The stately collegiate Gothic buildings that define the iconic West Campus at Duke University evoke a strong sense of stability and the status quo. But like all institutions of higher learning, Duke faces many potential challenges to campus equilibrium—some of which could prove devastating to the university. At Duke, as elsewhere, risk is a fact of life.
Every college and university gives thought to how it can manage risk. Duke, however, has gone much farther than perfunctory planning. Taking a tack that is both strategic and focused, Duke’s administration and board have developed one of the most comprehensive approaches to risk management in higher education today.
As a prominent and highly complex institution, Duke may inherently have a broader exposure to risk than some other institutions. The university alone has annual revenues on the order of $2 billion, a figure that is matched by the Duke University Health System. The university’s endowment totals approximately $7 billion. Federal research support totals some $500 million annually, 80 percent of which goes to the Duke School of Medicine. The university has 15,000 students and 33,000 employees. As a partner in a medical school with the National University of Singapore and currently building a campus in Kunshan, China, Duke does business in more than 135 countries.
Manifestations of risk at Duke can make headlines. In 2006, for example, accusations of rape against three members of the men’s lacrosse team were widely reported and debated. While the students were eventually cleared, lawsuits related to the case persist. In another example, Duke University Health System was the target this past September of a lawsuit charging negligence and fraud in clinical trials of a lung cancer treatment.
Manage and Mitigate
Despite the real and ubiquitous threats that it faces, Duke hasn’t always been fully prepared to manage and mitigate risk. As late as 2004, for example, Duke tended not to think about its risk comprehensively or strategically. Campus discussions of risk were sporadic and localized in offices or departments. It was not always clear which divisions, departments, or individuals were responsible for what risks. Conversations that considered risk from a campuswide perspective were rare. Moreover, there was little proactive reporting about risk to Duke’s board of trustees or its audit committee. Consequently, the university as a whole had an incomplete understanding of the full range of risks it faced, which of course meant that it also lacked a comprehensive portfolio of strategies for mitigating those risks.
Duke’s board includes a predominance of officers and trustees of public companies. During the early 2000s, those leaders had been dealing in their day jobs with the need for their companies to conduct more stringent internal risk assessments required under the Sarbanes-Oxley Act of 2002. Inevitably, they began to raise more risk-related questions when they met as members of Duke’s board. Through discussions over time, Duke’s trustees and administrators recognized that the university needed to be better prepared to anticipate and manage risk. Ameliorating those circumstances would require some significant changes in thinking.
“Of all the fronts on which Duke has evolved in the last six or seven years, I actually think risk management might be the one in which there’s been the greatest transformation,” says Duke University President Richard H. Brodhead. “We used to pay focused attention in a variety of areas, such as research, compliance, and athletics. For all that, I think it used to be regarded as a fairly localized activity in the university. And I think that there were many people who regarded it as quite a secondary activity.”
That mindset started to change in 2004, when Duke hired Michael L. Somich to be its executive director of internal audits. Formerly a partner in the Big Four accounting firm Deloitte & Touche, Somich has more than three decades of experience in hospital and healthcare audits. At Duke, he is responsible for all the internal audit activities of the university, its endowment management company, and the Duke University Health System. He reports to the chairs of the audit committees of those units.
Somich says that one of the first things he noticed was that, when it came to risk, the charters for Duke’s three large units (the university, its investment company, and its medical system) were inconsistent. One of his first tasks was to tweak those charters so that they were better aligned with each other and more consistent with best practices in the field.
Changing the charters was a cakewalk compared to what Somich had to do next: Convince Duke’s top leaders that they had to take full responsibility for risk. Fortunately for him—and for Duke—he made a persuasive case.
“Like many institutions, Duke wasn’t always clear as to who owned or was responsible for something,” Somich says. “As a result, you didn’t always have accountability. You didn’t have defined responsibility. You didn’t have consequences when something went wrong. So one of the things that this process has done is define who owns what. It allows us to talk about accountability, responsibility, and consequence.”
Starting soon after Somich came to campus, Duke began to take small steps to assess its approach to risk management and make incremental improvements. In the course of that groundwork, though, Duke took a substantive step forward when Somich convinced Brodhead that he had to “own” pieces of institutional risk. While Brodhead could delegate management of risks, he would retain ultimate responsibility for them.
