ERM, Internal Audit Elevate Risk Solutions at Case Western Reserve

When Case Western Reserve University (CWRU) was searching for a new leader for audit services in early 2020, Rose Kelly had an advantage over other prospective candidates. She was already employed in the institution’s controller’s office and had previously served as an external auditor for the university. That experience meant she was already familiar with CWRU’s operating model, organizational structure, and risk profile.

Since becoming director of audit services, Kelly has further deepened and diversified her perspective on risk, in part because she’s also a student at the campus. She began pursuing a master’s degree remotely as the pandemic disrupted in-person learning, so she has experienced the challenges associated with this transition from multiple angles.

“It’s probably not common for audit or risk leaders at higher education institutions to also have a role as a consumer of the institution’s offerings, but this gives me a great vantage point for considering risks broadly,” says Kelly. That perspective was perhaps especially fitting during the pandemic, as she assumed a leadership role in the university’s COVID-19 response.

Kelly recently discussed how CWRU manages enterprise risk, and how COVID-19 became a high priority focus, with Dawn Jones, managing director for Deloitte Risk & Financial Advisory, Deloitte & Touche LLP. A summary of their discussion follows, edited for brevity and clarity.

Jones: What are the critical risks on your radar in higher education?

Kelly: COVID-19 has been an important priority as we prepare for a new academic cycle, but we are hopeful it is a temporary risk. I assumed this role only a few weeks before most universities sent students home and moved to remote environments. Assisting in managing the university’s COVID-19 response has been a core responsibility for me this past year. As we move forward, we expect the virus to become more of an ongoing part of everyday life, so we anticipate a time when it will move a little lower in our risk profile.

Our transition to online education led to some unexpected benefits, but we are an in-person, residential university, so we are working through how to capture the best of both experiences as we move into a new era for higher education. COVID-19 also interrelates with other risks. We’re facing many of the same risks as other institutions with respect to technology, cybersecurity, changes in revenue, and other consequences of the pandemic. We’re particularly focused on our international students. We have a high concentration of students from other countries, and we value the diversity they bring to our campus. For a variety of reasons, these students may have difficulty coming back to campus or engaging in the same ways they have been able to in the past.

A collaborative approach gives us a broader view of risk and an opportunity to consider risks that may still be emerging, which enables us to anticipate certain threats.

—Rose Kelly, director of audit services, Case Western Reserve University

What are your plans for managing your highest priority risks?

Our strategy has involved rapid innovation. For example, when classes moved online, our technology department worked closely with faculty to allow them to provide course content with high production standards that could be made available on demand, which was important to students situated around the world. As a student myself, I can attest to the quality of the content. To help our international students, in some instances we formed cohorts abroad where students could study remotely as a community. On the technology side, we’ve taken measures to stay ahead of adversaries and develop playbooks on how to respond to possibly harmful events. We also engage in scenario planning, where we run drills to test and practice responses to potential breaches.

How has your approach to enterprise risk management (ERM) become more formalized in the past few years?

The university had an informal approach to risk management until a few years ago, when we recognized the need for a more strategic, defined process. The institution developed a formal program using both internal and external resources to identify our top risks, measure risks according to key performance indicators, and elevate the discussion of risk to university leadership and the board of trustees’ audit committee. I meet with the audit committee at least three times annually to review our risk profile, discuss our strategy for mitigating risks, and refresh our plans. We consider not only known risks but also threats that we might anticipate based on what’s happening at the university, in the community, or in society more broadly. For example, changes in leadership might lead to changes in our risk profile and areas of strategic focus, and we’ve seen changes in both political leadership and our university leadership in recent months.

How do you coordinate collaboration between ERM and internal audit?

The risk assessment is a collaborative effort between internal audit and our compliance offices to promote a common understanding of critical risks—within the risk and compliance functions and broadly across the institution. The process is intensive and refreshed throughout the year. We begin with an annual risk assessment that looks deeply at risks within specific areas, which are then evaluated and distributed broadly across the institution. Throughout the year, we meet with every operational area across the campus and form relationships with leaders and managers with whom we can share risk insights and vice versa.

How is this collaborative approach to ERM helping you identify and manage risk more effectively?

We place a great deal of emphasis on communication across the risk functions and operational areas of the university, with the aim of identifying threats that might be missed otherwise. We also gather insights from our integrity hotline by assessing those reports to identify risk indicators. The frequent touch points and the efforts to refresh risk assessments throughout the year give us continual insights into how risks may change and how we can respond. Without that kind of collaboration across functions and at all levels, we risk falling into silos that might inhibit effective responses. The way we are addressing COVID-19 represents an example of how this broad, collaborative approach to ERM enables us to make rapid operational changes in response to unprecedented risks.

To what extent does this approach add value to the institution?

A collaborative approach gives us a broader view of risk and an opportunity to consider risks that may still be emerging, which enables us to anticipate certain threats. It also empowers us to have more insightful discussions about risks with university leaders and the audit committee, which helps promote a risk-intelligent tone at the top and a culture of compliance. An enterprisewide view of potential risks and opportunities means the university’s risk professionals can provide not only information about the institution’s risk profile but also advice about how risk might be managed from a holistic perspective.

What do you expect to see in the next few years regarding the risk landscape in higher education?

Cybersecurity risks have become more pervasive, and we expect that trend to continue. Political unrest can also represent risk for colleges and universities, so we are monitoring the political landscape closely. Enrollment shifts also represent an area of risk that we are monitoring. We see a growing number of institutions in parts of the world that historically did not represent competition for us, so we are focused on strategies that will help us continue to attract and retain international students. We are encouraged, however, by strong enrollment results for the upcoming academic year. Many of our students are ready to get back on campus for a more traditional college experience, including me. So far, I have only interacted with my law classmates online, so I’m looking forward to meeting them in person.

—by Tina Griffiths, senior manager, Tara Atkins, senior consultant, and Elizabeth Walton, manager, all with Deloitte Risk & Financial Advisory, Deloitte & Touche LLP

Disclaimer and Copyright

This article is part of an ongoing series of interviews with executives. The executive’s participation in this article is solely for educational purposes based on their knowledge of the subject, and the views expressed by them are solely their own. This article should not be deemed or construed to be for the purpose of soliciting business for any of the companies mentioned, nor does Deloitte advocate or endorse the services or products provided by these companies.

This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this publication.

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. In the United States, Deloitte refers to one or more of the US member firms of DTTL, their related entities that operate using the “Deloitte” name in the United States and their respective affiliates. Certain services may not be available to attest clients under the rules and regulations of public accounting. Please see www.deloitte.com/about to learn more about our global network of member firms.

Copyright © 2021 Deloitte Development LLC. All rights reserved.