We Can All Get Along: Integrating Audit, Risk, and Compliance

By John Curran posted 06-24-2024 03:44 PM

Learn KU’s process for integrating these campus functions

A Less-than-Direct, but Beneficial Path to Risk Management

My career path to being a university risk officer is unique, I think. Before becoming the University of Kansas’s (KU) first chief risk officer (CRO) in 2021, I spent the previous nine years as the chief audit executive. That was nine years of learning the risk environment of a public research university with an academic medical center, and the difficulties of managing risk within it given KU’s size and complexity.

Nothing prepared me better for this work than my graduate studies in public administration—a “master’s in bureaucracy,” as some would say. The dean of my graduate school at Texas A&M University, Robert Gates, was well-versed in leading bureaucracies and bringing about change within them. He was a former director of the Central Intelligence Agency who would go on to be the university’s president and US Secretary of Defense under two presidents, and my classmates and I carried the life lessons he imparted to us like gold. One such lesson, which I have found to be particularly relevant throughout my career, he shares in his book, A Passion for Leadership: Lessons on Change and Reform from Fifty Years of Public Service.[1]

“Most bureaucracies—both private and public—are rigid, pyramid-like structures in which information is shared with those in ever-higher boxes in the structure but rarely laterally.”

I talk with enough of my colleagues to know that, whether at a private or public institution and regardless of size, we experience many of the same challenges. These challenges fall in line with Secretary Gates’ critique of bureaucracies:

  • Organizational silos that restrict the flow of information
  • Disjointed reporting lines for risk management and risk assurance functions
  • Multiple and conflicting priorities communicated to leadership
  • An overly reactive approach to risk
  • Unclear governance over risk

The auditor in me observed these challenges and the hindrance they posed to the university’s ability to proactively manage risk. Having separate institutional compliance programs for each campus often meant different policies, approaches, and resource allocations for managing the same risk within the university. Attempts at enterprise risk management (ERM) floundered without adequate senior leadership engagement. And those with risk management responsibilities opined on the same risks to leadership without coordinating with each other. The university had the resources and expertise but, like an unsolved jigsaw puzzle, the pieces were scattered across the organization.

Office of Audit, Risk & Compliance (OARC)

To help put the pieces together, KU undertook three major changes in the fall of 2021. The first was to create the chief risk officer position, which also carries the title of vice chancellor. The CRO leads the new Office of Audit, Risk & Compliance, which includes the combined institutional compliance program for the university and KU’s relaunched ERM program. The Office’s scope is key: it is responsible for all KU campuses and the university’s closely affiliated legal entities. The CRO reports to the Executive Risk Committee—also newly established to provide a more formal risk governance structure. The chancellor chairs the Committee, which consists of the senior members of KU’s leadership team.

[Figure: An organizational chart showing how the Office of Audit, Risk & Compliance is structured at the University of Kansas]

A frequent question I receive is what was the crisis or major event that triggered the reorganization. It may be surprising, but there was not one. I credit our leadership for recognizing the increasingly difficult risk environment in which higher ed operates and how important it is to navigate that environment to accomplish the university’s strategic priorities.

What does integration of these functions under one reporting structure look like? Consider as an example how we “work” cybersecurity as an institutional risk. Each of our functions has a role to play in some form or fashion. With a structure that leverages our office’s collective and multidisciplinary expertise, one can see how well the pieces fit together.

[Figure: A diagram of how the University of Kansas works cybersecurity as an institutional risk]

OARC Playbook

This approach does not happen by simply moving boxes around on an organization chart. We first had to define who we are and what we do as a combined office.

  • We identify, assess, and help mitigate risks to KU and its mission through our policy administration, compliance, risk management, security, and internal audit activities.
  • We are lines of defense to prevent bad things from happening.
  • We are “one-university” in mindset but understand the uniqueness of our campuses.
  • We advance the university’s mission by helping our KU community navigate the complex risk environment in which we operate (OARC’s mission statement).

With this common identity, we adopted a framework—the OARC playbook, as we call it—that sets the base expectations for each of our functions. The playbook was adapted from a compliance framework used by Internal Audit when auditing compliance programs. We regularly train on it, typically focusing on one element at a time. For example, at our last “all-hands” training day, we undertook an exercise in stakeholder relationship mapping to help identify those critical to our programs’ success. In addition to our internal application, Integrity and Compliance has tied the playbook to the US Federal Sentencing Guidelines for an Effective Compliance and Ethics Program and uses it as criteria for the Office’s routine assessments of specific regulatory compliance programs.

[Figure: Pyramid depicting the base expectations for each function around governance, risk management, and operations]

Getting Along

When our associate director and I presented this topic at the URMIA Central Regional Conference in Louisville, KY, this past February, I realized that the title of our presentation, “We Can All Get Along: Integrating Audit, Risk, and Compliance,” is a bit of a misnomer, implying that key risk management functions cannot work together. Even before the organizational changes, they did work together at KU — albeit ad hoc and through informal networks. However, the challenges found with any good bureaucracy were there, restricting a more mature and agile approach to risk management. Have we solved the puzzle? No, but we do have the pieces arranged, and it is rewarding to see the impact it is making.

[1] Gates, Robert Michael. A Passion for Leadership: Lessons on Change and Reform from Fifty Years of Public Service. Vintage Books, A Division of Penguin Random House LLC, 2017, page 65.

By John Curran, Chief Risk Officer and Vice Chancellor for Audit, Risk & Compliance, The University of Kansas