University of California Risk Services. Enterprise Risk Management Resources

Transcription

1 University of California Risk Enterprise Risk Management Resources

2 What is Enterprise Risk Management? Enterprise Risk Management (ERM) is defined by the Committee of Sponsoring Organizations (COSO) as "a process, effected by an entity's board of directors, management and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. 2

3 UC ERM HISTORY Regents adopt COSO framework (1996) Controller positions established at each campus (late 1990s) Several campuses develop ERM initiatives (2004 present) Chief Risk Officer (CRO) position established (December 2004) ERM Panel formed to develop an ERM strategy (June 2005) KPMG selected to review existing programs and data and identify what components of the ERM framework exists and what processes or programs needed in order for UC to move forward with the implementation of ERM (2006) IBM Cognos Software selected for UC ERM Data Warehouse Website developed Resources deployed Maturity model 3

4 Recognition for UC ERM Program UC was the first non-financial institution to receive credit agency acknowledgement of our Enterprise Risk Management Program: The UC has implemented a system-wide enterprise risk management information system, which, in our opinion, is a credit strength. Standard & Poor s RatingsDirect on the Global Credit Portal, September 9, 2010 APQC (the American Productivity and Quality Center), the leading non-profit organization focused on quality improvement and benchmarking, selected the University of California as one of the top 5 Best-Practice Organization in Enterprise Risk Management out of over 300 global organizations. 4

5 Recognition for UC ERM Program UC is known as a center of excellence for Enterprise Risk Management. During 2010, the Risk website was visited by more than 128,000 unique visitors, including institutions of higher education and Fortune 100 companies, from more than 200 countries. The department has become a center of excellence and has assisted numerous organizations with their ERM programs, including private and public institutions of higher education, government agencies, and corporations of varying sizes both domestically and internationally. 5

6 A Strategic View of Risk UC Office of Risk strategy is to ensure that the solutions we deploy are focused on results: creating efficiency, reducing the cost of risk, improving the cost of borrowing, and reducing IT and operational redundancy. Improve Cost of Borrowing Create Efficiency Reduce Cost of Risk Improve Cost of Borrowing Reduce IT and Operational Redundancy 6

7 The foundation of UC s Enterprise Risk Management (ERM) program is to have people actively manage their various risks Everyone is a Risk Manager. The University utilizes a multifunctional approach that attacks the University s entire portfolio of risk by utilizing a host of different tools, workgroups, and initiatives. Our solutions allow the University to take on new opportunities and, by managing risk strategically, ensure optimum outcomes. We have learned that by focusing on developing tools and processes that address a broad array of risks, both frequent and infrequent yet catastrophic ( black swans ), small and large, we create a more efficient and effective program. 7

8 UC ERM Solution Set 8

9 UC ERM Maturity Work Plan The ERM Maturity Work Plan has been enhanced since its implementation three years ago, adding consistency to the assessment and systemwide reporting on the maturity of the ERM Program. Campuses collaborated and agreed two years ago to begin assessing maturity of the ERM Initiative Goals. The Initiative Goals define what the ERM Program is to achieve in the long-term. The growth can be seen in the summary tables presented below. TABLE 1. CHANGE IN AVERAGE MATURITY RATINGS, JANUARY 2011-SEPTEMBER INITIATIVE GOALS ERM Components Initiative Goals Initiative Goals (Sept 2011) (Jan 2011) Internal Environment/Objective Setting Event Identification/Risk Assessment Risk Response/Control Activities Information & Communication Monitoring

10 UC ERM Tool Kit Dashboards Surveys Forms UC Action Risk Assessment Financial Controls UC Ready Resources Monthly Webinars 10

11 11

12 Insert OPRS Main Page 12

13 13

14 ERMIS Dashboard Ready Risk Assessments ERMIS Dashboard-Ready Risk Assessments The UCOP Office of Risk now offers four Excel based workbooks intended to support ERMIS Dashboard users in their assessment of risks related activities. These tools have been designed to provide insight from multiple perspectives, including: A budget change perspective A control perspective A key risk and mitigation perspective for new programs or initiatives A program risk review perspective Once populated, the data from each of these tools can be exported and integrated directly into the ERMIS for future reference and historical trend analysis. 14

