My phone rang earlier this week, and at the other end of the line was my compliance officer contact in higher education.
“Matt,” she said, “I’m looking for GRC software that can help with the university’s risk management program. We started with a database in Microsoft Access and want something that can really handle enterprise risk management.”
That might be a tall order, I said. Can you tell me more?
My higher education friend told me more. Her university is a state-run institution out west, with compliance obligations that run from healthcare (including a teaching hospital), to Title IX and its gender equality concerns, to management of federal research dollars, to college athletics. Plus all the “normal” risks that come with running a small town’s worth of students, professors, and staffers.
What’s more, several years ago her university took over a struggling nearby nonprofit that was already working under, shall we say, “close oversight” from the federal government. So the university president decided to use that moment to launch an enterprise risk management program for the whole campus.
That all seems like a plausible chain of events so far, I said, and cheers to your university for trying to implement an ERM program for such a diverse set of risks. So, um… why Microsoft Access as a database for all those risks?
“Well, we needed something,” my friend said. A faint sigh of resignation floated down the phone line.
You can’t fault a compliance officer for that answer, since it so often happens to be true: the organization wants to improve its compliance or ERM effort, but the technology is intimidating, the clock is ticking—and, well, you gotta start somewhere. So you fire up the application that happens to be on your computer already, and that’s Microsoft Office.
Let’s also remember: my friend knows that Access is an imperfect, junior varsity solution. Generating reports can be difficult. You worry whether all risks have been classified correctly, or whether the database is current, or whether everyone who needs to review enterprise risks has full mastery of Access.
To make matters even more frustrating, while Access is a junior varsity solution, my friend’s university is trying to implement a varsity-level program. The university president convened a group from across all parts of the campus, and told them to list every risk that came to mind—including risks well outside a person’s specific job. The university wanted a list of every risk it could find. That led to a lot of risks.
This project took more than a year, my friend told me, and eventually the university pared down to a list of 15 key risks and numerous secondary risks. Now campus executives are trying to prioritize those 15 risks and, ideally, assign costs of risk failure to each one.
That process is difficult. My friend gave the example of boilers, a risk that’s as mundane as you can get. If the boilers fail, the university could face significant financial pain: students housed elsewhere if the boilers fail in winter, or research ruined if certain temperature controls aren’t maintained. Yes, the university has a plan for its physical plant that includes upgrades of boilers. But what happens if they fail and require immediate attention? What qualifies as “immediate,” anyway? How do you prioritize that against other risks, like a privacy breach at the teaching hospital?
As my friend told me her story, it all started to sound familiar. Then I realized, this challenge of ERM was familiar. This is what corporate accounting departments endured 10 years ago, when they struggled through Sarbanes-Oxley compliance. And what was the first SOX compliance technology most companies used because, well, you had to use something? Microsoft Excel.
Parallels between the two situations abound. A good SOX compliance program requires strong executive support, a cross-disciplinary team, a close review of financial processes and risks, a catalog of financial reporting controls to mitigate those risks, and then a ruthless process to boil down that list to a manageable number of key controls. Then you need to find a technology solution that addresses the two biggest threats: employees creating their own spreadsheets of financial data, which in turn doesn’t give senior leadership the correct understanding of internal control over financial reporting when the time comes to sign Section 404 attestations.
ERM is pretty much the same process for all risks, with a different Microsoft Office application to leave you frustrated. So you don’t need to reinvent the wheel for enterprise risk management—you just need to strengthen and expand the wheel you invented for SOX 10 years ago.
My friend in academia never endured SOX implementation, so the hill her institution needs to climb is a bit steeper. She expects the school to find and implement a GRC solution by the end of this year. We’ll check back with her from time to time to see how the battle goes.