URMIA Matters

Enterprise Risk Management Inspirations

March 09, 2022 Gary Langsdale with Guests Nancy Loucks and Andre Le Duc Season 3 Episode 9

Enterprise Risk Management (ERM) is not for the faint-hearted, but URMIA has a peer group of practitioners who get it. Learn more about the Higher Ed ERM Roundtable, a bi-monthly conversation for those with ERM responsibilities, regardless of your program’s maturity level. Gary Langsdale, Andre Le Duc, and Nancy Loucks talk about the evolution of ERM and their institutions’ current projects.

Connect with URMIA & URMIA with your network
-Share /Tag in Social Media @urmianetwork
-Not a member? Join ->www.urmia.org/join
-Email | contactus@urmia.org

Show Notes

URMIA website

URMIA upcoming events

Request to join the URMIA Higher Ed ERM Roundtable community

Guests

Andre Le Duc, Chief Resilience Officer – Associate Vice President - University of Oregon

Nancy Loucks, Director of Enterprise Risk Management - Yale University

Host

Gary Langsdale, ARM, DRM, Education Manager - URMIA


Gary: Well, hello everyone. This is Gary Langsdale from URMIA here with another URMIA Matters podcast. My guests today are Nancy Loucks from Yale and Andre Le Duc from the University of Oregon. And we're here to talk about enterprise risk management and specifically the URMIA higher education ERM round table, which is a sub-community within URMIA for those who have ERM specific responsibilities or aspire to run their ERM programs. And the reason that we're doing this podcast is that URMIA has noticed within the last 12 months, a significant increase in the interest in ERM. For example, we had an ERM 101 session at the annual conference in Seattle last fall and it had over 300 people attend both in-person and online, which was a good indication that ERM is an important factor right now for our members.

So let me start with Nancy. Um, would you give us a little introduction? 

Nancy: Sure Gary. Thank you. I'm the director of enterprise risk management at Yale and have been in that position for the last seven years. My prior experience included more than 30 years in the financial services industry split about half in business development and relationship management and half in the risk management arena, primarily commercial banking, capital markets and fiduciary credit risk and enterprise risk.

Gary: Thanks Nancy, uh, Andre. How about. 

Andre: Thanks Gary. Uh, my name is Andre Le Duc. Uh, the chief resilience officer at the University of Oregon, and also serve as our associate vice president for safety and risk services. Um, the, you know, the, as far as kind of a little bit of my background, um, we have been running an enterprise risk management program for about nine years now, but that's one of the components that's kind of in our portfolio. So the portfolio that I oversee, um, both includes all of, kind of the normal safety and risk things. So police, environmental health and safety, risk management, insurance, emergency management. And then as the chief resilience officer, I oversee the president's strategic enterprise risk management committee that we've been running for about nine years and I come from a research background. So yeah, I know we'll talk a little bit more if I don't think I've taken the normal traditional path, um, to get, uh, to where I am as far as kind of utilizing ERM but we'll talk a little bit more.

Gary: Okay. Well, why don't you go ahead because that is certainly coming from a researcher's perspective. That's a non-traditional path to risk management. Why don't you talk about how you here. 

Andre: sure. So again, you know, uh, we've been at the University of Oregon for about 22 years, have, um, founded a number of, um, different research groups that looked at organizational resilience and disaster management cities, counties, business level. And I always say that one day I made a question or asked a question of what were we doing on campus back in about 2002, 2003, and realized that we really weren't doing much around emergency management or risk management to the fact that we did not have programs.

Um, so in 2007, um, I make a long story short. We started down what I would call, um, a journey, um, and an evolution where we started the first ever emergency management program, 2009, we started our first ever centralized risk management function. And since then, we've kind of continued to grow and evolve that, but again, that backbone is as a researcher looking at what makes an organization or an entity or community resilient, we've really taken those concepts and said, okay, well, how do we apply that now to a higher ed environment? And it's critical to kind of talk about that evolution because it's one thing to quickly jump and say, well, how'd your ERM program start? And that would, I would be remiss if I didn't say that, “Well, actually, we've got to go back a little bit further to say that, you know, how did risk management and kind of centralized concept of risk management in a very decentralized higher ed environment start?”

