Aired: December 6, 2023
An effective enterprise risk management, or ERM, program is more than just identifying risks; it should add value to an organization by focusing on managing and monitoring risks over time. How do boards distinguish between disruptive and strategic risks? How do campuses address student mental health as a crucial area of risk? What are the key questions boards need to ask to assess the effectiveness of ERM and wellness initiatives at their institutions?
In this podcast, Barbara McCuen Jones, AGB’s director of digital solutions speaks about the importance of adaptability, board involvement, and transparency in ERM programs with three leading experts: Leigh Goller, the chief audit, risk, and compliance officer for Duke University and Duke University Health System; Sharon McMullen, a consulting director at Huron, a global professional services firm; and Anne Pifer, a managing director at Huron.
Barbara McCuen Jones:
Welcome to the Trusteeship Podcast from AGB, the Association of Governing Boards. We cover everything higher education leaders need to know about the challenges facing our nation’s colleges and universities. More important, we provide the facts and insight you need to solve those challenges and to be the storytellers and advocates higher education needs.
An effective enterprise risk management program is more than just identifying risks. It should add value to the organization by focusing on managing and monitoring risks over time. But how do boards distinguish between disruptive and strategic risks? How do campuses address student mental health as a crucial area of risk. What are some of the key questions boards need to ask to assess the effectiveness of enterprise risk management and wellness initiatives at their institutions?
I’m Barbara McCuen Jones, AGB’s Director of Digital Solutions, and in this podcast I’m speaking with Anne Pifer, managing director at Huron, Leigh Goller, who is the chief audit risk and compliance officer for Duke University and Duke University Health System, and Sharon McMullen, a consulting director at Huron. Thanks so much for joining us.
Anne, in your experience working with a variety of universities and colleges, what is your view on what demonstrates an effective enterprise risk management program in today’s environment?
Thanks, Barb. I think what an enterprise risk management function—or ERM is—it’s really viewed as a function, a framework, and it’s a culture as well, and it’s a critical part of the university. The way that I, in my experience, have reviewed whether it’s effective is first to ask, really, is it adding value to the organization? Is there clarity, purpose, and value to the ERM function? In my experience, it means one that’s not simply identifying the internal and external risks and risk factors but is more focused on managing the risk and monitoring over time. So an effective program can also help identify institution-specific barriers that affect risk management and develop strategies to break down those barriers over time.
Secondly, an effective ERM program can be one that evolves and adapts, so not just overcoming obstacles but it can adapt to the needs of the university. Within higher education institutions, we’ve seen characteristics of maturing ERM programs that are iterative and build upon themselves. The COSO framework, or the Committee of Sponsoring Organizations, gives key principles and a framework to build upon, and some of those key characteristics include board involvement and confidence in the program with continuous improvement as a focus area and effort from the board, as well as increasing the awareness and transparency of the ERM program throughout the institution. The most mature and effective ERM organizations leverage data analytics to inform risk assessment and monitoring, and they’re really trying to achieve agility or resilience in the organization.
Barbara McCuen Jones:
And how might you define a resilient or agile model in today’s risk and regulatory environment?
Well, often, resilience is defined as the ability to survive and thrive in a world of uncertainty, and that’s certainly the definition we look at when we think about resilience in higher education. When you consider what that represents in real terms, it means you can’t simply have a singular approach toward addressing risks. The ERM is meant to be interwoven within an organization with more of a focus on accountability and anticipation of risk. It’s the ability to think beyond the critical crisis-specific responses in the short term, because there’s many of those, but also the ability to think long term to adapt, strengthen, or create a unified effort in the face of what may be many unknowns. So, again, thinking about its continuous improvement and building upon experience learned through some of the short-term crises.
One of the things that resonated with me was an article from the Harvard Business Review in 2022 that said, instead of a trait when you think about resilience, think about it as a state that any employee or an organization or an operation can attain. So it’s certainly a trait, but think about it as a state that the ERM function can operate in. I think the best example that I have is just this past week I was on a campus and really thought about the quickly dynamic environment and challenging environment that they have and how they took a risk that’s inherent right now to all institutions and turned that into an opportunity. This campus I was on last week had a live example where they were thinking about how they’d turn this into an opportunity.
