National Underwriter - April 16, 2012

business face. What complicates ours is we have people who spend a lot of time in foreign countries, we have people who are constantly moving via air, and we have one of the most labor-intensive risks within an organization: a hospital. So when you put that all together, it creates a medley, a “vegetable soup” mix of risks we have to be flexible enough to manage.

When we’re talking about our hospital, we’re looking at your standard hospital exposures: We’re dealing with needle sticks; we’re dealing with combative patients; we’re dealing with back injuries. At the university, it’s really slips and falls and the occasional [incident] in a laboratory where someone gets a respiratory infection due to the inhalation of a chemical. But they don’t happen very often; the exposures here at the university are very small compared to the exposures at our medical center.

Being the head risk manager at a major university entails a huge number of challenges. But also, I imagine, a great deal of professional satisfaction. What do you enjoy most about the job?

Every day I come to work and the issues are different. The world is continually changing, the NYU world is continually changing, and that constant change is very good.

But even more satisfying than that is we can actually sit down and talk to people and come up with a safe way for them to accomplish what they’re out to do. So we can have researchers complete their investigations in a safe manner. So a film student who has a lot of red flags in a film can complete his or her film and get a good grade and go on to become a famous director.

Remember, students and faculty don’t do what they do every day behind a desk, whether they’re in primary education or they’re involved in university research or the development of new products. We need to make sure all of their goals can be worked toward, and that we don’t say no. Because if we say no, the university doesn’t get to meet its ultimate goal of having people excel in their chosen field. It’s very easy to say no, and we don’t want to say no.

You’re known as a leader not only in enterprise risk management, but also in the emerging field of strategic risk management. What are your latest efforts here?

From a strategic perspective, I’m talking to the visionaries of the university in senior management to get their ideas of where NYU is going to be moving to in the next three to five years. And we’re beginning to develop the risk map for that.

And between the hospital and the fact that you’re storing very sensitive student-education records, I imagine that Cyber Liability is a growing concern for you?

Cyber Liability is a huge concern for the university because we are maintaining not only student records, which contain their grades, but we have personal information such as checking account numbers, Social Security numbers, addresses, names of parents.

And likewise we have HIPAA-protected information both here at Washington Square in our student-health facility and up at our medical center. So maintaining all of those medical records and the confidentiality of the records that are protected under HIPAA from a cyber attack is a great concern to the organization.

We routinely employ organizations to come and hack our systems, and we look at the vulnerability of those reports and work very quickly to ensure that people aren’t able to hack our systems.

The other big Cyber exposure is the proliferation of smartphones and laptop computers where people take this information and are now mobile. We are moving toward an encryption methodology for all those devices. The medical center is already there.

“I’m talking to the visionaries of the university in
senior management to get their ideas of where NYU is
going to be moving to in the next three to five years.
And we’re beginning to develop the risk map for that.”

Our faculty and staff around the globe are really starting to actively embrace enterprise risk management. It’s a change-management process getting people to alter the way they think, to change the way they operate and to get them to understand that risk management is really not about insurance—it’s about everything that brings risk to the university. And our job is to be proactive, to be out there every day preaching the virtues of risk management and to move our enterprise program forward.

My senior managers ask me how long it takes to get the enterprise-risk program to maturity. And my stock answer is the program never matures because we continue to move forward, and the risks continue to evolve. New risks come on; the old risks get mitigated and become part of the normal business operations of the organization.

What about educating the next generation of risk managers? What’s the best advice you could give to someone who’s just starting out in the RM field?

I’ll make this a really easy answer: Jump in feet first, get yourself wet, and get immersed in all aspects of an organization’s operations. Learn it from the ground up, meaning learn the risk-transfer piece and continually build from there. Learn the claims, learn the underwriting, look at the enterprise-risk-management program. Understand how your organization works internally. What are its current goals? Future goals?

And continue to build your education. Networking and education is invaluable from a risk-management perspective. The world is continually changing; our profession is continually changing. In order for us to stay relevant as risk managers, we need to continue to change and morph as the world and our organizations change. NU