“I can remember the day that it was first proposed to me that I’d be a risk owner,” Brodhead says. “It’s not the way you really think of yourself. But ownership means you’ve got it—it’s yours. You can’t make this over to someone else.” Recognizing that the proverbial buck stopped at his desk, Brodhead accepted his role as risk owner. Other top leaders soon followed suit. That proved pivotal in Duke’s transformation of its risk-management practices.
“I think that the heart of the change has been discovering that while someone somewhere in the bureaucracy can have the job of managing risks,” Brodhead says, “risks have to be thought about and faced and pieced together at the highest levels of responsibility.”
Increased attention to risk-related issues across the campus and especially on the part of top administrators signaled that risk management was a new university priority. Once administrators accepted ownership of risk, that set the stage for managers to assess institutional risk more formally and comprehensively. Part of that process was to clarify who was responsible for managing which pieces of risk. Participants gradually learned the vocabulary and processes of risk management, part of a general education about risk across the campus as a whole. Moreover, the process helped the campus community reach a common understanding of what risks Duke faced and how they might be mitigated.
Pamela J. Bernard, a vice president of Duke and its general counsel, says that the involvement of top administrative leaders was crucial. Moreover, she reports, that involvement has not been superficial, but rather has regularly constituted a “deep dive into particular areas that all major research universities are dealing with.”
A 2009 report by AGB and United Educators lists several best practices of “enterprise risk management” (ERM)—the comprehensive approach to risk management that has been adopted widely in business and can also apply to higher education. The report said universities should define risk broadly, recognize both its opportunities and downsides, develop a culture of evaluating and identifying risk at multiple levels, and consider the total cost of risk. While Somich didn’t use the phrase “enterprise risk management”at Duke, essentially what he did was lead a successful institutionwide initiative to develop what is substantively an ERM approach.
As part of that process, Brodhead and other Duke leaders made formal presentations in late 2005 about the areas of risk that they owned—along with potential mitigation strategies—to the board of trustee’s audit committee. Those discussions defined the Duke reputation as the asset most in need of protection from risk. The two areas of highest vulnerability were identified as athletics and research.
Those assumptions were confirmed the very next year, when the lacrosse incident exploded and Duke had to report to the federal government that it had overbilled Medicare in some clinical trials. Those challenges underscored the need for Duke to have a comprehensive risk-management process. Accordingly, Duke continued to be more intentional in its approach to risk, adding more formality to its riskmanagementprocesses and driving that function deeper into the institution.
The university began to devote considerable energy to developing a comprehensive compliance program to ensure that it would meet the letter of laws pertaining to the research support it received. Somich’s shop identified and trained the managers who were responsible for seeing that Duke operated within legal parameters. In addition, Duke conducted assessments of potential challenges that identified an array of operational risks, such as those pertaining to student behavior and misbehavior.
To help it distinguish different types of risks—and take a more sophisticated approach to risk in general—Duke adopted aspects of the widely respected risk framework established by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). That group divides institutional risk-management objectives into four broad categories: strategic, operations, reporting, and compliance.
When Duke’s administration first presented its assessment of risk to the board in 2005, the university’s trustees were struck by the fact that the list focused on the operational side of the house and did not distill the institution’s most pressing strategic risks. The board urged the administration to come back in 2006 with a list of the 10 top strategic risks that Duke faced, along with the campus owners of those risks and mitigation strategies for each of them. Strategic risks included those that were owned by the highest people in management, encompassing issues that would rise naturally to the level of board discussion, such as compliance with NCAA regulations, ensuring human-subject protections in clinical trials, and meeting all requirements for government funding.
At first, Duke thought that risk managers at the vice-presidential level could shape such a list. But Somich and his colleagues soon recognized that the vice presidents focused on managing operating risks, not those at the strategic level. That distinction proved to be highly instructive. Duke realized that it would be successful in identifying its strategic risks only if its senior leadership, the individuals who “owned” risk at the strategic level, were deeply engaged in the process.
A tool drawn from the business world, the “heat map,” proved invaluable when it was first presented to the audit committee in 2006. In its simplest form, a heat map summarizes and ranks data. Duke developed a model that compared the probability of different risks to their potential impact on campus. Using that template, specific potential challenges—in such areas as research compliance, athletics, physician malpractice, information technology, international activities, and student security and general well-being—could be ranked as low, medium, or high risks. The tool helped administrators and trustees see risks at a glance, assess their potential danger relative to other risks, compare risk in a given category to that of the previous year, and determine whether appropriate mitigation strategies were in place.