Certainly, there’s very real risk today of campus protests that could turn violent on campuses. We’re seeing them, unfortunately, in the headlines every day. This particular institution and campus I was at did not perceive a high risk of that probability of that happening, of even protests happening or potential violence, but instead of simply saying, “Well, that’s low risk to us because of our population or demographics,” and move on to other critical risks, they recognized it was still a very real possibility and it would have a very significant impact. So they used it as a chance to hold a vigil for all religious faiths to come together from all viewpoints and be led by religious leaders across their community with university leadership there representing the position of the institution and really creating just a positive opportunity to bring people together even though it can represent a major risk in an institution today.
Barbara McCuen Jones:
Thanks. That’s a terrific and super relevant example, Anne. Leigh, I’m going to move on to you, and I wanted to ask you, as a university leader in risk, compliance, and audit, how do you distinguish among the plethora of risks there are to manage, particularly in a time of disruption and crisis management?
So, Barb, many of the programs that I’ve seen over the years think of risk management as list management. If we can name it, we can understand it. We’ve really come on our campus to think more of it not as list management but as action management, and that helps us focus among the plethora of risks that can be on a list and really put our time, attention, and resources on those that we hope to manage. If we look at the dichotomy between the two different kinds of major categories, we have disruptive risk and we have strategic risk. So if we look at our disruptive risk category, those are ones that we typically think more in terms of what’s our response plan? Those are going to be the ones that we may not be able to list exactly what’s going to happen or predict it. We’re not meant to be prognosticators of the future. But we can understand what’s the program that we have in place to recognize it when it’s happening, to know what those triggers are, to know where our resources are and how to put together a response plan.
Those tend to be episodic in nature. We look more at how enterprise risk management programs can add value in the long term. It’s focusing on the strategic risk. Many of our institutions have strategic plans. Most organizations of all kinds have strategic plans. If we put risk in terms of what gets in the way of our strategic goals, now, we have a long horizon way to think about what are the actions we can take not to only prevent the negative things from happening but, more importantly, to promote the good things that we want to happen through those strategic plan initiatives? So it moves us from a reactive model to one that addresses the more substantial risks that have a much slower velocity. It’s hard to measure those. Anne mentioned metrics and analysis, and a lot of our strategic goals, it’s on the long horizon, so watching the trends through those metrics and analysis will be much more informative than watching the blip on the radar screen that may come to show us where a disruptive or high-velocity risk is.
Some of the factors that we take into consideration of how to allocate our time, our resources, our talents, our technologies are thinking in terms of where can we have that positive strategic impact? Where can we focus time and attention that helps us with those strategic goals? Then viability, and that’s in terms of both the strategic goal itself as well as in the action plan. So where are the ways that we can really have a positive viewpoint on success or growth or ensuring we can carry out the mission? A few things that I would point to in strategic risks that I think transcend industry. Quality of the experience. For us, that’s going to be the educational or the research experience. For other businesses, that may be the customer experience. Ethical governance and oversight. That’s really defining that trust between us and our stakeholders. Student wellness for us. It may be employee wellness or customer wellness depending on the industry. And financial security and stability. Those all seem really rather vanilla, but if we unpack them to what it means in our strategic goals, we now have a nice framework to help focus our efforts.
And, Leigh, I think it’s really important as you walk through that distinction between the types of risks, it’s really important to recognize that the board has a critical role in considering how effective the program is and how it’s doing against its strategic priorities and goals. In my experience, the board helps to establish and communicate those expectations regarding the program and providing oversight of the ERM program but certainly not in the details necessarily of setting each distinction between the risks, but really helping to see the big picture and know what questions to ask and where to probe to ensure you’re evaluating strategic areas.
Barbara McCuen Jones:
Thanks, Anne. That’s a great point. Leigh, can you give us a tangible example of an important area of risk on campuses today?
With campuses, we run small cities. We have residents, we have commuters, we have a system of government, we have visitors. It’s a little bit like running a tourism industry, but instead we’ve got 15,000 students who are living on or near campus, many of whom have parents and loved ones who are trusting us to take care of them and put them in a safe environment. For us, safety means a lot of different things. It is the physical security and safety of the campus environment, but it’s also the health and well-being of our student population. So we do have a high strategic priority in higher education to really focus on student wellness. We are at a critical juncture where there’s a crisis of confidence in the value of higher education, and so thinking in terms of student wellness coupled with the trust that we can build through that process and how higher education is serving our students as well as society at large.