And it truly has been that evolution. And, um, quite frankly, where we're at now with kind of employing both the concepts of organizational resilience, which there's methodologies around how you do that. And then enterprise risk management. We're really trying to weave those two elements together to address a pretty unique culture that is higher ed and again, what we're doing at the U of O is, um, unique to the U of O but the fundamentals, I think, are things that can be transferred to any campus. But the bottom line is you've got to build systems and programs that address your institution and meet your institution, whether it be the academic, the research, the administration, where they're at and bring them along for the journey.

And that's where we say we are today that we're not done. Um, but we continue to evolve.

Gary: So Andre. Yeah, I've always heard it said in higher ed that if you've seen one university, you've seen one university and it's very much the same with ERM programs. If you've seen one school's ERM program, you've seen one ERM. Just going to ask you a follow up question. Based on your experience in doing the research in the public arena, how would you contrast higher ed in general, in their emergency programs, um, with what you see in higher ed and what has become the you have U of O. 

Andre: Yeah, that's a, that's a great question, Gary. Cause I think one of the things that has really benefited me, um, coming both from the academic, but specifically the applied research side of the academy is, um, I had the great fortune for 11 years of running the research institutions of working with, you know, numbers of counties, cities, businesses.

And so you, you can start to see where people are struggling with these concepts outside of higher ed. So I think it's easy sometimes to say, well, higher ed is unique and we're different. And I always say, well, people are people. Um, and kind of the, the culture is really a key component in the sense of, um, understanding, uh, you know, how to change things.

So. From the research perspective? I think so there's some very basic sediments of, you know, programs that are basically, I say, baked in - meaning that you're over time. You're just ingraining this into the operational fabric of the institution, whether that's the emergency management side of the house, the operational risk or enterprise risk management are going to be more successful because you're taking a systems approach to something as opposed to bolting something on where you just make a program and you say, okay, over here, you're responsible for ERM but it's not really, you know, something that's over time going to be folded into the fabric of decision-making, financial, commitments - we're, again, those things take time. 
 
So I think what the research afforded me was that I knew what I was up against. Um, I knew that this was not going to be an old. Um, element and that we had to take incremental steps. And then the other key is that people generally like to be involved in things that, uh, accomplish things, that build things, that move things. And so our approach that, again, there's lots of great documents out there on how to start ERM programs, how to work on that is understanding that you need to build things with your constituents. And that's definitely something from the research side, whether we were approaching a project, working with the city or county or state or business entities that we always approached it, where we were partnered with them, we were partners with them and we were moving, um, the dial forward together or not. Um, and so that I think is one of the key things that we can all learn from this is that if you really don't, don't start big, start small, make those little successes. And one of the things I've been very proud of with our ERM program, as the product that we're not just tracking the risks, we're actually changing the way that the institution, uh, writes policy, um, changing operational procedures, but there's a process and that process is engaging, uh, people from across the campus.

Um, so again, I think those are the things from a research perspective. It's just the way I think of, I need to bring the stakeholders together. We need to have kind of what our hypothesis or mission set or appreciative question is. And then we work together to accomplish that. Um, and, and knowing that you're going to have successes sometimes, and you're going to have failures and sometimes your failures provide you the best learning of how to then retool things and come back at it.

Gary: Nancy. I want to go back to you because you know, certainly the finance industry one of the first industries to embrace ERM but I didn't hear you say you were involved in ERM when you were in banking and finance, how did, how did you make the leap from that to higher ed and the ERM at the same time? 

Nancy: Uh, so my work with enterprise risk management does actually date back to my banking days. In the mid 1990s, the financial regulators began the practice of supervision by risk and in response to that my institution developed an enterprise risk management framework that evolved over the ensuing years at responsive to changes in the financial regulation. And that was a period of time when I was involved in the risk management functions. 

Gary: Well, um, Nancy, let me ask you about URMIA’s higher ed ERM round table. It's been around for a number of years and you have been one of the co-leaders, um, of that group, uh, from its beginning. Uh, can you talk about the round table, how it got started and how it has evolved? 

Nancy: So it began in response to a need to develop a group of practitioners in enterprise risk management. Many of us are single incumbents and it was building a community of people trying to, uh, progress, uh, establish advanced programs in higher ed institutions. Um, we currently have membership from the institutional members of URMIA who either lead maturing or matured programs to those who are just starting out. And our bi-monthly meetings, alternate between foundational and more advanced topics. The listserv I find is a valuable resource that allows members to reach out to other practitioners for peer practice and guidance.

