ENTERPRISE RISK MANAGEMENT AND COMPLIANCE PROGRAM PROGRAM DESCRIPTION

Transcription

1 ENTERPRISE RISK MANAGEMENT AND COMPLIANCE PROGRAM Business and Administrative Services January 2010 (Revised January 2012)

2

3 PURPOSE The Enterprise Risk Management and Compliance Program (ERMCP) is intended to provide the campus with an effective infrastructure and processes to identify and manage significant risks, including the risk of non-compliance with laws, regulations, policies, and contractual obligations. By doing this, the campus will be better assured of successfully and consistently fulfilling its mission and strategic objectives, which include the following: To be the best public university for the quality of the education it provides students (Chancellor Blumenthal s Inauguration Ceremony, June 6, 2008) To be a top-ranked research university (Chancellor Blumenthal s Inauguration Ceremony, June 6, 2008) To give UCSC undergraduates the knowledge and intellectual tools to prepare them for the world they will live and work in (Chancellor Blumenthal s Inauguration Ceremony, June 6, 2008) To foster a mutually beneficial relationship between the campus and the community (Currents July 27, 2009) To be an environmentally sustainable campus (Currents, Interview with Chancellor Blumenthal April 3, 2008) To employ relevant and effective business management practices INTEGRATION OF ENTERPRISE RISK AND COMPLIANCE The Santa Cruz campus has established the ERMCP to support its enterprise risk management initiative and its ethics and compliance program using a comprehensive, integrated approach. This approach is designed to leverage limited campus resources. The illustration below shows how the campus views the relationship between risk, compliance, and success in achieving its mission and strategic objectives. The Risk, Compliance and Success Cycle RISK IDENTIFICATION Process fails or, ideally, a new risk to achieving campus objectives is self- identified RISK CONTROL Policies and procedures, combined with training, are designed or updated to manage the risks SUCCESS! Process operates successfully in support of achieving campus strategic objectives MONITORING Procedures are monitored for effectiveness and the individuals using them for compliance 1

4 RESPONSIBILITIES The following chart outlines the relationship between the various UC and Santa Cruz campus committees, groups, and units that are key parties to the ERMCP. It provides an overview of how pertinent information needed to assess and act on risk and compliance issues is expected to flow in a timely and effective manner to the responsible parties. UC REGENTS Providing general guidance related to UCwide ethics and compliance efforts; and monitoring progress UC Ethics and Compliance Services Office Program UC-wide compliance priorities Reporting on campus compliance efforts UC OFFICE OF THE PRESIDENT UC Enterprise Risk Management Initiative UC Risk Services Office provides general guidance, tools, and information related to the UC-wide enterprise risk management initiative SANTA CRUZ CAMPUS Monitoring and strategic management of significant UCSC risks, including those Analysis of risk mitigation plans and compliance reporting, and forwarding of significant items to the Executive Committee. Compilation and assessment of significant risks, and reporting to and from the CECO and process groups Maintenance of policies, procedural controls, and monitoring processes necessary to manage risks to acceptable levels Enterprise Risk Management and Compliance Program Executive Committee Strategic direction Enterprise Risk Management and Compliance Program Management Committee Strategic direction Campus Ethics and Compliance Officer (VC-BAS) and Select Advisors Process Owners Reporting on significant risks Reporting, and analysis and recommendation to adopt plans Reporting, and analysis and recommendation to adopt plans Risk identification, analysis, and management process perspective Analysis and reporting on campus risk assessment and management activities Strategic direction Process Governance Groups 2

