University of Wisconsin System Enterprise Risk Management UW Milwaukee September 11 & 14, 2012

Learn about the principles and benefits of implementing Enterprise Risk Management (ERM) in higher education institutions. Discover how ERM can help organizations proactively identify and manage threats and opportunities to enhance stakeholder value and promote continuous improvement.

alyons

Presentation Transcript


  1. University of Wisconsin System Enterprise Risk Management, UW Milwaukee, September 11 & 14, 2012

  2. Introductions

  3. ERM Working Group Agenda

  4. ERM in Higher Education

  5. What is Enterprise Risk Management? “A comprehensive program designed to proactively and continuously identify and manage real and potential threats and opportunities that may impact our operations.” • Designed to protect and increase stakeholder value, fit into the organization’s culture, and leverage current controls and capabilities. • An operational strategy that promotes continuous sustainable improvement across the organization; creating value. • A process that identifies and prioritizes real and potential risks (threats and opportunities) that may affect an organization’s strategy and/or operations and promote the ability to manage risks to an acceptable level.

  6. ERM = STRATEGIC RISK MANAGEMENT • Enterprise Wide Risk Management • A wide range of risks are identified and evaluated, including finance, human capital, strategic, operational, and reputational • Evaluation includes the “upside of risks” or opportunities risk-taking can provide • Helps manage successful growth or program expansion • Risks are owned by all and mitigated at the department level

  7. Why Implement ERM? • Sustain competitive advantage • Respond when a significant event occurs • Avoid financial surprises • Manage scarce resources • Define risk appetite and risk tolerance levels • Determine effectiveness of existing controls • Improve risk assessments • Increase accountability • Allocate resources more effectively

  8. Why Implement ERM? (cont.) • Competition • Student Demands • New Technologies • Globalization • Entrepreneurial ventures beyond traditional education • Pressure for increased productivity and accountability while reducing costs • Increased compliance expectations • Research Safety/Security

  9. Higher Education ERM Efforts. Organizations: • National Association of College and University Business Officers (NACUBO) • Association of Governing Boards (AGB) • University Risk Management and Insurance Association (URMIA). Institutions: • University of California • University of Washington • University of Minnesota • Auburn University • Texas A&M University • Purdue University • Maricopa County Community College

  10. Higher Education Risk Case Studies • Two Scenarios designed to start you thinking about key concepts associated with ERM • Risk v. Opportunity • Likelihood & Impact • Controls • Mitigation

  11. UW System Enterprise Risk Management Initiative

  12. UW System – ERM Vision The University of Wisconsin System endeavors to lead higher education by integrating the principles of Enterprise Risk Management (ERM) into the culture and strategic decision making of its academic, student affairs, and business functions. ERM will promote the success and enhance the accountability of the UW System by incorporating risk assessment into the System’s strategic objectives and budget development process.

  13. Mission Statement The mission of the University of Wisconsin Enterprise Risk Management Project is to initiate a comprehensive program which will support the identification of the UW’s mission-critical risks, assess how to manage those risks, and align resources with risk management responsibilities.

  14. Goals and Objectives for Accomplishing the Mission: Goal #1: Integrate ERM into the culture and strategic decision making processes of the organization. • Objectives: • 1-1. Develop common ERM terminology. • 1-2. Raise awareness of the need for risk management. • 1-3. Establish continuous monitoring and communications processes. Goal #2: Balance the cost of managing risk with the anticipated benefits. • Objectives: • 2-1. Define the organization’s overall risk appetite/tolerance, and establish associated materiality thresholds. • 2-2. Document current procedures, controls, and risks. • 2-3. Compare current risks to control efforts, as well as to the organization’s risk appetite, to help identify priority risks. • 2-4. Assess the value of alternative risk management actions.

  15.  Goals and Objectives for Accomplishing the Mission: Goal #3: Manage risk in accordance with best practices, and demonstrate due diligence in decision making. • Objectives: • 3-1. Assign responsibilities for risk management at the “lowest” levels of the organization. • 3-2. Regard compliance with the law as a minimum standard. • 3-3. Streamline risk-management-related practices. • 3-4. Identify competitive opportunities. Goal #4: Use the pilot projects to develop a system-wide ERM implementation strategy. • Objectives: • 4-1. Establish an organizational and communication structure for managing the pilots. • 4-2. Transfer knowledge from the consultants to UW System Administration staff. • 4-3. Involve the UW System president and cabinet in ERM-related decisions.