15 Standard Risk Assessment Templates Standard Risk Assessment Templates In addition to the "Dashboard- Ready" Risk Assessment Templates, there are several other templates available. These include: Control Self Assessment (pdf) University of California Hazard Vulnerability Assessment (doc) IT Risk Assessment (pdf) Risk Survey Template (doc) Sample Project Risk Assessment (doc) Risk Ranking Tool (xls) ERM Case Study (pdf) 15

16 Risk Assessment: New Initiative Risk Review Tool This workbook will help you consider the strategic, financial, operational, compliance, reporting, and reputational risks associated with a new initiative or project. It will not make decisions for you, but it will help you organize your thinking as you consider your initiative or project's enterprise risk management implications. This tool will enable you to assess the following for each set of objectives: Risks associated with each set of objectives Probability of those risks impacting the objectives Potential impacts of those risks Strategies for mitigating, controlling, or otherwise addressing those risks Individual(s) responsible for executing the strategies identified 16

17 Risk Assessment: New Initiative Risk Review Tool 17

18 ERM Key Risks and Mitigation Plan Welcome to the ERM Key Risks and Mitigation Plan workbook. This workbook will help you consider the strategic, financial, operational, compliance, reporting, and reputational risks associated with a new initiative or project. Not all initiatives or projects will have risks in all six areas, so you should not feel compelled to put something on every worksheet. This workbook will not make decisions for you, but it will help you organize your thinking as you consider your initiative or project's enterprise risk managment implications. Identify the following for each set of objectives: Risks associated with each set of objectives Probability of those risks impacting the objectives Potential impacts of those risks Strategies for mitigating, controlling, or otherwise addressing those risks Individual(s) responsible for executing the strategies identified Before you begin, please complete the identifying information at the top of this page and save this workbook in a secure location with an appropriate, unique name. This will minimize confusion if multiple workbooks are completed. Use the button below to get started. When you have completed the worksheet, you may export the data into a new workbook and save your information in comma separated value file (.csv) for use in the University's Enterprise Risk Management Information System (ERMIS) by coming back to this page and selecting the "Export" button when you're done. Project/Initiative description: UC Location: Department/College: Person(s) completing this workbook: Date workbook completed: Project Information 18

19 Strategic Objectives Financial Objectives Operational Objectives Compliance Objectives Reputational Objectives Reporting Objectives Return to Introduction Graph Evaluating Risks Strategic Risks (Use this space to identify those risks that could impair accomplishing identified objectives) Likelihood Severity Impact Accountability (Use this space to describe what (Use this space to identify who is would happen if the identified risk responsible for monitoring this actually occurred.) activity.) Low Low Very high Very high Strategic Objectives 1. (Use this space to list your strategic objectives.)

20 Severity Strategic Objectives Financial Objectives Operational Objectives Compliance Objectives Reputational Objectives Reporting Objectives Strategic Strategic Return to Introduction Evaluating Risks Financial Compliance Reputationa Reporting This chart is a graphical representation of the different types of risks identified during your assessment. The larger the bubble, the higher the number of risks identified. The closer the bubble moves to the upper-right hand corner of the graph, the higher the estimated impact and likelihood. Operational Frequency Likelihoo Likelihood d Likelihood Severity

21 Get Started! All done? Click here to export your data to an ERMIScompatible.csv format. Also, you can click here to view your data in a printerfriendly summary format. Printerfriendly Summary

22 Program Risk Review Similar to the Key Risk and Mitigation workbook above, this workbook will help you consider the strategic, financial, operational, compliance, reporting, and reputational risks associated with an existing initiative or project. Unlike the New Initiative Risk Review Workbook, this workbook is focused on existing initiatives or projects, rather than new ones, and will also take into consideration the effectiveness of existing controls and help the user estimate their residual risk. This workbook will not make decisions for you, but it will help you organize your thinking as you consider your initiative or project's enterprise risk management implications. This workbook enables you to assess the following for each set of objectives: Risks associated with each set of objectives Controls used to monitor risks such as reports and dashboards Frequency of the monitoring of controls Strategies for mitigating or otherwise addressing those risks Individual/department(s) responsible for executing the strategies identified 22