Duke trustee Susan M. Stalnecker, the vice president of finance and treasurer of E.I. DuPont de Nemours and Company, notes that if risk management is not tied to other management processes, “it can wither on the vine very quickly.” She says the heat map helps focus Duke’s agenda around risk and helps ensure that discussions translate into action. “It informs the audit schedule in a very practical way,” she says. “It also identifies subjects for the entire board to get engaged in.”
Ownership of risk at Duke rests with both management and the board of trustees. Broadly speaking, ownership and responsibility for risk at the board level lies with the executive committee. Responsibility for the risk-management process, however, rests with the board’s audit committee. The audit committee is responsible for reviewing management’s risk-related processes. And while the audit committee does not own any of the strategic risks, it is responsible for assessing management’s conclusions related to strategic risks.
As Duke began to engage its trustees more regularly in systematic discussions of risk, the board pushed the institution to do even more. “Because many of our trustees come from corporate settings, they are quite familiar with enterprise risk management,” Bernard says. “The interest that the trustees had in this issue sparked interest at the university level.”
Two chairs of the audit committee— Susan Stalnecker and her successor in that role, Jack O. Bovender, Jr., a past chairman and chief executive officer at Hospital Corporation of America—emphasized the importance of the risk-management process and strategic risks by allotting significant time for discussion of those topics in audit committee meetings. They also highlighted senior leadership’s presentation about risk to the full board. “While they did a great job,” Somich says, “it was like singing to the choir as most of the board members are from public companies that have developed ERM programs.” A board retreat in 2008 focused on areas of strategic risk and the university’s riskmanagement process as a whole.
“It’s fair to say that risks were discussed prior to the implementation of the current process,” says the chair of Duke’s board, G. Richard Wagoner, Jr., who retired as chairman and chief executive officer of General Motors Corporation in 2009. “But today, discussions around risk are much more structured. The whole issue of risk and risk management is more broadly considered throughout the general discussions that we have at the university.” Wagoner says those discussions are crucial because they clarify management and board responsibilities for understanding and managing risk.
Wagoner believes that Duke’s strategic approach to risk is vital. “This isn’t just an audit staff activity, or a compliance office activity, but one that is led on a strategic basis, through a committee structure, by the president of the university and all of his key reports,” he says. “I think that’s the sign of a good program. And I think it makes operating managers more effective, because the process of thinking about what risks could happen, how important they are, and how we can mitigate them is, in the end, an important part of strategic planning.”
Board engagement is a central component in Duke’s approach to risk management. As Stalnecker notes, “It is part of the board’s responsibility to ensure that the university has a robust and functioning risk-management process. Risk management is part of [the board’s] charter and definition of activities,” she says.
Boards must of course walk a fine line between engagement and micromanagement. “It’s not our role to tell the management of any particular part of the organization that owns a certain enterprise risk and its mitigation strategy the A-B-C’s of the mitigation strategy,” Bovender says. “We just have to make sure that they have worked through that process, and that we, at some oversight level, agree that that’s the appropriate approach to it. We’re not in the business of managing the process. We’re in the business of the oversight of the process.”
Duke continued to invest time and energy in considerations of risk. Efforts in 2007 and 2008, for example, dove more deeply into understanding strategic risk and sought to further clarify the university’s understanding of its operational risks.
By 2011, Duke had formalized a comprehensive approach to risk management and was already starting to fine-tune its strategies. Each year, the audit committee reviews Duke’s annual risk-managementprocess plan and a heat map that assesses strategic risk, both of which are also provided annually to the full board. Every other year, Brodhead makes a presentation about strategic risk to the full board, which earmarks a portion of that meeting for discussion of risk. Bovender says that the risk-management approach that Duke developed is as robust and effective as the best ones he saw in his corporate life.
Duke has learned much from its development of a risk-management program. Early risk-assessment activities revealed, for example, that the university needed much stronger risk-mitigation strategies. “We learned that we didn’t have adequate response strategies, or hadn’t thought them through,” Somich says. That aspect of risk management quickly became a priority. Another takeaway was that compliance and internal audit functions cannot be considered substitutes for a full riskmanagement process.
