business face. What complicates ours is
we have people who spend a lot of time
in foreign countries, we have people who
are constantly moving via air, and we have
one of the most labor-intensive risks within
an organization: a hospital. So when you
put that all together, it creates a medley, a
“vegetable soup” mix of risks we have to be
flexible enough to manage.
When we’re talking about our hospital,
we’re looking at your standard hospital
exposures: We’re dealing with needle
sticks; we’re dealing with combative
patients; we’re dealing with back
injuries. At the university, it’s really slips
and falls and the occasional [incident]
in a laboratory where someone gets
a respiratory infection due to the
inhalation of a chemical. But they don’t
happen very often; the exposures here at
the university are very small compared
to the exposures at our medical center.
Being the head risk manager at a major university
entails a huge number of challenges. But also, I
imagine, a great deal of professional satisfaction.
What do you enjoy most about the job?
Every day I come to work and the issues
are different. The world is continually
changing, the NYU world is continually
changing, and that constant change is
But even more satisfying than that is
we can actually sit down and talk to
people and come up with a safe way
for them to accomplish what they’re
out to do. So we can have researchers
complete their investigations in a
safe manner. So a film student who
has a lot of red flags in a film can
complete his or her film and get a
good grade and go on to become a
Remember, students and faculty
don’t do what they do every day behind
a desk, whether they’re in primary
education or they’re involved in
university research or the development
of new products. We need to make sure
all of their goals can be worked toward,
and that we don’t say no. Because if
we say no, the university doesn’t get to
meet its ultimate goal of having people
excel in their chosen field. It’s very easy
to say no, and we don’t want to say no.
You’re known as a leader not only in enterprise
risk management, but also in the emerging
field of strategic risk management. What are
your latest efforts here?
From a strategic perspective, I’m talking to
the visionaries of the university in senior
management to get their ideas of where
NYU is going to be moving to in the next
three to five years. And we’re beginning to
develop the risk map for that.
And between the hospital and the fact
that you’re storing very sensitive student-education records, I imagine that Cyber
Liability is a growing concern for you?
Cyber Liability is a huge concern for the
university because we are maintaining
not only student records, which contain
their grades, but we have personal
information such as checking account
numbers, Social Security numbers,
addresses, names of parents.
And likewise we have HIPAA-protected information both here at
Washington Square in our student-health
facility and up at our medical center. So
maintaining all of those medical records
and the confidentiality of the records
that are protected under HIPAA from
a cyber attack is a great concern to the
We routinely employ organizations to
come and hack our systems, and we look at
the vulnerability of those reports and work
very quickly to ensure that people aren’t
able to hack our systems.
The other big Cyber exposure is
the proliferation of smartphones and
laptop computers where people take
this information and are now mobile.
We are moving toward an encryption
methodology for all those devices. The
medical center is already there.
“I’m talking to the visionaries of the university in
senior management to get their ideas of where NYU is
going to be moving to in the next three to five years.
And we’re beginning to develop the risk map for that.”
Our faculty and staff around the globe
are really starting to actively embrace
enterprise risk management. It’s a change-management process getting people to
alter the way they think, to change the
way they operate and to get them to
understand that risk management is
really not about insurance—it’s about
everything that brings risk to the
university. And our job is to be proactive,
to be out there every day preaching the
virtues of risk management and to move
our enterprise program forward.
My senior managers ask me how long
it takes to get the enterprise-risk program
to maturity. And my stock answer is the
program never matures because we continue
to move forward, and the risks continue to
evolve. New risks come on; the old risks get
mitigated and become part of the normal
business operations of the organization.
What about educating the next generation
of risk managers? What’s the best advice you
could give to someone who’s just starting out
in the RM field?
I’ll make this a really easy answer: Jump in
feet first, get yourself wet, and get immersed
in all aspects of an organization’s operations.
Learn it from the ground up, meaning learn
the risk-transfer piece and continually build
from there. Learn the claims, learn the
underwriting, look at the enterprise-risk-management program. Understand how
your organization works internally. What
are its current goals? Future goals?
And continue to build your education.
Networking and education is invaluable
from a risk-management perspective.
The world is continually changing; our
profession is continually changing. In order
for us to stay relevant as risk managers, we
need to continue to change and morph as
the world and our organizations change. NU