“Risk assessment and compliance” have typically governed strategic plans for businesses but, until recently, the concepts have not permeated strategic planning processes for colleges and universities. Broadened from the traditional association with internal audit finance and operations, enterprise risk management (ERM) offers a more precise lens for higher education executives and boards of trustees to analyze “strategic risk” as they develop long-term institutional visions and goals.
The University of Tennessee System is one of several universities incorporating ERM in strategic plan goal-setting and implementation. With a new state mandate and a new planning cycle in approximately 2020, UT System President Joe DiPietro convened administrative and faculty strategic plan champions to recommend actions for the next two years based on ERM analytics. Facilitated by The Napa Group, which has partnered with the UT System in the development of its original 2012-2017 strategic plan and several “refresh” updates, led to several steps now underway in 2018.
“ERM is a discipline,” explained Executive Vice President and Chief Operating Officer Tonjanita Johnson. “We want to be sure we are looking at the risks associated with the vision and mission of the UT System – identifying both strategic opportunities and risks and having someone responsible for monitoring that progress.”
“The natural question is, ‘aren’t we already doing that?’” noted Judy Burns, Associate Director of the Office of Audit and Compliance who led the early staff work. While risk analysis occurs routinely in ongoing operations, the “enterprise” perspective by top management ensures a comprehensive approach priority setting. ERM, she explained, provides a defined tool with “structure, consistency and analytics.”
Supporting the enhanced ERM recommendations, the Board of Trustees’ Audit Committee approved a new staff position to be responsible for risk analysis integration and management in the system’s strategic goals. Burns also worked closely with the strategic plan’s champions and their teams to create detailed descriptions and action plans for identifying and mitigating risks.
ERM in Tennessee Higher Education
In 2016, the Tennessee State Government announced that state agencies and institutions of higher education must use ERM starting with their 2017 annual reporting. In doing so, Tennessee became the first state to mandate that higher education institutions fall under the new law. Already recognized for its leading-edge strategic plan dashboard, the university system responded with an accelerated plan to once ahead be ahead of the curve. Importantly, the institution’s leaders recognized, administrators and fiduciary boards should be focusing on the “right risks” and be forward-thinking in identifying previously unknown opportunities.
“ERM aims to enhance, not replace, an agency’s normal management processes by providing a comprehensive view and consistent analysis of risks and opportunities to inform management decisions,” according to the state guidelines. “It is meant to be integrated with management processes such as strategic planning and budgeting.” Both internal and external environments must be considered.
In launching the champions’ retreat, President DiPietro provided context for the system’s risk profile. He cited the many changes in state higher education priorities and cumulative federal funding uncertainties since the original strategic plan was approved. While the university’s research and outreach are stronger than ever, he added, well-documented challenges to the university’s business model continue “even in the best of times.” Future unknowns might include an economic downturn, the results of state and federal elections, competition for resources and shifting public perceptions of higher education in Tennessee. Such uncontrollable often find their way to a list of “Threats” in strategic plan SWOT analyses; at the University of Tennessee System, options for addressing them will be central to strategic risk assessment.
A holistic perspective of risks across the multi-campus university, rather than within units or functional areas, potentially highlights risks that no one official might see from a more limited view and supports smarter priority setting and resource allocation across the institution.
ERM Trends Nationally
Two nationally recognized frameworks provide guidance for ERM activities – the Committee of Sponsoring Organizations (COSO), which includes auditors and accounts, and the U.S. Government Accountability Office (GAO)’s “Green Book” standards. Initially formed in 1985 to address fraudulent financial reporting, COSO’s mission has expanded to provide leadership on methods to improve organizational performance and governance and to reduce fraud.
Building an entire program around the concept, The Enterprise Risk Management Initiative in NC State University’s Poole College of Management provides educational, research and training expertise and resources to organizations, boards and executives in all sectors to manage risk more competitively across the enterprise – and to remain competitive.
“ERM is evolutionary, not revolutionary,” Burns explained. “Our methodology has broad applicability and our opportunity is to create a process that is scalable – so that any academic or staff department could also use it in evaluating change.”