© 2010 Arthur J. Gallagher & Co.

Review of UVM ERM Planning

October 27, 2010

Report by ERM Consultants Dorothy M. Gjerdrum & John McLaughlin

Gallagher Higher Education Practice

UVM ERM Plan

T:\Higher Ed\Prospects\UVM erm\UVM ERM Plan (3) 11.1.doc

Table of Contents

Introduction

Summary of the Survey of Key Institutions

Summary of Interviews with Key Internal Stakeholders

ERM Program Recommendations

Appendices

A. Zoomerang Survey
B. Description of Roles – the Modified IIA Model
C. Description of Roles – Article


Introduction

In November of 2009, UVM President Daniel Mark Fogel approved the implementation of an Enterprise Risk Management (ERM) program at UVM and appointed Vice President for Finance and Administration Richard H. Cate as the University’s Chief Risk Officer.

In March 2010, Vice President Cate chartered an ERM Advisory Committee (ERMAC), composed of representatives from the University’s major operational units, and gave the committee the charge to design and implement an ERM program for UVM. ERMAC members include:

Mary Dewey, Director of Risk Management (Co-Chair)
Al Turgeon, Executive Assistant to the VPFA (Co-Chair)
Tom Mercurio, Associate General Counsel
Patrick Brown, Director of Student Life
Claire Burlingham, University Controller
Salvatore Chiarelli, Director of Physical Plant
Patricia Corcoran, Assistant Dean for Student Affairs, College of Arts & Sciences
Brian Cote, Senior Associate Dean for Finance & HR, College of Medicine
Anna Drummond, Chief Compliance Officer
William Harrison, Chief Internal Auditor
Dan Harvey, Chief of Staff to the Vice President for Research and Dean of the Graduate College
Kim Howard, Director of International Education Services
Barbara Johnson, Associate Vice President for Human Resource Services
Wendy Koenig, Director of Federal Relations
Mark Metivier, Financial Manager, Development & Alumni Relations
Jeffrey Schulman, Associate Director of Athletics
David Todd, Chief Information Officer
Lianne Tuomey, Chief and Director of UVM Police Services

At its initial meeting in April 2010, the ERMAC formed three subcommittees—Policy & Program, Communication & Training, and Software—each of which met several times through the late spring and early summer to develop key parameters of a “DRAFT” ERM program, including a draft policy; a draft training plan; an approach to and set of guiding questions for initiating risk conversations with deans, vice presidents, and their key staff; and a draft risk assessment tool, including rating scales for risk impact and likelihood.

In response to trustee requests made at the Board's May 2010 meeting, the CRO hired Arthur J. Gallagher (AJG) Higher Education practice to review and provide advice about UVM’s ERM planning and implementation. UVM’s objectives for its ERM implementation are to (1) promote and establish an awareness and culture of risk management at the institution; (2) establish effective and manageable enterprise level processes for risk identification, assessment, response, monitoring, and reporting; (3) facilitate the identification, assessment, and management of risk at both the enterprise/institutional level and the unit level; (4) integrate the ERM process into the institution’s regular operational cycles as much as possible; (5) follow or establish ERM best practices in higher education; and (6) facilitate the integration of strategic planning, budgeting, and risk management.

In preparation for the AJG external review, the ERMAC co-chairs compiled the work of the ERMAC subcommittees to date into a draft ‘ERM Program Guide.’

The AJG review process included interviews with key internal stakeholders, discussions with ERM program leaders, review of the draft Program Guide and other relevant documents, and a survey of peer and aspirant institutions regarding ERM implementation.


Summary of the Survey of Key Institutions

As part of our review process, Gallagher was asked to survey 30 peer and aspirant institutions on the status and structure of their ERM programs. Of the 30 institutions surveyed, 47% responded. Of those responding, 43% had started an ERM process. Half of the institutions that had not begun an ERM process indicated that they were considering beginning an ERM initiative.

Pertinent observations:

1. Of the institutions that had begun an ERM process, 83% were institutions with an endowment in excess of $1 billion. However, of those indicating they had not begun an ERM process, but were considering doing so, the size of an institution’s endowment did not appear to be a factor.

Survey results suggest that larger institutions, measured by the size of their endowment and number of FTEs, were early adopters of ERM. Going forward, within the peer and aspirant group surveyed, it does not appear that size of endowment or number of FTEs will be a significant factor in whether or not an institution decides to implement an ERM process.

2. We suspect that the institutions that did not respond to the survey are institutions that have not yet begun an ERM process.

