By Christina Brune
How did you first learn about CSA?
How did you begin your ERM effort?
Once Vision 2010 was established, I approached David with the idea of conducting a campus-wide risk assessment in the framework of our Vision 2010 statement. I got the idea from my counterpart at the university’s Santa Cruz campus, who had done the same thing. David was very agreeable. Last year, he also asked each of the campus’ units to draft its own mini Vision 2010 statement, which gave me more relevant objectives to work with.
I had a simple three-step approach:
David and I drafted a three-part, open-ended survey, which I used during interviews with the deans and vice chancellors to evoke discussion. The first part included a set of questions that assessed the executives’ awareness and understanding of the objectives and their buy-in. This was a critical step, because if there was a problem with the objectives, trying to move to the next two steps — identifying and managing the risks and threats — would be pointless.
What were the lessons you learned when starting out?
The objectives also have to be clear, understood, and agreed upon. As it turned out, in our case, the objectives weren’t always clear or understood, and there were some groups that didn’t accept or agree with the vision statement. Therefore, the executives asked me to return and engage in further discussions about the objectives and the issues that certain faculty members were having with them.
I also learned some lessons about human nature. When we began to identify the risks and threats, often people tended to discuss risks that weren’t in their areas of responsibility. More times than not, I had to reel them in and get them to discuss the ones within their realm of control. As a facilitator, that’s something you have to be aware of and respond to.
What response did you receive?
The discussions elicited from the survey have been well received. People are incorporating the objectives into programs like new staff and faculty orientation and recruitment efforts.
What have you done with the information you collected?
I’m in the process of communicating my findings in a draft report. The first part of the report is an assessment of the campus’ awareness of Vision 2010. The next section includes a list of common broad-based and unit-specific risks and threats. For example, our computing center has specific threats that aren’t common across the other units; however, they’re significant enough that they could impact our Vision 2010. The next step will be to report on ways to manage those identified risks and threats.
Who owns the ERM effort?
One testament to our risk management culture is the development of a new initiative called Leadership for Growth, which David started shortly after I completed the initial round of executive interviews. The deans and vice chancellors meet twice a month and discuss the risks and threats that may prevent us from achieving our Vision 2010. Each dean or vice chancellor hosts a dinner and presents to the group the risks and threats pertinent to his or her area. Then, they discuss these issues as a group.
I’m not involved in this effort. It’s not a facilitated process. However, my boss, the vice chancellor of administration, attends and updates me regularly.
How have CSA and the ERM effort complemented your regular audit work?
What are your future plans for ERM?
I’m also proposing annual campus-wide risk assessments. Deans and vice chancellors usually have only a five-year contract, and many take other positions after that time. Therefore, we average one or two a year that turn over. I would like to discuss the executive survey with all new deans and vice chancellors after they’ve adjusted to their new positions. I’d also like to follow up with the existing deans and vice chancellors to further discuss management of the identified risks and threats.
All contents of this Web site, except where expressly stated, are the copyrighted property of the Institute of Internal Auditors Inc.