23 Program Risk Review using ERM Welcome to the Program Risk Review using ERM workbook. This workbook will help you consider the strategic, financial, compliance, operational, reputational, and reporting risks associated with ongoing programs. This workbook will not make decisions for you, but it will help you organize your thinking as you consider your initiative or project's enterprise risk managment implications. Not all programs will have objectives in all of these areas, (e.g. - not all programs will have compliance objectives) but each category should be considered. Identify the following for each set of objectives: Risks associated with each set of objectives Controls used to monitor risks such as reports and dashboards Frequency of the monitoring of controls Strategies for mitigating or otherwise addressing those risks Individual/department(s) responsible for executing the strategies identified Before you begin, please complete the identifying information at the top of this page and save this workbook in a secure location with an appropriate, unique name. This will minimize confusion if multiple workbooks are completed. Use the button below to get started. Also, be sure to document the scale parameters used completing this workbook on the tab provided. When you have completed the worksheet, you may export the data into a new workbook and save your information in comma separated value file (.csv) for use in the University's Enterprise Risk Management Information System (ERMIS) by coming back to this page and selecting the "Export" button when you're done. Project/Initiative description: Project Information UC Location: Department/College: Person(s) completing this workbook: Date workbook completed: Get Started! All done? Click here to export your data to an ERMIS-compatible.csv format. Also, you can click here to view your data in a printer-friendly summary format. Printer-friendly Summary 23

24 Unit Risk Assessment Workbook This workbook will help you consider the factors affecting the risks faced by your Campus or Medical Center location. It will help you compare the benefits and risks of each option so you can make informed decisions. This tool shall support data collection and analysis activities for the following subject areas: Event Likelihood Financial Severity Reputational Impact Severity Time to Impact Injury Severity 24

25 Financial Controls SAS 112/115* establishes standards and provides guidance to external financial auditors on communicating matters related to an entity's internal control over financial reporting identified in an audit of financial statements. In particular, SAS 112/115: Defines the terms "significant deficiency" and "material weakness" incorporating the definitions already in use for public companies Provides guidance on evaluating the severity of control deficiencies identified in an audit of financial statements Requires the auditor to communicate in writing, to management and those charged with governance such as the University Board of Regents, significant deficiencies and material weaknesses identified in an audit 25

26 UC Tracker Financial Controls A work group, consisting of representatives from UC San Diego and IBM, has developed a web based tool, called UC Tracker, to facilitate the review and documentation of key department controls as required by SAS 112/115*. Key internal controls, such as ledger review and equipment inventory, require hundreds of employees at each campus to perform controls and certify effectiveness. Evidences of performance and certification currently reside in various campus departments requiring the maintenance of many files and the transfers of significant amounts of paper to central offices. UC Tracker eliminates the need for maintaining certification files and sending certifications to central offices. It can also reduce the need for files documenting the performance of several key controls. UC Tracker includes a notification system to remind performers and certifiers that it is time to perform or certify a control and to alert higher level management when a control is not performed or certified timely. A webbased dashboard in UC Tracker provides campus management with a complete and current status of the performance and certification of key controls. 26

27 UC Action 27

28 DEPARTMENT SCHOOL CAMPUS SYSTEMWIDE Risk How UC Action works within COSO framework Event Identification Users identify that an event has occurred Risk Assessment Users evaluate the risk for impact and likelihood should the event recur Control Activities Based on the results of the risk assessment, identify and implement appropriate control activity Information and Communication Ensure all appropriate individuals are informed of the controls and provided information to ensure continued compliance Monitoring Revisit established controls on an ongoing basis to ensure they are effective, functioning as designed and that they continue to provide relevant protection to the organization. STRATEGIC OPERATIONS REPORTING Internal Environment Objective Setting Event Identification Risk Assessment Risk Response Control Activities Information & Communication Monitoring COMPLIANCE 28