3. A majority (67%) of the institutions that have an ERM program indicated they are in the beginning stages of implementation.

4. Only one institution has a CRO leading the ERM initiative. Other institutions indicated that risk ownership was shared among key individuals in the institution. The one institution with a CRO leading its ERM initiative characterized the status of its ERM program as a “Defined Program.” A defined program has established the internal framework, conducted risk assessments and begun the process of measuring, managing and monitoring risks.

5. The response regarding the top three challenges was interesting, if not surprising. Institutions are struggling with defining roles, developing the framework and marshaling resources and time – many of the same issues and concerns stated by stakeholders at UVM.

Summary of Interviews with Key Internal Stakeholders

Interview questions focused on the development of the ERM program at UVM and asked for specific recommendations regarding structure and roles. We appreciated the selection of interviewees; they represented a diverse group that have a broad and deep understanding of university operations. The discussions were candid and very insightful, and because there were excellent suggestions for implementation and the potential barriers, some individual comments are included.

Key internal stakeholders interviewed included:

Rob Cioffi, Chair of the Board of Trustees
Dale Rocheleau, Board of Trustees
Bill Botzow, Audit Committee Chair, Board of Trustees
Dan Fogel, President of UVM
Jane Knodell, Interim Provost and Senior Vice President
Eleanor Miller, Dean, College of Arts and Sciences
Rick Morin, Dean, College of Medicine
Bernard Cole, Interim Dean, College of Engineering and Math
Richard Cate, Vice President for Finance and Administration and University Treasurer
Fran Bazluke, Vice President for Legal Affairs and General Counsel
Chris Lucier, Vice President for Enrollment Management
Thomas Gustafson, Vice President for Campus and Student Life


Bill Ballard, Associate Vice President of Administrative and Facilities Services
Anna Drummond, Chief Compliance Officer
Bill Harrison, Chief Internal Auditor
Mary Dewey, Director of Risk Management
Al Turgeon, Executive Assistant to the Vice President for Finance and Administration

General comments on the interviews:

Among those interviewed, understanding of the ERM program varied. Some could articulate the goals of the project; others had just learned of it. There is a general understanding that the CFO brought the idea forward and that its implementation is supported by the President and the Board of Trustees. Most expressed enthusiasm for the program and thought it was a good time for UVM to broaden its understanding and management of risk. The idea of crossover risks (that occur in multiple areas or departments) and a centralized approach to managing those risks was new to many.

Divergent views were expressed about the organizational culture at UVM. A number of people noted that the culture has changed in recent years. Most interviewees referenced the decentralized nature of university operations and the effect of that upon decision making and communication. An appropriate description of a risk associated with the decentralized nature of university operations was put this way: “Being decentralized means that we can get in trouble for something that no one knows is going on.” That is also a simple but compelling reason for implementing ERM.

At the senior leadership and board level, the working model appears to be collaborative and egalitarian. At the department or operational level, people feel that is not the case: they feel more isolated from leadership and find communication less effective. One person described it as “A lot of meetings but not a lot of communication.” Throughout, there seems to be a high reliance upon personal relationships and individual and small-group collaboration as the most effective forms of communication and decision making. The possible exception is the College of Medicine, which has an operating model that is self-described as different from the rest of the university (not as focused on undergraduates, not tuition driven, more nimble regarding decision making, and using a co-governance model).

Specific concerns expressed:

• A question that WILL be asked by people is whether this program will add another layer to administration.

• There needs to be more understanding and buy-in for this process to work.

• We haven't explained to people what this is and why this is important.

• We need to avoid making it a burden on the campus at large.

• There are perceptions among some faculty members that compliance and ERM do not have a place in higher education.

• Let’s not overdo it. We’ve got the right elements, but we need to build it over time.

• There’s a very real sense that if you impose one more responsibility on people, they will explode.

• I’m worried that this process will make us more risk averse.

Comments about faculty involvement:

• There’s probably very little understanding of this on the faculty side. This [initiative] is coming out of the non-academic side of the house.

• If you want people involved in change, you need to get them involved at the beginning and convince them that it's a reasonable idea and not a threat to them. Spend time visiting departments and talking; it’s messy but it’s much more effective than trying to impose change from the top.


• I think the way to pitch it [to faculty] is to talk about how a lack of risk management threatens their academic goals. A recent example is that we lost years of research because an air conditioner shut down.

• Make sure the VPs and Deans are involved. Maybe we need to include the department chairs, too. Describe the process and what we’ll expect from them. Create the case and explain what it will mean to them. It’s not going to be meaningful to them until then.

