Elizabeth Carmichael

Elizabeth Carmichael is the director of compliance and risk management for Five Colleges Inc., which includes Amherst, Hampshire, Mount Holyoke, and Smith College. She can be reached at [email protected]

Risk Insider: Elizabeth Carmichael

ERM Is Not Just ‘Our’ Problem

By: | June 15, 2016 • 2 min read

Jack Hampton recently wrote, “Risk managers have a staggering problem on their hands if they are ever going to make enterprise risk management inroads across the full Academy. There is no other way to see it.”

And he’s right. Risk managers will always have a staggering, even insolvable, problem on their hands as long as they are the ones responsible for developing and implementing ERM at their institution. The same holds true for any business.

I’ve recently come back from the Higher Education Compliance Conference of the Society of Corporate Compliance and Ethics (SCCE).

There, I was heartened to hear presentations from multiple institutions where a team of senior leaders across the institution leads the ERM process.

As we know, engaging senior leadership in the ERM process helps to ensure the success of the program by placing the risk ownership across the institution, rather than allowing the perception of ownership to sit in risk management. The most mature and robust programs fully integrate the compliance, ERM, traditional risk management and internal audit functions.

The risk management burden, as Jack points out, is endless and ever varying. We will never be able to stop the rogue employee from breaking the rules, including the grumpy professor trying to make a point by publicly illustrating gaps in our systems.

We may seldom be able to stop the determined assassin before he strikes.

However, an ERM program can protect the institution or the company from the consequences of these actions while boosting resiliency and resources if it enables us to develop processes that will:

  • Put organizational structures in place to identify and manage risk across the enterprise (including compliance risks);
  • Create codes of conduct, policies and procedures to guide people on what to do;
  • Educate and train our community so they know what they are expected to do;
  • Give our operations managers tools to self-monitor their risk management and compliance activities and audit the operations as necessary;
  • Develop clear reporting and investigation processes for claims and complaints;
  • Discipline those that willfully break the rules; teach those that accidentally break the rules; and
  • Investigate and remediate systemic problems and risks.

So, how do we engage leadership in embracing and leading ERM? We talk about it, frequently and to anyone who will listen.

Practice your one-minute ERM elevator speech and use it on faculty, deans, all of your director-level peers and especially senior leaders.

Meet with key risk partners and share the benefits of an enterprise-wide approach.

Be a thought leader on your campus and tie the ERM process to the academic mission.

Gates Garrity-Rokous, vice president and chief compliance officer at The Ohio State University, recommends relentless optimism.

Help your senior leaders and administrators understand that using the ERM process will make their lives easier, because ERM will help the institution allocate resources by highest need. Tell them how the ERM process will make our campuses better through improved awareness and clearer communication of risk issues.

It’s easy to feel discouraged in the face of constant stories of tragedies and malfeasance. But there are silver linings.

The students at UCLA were prepared and knew how to shelter in place so that casualties from the Mainak Sarkar shooting were limited. We’re getting better, we’re doing more with less and finding continual improvement.

Find your inner optimist, share your successes with your peers, keep calm and carry on.

Saying ‘No’ to a Risk

By: | March 24, 2016 • 2 min read

Being the person who directly says “no” to a risk can be somewhat perilous for a risk manager. As most of us know, the risk manager’s job is more about helping the organization to make an informed decision than being the arbiter of all risk-taking.

It is tempting to support an administrator who has asked for a risk assessment on a proposal that they don’t want to undertake by letting the administrator “blame risk management” for the negative decision, i.e., “Risk Management says we can’t do it.”

This pattern typically exists in organizations where administrators have little or no authority to make decisions, or in organizations where customers (students or parents in higher ed) have easy access to the president or other senior managers who overturn lower managers’ decisions without all the facts at hand.

All I can say is, don’t do this. Don’t let administrators ever “blame” risk management for a decision unless you actually had the responsibility and authority in your office to make the decision and did so.

In performing the risk assessment, be sure to consider the upside of the project, activity or event. Even brainstorm them so that you get a comprehensive list. Then consider the downside, the risks associated with the project, activity or event, and what risk mitigation would be needed for those risks.

Do your best to identify time and money costs to the mitigation efforts. This will give your decision-making administrators the documented ability to say, “We have completed a thorough risk assessment and mitigation analysis on this proposal and collectively determined that the return or reward on the project is insufficient to offset financial or other risks and the administrative costs of mitigating the risks that would be associated with the project. We regret that we cannot undertake this project at this time.”

Rather than allowing your decision-makers to “blame” risk management, empower them to communicate their educated and well-thought-out decision to stakeholders personally. (They may also surprise you and choose to do it!)

The role of risk management should be to conduct and facilitate risk assessments, and then educate our stakeholders on the outcomes of those assessments. So even if your current administration is comfortable with risk management being seen as the decision-maker, future administrations may not, and you and your department may be seen in a negative light that is difficult to shake, including being labeled as overreaching, lazy (it’s easier to say “no”), and simple nay-sayers, even if that’s not true.

Therefore, especially for those of you whose organizations are somewhat dysfunctional, prepare your risk assessment and mitigation plans with the expectation that the president or a future president may be reading it.

Encourage the administrators that you are working with to share the proposal and risk assessment as high up the ladder as possible, and be seen as a positive, helpful force for good management in your organization.

Risk Management Is the Natural Owner of Compliance

By: | August 20, 2014 • 2 min read

With the adoption of Enterprise Risk Management (ERM), many organizations have already begun to include compliance risks as part of their organization’s risk management portfolio. However, even if the organization has not yet climbed aboard the ERM bandwagon, risk managers should be actively supporting, if not directing, their organization’s compliance efforts in several key areas, namely, interdepartmental risks.

After all, the compliance challenges in most organizations will not be those that land neatly in one department. Dining services managers will be on top of sanitation regulations; comptrollers will file their taxes.

No, the greatest compliance challenges are those that cross division and department lines.

Take a look at some of the compliance requirements that prove challenging to institutions of higher education.

Title IX: Prohibits discrimination on the basis of sex and covers not only equity in sports but also sexual assault and misconduct. Consequently, it impacts nearly every division of the institution.

Americans with Disabilities Act (ADA): Its related laws and regulations impact academics, student life, facilities, IT, human resources, admissions, athletics and a multitude of other departments.

Export Controls: A mishmash of laws that similarly affects any department involved with academics, research, technology, and travel.

Records Retention Policy: Required under the tax form 990, covers every division and department and has additional privacy and security implications.

Institutions traditionally find it difficult to manage compliance requirements such as these because there is no natural “owner” of the requirement. It is here that risk managers are ideally situated to help their institutions by gathering together individuals from the affected departments into a committee or task force.

Together, they can begin to create a shared management process for the institution. In the absence of hierarchical authority, committees and task forces can wield significant influence, especially if appointed by the president or board.

Furthermore, many compliance requirements are a natural fit within a risk management portfolio because they address insured risks. Compliance with anti-discrimination laws (like Title IX and ADA) is a perfect example, as acts of discrimination may be insured through educators’ or employers’ legal liability policies.

Other compliance matters may directly affect the essential identity of the institution. For instance, if an institution violates the regulations on political speech, it could lose its non-profit status and suffer reputational damages.

While it is impractical for a risk manager to be on top of every regulation that an institution is required to be in compliance with (they number in the hundreds), it is important that the risk manager be a leader in compliance matters that, when not addressed, can directly impact insurance and claims.

Offer to help organize a compliance effort. Make sure to (successfully) follow through.

You don’t have to be a subject expert to do this! Your results can showcase risk management services in the institution, reduce risk, and create a template for your next compliance project.