Gary: Well, that's, that's very helpful and very true. Thank you for that, Andre. Uh, can you talk about some examples of recent round tables, the bi-monthly sessions? What have we covered? And what's coming. 

Andre: And so we just, um, finished a, a session, um, last month, uh, that looked at kind of this maturity question and kind of building off of what Nancy was saying that again, I think it, it takes a village. So taking all the practitioners and kind of looking at, I think that discussion, I think we often. Yeah, kind of wanting to benchmark.

And so that session was really kind of, to look at a snapshot of, you know, programs that were just starting programs that kind of consider themselves in the middle and programs that are kind of feeling like they're. And kind of that advanced stage, I think it's always, uh, an evolution. Um, and then building off of that, uh, we have, um, some survey work that we're going to be doing.

So again, the idea of this being a value of round table and discussion is to really ask the practitioners what they're, where they're looking at. And so we are going to be surveying. The members in April of kind of what's on their plate and what, what are they going to be focused on in the coming years?

So that can help us set up the future round tables. So that again, the time that we spend together, um, is fruitful and benefiting everybody that's involved.

Gary: That's great. Thank you very much. Each of you, uh, focus on ERM alone and Andre, I know you supervise, um, more operational risk management within your institution, but I'd like to ask each of you that there are a number of our members who have expressed frustration that they don't have the budget to have a person who is dedicated to just ERM and I wonder what advice would you have for those institutional risk managers who can have to cover the waterfront, but want to have ERM as a part of, um, that program because of the value of enterprise risk management, how do you, how do you do that? When, when it's not your sole responsibility?

Andre: Well, I'm happy to, to jump in Gary. It is a really good question. And one of the things that I'd mentioned our ERM program, so we're, we're one where we started down this journey with no staff. Um, you know, uh, and, and actually a number of presidents ago where one of the presidents, um, who had come from a system where they had employed in ERM programs, said, we need to have this here. And so called upon me to say, can we build it? And so we started with a team. And so that's the part, I think that's the key is to get getting, getting those stakeholders. But then the idea of like, so right now where we're at with, with our ERM program, I have a project manager that is kind of the, the sole person that runs the ERM program.

But that's backed up by then. We have a cabinet level team that meets monthly and the key is we didn't get there. So in the first five, six years, we had no staff. But what we did was we focused on things that similar to what we're doing with our round tables, with our practitioners, we focused in on the things that the institution said were critical and important, and we've made interdisciplinary teams, uh, to advance those efforts. So kind of a proof of concept. So again, going back to that research side of, well, don't give me the money until I can show you that it can actually have a great return on investment. We're able to pull off a few projects that again were very operational in scope, but we were able to show them how it was kind of starting to lean us towards a true ERM process through that. Then our campus runs, um, what we call the strategic initiatives process for new money and new investment, which again, often you think about this is going to be faculty, this is going to be program. Well, we succeeded, um, and securing the funding for the one position out of that.

But what I really think allowed us to succeed in that was we had product and we were saying that with this investment, and then the other part is we said, hold us accountable. So with that investment, we more than tripled the number of projects we do per year that are focused on this core concept. Um, so again, the idea of start slow, start with something where you have, um, capacity internally, because you want to be able to succeed. So sometimes you have to scale it back a bit, uh, but then build upon those successes to make a better argument. And that's the part where, again, going back to that, I lived off of grants, um, for the better part of my career of making a cohesive, coherent and simple argument or of the return on investment.

But you're not going to get there. Meaning if you have nothing to do. I just strongly advise, well, you got to start with something to kind of the proof of concept. Um, and even if that's an initial investment of saying, well, I need some startup money to do this. Um, but then throw that dedication there. And that's where I think it's so important that we're having these discussions about maturity of a program, because we started from scratch and I feel like we're a growing program. But it takes time tenacity. Um, and again, that integration, if it's not integrated, it's going to be really hard to convince leadership that this is where they should be putting limited resources.

Gary: Thanks, Andre. Nancy, anything to add to that? 

Nancy: Um, I think that I'm largely in agreement with Andre’s, um, view, uh, whether ERM is your sole responsibility or a part of a portfolio. It is a journey. It needs to be continuously evolved. It needs to deliver value back to the institution, consistent with the institution's culture. Um, and I agree that it might be preferable to pilot a program on a smaller scale, so it can be done in a finite period of time.

