Get an assist with your organization’s alignment with URMIA’s Peer Review Service. Guest host Craig McAllister, University of Miami and an URMIA Board Member talks with Robin Oldfield, University of Dayton and Mark Anderson, University of Pittsburgh and URMIA staffer, Gary Langsdale about the program and it’s impactful outcomes.
Craig: Hello everyone, and welcome to the URMIAmatters podcast. I’m Craig McAllister, I’m the Executive Director of Risk Management for the University of Miami, I’m a member of URMIAs Board and today’s guest host. Today’s topic is the URMIA Peer Review Process. With us today are Robin Oldfield, the Associate Vice President for Audit, Risk and Compliance, and Chief Risk Officer at the University of Dayton, Mark Anderson, Executive Director of Enterprise Risk Management at the University of Pittsburgh and Gary Langsdale, the Education Manager for URMIA. I’d like each of the guests to give us some background on themselves, starting with Robin.
Robin: So, I’ve been at the University of Dayton for 21 years, Associate Vice President of Audit, Risk and Compliance. Over the years, I started with Environmental Health & Safety in Risk Management & Insurance and have since added the internal audit, compliance, enterprise risk management and most recently emergency management as well.
Craig: That’s quite the portfolio, thank you Robin. Mark?
Mark: Hi, Mark Anderson. I’ve been at the University of Pittsburgh for about 6 months, so I just got past my probation period so I’m really happy about that but my background over the last several years was at an academic medical center where I developed an enterprise risk management program there and oversee both operational risk management and enterprise risk management at the University of Pittsburgh. My background is as a CPA and as a recovering lawyer.
Craig: Thanks, Mark. And Gary?
Gary: Well, I’m pleased to say that I’ve been the Education Manager at URMIA on a part-time basis for the last two and a half years, 2+ years, and before that I spent the most recent 16 years as the Assistant Vice President and Chief Risk Officer for the Pennsylvania State University and was in manufacturing risk management previously.
Craig: Thanks, Gary. To start off today with the peer review process, I’m asking Gary to run through and describe the URMIA process at a high level.
Gary: Ok, sure. So the process really begins with an institution expressing interest in having a peer review that would contact the URMIA National Office staff and we would get back to the Risk Manager or to whoever at the institution and have an informal conversation about their desires, their scope, what they’re really looking for, and then URMIA would propose a more formal scope document with areas that we would recommend be reviewed and documents we might like to see and people we might like to speak with by title. We would also talk about who might be selected as peers or proposed as peers. The peers come from URMIAs Institutional members and there would be a conversation from our perspective about who has expressed previous interest in being a peer and participating in a peer review. The institution might have ideas. We would construct it in a way so that it’s like kinds of institutions. So for a state-affiliated university we might choose risk managers who are in a state university, for privates we would focus on privates, for community college we might find someone with that experience, and so it would be up to the institution and the URMIA staff to agree upon the peers and agree upon the scope, there is a charge for the service, which is really based on a cost-covering. URMIA would like to make a slight profit, we are a non-profit entity but we’d like to cover our costs and contribute to URMIAs overall budget with this process and then we would set a schedule and hopefully we find that the process works very well when the peers have an opportunity to be on campus to see the campus, to meet in person with various constituents of the risk management office and our most recent effort, because of the pandemic, everything we did was online, was by zoom. And that worked surprisingly well and in the future, we just debriefed about our peer review at the University of Pittsburgh, and the peers concluded that there might be some sort of a hybrid that’s, I think that’s the word of the month these days. It is a hybrid experience for a peer review where some of the interviews could be conducted by zoom at everyone’s mutual convenience, but perhaps have an on-campus segment to get a better feel for the campus and the people and how things are laid out.
Craig: And what is the output from the peer review?
