By the nature of their work, people at the University of California, where I serve as chief risk officer, are risk takers. Their risk appetite is amplified by an urgency or impatience to “get the job done,” a belief that they have all the information they need and therefore don’t need the assistance or interference of others, and a feeling that if all of the potential risks were uncovered, they would not be allowed to proceed.
UC employs more than 170,000 faculty and staff. Its five medical centers handle more than three million patient visits each year. UC manages three U.S. Department of Energy national laboratories and operates the largest fleet of research vessels in the world. UC is also actively involved in locations beyond its campuses, national labs and medical centers — in places throughout California, around the world and online. So, how do we align faculty and staff risk appetites with what the system can tolerate?
Our solution is to put people in charge of their own risks, and my role is to provide tools to help them identify, manage and monitor their risks — not to manage the risks for them.
Our Office of Risk Services (ORS) takes an organization-wide approach to attack the university’s portfolio of risk by utilizing a host of different tools, work groups and initiatives. Key to the program is our Enterprise Risk Management Information System (ERMIS), which provides a variety of qualitative and quantitative tools to help UC unit managers identify their risks and determine where to strategically deploy resources.
ERMIS can define, highlight and predict risks and trends to allow managers to intervene before problems arise, and it can be adapted to many different sectors. It creates efficiencies by automating manual processes, and the application flexibility reduces IT redundancy across different units and locations.
In one recent application, a UC researcher wanted to take a team of graduate students to a country that was a security and safety concern. In many universities, he would have struggled to obtain funding for such a project. Working with the Risk Services group, the researcher was able to identify specific likely risks and could modify the project plans so as to reduce the risk and unlock the funds he needed.
We are also involved in helping managers assess the risks of new projects. One of UC’s major current initiatives is to move to a centralized payroll system. The project, known as UCPATH, offers tremendous opportunities for savings and efficiency, but it carries complex risks: operational, compliance, strategic, and reporting. We are leveraging our ERMIS system and tools to monitor and report on risks and risk treatments. This same methodology has been used on a variety of important initiatives, including but not limited to foreign operations, expanding research and clinical operations, student-led community initiatives, and consolidation of business units.
We track the value and savings of our risk management program along multiple dimensions: efficiencies created, reduced impact of risks, and reductions achieved in borrowing costs. Over the last six years, the program has saved more than $500 million, while UC’s investment in resources has risen.
We are getting ready for our annual Risk Summit, where more than 600 people — from students to scientists, representing the entire spectrum of UC — will be in attendance. The common thread will be that they are all their own risk managers.
NOTE: Originally published by Harvard Business Review in 2012. Copyright 2012 Harvard Business Review. All rights reserved. Reprinted by permission.
Download the white paper, The Art of Balancing Risk and Reward. This paper outlines executive leadership’s role in setting, implementing and monitoring risk appetite (a key input to effective risk management). It’s imperative to develop a risk culture from the top down.