  16. Current State of Project • Core Risks LTD., in consultation with Arthur J. Gallagher, selected to develop UWS ERM model • Full risk assessment completed at six UW institutions (Oshkosh, Superior, Whitewater, Parkside, River Falls, and Platteville) • Established an ERM Core Team at System Administration • Developed UWSA website in support of initiative: http://www.wisconsin.edu/oslp/erm/

  17. Current Examples That Incorporate ERM Processes • Security and Threat Assessments • International/Study Abroad Risk Assessment • Continuity of Operations • Other

  18. Evolution to achieve ERM • Prior State – Individual area/function silos report risk on an ad hoc basis from the bottom-up to management. No top-down linkage to the Executive Management/BOD strategic objectives. • Resilient State – enhanced sustainability across the enterprise. • Convergence of Reporting • Consistency of Process • Focus on Risk • Informed Decision-making • Ownership [Diagram labels: Board of Regents; Audit Comm; Enterprise Risk Management; Risk Council; Institution A; Institution B; Central Funct; IS; Athletics; Housing; Safety; Other]

  19. Signs of Success… A successfully implemented program will result in: • A process for open and objective discussion on risk and related issues facing the organization on an aggregate basis. It must promote honest and fact-based discussion and enhance decision making while assuring that “the messenger does not get shot”. • Regular reporting of the organization’s risk profile that: 1) prioritizes risks from a materiality perspective; and 2) clearly helps direct the asset allocation (money, time, people) toward risk mitigation. • No new bureaucracy; ERM needs to be embedded into the existing culture and structure to assure sustainability. This is best assured by integrating the ERM findings into the annual budget and strategic planning cycles. Normally, if it isn’t budgeted, it doesn’t exist.

  20. Critical ERM Program Components

  21. Higher Education Risk Categories

  22. Management Control … More = Better In a world with no constraints Types of controls • Rule-based – Policy, process, or standard. • Management Control – Responsibility for control is assigned to a specific person or function within the organization. • Compliance-based – Rule-based or Management Control, where adherence is verified. • Physical Control – Barrier, mechanical, or computer control. • Risk Culture – Tone at the top for managing risk.

  23. Management Control Scale: Current Level of Control over the Risk [Scale graphic: Less Control to More Control]

  24. Impact Defined • Impact is the total outcome (as measured against a specific materiality metric) that would be realized if a Risk Driver were to occur. • Specific reference point used to categorize the materiality of the Impact of a Risk. • Used to “bucket” risks from different parts of the organization to allow for detailed, cross-functional discussion • Low • Moderate • High • Extreme

  25. UW System Materiality - Impact on Enrollment UW System Milwaukee 1 10,000 4 Extreme 10% 12,520 3 High 4 5,250 6% Extreme Moderate 2 2,600 3% 10% 600 High 3 1 Low 350 6% 2 Moderate 175 3% 1 Low Critical Definitions Impact & Materiality – Sample • Impact on Enrollment used as example • Calculated over a certain period of time (36 months)

  26. Materiality Matrix (For Discussion)

  27. Likelihood: The likelihood that a risk will occur within the next 36 months, recognizing current controls. Likelihood Scale: 1 = Low – Possible but unlikely to occur; remote. 2 = Moderate – Moderate risk of occurrence; maybe. 3 = Probable – Likely to occur. 4 = Almost Certain – Very likely to occur in immediate future (probable). [Scale graphic: More Likely to occur – 75%, 50%, 10% – Less Likely to occur]

  28. Sample Inherent Risk Map (Heat Map) [Figure: Impact (1 to 4, with dollar ranges $x,000,000, $xx,000,000, $xx,000,000) against Likelihood (Unlikely, Possible, Probable, Almost Certain); zones: Very High Risk, High Risk, Moderate Risk, Low Risk] Legend (items numbered 1–10): • Fire at remote building • Snow Collapse of University Center • Credit Crisis – loss of funding • Weather shuts down campus-short term • Sports team scandal • Loss of Key Faculty • IT system failure due to weak controls • Dorm shutdown due to contamination • Community activists block expansion • Pandemic

  29. Risk Retention & Risk Mitigation • Risk Retention. If an identified risk is within Risk Retention, it is accepted at this time without the need for additional action. Current controls are retained, maintained, and monitored. • Risk Mitigation. If an identified risk is not within Risk Retention, then further mitigation is planned and prioritized.