Gary: So, thank you, that’s a great question, thanks. The output is a report. It usually comes as an informal discussion with the risk manager first to make sure that we’ve captured things correctly, we haven’t misunderstood anything that we’ve been told or misunderstood a structure or a program. We would then put that into a formal report. The form of the report would depend on the institution and their desires. Some schools particularly those who are subject to right-to-know laws might wish for a high-level overview instead of a detailed written report. Others might choose to have it protected by an attorney-client privilege and the engagement would come from the general counsel’s office. Still others who are just looking for a detailed report that they can use to improve their program or fine tune it depending on what the results are.
Craig: Thank you, Gary. I’d like to start off with asking Robin, really what went into the decision to have a peer review, and how did you make that decision.
Robin: So in 2017, the University of Dayton decided to take an approach where we were centralizing our approach to managing risk, and that’s when we brought internal audit, compliance, enterprise risk management with environmental health and safety and risk management and insurance under one umbrella, and in that transition we thought it would be really helpful. At the same time we were starting our enterprise risk management program and wanted to make sure that we were approaching it very thoughtfully, that we had the appropriate resources, the appropriate reporting structure to move forward with that model.
Craig: Thank you and with that being over three years ago by now I guess and I’m asking with Mark, how was the decision made at the University of Pittsburgh?
Mark: So, it’s interesting. The ERM effort at Pittsburgh has had some starts and stops over the years and pick back up again during COVID last year, which lead to my hiring. But prior to my hiring, the previous risk manager had started engaging Gary and the URMIA peer review team to come in and look at the operational risk management side of the University of Pittsburgh. When Yvonne retired and I started, she suggested that I still go forward with it even though I was new and so what we decided to do instead of looking at all of the operations, which would be ERM as well as the operational risk management side, we focused on going forward with just the operational risk management side. We actually thought it would be a good idea to look at where we were at, especially as someone who is new to the university and to identify any potential gaps between kind of where best practices were kind of where we were. So for us we looked at a kind of potential road map to see how we could close the gap, and for me being new it was perfect to identify those things.
Craig: Okay, and how much preparation did you have to do prior to the review and what was needed for that?
Mark: Is that question to me?
Mark: So there was a good bit. Once Gary and I kind of engaged a good bit during the fall and you know they sent out kind of a long list of document requests once we got the scope of what they were going to look at and so I think there was kind of just a, four or five different categories, a number of document requests about documents that we have, or we don’t have. There was also, based again on a scope of what we had kind of agreed upon, a number of people that they wanted to interview throughout the organization. For me it was particularly challenging because some of the folks that the peers were looking to interview, I hadn’t met myself yet because I started two or three months after I got here. So it was both hey, I’m the new ERM guy, by the way can you do me a favor and you know interview with the peer review folks who are coming in to take a look at our operational risk management processes. So from that perspective it was very challenging, thankfully we weren’t in a renewal period right at that time so the staff and I were able to pull stuff together, wonderful in terms of pulling it together, but it was challenging and I guess the last part I would say, coordinating all the interviews, I relied on an administrator in the CFOs office who I just said, look please help me, on bended knee and she was able to really arrange all the interviews in a really efficient manner over about a two or three week period, so I was glad actually came off without too many hitches frankly, but it was, it was challenging for us in the office and a lot of folks at Pittsburgh really chipped in to really hopefully, I think provide good information to the peers.
Craig: That’s certainly challenging, Mark, when you’re getting into the new situation you don’t know who all the players are, you know just got the set of keys to the new house and don’t know where the water meter is I guess, right. But Robin, having been there for a few more years at Dayton, how was your experience for you in prepping for this and for I guess scheduling certainly for the interviews?
