Advisory Committee Recommendations: Create a Culture-Specific ERM Program
In February 2006, Hodge and Warren put forth to President Emmert a Collaborative Enterprise Risk Management Proposal developed by the SRIRC. The proposal recommended that "the UW adopt an integrated approach to managing risk and compliance, commonly called enterprise risk management (ERM)." They acknowledged that the proposed changes were not intended to "replace what already works across the university," but rather to "augment the existing organization with thoughtful direction, collaboration, and communication on strategic risks" (Collaborative ERM Final Report, February 13, 2006). At the outset, the SRIRC acknowledged that the structure and priorities of the ERM program would likely evolve and develop over time, but the members of the committee were confident that they had created a "strong, yet flexible framework within which to balance risk and opportunity" (February 14, 2006, memo to President Emmert).
While the report acknowledged the impetus for the creation of the ERM program (the $35 million compliance failure fine), it focused on the positive impact an ERM program could have for UW, beyond addressing compliance concerns. The report defined key terms and made recommendations based on three basic parameters: scope of the framework, organizational structure for the framework, and philosophy of the program. Each aspect was framed in the context of the literature review and campus comparisons; UW-specific recommendations were put forth based on SRIRC discussion and analysis.
Scope of the Risk Framework
The report reviewed and discussed the various approaches taken by organizations in practicing risk management, from a basic practice of risk transfer through insurance to a more integrated institution-wide approach. It acknowledged that, prior to implementation, some key decisions would need to be made: Would the scope of the program be institution-wide or targeted at the school, college, or unit level? Would it include all risks (compliance, finances, operations, and strategy) or be focused on certain categories of risk? ERM was cited as "the most advanced point on the continuum," a model that integrates risk into the organization's strategic discussions. The report also summarized a Centralized Compliance Management approach. This model, rather than encompassing all risks, would focus primarily on legal and regulatory compliance. It was noted that "while both are universitywide approaches, they vary in a number of important aspects, including scope, objective, and benefits" (p. 6).
The report also summarized the ERM models at four IHEs, based on interviews with compliance and audit managers at those institutions. Noting that all four were institution-wide approaches, Pennsylvania and Texas were identified as having adopted a more corporate philosophy; Minnesota, a compliance approach with a centralized style; and Stanford, a collaborative ERM approach (see Exhibit 9.5). The report recommended developing a "collaborative, institution-wide risk management model" for UW, one that "ensures that UW creates an excellent compliance model based on best practices, while protecting its decentralized, collaborative, and entrepreneurial culture" (p. 28).
Exhibit 9.5 UW's Approach to Risk Management Compared to Other Institutions. From University of Washington Collaborative Enterprise Risk Management Final Report, February 13, 2006.