2015 ANNUAL CONFERENCE, Indianapolis
Organizational Change Management: A Best Practice to Effective ERM Implementation
Christine Ackerman, CPA, Associate Vice President & Director of Internal Audit, University of Cincinnati
Anita Ingram, ARM, Assistant Vice President & Chief Risk Officer, University of Cincinnati
Learning Objectives
After attending this session, participants will be able to:
• Build a successful case and framework for ERM with a defined approach, assessment tools and outcomes.
• List key collaboration and consultative techniques deployed in the partnership between risk management and internal audit to gain top-level support and build consensus with institutional stakeholders for ERM.
• Navigate the challenges and pitfalls of implementing and sustaining a successful ERM program.
Agenda
I. University of Cincinnati
II. Building the Case for ERM
III. Higher Education ERM Environment
IV. Roles of Internal Audit and Risk Management in ERM
V. Leveraging Collaboration
VI. ERM at the University of Cincinnati
VII. Managing Organizational Change
VIII. Developing Key Risk Indicators
IX. Successful ERM
University of Cincinnati – who are we?
UC Facts:
• UC is a public research university with an enrollment of more than 43,000 students;
• 372 programs of study;
• 16 to 1 student to faculty ratio;
• 14 Colleges - Arts and Sciences; Allied Health; Business; Clermont & Blue Ash Colleges (2 Year); Music; Design, Architecture, Art & Planning; Education, Criminal Justice, and Human Services; Engineering & Applied Science; Law; Medicine; Nursing; Pharmacy; Graduate School
Building the Case for ERM
• The decentralized nature and entrepreneurial environment in higher education institutions can lead to challenges in coordinating risk management activities across the institution
• The dynamic nature of higher education requires ongoing assessment and management of a variety of issues to be able to identify, evaluate, and respond to risks
Building the Case for ERM
• Demonstrate small victories with something smaller than full ERM implementation
- Demonstrate ERM approach using compliance as an example
- Collaborated on launch of ERM program for UC Foundation
• Hired consultant to assist with developing and implementing ERM framework
• Cost of implementing ERM not unreasonable
• Board of Trustees and senior administration support
• Be careful not to fall into compliance or tactical trap
• Be careful that ERM isn’t seen as a way to avoid risk
Higher Ed ERM Environment
• Some Higher Education organizations have robust ERM programs, yet many do not
• With those programs that are in place, they may not be working as intended
• AICPA reports on enterprise risk oversight across a range of industries:
- 51% of the respondents reported that their organizations had no formal enterprise-wide approach to risk oversight; and
- Only 14.9% said they had a complete formal enterprise-wide risk management process in place
Roles of Internal Audit and Risk Management in ERM
• Internal audit champions adoption of ERM
• Internal audit participates in ERM interviews and risk advisory council
- Important that internal audit be positively perceived throughout organization
- Audit assists with identifying and evaluating risks
- Audit assists with consolidating and reporting on risks
• Audits can inform and evaluate how units are responding to risk mitigation
Roles of Internal Audit and Risk Management in ERM
• Risk management deals with risks from a broad perspective of strategic, operational, financial, compliance and reputational risks as an interrelated portfolio
• Risk management both leads & participates in risk assessment process and leads the risk advisory council
• Provides the process and methods to manage unwanted variations from expectations, which are linked directly to the organization’s strategy
• View risks in a way that crosses silos, builds internal alliances, exhibits flexibility, expands to include emerging risks, and enhances strategic decision-making capabilities
Leveraging Collaboration
• Enterprise risk assessment informs annual audit plan
• Reports are shared; both functions identify different types of risks
- Chief Risk Officer, by receiving internal audit reports, can help ‘connect the dots’, identify trends occurring in internal audit reports
- Internal audit can utilize knowledge of specific risks to scope and tailor audit procedures
• Collaboration builds efficiencies and improves results by cross-leveraging competencies, roles & responsibilities
• Enhances communication depth and consistency, especially at board and management level
Leveraging Collaboration
Internal Audit
• Defines ERM as a process
• Uses a specific risk management standard; usually COSO
• Develops audit plan to define the scope of work
• Links findings from any risk-based audit plans and the enterprise risk assessment
• Discusses the risk-based audit plan with risk management
Risk Management
• Defines ERM as a discipline
• Uses a specific risk management standard; either ISO 31000 or COSO
• Develops the enterprise risk assessment designed to get a sense of the risks and call attention to the most severe risks
• Shares ERM results with internal audit
Leveraging Collaboration
• Enterprise Risk Management (ERM) is about supporting opportunities as well as preventing problems
• It is tied to business objectives & strategies – and supports them
• It works within the entity’s culture and will become integral to decision making
• It will ensure that Risk Management applies to all levels of the organization and to all activities
ERM at UC: Program Context
• Effort began in 2012
• VISION STATEMENT: Create a risk-aware culture, permitting the University to ensure an effective means to identify, measure, control, and assign responsibility to manage risks, while encouraging the acceptance of reasonable opportunities.