Robin: So in preparation it was actually, it was quite a robust amount of information that we gathered. I almost felt bad for our peer review team, having to go through all of that information, but it was an exercise that was really helpful as we were re envisioning this new what we call our audit risk and compliance umbrella because we were pulling all of these things together and really similar to mark, focusing on the enterprise risk management initiative, but really looking at it wholistically and so it really even though it felt like a heavy lift in the moment, it really paid dividends in the long run because we were able to really pull it all together and really show the benefit of how it fit under that umbrella, so once we’ve got all of that information together there was a lot of back and forth with the team and how they wanted it presented and certain things that may have been missing or that would be helpful and we were really able to work well together and that back and forth. We actually were deciding that we wanted to bring a lot of people to the table. I want to give Mark credit, it is quite a feat to bring a lot of these people together, but what a great way for being introduced to your stakeholders. We had about 16 different groups, so we grouped them by different categories. So, for example, the dean’s and the provost’s office, the finance, the administrative services, legal, athletics, you know those types of groups and we would bring them in and we would brief the peer review team on what group was coming in and give them just a little bit of background, their names, and then we would leave and they would spend the time having discussions with them and that was extremely beneficial even though it was challenging to get all of those people together in that short period of time, that was one of the highlights of the peer review.
Craig: And did both of you, were both of you the project manager for the process internally?
Mark: Yes, with Gary and the team.
Craig: How did you find the request for information the request from the peer group, Robin you said you provided a lot of information, but did you feel that it was burdensome, was it appropriate, was there more information you felt that you should have provided?
Robin: I felt like it was appropriate. I think they asked for things that were important, like I said, especially, we took a more wholistic view so we were able to share it in a manner that I felt that I had complete confidence, even though a lot of it could be considered confidential information, we were you know sharing policies and things along those lines but I felt like the process went very well.
Mark: Yeah, I’m in agreement with Robin. We had spent considerable time prior on the scope of the review itself and so in a very kind of logical fashion, the documents that were being requested flow directly from the scope of the peer review itself and so there didn’t seem to be you know excessive amounts, at least in my mind and you know it just took a while for us to gather the information but frankly it also pointed out some additional organizational challenges we have with where documents are and where they’re located and they’re not so easily at our fingertips and this process actually, which I think I knew before, but it highlighted that fact. It’s one of the things that even prior, there are certain internal drives we just need to clean up, and they need to be cleaned up prior to me getting there. This highlighted that and although not mentioned specifically in the report, it is one of the internal things that we have to do that I think this process highlights as well.
Craig: Sure it’s good to have a new set of eyes take a look at that as you came into the institution.
Gary: Craig, one of the other aspects of this peer review that both of our guests have not commented on yet, but I can speak from experience from having undergone peer reviews in the past, is the anxiety over having your institution, your office be reviewed. Do we have everything we need, are the peers going to be satisfied with what we have, what are the recommendations going to be like, what is my boss going to think about what the recommendations are. That is all the source of some personal anxiety as you’re putting everything together. When you read a document that the peers have asked for that hasn’t been reviewed or updated in the last number of years you think, oh man this document needs work.
Craig: Well I do think that that would be, that’s one of the brave components, especially Robin, you know where everything is and Mark, you’re just coming in, that’s a different, kind of opens your eyes to what is going on, but just having the process sounds like there was value in that, not just necessarily the outcome from that. Were there any specific surprises other than the process, but specific surprises that you came upon during this process.
Robin: I would say for me the surprise and the benefit of just really having, we were very blessed, we had just the A team of A team peer reviews and having them interact with our leadership and the meetings and the dialogue that were happening, really that was the biggest value for us is, it really brought a lot credibility and confidence into the room, and the recommendations and evaluation that happened really, the leadership really paid attention. There was so much buy-in and it really helped us use the moment because as we all know, our institutions, we get this initiative fatigue that happens especially amongst senior leadership and you’re trying to build consensus, we generated this excitement and this momentum that was really beneficial and I really think that it had a lot to do with the group that was around the table, the peer reviewers were just really highly respected colleagues and from that peer to peer institution I think brought so much value and that was such a pleasant surprise walking through this. Yes, going into it I felt very vulnerable, but walking out of it there was certainly things that were identified we needed to work on, but we had some buy in and that was really, for us, one of the pleasant surprises at the end of the day.
