In the course of my research into Enterprise Risk Management, I had the privilege of speaking with Grace Crickette, Chief Risk Officer at the University of California about the innovative strategies she and the university system used, which I wanted to share with you.
The University of California (UC) is a large, complex, diverse organization with 10 campuses, five medical centers, three national laboratories, and 184,000 staff and 232,000 students. When Crickette joined the UC system in December of 2004, her first task was to build an Enterprise Risk Management (ERM) program.
The initial step the Chief Risk Officer took was to conduct a gap analysis to identify the risk activities that were already in progress across the university system. She then formed an ERM Panel comprised of various disciplines across the University and presented her findings from the gap analysis. Crickette notes, “Many organizations’ first step in implementing ERM is to look at their risk universe and conduct a risk assessment, but the University had conducted numerous risk assessments over the years so that was not a necessary step for UC to proceed with implementing ERM. We took a different angle and focused on the ‘upside’ of risk. We asked, ‘What information would you like to monitor to make your operations successful?’”
Crickette credits an upfront information gathering approach with achieving ERM success. The ERM Panel, combined with a team from KPMG interviewed approximately 40 representatives in each location to gain an understanding of the key risk-related concerns and issues impacting each part of the organization. The initial result was more than 550 possible Leading Indicators (LIs) identified, of which 430 were unique – this is, not duplicated at any of the other campuses or medical centers. This was then consolidated to those with the highest priorities.
A critical insight gained from the experience was that UC was severely challenged with information collection, which was primarily ad hoc and manual. Data resided in Excel spreadsheets and Access databases. Acknowledges Crickette, “There was a great need for information to help identify, manage, and monitor risks, but there was a lack of data and a lack of systems.”
The ERM Panel developed a strategy for a sustainable ERM program that included a unified database to monitor, track, and manage risk across the UC system that could be mined locally by campuses and at a system-wide level.
Notes the Chief Risk Executive, “It was important to deliver low tech, ‘no tech’, and high tech tools. We needed a data warehouse supporting multiple sources – from a corporate system, claims system, survey data, to Excel spreadsheets. The business intelligence or reporting tool provided ‘the brain’ to spot trends early on and point us to where we needed to take action.” UC has partnered with IBM to create its no tech, low tech, and high tech tools which are integrated in an Enterprise Risk Management Information System (ERMIS). “IBM has been a great partner in leveraging IBM software tools, tools developed by UC’s actuary Bickmore Risk Services, as well as software programs created at our campuses.”
The philosophy of ERM quickly and naturally trickled down from the leadership team to the individual employee level. Training and communication have contributed to positively embedding a risk-aware culture. Risk education is provided internally and externally in regular meetings, in campus leadership workshops, webinars, bulletins, external conferences, and other venues. Every week the Chief Risk Officer works with different groups from both higher education and industry. On the day that I spoke with Crickette, she was on the phone advising Universities, Cal State and Harvard University.
The value of ERM delivered to UC has been four pronged:
- Reduced cost of risk, which is considerable when the direct and indirect cost of risk for UC can exceed $500 million per year.
- Improved cost of borrowing with rating agencies including Moody’s and S&P. For instance, a .1% decrease in interest rates that UC pays on its debt load represents over $10 million in potential savings.
- Created efficiencies and reduced IT redundancy, enabling staff to focus on critical work. The automated reports provide timely, reliable information that serves as a knowledge management system across UC, while also avoiding duplication of efforts by the different divisions.
An added benefit is the transition UC has made from a culture of risk avoidance to one that proactively evaluates risks as potential opportunities and entrepreneurship. Explains Crickette, “There have been a lot of pleasant surprises, particularly with the risk assessment tools. What began as early warning indicators from one little heat map evolved to people finding creative ways to use them.” As an example, UC Berkeley has one of the largest library collections. One professor in charge of overseeing the fine arts collections took the tool and worked with the University’s actuary department to develop a version that now the Library of Congress is interested in using to manage their own risk. Declares Crickette, “ERM can really help an organization to excel and function better. If you develop the right tools, people will want to use them.”
This is part of a series of insights I will be sharing from the forthcoming Enterprise Risk Management benchmark study that will publish at the end of this month. If you’re just getting started, or expanding your ERM program, be on the look out for more on this topic. And as always, I welcome you to share your own experiences and perspectives with me at firstname.lastname@example.org.