Based on a review of the literature and discussions with risk and audit managers at other universities, the report also summarized various models and structures for organizing the risk management activities. One method was to appoint a central risk officer with institution-wide oversight and responsibility. With this model, key decisions would need to be made regarding reporting lines and the placement of that position within the organization. The report also outlined UW's current approach to risk management, noting that it had moved beyond the insurance approach, "which is usually reactive and ad hoc," but also observing that responsibility for specific risks was currently distributed among the institution's organizational silos (p. 15). It further noted that "the UW does not formally integrate risk and compliance into its strategic conversations at the university-wide level" (p. 15). While acknowledging the good progress being made in several areas (including UW Medicine, the newly restructured Department of Audits, and the Office of Risk Management), the report highlighted the weaknesses of the current approach, including the fact that "due to the size, decentralization, and complexity of the institution, a proliferation of compliance, audit, and risk management activities has grown up around separate and distinct risk areas, each largely operating in a self-defined stovepipe" (p. 18).
Philosophy of the Program
The report also discussed the philosophy of a proposed risk management program, asking whether the preferred approach should focus on enforcing law and regulation – a compliance or control approach – or be one that "encouraged cooperation between faculty and staff to develop flexible compliance approaches – a collaborative approach" (p. 2). After sharing the findings from the literature review and the institutional profiles of the peer institutions, the report outlined three guiding principles to shape the evolution of compliance and risk management at UW: (1) foster an institution-wide perspective, (2) ensure that regulatory management is consistent with best practices, and (3) protect UW's decentralized, collaborative, entrepreneurial culture. In light of these principles, the report made the following eight recommendations, detailing the key elements and implementation suggestions for each:
1. Integrate key risks into the decision-making deliberations of senior leaders and Regents.
2. Create an integrated, institution-wide approach to compliance.
3. Ensure that good information is available for the campus community.
4. Create a safe way for interested parties to report problems.
5. Minimize surprises by identifying emerging compliance and risk issues.
6. Recommend solutions to appropriate decision makers.
7. Check progress on compliance and risk initiatives.
8. Maintain a strong audit team.