Having had some time to reflect on what Duke has accomplished, Somich offers several general observations. “You have to have the president actively involved in risk management and supportive of it,” he says. “He or she has to be able to articulate risk management and say that there are benefits from it.” That involvement signals that risk management is important to the institution, Somich believes. The fact that a top leader is personally involved inspires others to participate actively as well. At the same time, Somich says that it is vital that a university anoint a champion of risk management who can execute top leadership’s directives at the operational level. Brodhead asked Somich to serve that role at Duke.
Somich cautions universities interested in improving their risk-management strategies to move slowly. He urges that processes of risk management be tailored so that they fit an institution’s distinct culture. “The risk-management process is huge, and there are many different levels to it,” he says. “Don’t try to do too much too fast. Be patient.”
Educating people across the institution about risk management is also important, Somich says. Complementing formal training for risk managers, for example, Somich and his colleagues introduce concepts of risk management more informally for other staff through ongoing campus discussions with departments, research labs, and other branches of the university framework. He also says that regular communication helps people across campus gain a common understanding of the riskmanagement process’ activities and goals.
Best Practices in Academe
The 2009 report by AGB and United Educators found that higher education lags behind private industry in incorporating consideration of risk into planning, management, and board oversight. As many as 60 percent of respondents said their institutions do not use comprehensive and strategic risk assessments to identify major risks to mission success. Just 5 percent said their institutions had exemplary risk-management practices. (For more on the report, see page 40.)
One of the pioneers, the University of Washington, assesses risk in the context of strategic objectives and interrelated risk factors across the institution. The university readily shares a toolkit it designed to implement the enterprise-risk-management process. Another model is found at the University of Texas, which manages risk systemwide through a central office.
Emory University also has a sophisticated, comprehensive risk-management program. Michael J. Mandl, executive vice president for finance and administration at the university, says Emory takes a holistic approach through which enterprise risk management “provides a framework for entity-wide risk identification, prioritization of key exposures, and the development of operational responses to potential adverse events. That is all based on a foundation of ownership, accountability, and transparency.”
“We inherently accept risk and don’t feel that all risk is bad,” Mandl says. “In fact, risk is necessary for success. We feel it is important to mitigate surprise and try to assume risk judiciously—mitigate it when possible and prepare ourselves to respond effectively and efficiently when risks that we are aware of materialize. Our goal is not to eliminate all risk, but rather to manage it effectively.”
The notion of enterprise risk management in higher education may be catching fire. Both Duke and Emory report that they field a steady stream of inquiries from other universities that seek ideas for how they can be more systematic and comprehensive about managing risk.
United Educators President and CEO Janice Abraham offers institutions this advice about risk management: “A, get started. B, look at what your colleague institutions have done. C, make it a regular process of doing business and make sure the board looks at no more than 10 and preferably five risks. Keep it small, keep it simple, and get it into the DNA of the institution.”
Managing risk may not rise naturally to the top of university leaders’ to-do lists, but Duke’s experience suggests that it must be made a priority for the well-being of an institution as a whole. “Risk is not just inherent at universities. It is necessary,” Bernard says.“It is a necessary part of moving forward in bold ways to challenge longheld beliefs and to improve the world for the benefit of mankind.”
“Truth to tell, universities aren’t here to manage risks,” Brodhead says. “They’re here for a great variety of functions: education, research, healthcare. It’s just that it turns out that each of those functions carries risk. And you have to pay suitable attention to the risk in order to best further the positive mission of the university.”
How Can the Audit Committee Fulfill Its Role of Risk Management?
- First, the committee must develop a comprehensive view of risk for the organization. This can be accomplished through ongoing education of the committee by management and external experts.
- Second, the committee must hold management responsible for both an effective internal-control structure and the development of a risk-management plan.
- Finally, the internal-audit function serves as a critical risk-management tool, facilitating the identification of risks and the probability they will occur, as well as assessing their impact on the organization and ensuring that management has implemented risk-management strategies.
— from The Audit Committee, by Richard L. Staisloff (AGB Press, 2011)
Common Areas of Risk
- Student alcohol abuse
- Workplace discrimination, harassment, and retaliation
- Natural disasters and business continuity
- Safety in study-abroad programs
- Delivering on the promise of graduate programs
- Violence and crisis response
- Response and treatment provided by campus health clinics
- Increasing student demand for mental-health support
- Transportation of student groups and athletic teams
- Concussion and head injuries in athletics
- The expanded role of Title IX as it relates to student sexual assault
- Minors on campus
- Hazing in student activities, including and beyond the Greek system
Compiled by United Educators