5 The ERMCP Management Committee plays a key role in supporting the Executive Committee/CECRC and the Campus Ethics and Compliance Officer in the following ways: 1. INFORMATION CONDUIT. Serve as the conduit for communicating enterprise risk, and ethics and compliance issues between the Campus Ethics and Compliance Officer and the Executive Committee/CECRC and units, committees, and workgroups responsible for maintaining policies and procedures, and ensuring compliance 2. ANALYSIS. Provide the Executive Committee/CECRC with analysis of current and newly identified risks whose significance poses a threat to the campus ability to effectively achieve its campus mission and strategic objectives 3. MONITORING AND REPORTING. Monitor and report on significant risks, and the activities and initiatives aimed at managing them to the Executive Committee/CECRC 4. SUPPORT. Support the risk management and compliance activities of process owners and campus units by providing standards for understanding, assessing, reporting, and managing risks 3

6 APPROACH The success of the ERMCP is dependent on effectively identifying and assessing all significant risks from an integrated, campus-wide perspective. The following illustrates the programs and activities that are responsible for identifying significant campus risks and compliance-related issues: RISK AND COMPLIANCE ISSUES INFORMATION SOURCES GOVERNANCE COMMITTEES AND WORKGROUPS CENTRAL OFFICE PROCESS OVERSIGHT INTERNAL AUDIT PROGRAM IDENTIFIED RISK AND COMPLIANCE ISSUES INCIDENTS AND PROCESS FAILURES RISK SERVICES OFFICE REPORTING RISK ASSESSMENTS 4

7 The following illustrates how the Santa Cruz campus intends to identify, track, analyze, report, and effectively manage these significant risk and compliance issues: Risk and compliance focus Likelihood of success in managing enterprise risk and ensuring compliance Role and Perspective Broad-based, campus-wide Very High ERMCP Executive Committee/ CECRC and Campus Ethics and Compliance Officer The Executive Committee/CECRC and Campus Ethics and Compliance Officer provide 1. Leadership to the program and establishes the appropriate tone-atthe-top for the campus 2. Monitor, manage, and report on, and the effectiveness of compliance program, and significant campus risks 3. Prioritizes and supports activities and initiatives intended to manage risks to acceptable levels ERMCP Management Committee The Management Committee provides 1. Key risk management information to the Executive Committee 2. A campus-wide perspective in analyzing and prioritizing risks 3. The capability to detect broader-scale risks not easily recognizable at the process-level 4. Standards for process owners to use in identifying, reporting, and managing risks Process Owners and related Governance Groups Process owners and related governance groups 1. Identify significant risks and compliance issues in the processes ( silos ) they oversee 2. Assess the risks, including compliance related issues, from a process-specific perspective Process (Silo)-based, unit-level Very Low 5

8 MANAGEMENT COMMITTEE SCOPE AND COMPOSITION Strategic, balanced representation on the ERMCP Management Committee will facilitate the rollup of risk and compliance issues that originate and are identified in the normal course of business within distributed units, central campus units, governance committees or workgroups, or from the results of campus monitoring activities, such as internal audits and investigations: CAMPUS-WIDE RISK ASSESSMENT, MONITORING AND AUDITING COMMITTEE REPRESENTATION Internal audit director RISK AREAS MONITORED/ MANAGED BY INDIVIDUAL CAMPUS UNITS COMMITTEE REPRESENTATION EVC Office / Info Practices/Privacy. Conflict of interest/info practices coordination/privacy Ethical behavior Title IX/Sexual Harassment Information protection and information technology security ITS client services and security director ERMCP MANAGEMENT COMMITTEE RISK AREAS MONITORED/ MANAGED JOINTLY RISK AREAS MONITORED/ MANAGED BY CENTRAL CAMPUS OFFICES COMMITTEE REPRESENTATION Financial compliance Campus controller Human resource compliance /whistleblower/title IX SHR Asst VC Student welfare, conduct, and financial aid services compliance Colleges, Housing and Educational Services Asst VC COMMITTEE REPRESENTATION Safety, emergency management, business continuity, liability, property and key personnel risk Public Safety and Risk Services AVC, Police chief, Fire Chief, Risk services director Health, safety, environmental compliance and loss prevention EH&S director Research compliance Research compliance director 6