Mark: I would say from my perspective when I was contemplating going forward with this, and there was a go, no go point early on with this because my anxiety was look, I had been here for literally two minutes and now there’s a peer review coming in on an operation that I’m still myself trying to get an understanding of, so I talked with my boss who’s a CFO at Pitt and we kind of thought it through. I think where we ended was to, because I was at Pittsburgh to really start up an ERM program, but the operational risk management program has been at Pitt for obviously forever so we decided to focus in on that and perhaps have the peers come back at some point in the future once I have a little bit more grounding in the ERM program to do that. As I thought about what could possibly be the outcome of the peer review, my staff was very anxious because they were obviously the ones who were here, they’d been here for quite some time and their institution and so they were very concerned about what could come about of this and I understood that concern, I told them as a former auditor I would hate to be audited frankly but I never was audited I always dd the scaring I was never on the scare-ee side I guess, so but I just kind of told them that look this is what I think is going to come out of this and I gave them you know three or four bullet points in a few of our meetings. Here’s what I think is going to be said, here’s what I think folks are going to say about us, here’s what I think they’re going to find, and I said if that’s kind of where things shake out, I think we can survive that as a team and I emphasized the fact that we are a team. They knew that the fact that they were here didn’t make it seem like this was all you guys and I’m new so therefore I have no skin in the game, made it clear to them I had skin in the game the moment I accepted the job to the moment I started at the job, but then this could actually be something that we leverage in the future in terms of us taking, if we’re going to be doing ERM process and evaluating other risk management processes across the university, then maybe it’s a good idea that we look at ourselves and we’ve actually kicked the tires and went underneath the hood also, so I thought you know here’s where I think the peers are going to land on some (?) and maybe some minor things, but I think the big themes, we already know what they are and they’re just going to confirm those things, and so in that regard there were no surprises because during the you know initial review of the findings and the observations, recommendations as well as the final review, frankly there really weren’t and my boss and I talked about it and you know said look, this is what we need and it’s a good document to have that we can use going forward, well frankly we already started moving in that direction, so this is helpful and I think it gives us good capital to say look, we’re looking at ourselves, we’re going to be looking at other folks as well, so I think a lot of that also had to do… I definitely echo Robin, the peers themselves were excellent and Gary was, you know and I know he’s on the call but I would say I just saw him last week in person, I would say this in person to him, he was a great kind of navigator of the process and was very transparent and frankly as a an auditee, that’s all you could ask for, as someone who’s transparent, kept us in the loop the whole way. So even if I didn’t, if I wasn’t right about what I thought the findings would be, every step of the way Gary was giving me kind of heads up on here’s where we’re going, here’s where we’re leaning, so in that regard he made it a more non-surprise event and I think we now have something we can use, a document to go close some of the gaps that I think I’d already anticipated when I’d started.
Craig: I have one final question and I would put this to both of you is, if you knew then what you know now, would you do it again?
Mark: Yes. Yeah, without question. No, there’s a benefit. There’s way more upside than downside, and the downside is just, as Gary indicated, some anxiety amongst the staff about basically you know their operation being reviewed that they’re a part of but no I would absolutely do it again.
Craig: and Robin?
Robin: Absolutely, and if anything, I might even request for another one down the road just to do a here’s where we were in 2017, here’s where we are 5 years later, what’s the progress, and then really help us to even push it further down the line. As I looked back knowing that this podcast was going, was coming up I looked back at the report and trying to gauge some of the process based on the recommendations and keeping it fresh and I think that it’s been something that I’ve been able to go back to and really utilize and if I had it to do over again, what groups of people that I would have the team really interview and areas that I would delve a little deeper into, and maybe target it a little more so I certainly would do it again and hindsight is always great and if I ever do get an opportunity to do it again then I would certainly highlight some areas to try and delve into those specialty areas.
Craig: Thanks, Robin. And I’d like to thank all three of you, Robin, Mark and Gary for talking today about the peer review process. So thank you for listening to another episode of URMIAmatters, and that’s a wrap.