• 2013 hired consultant to assist with developing ERM framework
• 2014 launched search for CRO; launched formal ERM program
ERM at UC: Timeline
Phase 1: Build the Case for ERM
1. Understand the institution’s strategic plans, environment, and culture
2. Determine the status of existing risk management program & processes
3. State goals and objectives (Dec 2014)
4. Obtain top-level commitment, support, and participation
Estimated date to completion: June 2015
Phase 2: Build the ERM Foundation
5. Name a Project Leader
6. Plan project and define timeline (Jan 2015)
7. Create a cross-functional Risk Council & related subcommittees (Nov 2014)
8. Create mission and goals statement (Jan 2015)
9. Create top-level ERM Executive Committee
Phase 3: Implementation
10. Assess risks and update risk portfolio: validate and prioritize (Jan 2015 and ongoing)
11. Assign ownership and take action (Sept/Oct 2015)
12. Train & educate to assist board, academics & administrators with ERM process
Phase 4: Sustain the ERM Program
13. Measure and assess results; monitor
14. Meet and review regularly; realign risk treatments as appropriate with available resources (periodically)
15. Report results (annually and upon request)
16. Do not neglect traditional risk management functions
17. Develop and implement institution-wide systems for communicating
Legend (colour coding on the slide): GREEN: completed; RED: in progress, partially completed; BLACK: future action
ERM at UC: Framework
[Figure: AS/NZS ISO 31000:2009 — Overview of the relationships between the risk management principles, framework, and process (Principles, Framework, RM Process)]
Note: The brown arrow depicts that the principles inform the mandate and commitment for managing risk (reflected in the organization’s management system). The light blue arrow shows that the framework enables the application of the risk management process. The dark blue arrow indicates that experience in applying the process can improve the organization’s management system.
Monitoring & review, continual improvement and communication occur throughout.
ERM at UC: Governance Structure
[Figure: governance structure with three tiers: Audit & Risk Committee of the Board; ERM Executive Committee; ERM Risk Council. The tiers are linked by Communications and Risk Review.]
ERM at UC: Role of the Board
• Participating in their committees’ risk reviews
• Board/Committees should hear from the risk’s designated leader, once each year, minimally.
• Ask appropriate, sometimes tough questions and in general, provide oversight.
• Also, board members will be apprised of the university’s risk posture by hearing the other committees’ reports.
• Committee reports will be summarized for the full board.
• The president works with the board to set the high-level ERM agenda and develop a statement of risk appetite.
ERM at UC: Risk Identification
• Identified through interviews, brainstorming, emerging trends, benchmarking with peer institutions, surveys
• Risks will be categorized: (i) Compliance (ii) Financial (iii) Operational, (iv) Strategic, or (v) Reputational
• Top 10-15 Highest Priority risks will be assigned for oversight by committees of the Board of Trustees
• Remaining High/Medium Priority risks will receive oversight from the Risk Council
ERM at UC: Findings
• Information Security/Disaster Recovery Planning/UCIT Operations
• Student Enrollment and Enrollment Management
• Public Safety
• Funding Resources & Budget
• Emergency Management & Business Continuity
• Building/Facilities and Deferred Maintenance
• Strategic Planning
• Dealing with Minors On and Off Campus
• Compliance & Regulatory Issues (various)
• Student Mental Health Issues
• Staffing & Succession Planning
Preliminary research was conducted by ERM personnel with over 70 interviews involving more than 100 individuals, including the President’s Executive Cabinet, Deans, Provosts, and key external partners. Research indicates the highest ERM concerns at UC currently focus on the items above.