• The way to approach the faculty is to avoid foisting things on them. Lead it off with a discussion. Let faculty discuss and kick the idea around. You need to plant the seed and water it. DON'T tell them: "It's something we're doing, but you won't have to do much work." [That will only feed doubt and suspicion.] Ask them for advice. These are people who are working hard at teaching. They want to do research that's going to have a national impact. Appeal to that.

Comments about the barriers to implementation:

• Faculty and staff will wonder: “Will this process make my life more difficult?” If they perceive that to be true, they will create barriers to implementation.

• Getting the proper resourcing for the project will be a challenge.

• Building support and understanding without overwhelming people. We must proceed with patience.

• Outreach and communication must start first. No one will make it a priority unless they understand how it will benefit them.

• Several said that the culture that exists is a barrier; they were specifically referring to resisting change and overcoming the status quo.

• The college of medicine will be a challenge.

• Overload is a real barrier.

• The process as developed is too complex and will turn people off. We have to start with discussion and persuasion.

• The perception that this will take a lot of time and be difficult to understand and implement is a barrier.

• Do we have the capacity to get the work done?

Implementation suggestions from the interviews:

• Web resources are helpful.

• Use podcasts and documents.

• Meet with small-sized groups. We did this last year to explain how to administer the union contract. They put very simple slides up and used it to develop discussion. It was engaging, very informative and they had lunch. The audience included administrators and deans.

• When it comes to program development, if it looks like a lot of money was spent, it will create immediate antagonism.

• Decide what is most important to communicate. The risk assessment is not the end goal.

• There needs to be ongoing efforts to educate people and develop support. This is best implemented through influence rather than authority.

• For the Board, send them a primer and then set up an afternoon educational session.


ERM Program Recommendations

1. CRO Position

It is our recommendation that Richard Cate retain the role of CRO for an interim period of 12-18 months. This is a critical phase of implementation and we recommend that it proceed with minimal disruption. It makes a strong statement about UVM’s commitment to ERM that the role of CRO has been designated at the senior leadership level. Participation and interest will be taken more seriously as a result. In addition, continuing with Richard Cate in the role of CRO allows the program to develop without spending scarce resources on a new position. When program implementation is further developed and support for the ERM program has grown, it may be appropriate to hire a person to fill the position of CRO. At that point, we would recommend that Richard Cate become the Risk Champion at UVM and that the Chief Risk Officer report to him (for hiring and firing purposes), with an additional reporting and communication line to the Audit Committee.

The development of ERM in higher education is still new enough that there is not a well-established norm for the organization of personnel. However, it is not uncommon for the Vice President for Finance and Administration to be responsible for enterprise risk management, and we believe it makes sense for UVM as well. (The 2008 survey from the Association of Governing Boards/United Educators indicates that 49.7% of governing boards or presidents have assigned primary responsibility for institutional risk management to the financial officer. The UVM survey of September 2010 indicates that at 48% of 29 institutions, ERM reports to the VP for Finance and Administration.)

In the interim period, we recommend that Mary Dewey, Director of Risk Management, Al Turgeon, Executive Assistant to the Vice President for Finance and Administration and members of ERMAC continue to share program implementation responsibilities. We recommend that ERMAC become more involved and “hands on” with implementation. This will engage more people in the process, increase ownership and understanding of the process and assure better outcomes. Regular progress reports (at least quarterly) should be made by ERMAC to Richard Cate. Reports should then be made to the Audit Committee, the President and the Board of Trustees at least twice a year.

2. Roles and Responsibilities

Our recommendations for roles and responsibilities of the CFO, President, Director of Risk Management, General Counsel, Chief Compliance Officer, Chief Internal Auditor and Board of Trustees come from a combination of sources, experience and our understanding of the organizational structure at UVM. The sources include the NACD Blue Ribbon Commission on “Risk Governance: Balancing Risk and Reward,” BSI 31100:2008 “Risk Management – Code of Practice,” the Gallagher Higher Education Practice 2009 publication “Road to Implementation” and examples from other institutions.

Board of Trustees

Understand and assess the risks associated with Board decisions and the key strategies identified by the Board. Be knowledgeable about business management risks, governance risks and emerging risks that may affect the institution. Provide for an appropriate culture of risk awareness across the university. Review and approve risk information provided by the CRO and the Audit Committee, including key risks and response strategies. Assure that management has implemented a system to manage, mitigate and monitor risk and that the university’s risk appetite is appropriate.