We protect a lot of the value in the educational experience through that overall safety and security, and it helps to provide that strength and resilience in the environment to our students so that they can focus on what they’re here for and, more importantly, to achieve their goals for being prepared for their futures. If they’re distracted by a shortfall of resources to help them be successful in this environment, then we’ve really shortchanged them in their experience here. So it’s critical for us to think in terms of that broad span of health and wellness for our students, and then we can carry some of those same strategies onto our faculty and staff and for physical security to the visitors to our campus as well. So it has a lot of layers of positive benefit for what’s otherwise a rather intractable risk that’s really hard to tease out what’s meaningful to an individual versus what’s beneficial to a population.
Barbara McCuen Jones:
Sharon, we hear a lot about the student mental health crisis. What should we be thinking about this?
Yeah. Thanks, Barb. Maybe I’ll start by describing the current state. Rates of depression, anxiety, self-harm, and suicide have been rising in the young adult population for about 15 years. The causes are complex and multifactorial. Interestingly, the COVID pandemic is thought to be an accelerator, not a root cause. Surgeon General Vivek Murthy has called this problem in teens and young adults the public health crisis of our time and equates the health outcomes of loneliness, which we are now understanding to be a problem across the lifespan and particularly with college-age people. He equates that, loneliness, to having a similar impact on mortality as smoking 15 cigarettes a day. We also know that mental health conditions differentially impact vulnerable populations. So our students with historically marginalized identities, first-generation low-income students, international students, student-athletes, each are impacted by their mental health conditions in a different way.
In terms of risk, I’ll start at a high level. As Leigh noted, wellness is essential for learning and for success, and given that there’s risk in not prioritizing it, look no further than the existential risk to our institutions. We just lived through the COVID-19 pandemic for an example of the impact on colleges and universities from threats to health and well-being. Less dramatically but every bit as important and impactful is that well-being is a critical factor in the degree to which colleges and universities can be successful in meeting their academic, research, service, and other missions. A second risk I see is related to expertise. Student well-being is everyone’s responsibility on campus. However, that doesn’t mean that everyone on campus has expertise in wellness. Instead, we need each member of the campus community to see their role appropriate to their positions and their spheres of influence in the larger vision for wellbeing.
That vision is best led by population health experts, which most campuses have in the form of health promotion departments. Leading institutions leverage that expertise to ensure the initiatives they support actually move the needle on population health outcomes. Then, finally, I’ll mention the risk inherent in framing this situation that we’re talking about using crisis terminology. On the one hand, I really appreciate the value of calling attention to this important dynamic so that it can be addressed. On the other hand, I worry about the catastrophizing language. We have a tendency to pathologize the human experience, and the crisis narrative may be stigmatizing to our students, not helping them. Instead, we can approach this from a strengths perspective.
Barbara McCuen Jones:
What can colleges and universities do to mitigate the risks associated with student mental health?
Importantly, complex societal problems like this one require a whole of campus systems approach that’s based in theory and led by experts. It requires a multi-dimensional understanding of wellness and a long view, advancing wellbeing is measured in years, five years, 10 years, not semesters, and attention to multiple levels of influence. It’s not just a magic solution. It’s multiple interventions that layer upon each other. I think of this as the Swiss cheese approach. A great example is what we did with the pandemic. So we had a level of intervention, which was masks. That was really important, not perfect. We layered on top of that the intervention of isolation when we’re sick. Really important, not perfect. We layered on top of that vaccines. Really important, not perfect. But, together, taking that multi-level approach is how we are able to address these big societal problems like mental health conditions in our young adult population, like the COVID pandemic.
So if I can start with the individual level, we see leading institutions providing comprehensive holistic care by integrating mental health and medical care and services in recognition that the mind and the body are inextricably linked. Now, while care and services, so, for example, counseling sessions, are critically important for our students and people in general that need them… But these individual-level interventions, while necessary, not sufficient. Holes in that layer of Swiss cheese. So we layer on top of that population-level approaches to cover some of those holes. Innovative colleges and universities are leveraging systems approaches to create health-inspired campuses, for example, by infusing wellbeing into where students live, learn, work, and play. We know these social determinants of health have greater impact on population health outcomes than do individual-level care and services. Still necessary, just not sufficient.
Another intervention is at the policy level. Colleges and universities can take a health in all policies approach. For example, that would mean prioritizing healthy and inexpensive food in dining halls, providing safe and plentiful opportunities for exercise, and developing strategies to address loneliness and enhance belongingness. Another layer is at the organizational structure. Leading institutions are creating chief health and wellness officer roles with the mandate to advance wellbeing across the institution and, important, the positioning and resources to be successful in that. All of these measures, all of these levels of intervention, all of these systems approaches help to mitigate the risks associated with threats to health and wellbeing. A good first step is a broad campus health risk assessment to understand the current state and to surface opportunities to foster wellbeing.