Risk & Opportunity Heatmap
[Figure: risk & opportunity heatmap. From: University of Vermont ERM website: http://www.uvm.edu/~erm/?Page=evaluation.html&SM=processmenu.html]
ERM at UC: What happens next?
• ERM Executive Committee Risk Workshop (September ’15). Deliverable: Heat Map
• Assess risks, update risk portfolio: validate and prioritize; input to new RMIS (October 2014 to October 2015)
• Assign/define ownership of risk areas and initiate and verify action steps (October to December 2015)
• Develop and implement institution-wide systems for communicating (Feb to Dec 2015)
Managing Organizational Change
[Figure: “Impact of Organizational Change”, performance (vertical axis) plotted against time (horizontal axis). The curve falls through a period of decreased trust, poor communication & increased disengagement, then enters a recovery phase with some improvement in communication, trust & productivity. Stages marked along the curve: 1. Denial/Shock; 2. Anger/Betrayal; 3. Pain/Sadness; 4. Acceptance/Recovery]
Managing Organizational Change: Cumulative Effect
[Figure: performance plotted against time, showing the cumulative effect of successive changes; labelled “Disengagement”]
Managing Organizational Change
[Figure: performance plotted against time, labelled “Recovery” and “Renewal”]
Key: Manage the Depth and Duration
Developing Key Risk Indicators (KRI)
• Linking objectives to strategies to risks to KRIs
• Effective KRIs can provide value in a variety of ways, including:
- Risk appetite
- Risk and opportunity identification
- Risk treatment
- Risk reporting
- Compliance efforts
- Improved performance, process, and improved workplace environment
Developing Key Risk Indicators (KRI)
• Depends on risk identified
Campus safety
- Crime statistics, # of NightRide users, international student safety rankings, etc.
Emergency preparedness and business continuity
- # and results of drills and exercises, faculty, staff and student education and outreach, # of business continuity plans, results of business continuity tests
Information Security
- # of breaches, results of external penetration tests and vulnerability scans (# of critical/significant vulnerabilities)
Enrollment
- # of births, # of projected high school graduates
Successful ERM Program
• Buy-in and support from the top
• Sustainable process – slow progress is still progress!
• Continuous improvement
• Tools: RMIS/GRC, interviews, surveys, questionnaires
• Strong marketing & communication
• Personnel resources
• Don’t use as a means to say ‘no’, create additional administrative burden, or create another level of bureaucracy
Successful ERM Program
A successful ERM program allows for:
• Assignment of risks – Distribution of enterprise risks encourages ownership of mitigating and managing risk at the individual/unit level
• Resource optimization – Individuals have autonomy and flexibility to maximize their talents and resources while working within their scope; individuals do not unknowingly complete redundant tasks, reducing the likelihood of expending unnecessary effort, resources and time
• Assignment of accountability – Each individual is uniquely accountable for individual risks as they contribute to a larger, more comprehensive enterprise-wide risk strategy
• Coordination – Higher levels of communication across units and knowledge sharing regarding challenges and perspectives create opportunities to break down silos, resulting in greater, more collaborative coordination
Dilbert on Risk Management
[Dilbert cartoon on risk management]
“Risk in itself is not bad; risk is essential to progress, and failure is often a key part of learning. But we must learn to balance the possible negative consequences of risk against the potential benefits of its associated opportunity.”
Questions?
Thank you!
Resources
• Executive Report: The Risk Perspective, “Risk Management and Internal Audit: Forging a Collaborative Alliance”, Risk and Insurance Management Society Inc. and the Institute of Internal Auditors Inc., 2012.
• Pacific Northwest Enterprise Risk Forum, “University of Washington Enterprise Risk Management - A Journal of Discovery”, November 7, 2012.
• COSO Thought Leadership in ERM, “Developing Key Risk Indicators to Strengthen Enterprise Risk Management: How Key Risk Indicators Can Sharpen Focus on Emerging Risks”, by Mark Beasley, Bruce Branson, Bonnie Hancock, 2010.
Sources of Information:
• ANSI/ASSE/ISO 31000 – the only international standard on risk management – 2009
• COSO ERM Framework – 2004
• “Risk Management – An Accountability Guide for University and College Boards” by Janice Abraham – AGB & UE – 2013
• Consulting firms – Huron
• GRC – Governance, Risk & Compliance (software and consulting): Riskonnect, Ventiv, Marsh Clearsights, etc.