Board of Trustees Audit Committee

Represent the Board of Trustees in providing oversight of the University’s ERM practices. Annually review the University’s risk appetite, annual report, risk register and response strategies, and receive biannual reports on the status of mitigation and response.


President

Lead the setting of strategic objectives for the institution. Work with the Board of Trustees to establish the institution’s risk philosophy and appetite. Inspire and foster cultural change in support of ERM as a value and best practice for the institution.

Senior Management (President’s Senior Leadership and Deans’ Council)

Demonstrate full commitment to ERM as a value and best practice, and support the President and CRO in creating the appropriate internal environment and institutional culture. In conjunction with the CRO, manage risks under the oversight of the President and the Board of Trustees.

CFO/CRO

Serve as the institutional leader for ERM, fostering a collaborative, campus-wide approach. Promote the consistent use of risk management and ownership of risk at all levels within the university. Build a risk-aware culture, including appropriate education and training. Lead the campus-wide effort to identify, evaluate, respond to, control, monitor and report on key risks. Align risk response strategies with the University’s risk appetite, strategic objectives and budgetary resources. Work closely with the Director of Risk Management, deans, vice presidents, directors and the ERM Advisory Committee to determine which risks sufficiently jeopardize strategic initiatives and to implement enterprise-level risk response strategies to manage those risks; report on the key risks and response strategies to the President and the Board of Trustees. Annually, submit the University’s annual report, risk register and response strategies for review by the Board Audit Committee. Review and approve the University’s ERM policy.

ERMAC

Support and advise the CRO in developing and reviewing the University’s ERM policy and framework for implementation, identifying risks and opportunities across the institution, reviewing risk assessments and response plans, developing enterprise-level risk response strategies and monitoring risk responses. Act as a technical resource of subject matter experts, participating in education, training, communication and awareness building for the ERM process. Assist in addressing functional, cultural and departmental barriers to managing risks. Construct the framework and methodology for continuously managing risk across the institution. Assist in the development of mitigation strategies and serve as advisors to risk owners.

Director of Risk Management

Provide technical support to the CRO and ERMAC. Work with ERMAC to develop and deliver ERM training and education material for all audiences and to conduct risk identification workshops and interviews. With ERMAC, create and support the use of tools and processes to identify, evaluate, treat and report on risks and ensure the consistent implementation of UVM’s ERM program across the institution.

Chief Compliance Officer

Serve as a subject matter expert on ERMAC. Evaluate and provide reports on compliance risks to the university’s senior management and ERMAC. Work with ERMAC and the Director of Risk Management on risks that are both compliance risks and key risks.

Chief Internal Auditor

Provide assurance to the Board of Trustees on the effectiveness of the risk management process, that risks are correctly evaluated and that key risks are reported and managed appropriately. As a subject matter expert and a member of ERMAC, consult and advise on identifying and responding to risks and on the effectiveness of the risk assessment process.


Risk Owners and Risk Control Owners

Where the risk management process identifies risks that need to be actively managed, each risk and each response shall be assigned an owner who is responsible and accountable for:

• In the case of a risk owner, owning the institution’s assessment of the risk, monitoring it and reporting its status, and

• In the case of a control owner, responding to the risk, contributing to the development and maintenance of an appropriate control environment and reporting on the status of the response.

Risks and their responses may be owned by the same person.

The Role of Individuals

UVM should embed risk management by incorporating it into each employee’s responsibilities. People should understand:

• The risks that relate to their roles and their activities,

• How the management of risk relates to the success of the institution,

• How the management of risk helps them to achieve their own goals and objectives,

• Their accountability for particular risks and how they can manage them,

• How they can contribute to continuous improvement of risk management,

• That risk management is a key part of the organization’s culture, and

• The need to report in a systematic and timely way to senior management any perceived new or emerging risks, near misses or failures of existing control measures, within the parameters agreed.

3. ERM Advisory Committee (ERMAC)

We recommend these changes to the ERMAC charter:

The ERM Advisory Committee (ERMAC) is responsible for the implementation of the ERM Program at UVM and for reporting on risk management to the VPFA. ERMAC is authorized in its duties by the VPFA/CRO.

With direction from and approval of the VPFA/CRO, ERMAC will:

• Develop and review the University’s ERM policy.

• Design a framework for embedding risk management across the institution.

• Teach staff and faculty to identify, analyze and manage risks and exploit opportunities using tools and processes developed by the committee.

• Review risk assessments and response plans.

• Act as a technical resource of subject matter experts.