Our boards can also play an important role in this by asking us the right questions. Using the noses in, fingers out mantra, they can ask us where we are focused on our health and wellbeing strategies. They can ask us are we resourced appropriately to meet the goals and objectives? So, in other words, their questions are not, “Are we doing enough?” Their question should be, “Are we doing the right things? Are we doing the best things we can for our population?” Our board created a task force that was joined with management so that our board members had a strategic view into the many complexities of health and wellness on a residential campus matched up with our leadership teams that were responsible for long-term strategic priorities for supporting campus health and wellness.
That task force came out with several very important long-horizon initiatives, including a change in our residential campus environment, particularly the way we assign housing, and promoted some additional resources in health and wellness that were different than how we had thought about it before. We had thought about health and wellness in more of an episodic framework. Now, we have more of a long-term framework of what’s the entire experience while a student is here with us, either as an undergraduate or as a graduate?
Barbara McCuen Jones:
That’s great. Thanks very much for those examples, Leigh. As we wrap up our discussion on ERM and the example of campus wellness, what are some important questions our listeners should be thinking about and asking about at their own institutions?
Yes. I think it’s crucial that board members and leadership ask these tough questions that we’ve discussed today and get a better sense of where institutions stand relative to other leading practice models and other institutions. As Leigh pointed out, some of the key questions that board members can ask around wellness include how is our college or university investing in well-being for the long term and how does it balance the provision of individual-level healthcare and services that are provided at the institution around those population wellness initiatives that Sharon spoke of?
More broadly, when stepping back, I think it will be really important for board members to ask questions about what approaches does the university leverage to foster risk management with their longitudinal strategic priorities? Is your institution in reactive mode only rather than having a lens on the longer-term risks to your mission and strategy? How does the college of university leverage data to both detect and monitor risks over time? In the case that we provided around wellness, how does the college or university assess that wellness across populations over time, and how is data used to inform leadership and the board? So these are some of the examples of questions that we would consider as a call to action for board members and leadership to be thinking about and probing at their institution.
Barbara McCuen Jones:
Anne, I want to thank you and Leigh and Sharon very much for joining us today. It’s been a great conversation about enterprise risk management, and AGB thanks Huron for its partnership with AGB. For more information about Huron, please visit huronconsultinggroup.com. Thank you all.
Chief Audit, Risk, and Compliance Officer
Duke University and Duke University Health System
Leigh Goller is the chief audit, risk, and compliance officer for Duke University and Duke University Health System. She has institutional responsibility for directing and coordinating an integrated internal audit function and a risk management function, both of which have enterprise-wide scope, as well as a federated university compliance function. The internal audit and compliance reviews she oversees make policy, process, and internal control recommendations that help Duke reduce risks. The risk management program raises awareness of the threats to and opportunities for the institution while focusing leadership on risk tolerance decisions that enable and support sound business strategies.
Barbara McCuen Jones
Director of Digital Solutions, AGB
Barbara McCuen Jones is AGB’s director of digital solutions. In that role, she leads the association’s online education initiatives, including AGB’s learning management system and programs such as board member orientation and the Board Professional Certificate Program™. She also oversees and produces AGB’s podcasts. She has more than 20 years of experience in higher education associations, including holding previous roles at the American Association of Colleges and Universities as well as the Council for Advancement and Support of Education.
Sharon McMullen, RN, MPH
Consulting Director, Huron Consulting Group
Sharon McMullen advises colleges and universities on matters impacting the health and well-being of students, faculty, staff, and the community. She has 15 years of campus health leadership experience, serving most recently as assistant vice president for health and well-being at Cornell University. Before that, she led student health at the University of Notre Dame and the University of Pennsylvania. An expert in systems approaches to advance well-being at the population level, Sharon is a Fellow of the American College Health Association.
Managing Director, Huron Consulting Group
Anne Pifer has spent more than two decades assisting universities and academic medical centers with reviewing and improving administrative operations, assessing compliance with federal regulations, supporting leadership with internal and external investigations, and enhancing risk management and compliance programs. She has collaborated on risk management, compliance, strategic, and operational initiatives with more than 60 universities or academic medical centers. She leads Huron’s engagements with higher education institutions related to proactive risk assessments or evaluations of risk and compliance frameworks to support both institutional compliance and enterprise risk management programs.