Managing risk is everyone's business at Penn State

Just mentioning the word 'risk' makes some people nervous. Risk is something that few beyond the world of poker, sky diving or NASCAR are willing to take on.

But mention risk to Gary Langsdale and he sees an opportunity for change. As Penn State's risk manager, Langsdale is charged with identifying the University's potential risks and helping people assess, eliminate, reduce, avoid or manage these risks. Everything from data security, student behaviors, pandemics, laboratory environments, weather emergencies and more — these are the events and operations that Langsdale knows if not handled correctly could threaten Penn State's ability to achieve its goals.

"Facing risk is about being aware of and assessing potential threats to your organization," said Langsdale. "It's about minimizing the consequences of the unknown."
That's why Langsdale heads up a team of University employees who have been taking an inventory of Penn State's possible risks through an approach known as Enterprise Risk Management (ERM). ERM is a concept that was embraced more than a decade ago by the corporate world and Penn State was among the first universities to adopt similar strategies to systematically identify, prioritize and assess its potential risks.

In fact in a recent nationwide survey of university leaders, 60 percent of respondents reported that their institutions do no identify major risks to their institution's success. The survey, sponsored by the Association of Governing Boards of Universities and Colleges, a group that serves the interests of trustees and other academic governing bodies, points out how higher education is lagging behind in this important area of responsibility.

Because risks can have a substantial effect on a university's ability to operate, Penn State officials are moving to proactively identify possible risks, prioritize those risks by likelihood and magnitude of impact, assign who should be in charge of managing the risk, determine a response and monitor progress.

"Risk assessment should be a normal part of any institution's strategic planning," said Al Horvath, Penn State's vice president for finance and business. "We need to look at risk and weigh it against the potential rewards. If you think about it, there is a broad spectrum of risk that faces any complex organization, and all successful organizations take on risk at some level because the most promising opportunities are going to involve some form of risk."

According to those in the field of risk management, there are generally four types of risk that include strategic, financial, operational and compliance. Uncertainty in the financial markets, declining enrollment, legal liabilities, research operations, and natural causes and disasters are all examples of risks that Penn State faces on any given day.

Langsdale said that the ERM approach being undertaken by Penn State is meant to provide a framework to identify events or circumstances that pose a hazard or vulnerability to the institution.

"By proactively addressing risk, as well as the opportunities that come with it, we can make everyone aware of how to appropriately manage risk. We can be better prepared to live with and respond to it," he said.

Langsdale and his team set out to broadly identify risks at Penn State, by defining risk as "any impediment to accomplishing institutional goals." Through 53 face-to-face interviews across the University, more than 100 possible risk items were identified. Ten were pinpointed as having a higher probability of occurrence or negative outcome. The 10 risks in no particular order are:

1. Unique risks involved in operating an academic medical center.
2. Data/information security risks (protecting the confidentiality, integrity and availability of electronic data).
3. Emergency prevention, preparation and management (identified as both an operational and hazard risk).
4. General physical well-being and safety of students and employees.
5. Protecting Penn State's reputation and maintaining the quality of a Penn State degree.
6. External funding and its impact on operations (both state and federal funding).
7. Technology initiatives, rapid changes in technology, data storage and Penn State's ability to keep up with commercial applications and maintain interoperability.
8. Meeting the changing student demographics in today's marketplace.
9. Alcohol impact related to high-risk drinking by students.
10.The regulatory environment and Penn State's ability to maintain compliance with a complex set of laws and regulations.

Langsdale said in addition to these 10 items, there are numerous other risks that must be continually monitored and addressed by the University and its employees. These include: adequate space and facilities; employee retention; fiscal oversight and management controls; the increasing cost of healthcare and benefits; and fundraising and endowment management issues.

Penn State's risk manager suggested that supervisors and employees look within their own work units to identify possible risk. He also said managers need to support training that may be needed to help staff develop the skills to see potential risks and help leadership decide if the risk should be avoided, accepted, reduced of shared.

"Our goal is to raise the visibility of the need to manage risk, to change the way people think about risk and how they view it moving forward," Langsdale said. "We want risk identification to move deeper into our institution. It's the people on the front lines who are going to be able to identify risks more quickly."

There is already a class offered through Penn State's Human Resource Development Center (HRDC) called "Enterprise Risk Management (LDR 201)." About 200 people have taken the course, that will be offered again March 29, 2010.

"Every Penn State employee has some responsibility for risk they may face and to manage it in some way," Vice President Horvath said, reinforcing the goals of the ERM program. "The risk tolerance of departments and units in relation to whatever payoffs we are seeking, needs to be understood and it needs to be a priority.
"Although risk cannot be eliminated, it can be managed, and we need to embed risk consideration into every management function."

Contacts: 
Last Updated November 18, 2010