• Develop education, training, communication and awareness building for the ERM process.

• Assist departments, colleges, units and projects in developing an understanding of their key risks, risk appetite and tolerances, and report on these to the VPFA and other appropriate stakeholders.

• Develop, implement and report on the use of risk management technology.

• Develop reports on the progress of implementing ERM at UVM.


Although it appears that you have excellent representation from major functional areas of the university on ERMAC, a 17-member committee is larger than most risk advisory committees. ERMAC is also dominated by representatives from finance and administration. That was a logical choice during your first phase of development, but we recommend that you consider revising the roster soon, especially as you begin to implement the ERM program across the institution. We recommend that you reduce the number of representatives from Finance and Administration (from 10 to 5 of the following positions: Controller, Director of Physical Plant, Finance & HR of the College of Medicine, Compliance, Audit, International Education, HR, Federal Relations, CIO and Police Services) and add representatives from the Deans’ Council and faculty as you move into implementation.

Using subcommittees is an effective way to increase effectiveness and efficiency of the group as long as communication is thorough and flows to the whole group. ERMAC should meet at least quarterly and subcommittees may need to meet more often.

4. Engaging the Board of Trustees

The first task is to train and educate Board members. The Board members need more information about the ERM Program, and the recommendation received during the interviews was exactly right: send them a primer and then offer a workshop to the Board of Trustees (the afternoon before a regularly scheduled meeting) to explain and experience the process. Train them on the roles and responsibilities of all internal stakeholders. Continue to support and encourage the discussion of risk at the strategic level. Encourage the consideration of the Ten Principles of Effective Risk Oversight by the Board outlined in the National Association of Corporate Directors Blue Ribbon Commission publication “Risk Governance: Balancing Risk and Reward.” Offer to facilitate a more conscious discussion of strategic risks during the next Board retreat in 2011.

The Ten Principles of Effective Risk Oversight (translated to a university context):

1. Understand the university’s key drivers of success.

2. Assess the risk in the university’s strategic initiatives.

3. Define the role of the full board and standing committees with regard to risk oversight.

4. Consider whether the university’s risk management system – including people and processes – is appropriate and has sufficient resources.

5. Work with management to understand and agree on the types (and format) of risk information that the board will review.

6. Encourage a dynamic and constructive dialogue between management and the board, including a willingness to challenge assumptions.

7. Closely monitor the potential risks in the university’s culture and its incentive structure.

8. Monitor critical alignments of strategy, risk, controls, compliance, incentives and people.

9. Consider emerging and inter-related risks: What’s around the next corner?

10. Periodically assess the board’s risk oversight process.


5. Embedding ERM Practices

Education

Start with educating ERMAC, the President’s Senior Leadership and Deans’ Council and the Audit Committee about ERM and the UVM Implementation Plan. They need to understand it more deeply so that they can be ambassadors of the program and support its growth. This would be most effectively accomplished through in-person training, so that they can work through questions and engage in the process.

The next groups to engage and educate about ERM include directors, assistant directors and department chairs. This would also be most effective if conducted in person. Emphasis should be on the benefits of the process (with specific examples from their particular discipline) and the implementation steps, and the sessions should allow for input into and ownership of implementation.

As a third phase, provide training and information to faculty, employees and students. The most efficient way to deliver training would be via webcasts, podcasts, train-the-trainer sessions, recorded web trainings, articles and distribution of written material. This can be done concurrently with a pilot project on risk identification and implementation of the risk management process.

Break up the Program Guide into easy-to-understand sections and use only the applicable portions during trainings and education sessions. All trainings and education sessions need to reinforce the goals and benefits of the ERM program and the creation of a risk-aware culture.

Create a variety of education material and formats. We recommend an interactive web site that is password protected for instructional and confidential material. Examples of resources include:

• An academic-style “white paper” describing how ERM is defined at UVM, the goals and benefits of the process, the framework and an overview of the process – for faculty.

• A collection of articles written by others and resource material – for champions, program implementers and ERMAC.

• Documentation of what other institutions are doing regarding ERM – for decision makers, board members and ERMAC.

• Detailed training on the implementation process, tools and education material and the reasons for implementing ERM – for ERMAC and senior leadership.

• An interactive risk workshop – for senior leadership, the Board of Trustees, the Council of Deans and key faculty members.

• An interactive web training about how to identify and report on risk – for risk owners.

• Generic information about the process and the reasons for implementing ERM – for internal and external stakeholders.

