Prepared by the Office of the University Auditor March 6, 2014
State University of New York Enterprise Risk Management
Overview of Current Risk Management Activities & Proposed ERM Framework
Attachment B
ENTERPRISE RISK MANAGEMENT
Table of Contents
• Overview of Risk
• SUNY’s Risk Management Activities
• Overview of ERM & Current Trends
• Proposed ERM Framework for SUNY
• Closing Thoughts
Overview of Risk
An organization needs to have processes in place to IDENTIFY, ASSESS, and MANAGE its risks and opportunities.
RISKS & OPPORTUNITIES
• Strategic
• Financial
• Operational
• Compliance
• Reputational
Overview of Risk and Examples
• Strategic: Risks that affect SUNY’s ability to achieve its strategic goals and objectives
• Financial: Risks that may result in a loss of assets
• Operational: Risks that affect on-going management processes
• Compliance: Risks that affect compliance with laws, regulations, policies and procedures
• Reputational: Risks that affect SUNY’s reputation or brand
SUNY’s Risk Management Activities
SUNY’s Current Risk Management Activities
• Managed throughout the system by numerous individuals and departments, but no formal, defined process.
• Ad-hoc responses to events when required.
• Informal process for assigning roles and responsibilities for various risks and determining risk ownership.
Examples of SUNY’s Risk Management Activities
AUDIT FUNCTION
• Conducts an Annual Risk Assessment (operational and compliance areas).
• Audit results identify weaknesses in operations and instances of non-compliance.
COMPLIANCE PROGRAM
• Compliance Committee – 12 members from key operational and financial areas.
• Workgroups by key functions – assess laws, regulations, and ethical obligations; and identify and mitigate related risks.
• Inventory of compliance requirements.
INTERNAL CONTROL PROGRAM
• Verifies system of internal controls for key functions (operational controls).
• Inventory of assessable units to identify and mitigate risks.
HOSPITAL COMPLIANCE PROGRAMS
• Required to maintain a compliance program.
• Includes risk assessment of key activities.
INFORMATION SECURITY PROGRAM
• Information Security Guidelines – applies risk management to information and system assets.
• Incorporates risk analysis that looks for well-known threats.
ANTI-FRAUD PROGRAM
• Fraud Policy – sets the tone of zero tolerance for fraud and irregularities and requires campuses to establish hotlines.
• Fraud Procedure – process may identify risks that are reported to senior management.
EXTERNAL AUDIT ACTIVITIES
• Results of external audit activities that identify risks are communicated to the appropriate individuals by the Office of the University Auditor.
RESPONSE – INTERNAL EVENTS
• Ad-hoc committees are formed to evaluate the appropriateness of the response and to assess current related policies and procedures.
RESPONSE – EXTERNAL EVENTS
• Ad-hoc committees are formed to evaluate SUNY’s exposure to the type of risk identified and to assess current related policies and procedures.
Overview of ERM & Current Trends
Enterprise Risk Management (ERM) supports the achievement of strategic objectives through the establishment of a formal and continuous process that is designed to identify, assess, and manage risks and opportunities.
WHY ENTERPRISE RISK MANAGEMENT?
• Assists SUNY in meeting its strategic goals and objectives;
• Provides an opportunity to coordinate and focus SUNY’s numerous risk management activities;
• Creates a “risk-aware” culture;
• Provides a formal mechanism for responding to significant events; and
• Enhances collaboration and communication throughout the system.
Higher Education Trends & Examples
• Several higher education institutions are employing some form of ERM.
• Framework varies: stand-alone ERM or ERM incorporated into risk management services, audit services, compliance, or environment, health, and safety office.
• Several institutions employ a risk officer and have a risk management office.
• A few institutions have an ERM “policy” – most have statements regarding risk management activities and assignment of responsibility.
University of California
• Risk Services Office (35 employees).
• ERM Panel (comprised of 35 senior level officers and directors).
• Information system for capturing risk management activities.
• Provide training and resources.
University of North Carolina
• Risk Management Services (4 employees).
• Information system for capturing risk data.
University of Vermont
• Chief Risk Officer, President’s Advisory Committee on ERM, ERM Advisory Committee, and Risk Assurance Group.
Proposed ERM Framework for SUNY
KEY STEPS FOR ESTABLISHING AN ERM FRAMEWORK AT SUNY
• Assign responsibilities for risk management.
• Incorporate “risk” and “control” topics into the Compliance Committee and Workgroup responsibilities. Rename the Compliance Committee and Workgroups to the “Risk, Internal Controls, and Compliance Committee (RICC).”
• Hire a Risk Management Coordinator at System Administration to coordinate risk management activities within the RICC.
• Assign an individual at each campus (internal control coordinator, risk manager, or other) with the responsibility for coordinating risk management activities.
• Assign a Senior Level Officer to participate in the RICC. This individual will communicate senior level initiatives to the RICC and will also communicate the results of RICC findings and activities to senior level officials.
• Provide periodic reports on risk management activities to the Audit Committee of the SUNY Board of Trustees.
PROPOSED ERM FRAMEWORK – STRUCTURE
Audit Committee of the Board of Trustees
Chancellor’s Cabinet & Senior Staff
RICC Committee
• 12 – Chairs and Co-chairs of the RICC Workgroups
• 1 – Member of the Chancellor’s Cabinet
Risk Management Coordinator; Director of Compliance; Internal Control Officer
Campus-based Risk Coordinators; Campus Compliance Efforts; Campus Internal Control Officers
RICC Workgroups
1 – Employment-Related & HR
2 – Finance/Procurement
3 – Student-Related
4 – Environmental Health & Safety
5 – Research
6 – Healthcare
7 – International
8 – Information Technology & Systems
RICC Committee
• Employment-Related & HR
• Finance & Procurement
• Information Technology & Systems
• Research
• International
• Environmental Health & Safety
• Healthcare
• Student-Related
MANAGING THE PROCESS
RICC Committee and Workgroup Responsibilities Related to ERM
• Develops the risk management framework;
• Determines risk ownership;
• Evaluates the results of risk assessments;
• Proposes strategies for managing and responding to key risks;
• Communicates the results of risk management activities to the Chancellor and Board of Trustees.
Risk Management Coordinator – Drives the Process
• Coordinates risk activities with the campuses.
• Coordinates risk activities with compliance, audit, and internal control offices.
• Maintains risk inventory.
• Provides risk training and resources to the SUNY community.
• Assists in developing responses to key risks.
• Prepares reports on risk activities.
• Communicates results of risk activities to the RICC Committee.
Campus-based Risk Managers (Alternative – Internal Control Officers)
• Reports risk management activities to the Risk Management Coordinator.
• Aligns Campus risk management activities with SUNY’s ERM Program.
• Coordinates risk management activities.
• Ensures departmental units are identifying, analyzing, and managing risks.
• Communicates identified risks from other sources to appropriate Campus departments.
• Provides training and resources to Campus employees on risk management.
Closing Thoughts
Key steps to implement an ERM framework include:
1. Developing a policy that sets the tone for SUNY’s commitment to risk management, internal controls, and compliance.
2. Implementing procedures that outline the framework, assign responsibilities for key activities, and define risk reporting relationships.
3. Communicating SUNY’s ERM framework to the SUNY system.
4. Providing training on risk management across the SUNY system.
EVERYONE IS INVOLVED IN ENTERPRISE RISK MANAGEMENT