29 Budget Changes Work Book 29

30 Impact of Occurrence Risk Risk Assessment Traditional Heat Map High G C A Unacceptable A B C D E F G Med Low E Acceptable Caution B D Low Med High Likelihood of Occurrence F 30

31 Impact Very Low Low Medium High very High Risk Workbook Heat Map Impact & Likelihood Very Low Low Medium High Very High Likelihood 31

32 Control Structure Assessment Tool Rating Values Risk Assessment Impact Likelihood Existing Control Effectiveness Very High Complete 0.95 High 12 8 Significant 0.90 Medium 9 6 Substantial 0.75 Low 6 4 Moderate 0.60 Very Low 3 2 Minor 0.30 Minimal

33 Control Structure Assessment Tool Rating Values Additional Controls Control Effectiveness Maximum Effectiveness 0.95 Control Removed Significant Improvement 0.90 Significant Decrease Substantial Improvement 0.75 Substantial Decrease Moderate Improvement 0.60 Moderate Decrease Minor Improvement 0.30 Minor Decrease Minimal Improvement 0.10 Minimal Decrease No Change

34 Calculation of Risk Ratings Risk Rating with Current Controls RCURRENT = (I + L) * (1 CCURRENT) Risk Rating After Changes to Controls RCHANGE = RCURRENT * (1 CCHANGE) Where: I - Impact L - Likelihood CCURRENT - Existing Control Effectiveness CCHANGE - Change to Control Effectiveness 34

35 Impact Very Low Low Medium High very Hign Adequate Control Significant, Substantial Significant, Substantial Significant Significant Complete, Significant Significant, Substantial Significant, Substantial Significant, Substantial Significant Significant Substantial, Moderate Significant, Substantial Significant, Substantial Significant, Substantial Significant, Substantial Substantial, Moderate Substantial, Moderate Substantial, Moderate Significant, Substantial Significant, Substantial Substantial, Moderate, Minor Substantial, Moderate, Minor Substantial, Moderate Substantial, Moderate Significant, Substantial Very Low Low Medium High Very High Likelihood

36 Impact Very Low Low Medium High very Hign Possible Over-Controlled Complete Complete Complete Complete N/A Complete Complete Complete Complete Complete Complete, Significant Complete Complete Complete Complete Complete, Significant Complete, Significant Complete, Significant Complete Complete Complete, Significant Complete, Significant Complete, Significant Complete, Significant Complete Very Low Low Medium High Very High Likelihood

37 Impact Very Low Low Medium High very Hign Possible Under-Controlled Moderate Moderate Substantial, Moderate Substantial, Moderate Substantial Moderate Moderate Moderate Substantial, Moderate Substantial, Moderate Minor, Minimal Moderate, Minor Moderate Moderate Moderate Minor, Minimal, Minor, Minimal Minor Moderate, Minor Moderate Minimal, Minor, Minimal, Minor, Minimal Moderate, Minor Very Low Low Medium High Very High Likelihood

38 Impact Very Low Low Medium High very Hign Under Controlled Minor, Minimal, Minor, Minimal, Minor, Minimal, Minor, Minimal, Moderate, Minor, Minimal, Minor, Minimal, Minor, Minimal, Minor, Minimal, Minor, Minimal, Minor, Minimal, Minimal, Minor, Minimal, Minor, Minimal, Minor, Minimal, N/A Minimal, Minimal, Minor, Minimal, N/A N/A N/A Minimal, Very Low Low Medium High Very High Likelihood

39 Resources Overview Tackling an ERM program can be a daunting task, and though there is a multitude of information available on the Web, it is difficult to know where to start. To help facilitate this process, we have compiled some helpful resources and organized them as follows: Contact the ERM Help Desk What is ERM? How do I get started? Tools and Templates ERM at UC ERM in the News Other Miscellaneous Resources 39

40 Additional Resources 40

41 41

42 Contact Information Terri Kielhorn, JD, LLM Director, Professional Medical & Hospital Liability University of California Office of the President 1111 Franklin Street Oakland, CA (office) 42