Risk, Compliance, and Controls: A Three-Pronged Approach

Publication Date: December 6, 2022

When it comes to risk management and compliance, the knowledge of three groups is better than one. At least, that has been the experience of Case Western Reserve University (CWRU or university). We have taken a three-pronged approach to risk, compliance, and controls. Internal Audit, co-sourced with Deloitte & Touche LLP (Deloitte[1]); Enterprise Risk Management (ERM); and Compliance are the three units that work together to safeguard the university’s community and assets.

Deloitte has been engaged by CWRU for over 10 years and assists in developing and executing the annual internal audit workplan and performing special, one-off reviews based on emerging areas of risk or potential for control deficiencies. ERM, which is headed by the University’s Director of Audit Services, takes a holistic approach to risk on a university-wide level. ERM identifies the university’s top ten risks, understands how CWRU is trying to mitigate them and predicts how they affect our operations and strategic plans. As these risks are often interconnected, we try to have a deeper understanding of their complexity so that we can mitigate or accept the risk. Lastly, the compliance function is headed by the Chief Compliance Officer, who reports to the Office of General Counsel. Compliance helps ensure that departments on campus understand their obligations from a legal and risk-based standpoint.

There are myriad benefits to this triumvirate approach. Having three separate departments look at risk and controls gives a broader perspective of the organization’s activities and brings a multidisciplinary approach to problem-solving. The different backgrounds allow for coverage of a wide swath, with ERM focusing on strategy and operations, Internal Audit on internal controls, and Compliance on regulatory matters. These separate points of view allow us to see which issues may be on the horizon and which others may be starting to fade into the background. For instance, at CWRU, the Compliance Program leads the University on export controls compliance. When issues of undue foreign government influence rose in visibility over the past few years, Compliance brought that issue to the group. During the height of the COVID-19 pandemic, ERM was deeply involved with operational risks on campus relating to the rules of the road for faculty, staff, and students. Now that the pandemic has become more of a known, managed risk, we have been able to shift its ranking to one that is less urgent. In annual internal audits performed by Deloitte, we learn whether and how the controls are working around areas that we are tracking in ERM and Compliance, such as the management of grants or endowment stewardship.

Not all risk is bad, and discussions within the group have prompted us to see which risks might represent opportunities. For example, the need to shift university operations and activities because of the pandemic allowed us to see new opportunities. Online learning, and the skills we gained from adapting to new modes of learning, have blossomed in the pandemic’s wake. Each of our three unique offices has seats at different tables across campus, which has allowed us to disseminate our message regarding a risk-intelligent tone at the top and a culture of compliance. Over the years, this has sunk in at various levels, and university community members now consult our departments when risk or control situations arise where they might not have done so in the past. This, of course, can be seen as a very good cultural shift on campus.

Annually, we perform a large risk assessment that is led by Internal Audit, with the support and participation of ERM and Compliance. The assessment usually is performed between the end of summer and the beginning of the academic year in early fall. We gather insights through live meetings with some groups (in person and virtually) and surveys for others, depending on risk profile and department size. This process usually touches roughly 30 unique departments, schools, and units on campus. Some years we add additional units or drill down deeper within a department if issues arise that warrant it. For individuals we speak with in person, some pre-determined questions on the risk topics are sent ahead of time to the attendees, which allows them time to reflect on what they are seeing in their departments, schools, and the university as a whole. In the meetings, the discussions organically move into various areas of concern and risk management practices. This process has come to be seen on campus as a safe space for people to express their thoughts and opinions. We have found that participants do not hold their concerns back, which is a good way to get many “real items” out on the table. We perform ad-hoc follow-ups during the year to see if there have been any changes to what people are seeing or hearing and always leave the door open for individuals to come to us with their concerns or ideas.

The annual risk assessment meetings inform and drive Internal Audit’s testing program for the year. The broad risk discussions and survey results help Internal Audit identify which auditable risks are top of mind for leaders. The risk assessment process also helps inform Internal Audit on areas where current control and process gaps may exist or where controls may be designed appropriately but are not consistently operating effectively. Having the perspectives from ERM and Compliance also helps Internal Audit prioritize the risk universe and develop a risk-based internal audit workplan. Internal Audit also gathers insights from ERM and Compliance on their upcoming initiatives and workplans. By working together on the risk assessment and sharing our plans, we can cover a broad spectrum of risk and avoid duplicating efforts or overwhelming stakeholders.
ERM benefits from these annual risk meetings in that they help refine the organization’s most significant risks.

Our ERM program is specifically designed to capture and monitor risks holistically for the university. While the program is formally updated three times a year, we generally reach out to key stakeholders more often throughout the year to get a sense of current or impending changes. We measure risk to the university by its expected impact, probability, outlook, and maturity of mitigation preparedness. It is also important to see how the risk has altered over time. The ERM program is meant to be dynamic, as the university changes and the environment we operate in also changes. Sometimes risks are added because they have become heightened, and sometimes they are removed from the top of the list as they shuffle towards the background as circumstances on campus change.

The annual risk assessment meetings help Compliance identify vulnerabilities in compliance functions across the organization. They give Compliance “eyes and ears” across a wide swath of campus, ensuring that if any new compliance-related risks are on the horizon, the appropriate unit is managing them. Compliance works continually with departments to ensure that areas with significant compliance requirements and risks make improvements and keep important metrics top of mind. The office has created an internally used dashboard system to keep track of progress within fifteen key compliance areas at the university. Tracked items include the assignment of oversight responsibilities, appropriate policies and procedures, compliance training and education, monitoring of compliance with policies, and violation investigations. We have found this to be a very successful method of tracking and quantifying risk related to compliance.

This in-depth and three-pronged approach to risk, compliance, and controls has become a cornerstone in our ability to view and process risk on campus. It can be easy to fall into the trap of siloed offices and walled-off environments within a university, but this integrated and open method has allowed us to move forward and create new paths that could not have existed otherwise. The end goal is always to safeguard the university from unnecessary risk while allowing those risks which will let us flourish to be monitored and handled with well-placed guardrails. It is an enjoyable process that brings a sense of satisfaction and security to our campus.


[1] As used in this document, “Deloitte” means Deloitte & Touche LLP, which provides audit and enterprise risk services. Deloitte & Touche LLP is a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.

About the Authors

Elizabeth Walton

Elizabeth Walton is a Senior Manager at Deloitte with a primary focus in Internal Audit (IA) transformation and IT Internal Audit within the higher education industry. She has focused on the design and development of IA programs as well as identifying, testing and designing internal controls over key IT and business processes.

Lisa Palazzo

Lisa Palazzo is the University Chief Compliance and Privacy Officer for Case Western Reserve University. A compliance professional for ten years, before entering the compliance field Palazzo had a career in private legal practice and the publishing industry.

Rose Kelly

Rose Kelly is the Director of Audit Services for Case Western Reserve University. An audit, risk management and financial reporting professional, Rose had a career in public accounting and corporate financial reporting before joining the higher education field seven years ago.

Tina Griffiths

Tina Griffiths is a Managing Director with Deloitte’s Higher Education practice. For the last 21 years, Tina has provided internal audit strategy, co-sourcing and outsourcing, compliance and risk management services to public and private higher education institutions.