OUTCOMES AND LESSONS LEARNED
UW administrators can chart the evolution of their ERM program and the effectiveness it has on the university. They note that the early wins were at the unit level, when specific departments, such as Information Security and Environmental Health and Safety, integrated the ERM process with their well-established strategic planning processes. Those units used the risk assessment tools to identify and rank risks that could hinder or prevent the achievement of their strategic goals. Integration of ERM at the entity level is happening more slowly, but issues that impact everyone at the UW, such as faculty recruitment and retention or responding to the external financial crisis, now can happen in a more integrated fashion as the understanding of ERM evolves. For several years, due to severe budget reductions, the Office of Planning and Budgeting consciously added some questions about risk assessment into the budget request process. Vice presidents and deans were asked to address the impact of budget reductions in terms of risk. This happened, in part, because two key members of the Budget and Planning Office, as well as the Provost, have been involved with the PACERM.
UW administrators have a few other observations about their process and how and why it has worked. First, they note that they were aware from the outset that the environment at UW is highly decentralized and that appointing an "ERM czar" or chief risk officer (CRO) wouldn't fit with the culture. They made a deliberate choice not to formalize ERM through a senior-level position, but rather to engage in implementation through a committee structure. Second, they involved faculty members from the beginning. This helped with a sense of shared purpose. Faculty members came to see the business side of academia, and staff and administrators better understood the point of view of scholars engaged in teaching and learning. Third, the senior leadership has stayed dedicated to the ERM process, even with transitions in the president and other senior administrators. The 2011 ERM Annual Report points out the benefits to the UW of the ERM approach:
The value of ERM is both qualitative (e.g., risk and opportunity maps) and quantitative (e.g., dashboards to contextualize and display metrics). Qualitative benefits accumulate because the risk mapping process allows groups throughout the University to collectively prioritize issues, and ensure that the effort and resources involved in root cause analysis, measurement, and monitoring are applied only to the most significant concerns. Each iteration of the ERM process results in new capabilities, and insight gained into maintaining the University's competitive advantage – particularly from managing our financial risks and strategic opportunities better than our peers, (p. 5)
UW has been strategic, deliberate, and inclusive as it continues on its journey to develop and enhance its ERM program, learning lessons from what works and adapting new strategies in order to improve or modify its program. ERM began at UW in 2006 "by establishing a collaborative approach and structure to consider broad perspectives in identifying and assessing risk" (2012 Annual Report, p. 3). This strategy has helped UW overcome some of the traditional challenges facing universities when implementing ERM, including addressing concerns about the real effectiveness of risk assessment, getting agreement on definitions of risk assessment impact, identifying risk owners, and moving beyond the "risk discussion" to focus on mitigation (2012 Annual Report, p. 3). In her November 2012 presentation on UW's ERM program to the Pacific Northwest Enterprise Risk Forum, Ann Anderson, Associate VP and Controller, outlined the following seven key lessons that UW has learned by engaging in ERM for almost eight years:
1. Clarify the roles of the various risk committees.
2. Develop a "work plan" for the committees.
3. Develop engaging agendas, focused at the appropriate level.
4. Don't overemphasize "lowest common denominator" risks.
5. Gather data/information to develop expertise on specific risks.
6. Avoid discussing low-level, narrow risks – too time-consuming!
7. Don't get into the weeds with implementation and process. Delegate actions to responsible parties.