Building a ‘risk aware’ culture at Harvard

June 17, 2014

Acacia Matheson, Communications Officer

“What keeps you up at night?”

That was the question posed by Katie Lapp, Executive Vice President of Harvard, at the University’s inaugural Institutional Risk Management (IRM) Symposium on Tuesday, June 17, 2014.

The symposium, sponsored by Harvard’s Office of Risk Management & Audit Services (RMAS), was part education, part strategy session, part therapy session for attendees from across the University who are tasked with identifying and mitigating risk for their respective Schools and Units.

And those risks are numerous. Katie Lapp noted the breadth of the attendees’ experience in her opening remarks. Deans, administrative personnel and IT staff were among those who came to discuss threats ranging from financial and academic fraud, to campus safety and IT security.

“We are a large research university,” said Lapp in her opening remarks. “We have complicated facilities, we are the subject of cyber-attacks on a regular basis, and when you think about it, we invite thousands of students to come on our campus every day, whether they reside here or not. We need to make sure that Harvard is a safe place, that it is a vibrant place, and people feel they can do their best work here in a safe environment.”

The focus on risk management at universities has grown over the last several years, propelled by increased regulation and litigation, narrowing financial margins, increased global threats, and issues of national security.

Symposium guest speaker Jonathan Links talked about his experience at Johns Hopkins University where he is both a full-time faculty member and Johns Hopkins’ Chief Risk Officer.

“The challenge in a decentralized university setting,” said Links, “is that we create a distributed ecosystem of risks and their management. And so trying to manage that system is more challenging than, let’s say, a corporation that has a very top-down, centralized organization structure and processes.”

But one of the most important things that a risk management program does, said Links, is provide systematic, credible recommendations that help mitigate areas of risk much faster than they otherwise would be.

According to Links, risk cannot be eliminated, and therefore risk elimination should not be the focus of a risk program. The goal should be to help identify and drive down risk to an acceptable level, and that level can vary risk-by-risk.

“We [humans] are horrible at thinking about risk,” said Links. “If an event is high probability, low consequence, we ignore the risk. If it is low probability, high consequence, we over-perceive the risk. And so if you are trying to right-size risk management, you have to start by thinking about the psychology of risk perception, and you have to get very explicit in your conversations and try to get a bit more rigorous about defining the level of risk, your appetite for the risk, and the optimum level of management control.”

After the keynote and guest speakers concluded, attendees broke into sessions that took a deeper dive into a variety of topics ranging from IT security to Title IX compliance.

At the presentation on research risk, Catherine Breen, Senior Director, Office for Sponsored Programs, and Ara Tahmassian Ph.D., Chief Research Compliance Officer, outlined the various levels of laws and regulations that place ever-increasing burdens on researchers, administrators, and staff. Researchers must abide by regulations at multiple government levels and at the University level. This requires vigilance in assessing, mitigating, and monitoring risks inherent in conducting funded research. Breen and Tahmassian urged researchers to ask questions and to use the support services provided by the University to navigate complex agreements.

According to Christian Hamer, Harvard’s Chief Information Security Officer, who facilitated the IT offering, awareness is the most important defense against the daily cyber attacks on the University. Though Harvard implements powerful technologies to deter hackers, Hamer said each user of the Harvard network plays a role in security. His advice: use different passwords for your Harvard and personal accounts, change them often, and pay attention to alerts from Harvard Information Security.

Some of the greatest risks addressed at the symposium were in the international space. “There are Harvard people operating outside the U.S. all the time,” said Jorge Dominguez, Vice Provost for International Affairs and facilitator of the International Risk workshop. “That is the Harvard of today and the associated risks are something we think about every day. We can’t just try to be clever and think about all the risks out there, we need to hear from those experiencing it.”

According to Dominguez, security risks, mitigating risks associated with any number of illnesses contracted overseas, awareness of local laws and customs, and protection of data are just a few of the areas Harvard Global Services takes very seriously to facilitate global engagement of students, faculty, and staff.

In all the lecture halls, one thing was clear: risks are everywhere, and we make lots of decisions every day that are really risk-benefit or cost-benefit decisions. What we know today is not enough for tomorrow; there will be new risks and we have to be continually vigilant.

“Warning: I am about to put on my faculty hat,” said Links. “Without me, there ain’t no you.” The crowd responded with laughter. “Mission activities that are faculty driven are why there are universities in the first place. Faculty are the ones executing the programs and they have to be an integral part of the solutions. We need to build conscious venues for honest conversations between faculty and administration.”

“You have to have courage,” he said, “and a certain level of trust, but it pays off.”