State University of New York
Enterprise Risk Management

Overview of Current Risk Management Activities & Proposed ERM Framework

Attachment B

Prepared by the Office of the University Auditor, March 6, 2014

Upload: phamtram

Post on 21-Mar-2018

218 views

Category:

Documents


4 download

TRANSCRIPT

Prepared by the Office of the University Auditor March 6, 2014

State University of New York Enterprise Risk Management

Overview of Current Risk Management Activities & Proposed ERM Framework

Attachment B

ENTERPRISE RISK MANAGEMENT
Table of Contents

Overview of Risk .......... 3
SUNY’s Risk Management Activities .......... 6
Overview of ERM & Current Trends .......... 10
Proposed ERM Framework for SUNY .......... 13
Closing Thoughts .......... 20

ENTERPRISE RISK MANAGEMENT
Overview of Risk

An organization needs to have processes in place to IDENTIFY, ASSESS, and MANAGE its risks and opportunities.

RISKS & OPPORTUNITIES

Strategic, Financial, Operational, Compliance, Reputational

ENTERPRISE RISK MANAGEMENT
Overview of Risk and Examples

• Strategic: risks that affect SUNY’s ability to achieve its strategic goals and objectives.

• Financial: risks that may result in a loss of assets.

• Operational: risks that affect on-going management processes.

• Compliance: risks that affect compliance with laws, regulations, policies and procedures.

• Reputational: risks that affect SUNY’s reputation or brand.

ENTERPRISE RISK MANAGEMENT
SUNY’s Risk Management Activities

SUNY’s Current Risk Management Activities

• Managed throughout the system by numerous individuals and departments, but with no formal, defined process.

• Ad-hoc responses to events when required.

• Informal process for assigning roles and responsibilities for various risks and determining risk ownership.

Examples of SUNY’s Risk Management Activities

AUDIT FUNCTION

• Conducts an Annual Risk Assessment (operational and compliance areas).
• Audit results identify weaknesses in operations and instances of non-compliance.

COMPLIANCE PROGRAM

• Compliance Committee – 12 members from key operational and financial areas.
• Workgroups by key functions – assess laws, regulations, and ethical obligations; and identify and mitigate related risks.
• Inventory of compliance requirements.

INTERNAL CONTROL PROGRAM

• Verifies the system of internal controls for key functions (operational controls).
• Inventory of assessable units to identify and mitigate risks.

HOSPITAL COMPLIANCE PROGRAMS

• Required to maintain a compliance program.
• Includes risk assessment of key activities.

INFORMATION SECURITY PROGRAM

• Information Security Guidelines – apply risk management to information and system assets.
• Incorporates risk analysis that looks for well-known threats.

ANTI-FRAUD PROGRAM

• Fraud Policy – sets the tone of zero tolerance for fraud and irregularities and requires campuses to establish hotlines.
• Fraud Procedure – process may identify risks that are reported to senior management.

EXTERNAL AUDIT ACTIVITIES

• Results of external audit activities that identify risks are communicated to the appropriate individuals by the Office of the University Auditor.

RESPONSE – INTERNAL EVENTS

• Ad-hoc committees are formed to evaluate the appropriateness of the response and to assess current related policies and procedures.

RESPONSE – EXTERNAL EVENTS

• Ad-hoc committees are formed to evaluate SUNY’s exposure to the type of risk identified and to assess current related policies and procedures.

ENTERPRISE RISK MANAGEMENT
Overview of ERM & Current Trends

Enterprise Risk Management (ERM) supports the achievement of strategic objectives through the establishment of a formal and continuous process that is designed to identify, assess, and manage risks and opportunities.

WHY ENTERPRISE RISK MANAGEMENT?

• Assists SUNY in meeting its strategic goals and objectives;
• Provides an opportunity to coordinate and focus SUNY’s numerous risk management activities;
• Creates a “risk-aware” culture;
• Provides a formal mechanism for responding to significant events; and
• Enhances collaboration and communication throughout the system.