The results can be given back for which action can be taken, uh, then to, uh, design a massive project that takes years before it's actually reached to its concluded.

Andre: One thing I'd add to, you know, appreciate Nancy, uh, agreeing, because again, I think that the key here is you have some institutions that will put the investment forward to bring somebody in. One thing I wanted to make sure that I was really clear about is our first investor. Outside of the committee that is the president's committee.

So again, having leadership buy-in is critical on any of these things, but as a project manager. So again, kind of what Nancy was saying. If we, if you start small, the skillset that you need to kind of really get this off the ground in my mind is if you've got a solid risk management team, you've got leadership buy-in, it's bringing in a project manager to start.

You don't always have to bring in, um, kind of a high level. Uh, risk manager to, to do this. If you've got a good handle on kind of what's going on in the risk portfolio, because again, the key here is get things done to produce stuff, to move forward. The reason I say that is if you're a smaller institution, you may already have a project manager that's assigned some schools, basically have them where they can move them around.

So this idea of starting with a pilot project, you might be able to say, Hey, can we have some resources to put some funding towards the project managers? To support the ERM program. What that does for the institution is it's very clear that leadership is going to need to make the commitment they're going to need to be at the table. But what you're bringing in is somebody that can kind of, you know, make sure that things are moving forward. So in my sense, I'd been looking back a bit, um, that has helped us a lot, that, that project managers, that I'm not the one who's gonna make the decision of, if this is an acceptable risk or the risk tolerance. 

I'm here to move the process forward. That way you're constantly making it very clear to senior leadership. They need to make some decisions, but you have somebody in there that's helping bring the material, the data, the background, um, to the table, so that it's a little easier to make those decisions.

Gary: That's, that's very helpful. Uh, in addition to you two being the co-leaders of the ERM round table group within URMIA, you are also two aspirational role models for our ERM folks. And you've both been talking about projects, I'd be interested in hearing about just one project that each of you are working, uh, on in, at your institution.

And I'll start with Nancy. 

Nancy: Uh, Gary, I'm not going to be able to answer your question because I'm working on a portfolio of projects, um, ranging from. Many of them COVID related, including recommendations for the policy group advisory work, exception approval work, progressing a research freezer monitoring project, initiating a departmental risk assessment and completing in conjunction with my colleagues in audit and compliance, the annual or annual university risk update.

So, um, would it be that I'm only working on one thing.

Gary: Well, that's a great answer, Nancy. Thank you, Andre. What about you? 

Andre: Very similar to Nancy that, uh, it is a suite of. Um, so I won't repeat, because again, similar things of looking at COVID what, what do we need to adjust, um, in our systems and kind of a set, um, coming out of this for lessons learned and also kind of the foundational elements of updating our risk management, but one that I'm excited about that actually goes beyond our institution and ties to the round tables we are about to launch - I think people are familiar or if not the disaster resilient universities, um, program back in 2016, did the first ever national needs assessment of emergency management, um, and partner. URMIA and a number of other professional associations - I'm happy to announce that we are actually launching the 2022, um, compendium to that.

Take the survey questions and see what happened between 2016. And we all know a lot of things have happened, um, since 2016. Um, so that's a project that we're kicking off this spring. That, again, I'm hopeful that will not only benefit, you know, my institution, but benefit a lot of institutions to kind of give us that, um, the waypoints.

So kind of where, where are we in contrast to other campuses and reason I think that's so important is one of the conclusions of the 2016 survey was we knew campuses were not in a solid place for continuity plans or recovery plans. Coming out of the pandemic, we want to revisit that to see where are we now have we learned, or again, are there areas that we can improve?

Gary: Okay, well, thank you very, very much. Both of you. This has been very informational and we appreciate your willingness to speak with us. We also appreciate your willingness to lead the higher ed ERM round table, um, that our members find to be so valuable. Um, if you are listening to this podcast and are interested in joining the ERM round table group, uh, go to URMIA’s website and, um, you can click there and you will find a link to a simple SurveyMonkey survey. Um, asks you a few questions and, uh, we will admit you or send an email to, uh, urmia@urmia.org and we'll direct you to it. 

So this has been Gary Langsdale. Thank you to Nancy Loucks and Andre Le Duc. Um, and that's another URMIA Matters podcast.