CSA Sentinel - The Institute Of Internal Auditors  

PUBLISHED BY THE INSTITUTE OF INTERNAL AUDITORS
Volume 6 · Number 2 · July 2002

Educating ERM

By Christina Brune
An interview with Marc Guerra, CIA, CPA, CISA,
Director Financial Control and Accountability, University of California at Riverside

How the University of California at Riverside successfully implemented an enterprise risk management program and fostered a risk management culture using CSA techniques.

How did you first learn about CSA?
It all started with a controls initiative that the University of California implemented in 1996. As part of that program, each of the university’s campuses was to conduct a campus-wide risk assessment, preferably in concert with their strategic planning process, and control self-assessment techniques were to be used for introducing the enterprise risk management (ERM) concept. The CSA tool had been in the back of my mind since then, although we didn’t begin the risk assessment effort at my campus until a few years later.

How did you begin your ERM effort?
Approximately two years ago, Executive Vice Chancellor David Warren started our campus’ strategic planning initiative. He held a series of workshops and town hall meetings and invited faculty, students, staff, and groups from the local community to help craft a vision statement that reflected the kind of campus we want to be in the year 2010. It took about one-and-a-half years to solidify this statement, which we call Vision 2010.

Once Vision 2010 was established, I approached David with the idea of conducting a campus-wide risk assessment in the framework of our Vision 2010 statement. I got the idea from my counterpart at the university’s Santa Cruz campus, who had done the same thing. David was very agreeable. Last year, he also asked each of the campus’ units to draft its own mini Vision 2010 statement, which gave me more relevant objectives to work with. 

I had a simple three-step approach:

  1. Establish objectives. (Vision 2010, which had already been hammered out, effectively became our broad set of objectives, and the individual units’ mini statements complemented those objectives.)   
  2. Identify the risks and threats that may prevent us from achieving our objectives.  
  3. Manage the most problematic risks and threats.

David and I drafted a three-part, open-ended survey, which I used during interviews with the deans and vice chancellors to evoke discussion. The first part included a set of questions that assessed the executives’ awareness and understanding of the objectives and their buy-in. This was a critical step, because if there was a problem with the objectives, trying to move to the next two steps — identifying and managing the risks and threats — would be pointless.

What were the lessons you learned when starting out?
To succeed, an ERM program must have high-level management support. It has to be a partnership. I was fortunate to have our vice chancellor’s support. 

The objectives also have to be clear, understood, and agreed-upon. As it turned out, in our case, the objectives weren’t always clear or understood, and there were some groups that didn’t accept or agree with the vision statement. Therefore, the executives asked me to return and engage in further discussions about the objectives and the issues that certain faculty members were having with them.

I also learned some lessons about human nature. When we began to identify the risks and threats, often people tended to discuss risks that weren’t in their areas of responsibility. More times than not, I had to reel them in and get them to discuss the ones within their realm of control. As a facilitator, that’s something you have to be aware of and respond to.

What response did you receive?
The deans and vice chancellors said that the questionnaire-based discussions we had — regarding their objectives, the overall campus objectives, the risks and threats, and the management of those risks and threats — were very helpful. In fact, they wanted me to come back and have similar conversations in a group environment with faculty and staff. Specifically, they asked me to focus on the objectives part of the survey.

The discussions elicited from the survey have been well received. People are incorporating the objectives into programs like new staff and faculty orientation and recruitment efforts.

What have you done with the information you collected?
Rather than using voting software, which I thought would be a bit too impersonal, I took notes as I engaged in conversations with the individuals and groups. Afterward, I went through my notes and identified common threads.

I’m in the process of communicating my findings in a draft report. The first part of the report is an assessment of the campus’ awareness of Vision 2010. The next section includes a list of common broad-based and unit-specific risks and threats. For example, our computing center has specific threats that aren’t common across the other units; however, they’re significant enough that they could impact our Vision 2010. The next step will be to report on ways to manage those identified risks and threats.  

Who owns the ERM effort?
One of my objectives for this entire exercise was to foster a culture of identifying, understanding, and managing risk. I wanted management to take ownership of this effort, and I believe they have. I essentially act as an enabler, or facilitator.

One testament to our risk management culture is the development of a new initiative called Leadership for Growth, which David started shortly after I completed the initial round of executive interviews. The deans and vice chancellors meet twice a month and discuss the risks and threats that may prevent us from achieving our Vision 2010. Each dean or vice chancellor hosts a dinner and presents to the group the risks and threats pertinent to his or her area. Then, they discuss these issues as a group. 

I’m not involved in this effort. It’s not a facilitated process. However, my boss, the vice chancellor of administration, attends and updates me regularly. 

How have CSA and the ERM effort complemented your regular audit work?
On a couple of occasions, the deans have asked me to come back and use the CSA approach to examine a particular process or a particular group within their unit, and I farmed that out to internal auditing. One associate vice chancellor requested that CSAs be conducted in six of her units. She recognized the benefits of using the CSA tool to get the objectives out there, communicated, and hammered in. Having an objective third person come in and discuss objectives is helpful.

What are your future plans for ERM?
I’m going to propose to David that I conduct additional, more-focused CSAs on the top common and specific risks and threats that we identified in our campus-wide risk assessment. These facilitated sessions will get the process owners involved.

I’m also proposing annual campus-wide risk assessments. Deans and vice chancellors usually have only a five-year contract, and many take other positions after that time. Therefore, we average one or two a year that turn over. I would like to discuss the executive survey with all new deans and vice chancellors after they’ve adjusted to their new positions. I’d also like to follow up with the existing deans and vice chancellors to further discuss management of the identified risks and threats.