Implementing the ERM Model

Consider whether ERM could benefit any of the specific projects or programs under development. Examples may include the tuition funding model, deferred maintenance, the addition of new faculty and staff to the medical college, expanding international student offerings or decisions about program cuts. This may require developing a “train the trainer” approach (for members of ERMAC, for example) to facilitate a process involving a cross section of appropriate personnel. A typical process would consider the program objectives, stakeholders, potential barriers, opportunities, risks and responses, and action plans that would support success.


• Identify a pilot project for implementing the Risk Assessment Tool.

• Complete the process that began with the Division of Finance & Administration: beginning with the 85 risks already identified, cross-compile and prioritize them into a shorter list, then identify risk owners, train them on mitigation options, report on risk responses and have ERMAC review the results.

• Engage the President’s Senior Leadership Council in a process to identify key strategic risks to the institution. After prioritizing those risks into a manageable number (usually between 4 and 10), assign risk owners and support the development of mitigation strategies, monitoring and reporting on those risks. These risks may be further developed at lower operational levels and need to be summarized and reported up to the Audit Committee and the Board of Trustees.

Plan to roll out implementation more broadly to individual colleges, business units or focused on special issues after both pilot projects are in full swing (typically after 12-18 months). It makes the most sense to phase in additional implementations college by college. ERMAC should create the implementation plan.

Training and Development of ERM Leaders

Seek ERM training for key leaders of the initiative. Options for training include:

ARM 57 training available through RIMS. This is a certification program from the Insurance Institutes of America that requires months of self-study. A two-day review course prepares participants to take an exam.

The RIMS ERM Summit is an excellent showcase of ERM programs and advanced issues (offered once a year, in the fall). Although it is heavily slanted towards large business corporations, it usually includes some public sector and university presenters.

Infonex is a for-profit company that organizes a conference focused on ERM for higher education. Their conferences are usually offered twice a year (and quite expensive).

The Canadian Standards Association offers training on how to implement ISO 31000 – www.csa.ca

6. Protecting Public Information

Within higher education, there are a variety of responses to the question of how to protect the institution from undue scrutiny or lawsuits resulting from the process of identifying risks. In part, management response depends upon the state and local jurisdiction involved. For example, in some locales, it is possible to protect information by issuing a “draft copy” and not a final report. In other places, it is possible to protect the entity’s risk register (a prioritized view of key risks) by issuing it under attorney-client privilege. Whether you have any legal options for protecting the confidentiality of your risk information is a question for review by legal counsel and in-state experts on your particular sunshine laws.

Our recommendation is that you implement the full process of enterprise risk management before you publish any results or reports on risk. If UVM were to identify key risks and stop the process, you would indeed increase your legal liability. It would be the same as noticing a serious potential for injury and ignoring it. The ERM process, however, should not stop at risk identification. It is the second of many steps that you will take, including establishing the context, identifying risks, analyzing, evaluating and determining appropriate risk treatments and then monitoring the ongoing management and communication of those risk treatments. If UVM is fully engaged in the whole process, we believe that you establish a strong case for UVM’s commitment to the management of risk. In many states, that is the strongest defense you can muster. Some universities feel so strongly about that position that they publish their risk registers online (especially in places like Canada and the United Kingdom where the process is mandated and litigation is less volatile).


It is worth noting that risks do not decrease or dissipate as a result of silence. Many court cases have proven that an unwillingness to recognize or document a risk does not protect an entity from liability (disputing the theory that “if I stick my head in the sand, no one will see me”). It is less and less palatable for entities to address risks by refusing to acknowledge them, and societal pressures will continue to push universities on that point.

7. Risk Assessment Tools

Many organizations that implement ERM use Microsoft Office products to track the management of risk. There are also specific software programs available for purchase (although most of them are quite expensive). We are concerned that you may be overwhelmed by data if you do not plan for its management before you begin. The templates that you have created are an excellent beginning, but you need to begin the discussion about how you will manage the whole process two or five years from now. We recommend that you review the affordable ERM software and tools used by other institutions of higher education and public entities.


UVM ERM Survey Results Overview


UVM ERM Survey Cross Tab Report


UVM ERM Survey


Framework Design: Clarifying Who Does What (Based on the Institute of Internal Auditors Position Paper)

[Diagram: the legend distinguishes core internal audit roles in regard to ERM, legitimate internal audit roles with safeguards, and roles internal audit should not undertake. Roles shown: President & BOT, BOT Audit Committee, Internal Audit, ERMAC (proposed ERM leadership roles), CRO, Risk Owners.]
