of authority or simple recognition that a risk exists. This “data” point collected in the workshop will allow the institution to better focus how to proceed with risk mitigation once all risks have been assessed.

37 MITIGATION vs RETENTION
Does this need to be placed in Risk Mitigation? Yes No

38 Sample Risk Map (Heat Map)
[Heat map graphic. Likelihood axis: Unlikely, Possible, Probable, Almost Certain (1 2 3 4). Impact axis: $x,000,000, $xx,000,000. Legend: Very High Risk, High Risk, Moderate Risk, Low Risk.]
Example risks shown on the map:
- Fire at remote building
- Snow Collapse of University Center
- Credit Crisis – loss of funding
- Weather shuts down campus-short term
- Sports team scandal
- Loss of Key Faculty
- IT system failure due to weak controls
- Dorm shutdown due to contamination
- Community activists block expansion
- Pandemic

39 Next Steps Discuss what happens after the workshop – essentially project management 101: 1) identify and assign risk owners, 2) establish means of accountability, 3) establish a defined institution process of review, assessment, and communication.

40 Risk Ownership
Qualities of a Risk Owner...
- Owners should have significant influence over their assigned Risk Driver(s).
- Owners will be individuals.
- Owners will be accountable.
Risk Owners will...
- Work to determine the Risk Retention parameters for a particular Risk Driver.
- Develop Mitigation plans to return Risk Driver(s) to Risk Retention.
- Perform ongoing monitoring of their Risk Driver(s) to assure that Risk Drivers remain in Risk Retention.
First step once risks have been assessed is to determine which risks to mitigate and who will be tasked with that responsibility. Remember… Risk Ownership is important and to be a Risk Owner is a good thing!

41 Risk Driver Mitigation Worksheet - Example
Number & Short Name: #1- Student safety issue due to unsafe pedestrian crossing at RT 66
Current Risk Ratings:
- Impact Rating & Range: 6 - (Greater than $80M)
- Likelihood: Possible
- Inherent Risk Rating: Significant
- Control: Poor
Mitigation Plan Options and Steps:
- Increase Signage
- Request addition of additional flashing lights from highway department
- Conduct assessment of possibility of adding pedestrian tunnel or bridge
Timing of plan: Q3 11; Q4 11; 2012
Risk Owner name: J Bond – Head of Road Safety
additional functions involved: Security; Government relations; Facilities and department, with support of Civil engineering department
Risk mitigation is really nothing more than project management.

42 A Steady State Process (example 1)
[Process diagram. Labels: Annual Risk workshops; Risk Assessment and Workshops; Risk Drill Down workshops; Preliminary Objectives & Risk Survey; Mitigation Plans developed and Submitted for budget consideration; Risk Council Meet/Report; College Risk Report; Risk Council; Report to Management/Compliance Steering Committee; Report to Board/Audit Committee (budget approval); Risk Enhanced Budget submitted]

43 A Steady State Process (example 2)
[Cycle diagram labels: Strategy / Operations Oct Nov Apr/May July Risk Assessment Report to Senior Administration Risk Survey Risk Owners Board of Regents Dec Jan Planning Enhanced Objectives Mitigation Plans Risk Council Maintenance]
Risks are always going to be in the context of your strategy and objectives.

44 Orientation Wrap Up Questions?