  30. Risk Identification/Workshop Process

  31. • Any pre-existing Risk reports are reviewed and Identified Risks are compiled • One on One Interviews with Senior Staff identify perceptions of Risk • Risk Surveys are sent to direct reports of Senior management • Chancellor/Risk Council informs Institution Core Working Group of decisions on recommended Risks • Surveys collect risks identified from a cross functional group of operational level management • Institution Risk workshop synthesizes all Risks identified to date and discusses and assesses new Risks. Output report is ready for management review • Institution Workshop • Core Working Group reviews and delivers summary report of Priority Risks to Chancellor

  32. Risk/Opportunity Areas What keeps you awake at night? Systemwide list: • Enterprise Systems Implementation (HRS) • Executive Position Recruitment/Retention • IT Security • Budget/Revenue Optimization • Capital Planning and Budget Process and Joint Ventures • AODA/Student Safety • Student Services (Mental Health) • Community and Legislative Relations • Administrative Efficiency/Stewardship of Public Funds/Accountability • Records Retention/Open Records/Confidential Information • Faculty – Recruitment/Retention and Discipline

  33. We use the Wireless Voting Technology. The Voting Keypad: • You may change your vote as many times as you want before voting is closed – only your last response will count. • You do not have to point the keypad at the screen. • Your individual responses will remain anonymous.

  34. IMPACT & LIKELIHOOD • LIKELIHOOD: 1 LOW, 2 MODERATE, 3 PROBABLE, 4 ALMOST CERTAIN • IMPACT: 1 LOW, 2 MODERATE, 3 HIGH, 4 EXTREME (BASED ON UW-MILWAUKEE MATERIALITY MATRIX)

  35. CONTROLS & COST • COSTS: 1. HIGH (greater than $25,000) 2. LOW or NONE • CONTROLS: 1. NONE/WEAK 2. LIMITED 3. MODERATE 4. STRONG

  36. MITIGATION vs RETENTION Does this need to be placed in Risk Mitigation? • Yes • No

  37. Sample Risk Map (Heat Map) [Figure: Impact (1 to 4, with dollar ranges $x,000,000, $xx,000,000, $xx,000,000) against Likelihood (Unlikely, Possible, Probable, Almost Certain); zones: Very High Risk, High Risk, Moderate Risk, Low Risk] Legend (items numbered 1–10): • Fire at remote building • Snow Collapse of University Center • Credit Crisis – loss of funding • Weather shuts down campus-short term • Sports team scandal • Loss of Key Faculty • IT system failure due to weak controls • Dorm shutdown due to contamination • Community activists block expansion • Pandemic

  38. Next Steps

  39. Risk Ownership Remember… Risk Ownership is important and to be a Risk Owner is a good thing! • Qualities of a Risk Owner... • Owners should have significant influence over their assigned Risk Driver(s). • Owners will be individuals. • Owners will be accountable. • Risk Owners will... • Work to determine the Risk Retention parameters for a particular Risk Driver. • Develop Mitigation plans to return Risk Driver(s) to Risk Retention. • Perform ongoing monitoring of their Risk Driver(s) to assure that Risk Drivers remain in Risk Retention.

  40. Risk Driver Mitigation Worksheet - Example • Risk Driver Number & Short Name: #1 - Student safety issue due to unsafe pedestrian crossing at RT 66 • Current Risk Ratings: Impact Rating & Range: 6 - (Greater than $80M); Likelihood: Possible; Inherent Risk Rating: Significant; Control: Poor • Mitigation Plan Options and Steps: Increase Signage; Request addition of additional flashing lights from highway department; Conduct assessment of possibility of adding pedestrian tunnel or bridge • Timing of plan: Q3 11; Q4 11; 2012 • Risk Owner name: J Bond – Head of Road Safety • Additional functions involved: Security; Government relations; Facilities and department, with support of Civil engineering department

  41. A Steady State Process (example 1) [Diagram labels: Annual Risk workshops; Risk Assessment and Workshops; Risk Drill Down workshops; Mitigation Plans developed and Submitted for budget consideration; Preliminary Objectives & Risk Survey; Risk Council Meet/Report; College Risk Report; Risk Council; College Risk Report; Risk Council Meet/Report; College Risk Report; Report to Management/Compliance Steering Committee; Risk Council Meet/Report; Report to Board/Audit Committee (budget approval); Risk Enhanced Budget submitted]

  42. A Steady State Process (example 2) [Diagram labels: Risk Assessment; Nov; Risk Survey; Risk Owners; Dec; Oct; Strategy / Operations Planning; Mitigation Plans; July; Jan; Report to Senior Administration; Report to Board of Regents; Apr/May; Risk Enhanced Objectives; Risk Council Maintenance]

  43. Orientation Wrap Up Questions?