Higher Education Trends

• Several higher education institutions are employing some form of ERM.
• Framework varies: stand-alone ERM, or ERM incorporated into risk management services, audit services, compliance, or the environment, health, and safety office.
• Several institutions employ a risk officer and have a risk management office.
• A few institutions have an ERM “policy” – most have statements regarding risk management activities and assignment of responsibility.

Examples

University of California
• Risk Services Office (35 employees).
• ERM Panel (comprised of 35 senior level officers and directors).
• Information system for capturing risk management activities.
• Provides training and resources.

University of North Carolina
• Risk Management Services (4 employees).
• Information system for capturing risk data.

University of Vermont
• Chief Risk Officer, President’s Advisory Committee on ERM, ERM Advisory Committee, and Risk Assurance Group.

ENTERPRISE RISK MANAGEMENT
Proposed ERM Framework for SUNY

Implementing ERM at SUNY


KEY STEPS FOR ESTABLISHING AN ERM FRAMEWORK AT SUNY

• Assign responsibilities for risk management.

• Incorporate “risk” and “control” topics into the Compliance Committee and Workgroup Responsibilities. Rename the Compliance Committee and Workgroups to the “Risk, Internal Controls, and Compliance Committee (RICC).”

• Hire a Risk Management Coordinator at System Administration to coordinate risk management activities within the RICC.


• Assign an individual at each campus (internal control coordinator, risk manager, or other) with the responsibility for coordinating risk management activities.

• Assign a Senior Level Officer to participate in the RICC. This individual will communicate senior level initiatives to the RICC and will also communicate the results of RICC findings and activities to senior level officials.

• Provide periodic reports on risk management activities to the Audit Committee of the SUNY Board of Trustees.


Organization chart (indentation shows reporting lines, top to bottom):

Audit Committee of the Board of Trustees
  Chancellor’s Cabinet & Senior Staff
    RICC Committee
      12 – Chairs and Co-chairs of the RICC Workgroups
      1 – Member of the Chancellor’s Cabinet
      Risk Management Coordinator / Director of Compliance / Internal Control Officer
        Campus-based Risk Coordinators / Campus Compliance Efforts / Campus Internal Control Officers
      RICC Workgroups
        1 – Employment-Related & HR
        2 – Finance/Procurement
        3 – Student-Related
        4 – Environmental Health & Safety
        5 – Research
        6 – Healthcare
        7 – International
        8 – Information Technology & Systems

RICC Committee workgroups: Employment-Related & HR; Finance & Procurement; Information Technology & Systems; Research; International; Environmental Health & Safety; Healthcare; Student-Related.

MANAGING THE PROCESS

RICC Committee and Workgroup Responsibilities Related to ERM

• Develops the risk management framework;
• Determines risk ownership;
• Evaluates the results of risk assessments;
• Proposes strategies for managing and responding to key risks;
• Communicates the results of risk management activities to the Chancellor and Board of Trustees.

Risk Management Coordinator – Drives the Process

• Coordinates risk activities with the campuses.
• Coordinates risk activities with the compliance, audit, and internal control offices.
• Maintains the risk inventory.
• Provides risk training and resources to the SUNY community.
• Assists in developing responses to key risks.
• Prepares reports on risk activities.
• Communicates results of risk activities to the RICC Committee.

Campus-based Risk Managers (Alternative – Internal Control Officers)

• Reports risk management activities to the Risk Management Coordinator.
• Aligns campus risk management activities with SUNY’s ERM Program.
• Coordinates risk management activities.
• Ensures departmental units are identifying, analyzing, and managing risks.
• Communicates identified risks from other sources to appropriate campus departments.
• Provides training and resources to campus employees on risk management.

ENTERPRISE RISK MANAGEMENT
Closing Thoughts

Key steps to implement an ERM framework include:

1. Developing a policy that sets the tone for SUNY’s commitment to risk management, internal controls, and compliance.

2. Implementing procedures that outline the framework, assign responsibilities for key activities, and define risk reporting relationships.

3. Communicating SUNY’s ERM framework to the SUNY system.

4. Providing training on risk management across the SUNY system.

EVERYONE IS INVOLVED IN ENTERPRISE RISK MANAGEMENT