UW'S ERM MODEL
After a careful review of models in the corporate sector and within higher education, UW settled on the following regarding its ERM model:
• Assess risks in the context of strategic objectives, and identify the interrelation of risk factors across the institution, not only by function.
• Cover all types of risk: compliance, financial, operational, and strategic.
• Foster a common awareness that allows individuals to focus attention on risks with strategic impacts.
• Enhance and strengthen UW's culture of compliance while protecting the decentralized, collaborative, entrepreneurial nature of the institution.
Adopting and Adapting the COSO Model
UW has defined ERM according to its interpretation of the Committee of Sponsoring Organizations (COSO) model, adapting the framework to fit the university environment and the UW in particular (see Exhibit 9.9).
Exhibit 9.9 University of Washington's ERM Integrated Framework
From University of Washington Enterprise Risk Management Toolkit, p. 7. Copyright 2007, University of Washington.
COSO describes ERM as "a process, effected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives" (COSO 2004). The framework was adopted in 2009-2010; the 2010 ERM Annual Report notes:
The UW ERM Integrated Framework offers a schema to integrate the views of risk that have historically been addressed in silos or through a fragmented approach.
The ERM framework bridges the gap between lower-level issues and upper-level issues, and it allows us to be explicit about the multiple levels on which the ERM process is deployed as a risk and/or opportunity management mechanism. (p. 4)
The top of the cube identifies risk types, including compliance, operations, and financial risks. Strategic risks can impact the mission. Mega risks are major external events over which the institution has no control, but for which the institution can prepare.
The right side of the cube views the organizational structure at three levels: entity, which entails all operations and programs; division or function, looking at a major risk in depth; and unit, where individual departments can use the tools to assess their risks. A fourth level used in the UW environment is the alternatives level, at which competing options are evaluated.
The front of the cube outlines the traditional eight steps from the COSO model, beginning with setting the tone and context for ERM at the top, identifying risks in conjunction with strategic goals, and continuing through the complete cycle to implementation and follow-up.
The report notes:
UW's "cube" integrates the several ERM facets into a whole, and enables ERM to be applied in a very intentional manner: Starting any new risk assessment requires identifying the appropriate level of the organization or environment at which the assessment will be made; focusing on which set of risks (compliance – strategic – mega risks) to cover; and applying all the steps in the ERM cycle to ensure a complete assessment and follow through.
The UW views ERM as integrating risk discussions into strategic deliberations and identifying the interrelation of risk factors across activities. Using the COSO model, its eight-step process involves the following (see Exhibit 9.10):
Exhibit 9.10 University of Washington ERM Process
From University of Washington Enterprise Risk Management Toolkit, p. 8. Copyright 2007, the University of Washington.
1. Leadership, culture, and values. Setting the tone at the top.
2. Strategic goals. At the entity or institutional level (top down), the division or function level (risk topic across shared goals of VPs and deans – "middle up"), the unit level (such as a department, school, or college – bottom up), or the alternatives level (investment alternatives or business options).
3. Risk identification. In the appropriate context, name the harm, loss, or compliance violation to avoid, as well as the opportunities to be identified. This typically begins with listing broad risk activities or subject areas. Risks can be identified at the entity, division, functional, unit, or alternatives level. This process includes the use of risk statements and opportunity identification.
4. Risk assessment. In the appropriate context, analyze the risk or opportunity in terms of likelihood and impact (see Exhibit 9.11). Create a risk map, ranking or prioritizing risks to inform decisions regarding response. For opportunities, rate the likelihood of occurrence on a scale of 1 to 5 (1 = rare, not expected to occur in the next five years; 5 = almost certain, expected to occur more than once per year). Also rank the positive impact, considering what impact the opportunity would have on the institution's ability to achieve goals or objectives (1 = insignificant, with little or no impact on objectives and no impact to reputation and image; 5 = outstanding, could significantly enhance the capability to meet objectives and could significantly enhance reputation and image).
5. Response. Selecting the appropriate response involves comparing the cost of implementing the option against benefits derived from it. Responses include avoid, mitigate, transfer, or accept the risk. For opportunities, the response can be exploit, enhance, share, or ignore.
6. Controls. Document internal controls for top risks, and rank for effectiveness. For UW, internal controls are narrowly defined to describe the methods used by staff or faculty that help ensure the achievement of goals and objectives, such as policies, procedures, training, and operational and physical barriers.
Exhibit 9.11 University of Washington Risk Assessment: Likelihood and Impact
From University of Washington Enterprise Risk Management Toolkit, p. 17. Copyright 2007, the University of Washington.
7. Information and communication. Communicate with stakeholders and take action (the transition from analysis to action). Designate a risk owner for each of the top risks.
8. Monitoring and measuring. Monitor performance to confirm achievement of goals and objectives, and monitor risk to track activities that prevent achievement of goals and objectives.