ENTERPRISE RISK MANAGEMENT

Transcription

1 ENTERPRISE RISK MANAGEMENT

2 PROFILE AND BACKGROUND JOHN TOSCANO, CPA, PARTNER John Toscano, CPA is a partner with CohnReznick LLP and leads the Firm s Independent School Initiative. John brings more than 25 years of experience and leads the Educational Institution Industry Segment of the Firm s Not-for-Profit and Education Industry Practice in New England. He also has experience providing accounting, auditing, tax and consulting services to a wide variety of industries including manufacturing, construction and not-for profit organizations. John s primary focus throughout his career has been in servicing independent schools and institutions of higher education. During that time he has consulted on topics and issues such as financial statement presentation, tuition revenue recognition, accounting software use and implementation, endowment accounting and reporting, Form 990 compliance and corporate governance. He developed this focus through years of hands-on involvement with each of his clients. John is regularly called upon by industry associations and other organizations to present on emerging trends and has been recognized for his professional accomplishments as a past recipient of the Hartford Business Journal s 40 under 40 award. He is also active in the community and volunteers his time to various organizations. 2

3 PROFILE AND BACKGROUND KATHLEEN E. DION, ESQ Kate Dion is a member of Robinson+Cole s Litigation Section and Educational Practice team. She practices in the areas of civil litigation, government investigations, internal corporate investigations and appellate law. She represents clients in a variety of industries including education, technology, manufacturing, health care, and waste management services. Kate s courtroom experience ranges from federal and state jury trials, restraining orders, evidentiary hearings, and appeals before the Second Circuit and state appellate courts. Kate has represented colleges, universities, and independent schools located in Connecticut, Massachusetts and Great Britain in a variety of disputes, including claims of sexual abuse, libel, and collection actions. Kate is active on the Board of Directors of several non-profits. Currently, she is serving as chair of the governance committee of Longmeadow Montessori Internationale and is the vicepresident of the Longmeadow Educational Excellence Foundation. 3

4 HEADLINES HOW IS YOUR SCHOOL MANAGING? Chinese Students Seeking An Edge Head To Connecticut Schools Is your child less likely to be bullied in a private school? 16 Connecticut Schools Named in Boston Globe Sex Abuse Story Jury awards $41.7M to student disabled on field trip to China 4

5 WHAT IS ENTERPRISE RISK MANAGEMENT? By Definition: COSO defines Enterprise Risk Management as a process, effected by an entity s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives 5

6 WHAT IS ENTERPRISE RISK MANAGEMENT AT AN INDEPENDENT SCHOOL? Holistic view of managing risk through the creation of a campus-wide culture where all individuals maintain a heightened awareness. Everyone is a Risk Manager -Chris Duble, CEO Fred C. Church 6

7 THE ERM FRAMEWORK Geared toward achieving the School s objectives and relates to its mission, set forth in the following categories: Operational Strategic Risk Types Compliance Financial Reputational 7

8 THE 5 RISK TYPES 1. Operational Risk that affects on ongoing management process. 2. Compliance Risk that relates to externally imposed laws and regulations as well as with internally imposed policies and procedures concerning safety, conflict of interest and the like. 3. Reputational Risk that affects a school s reputation, brand or both. 4. Financial Risk that may result in a loss of assets. 5. Strategic Risk that affects an organization s ability to achieve it s goals. 8

9 ENTERPRISE-WIDE RISK ASSESSMENT PROCESS 9

10 ENTERPRISE-WIDE RISK ASSESSMENT PROCESS Who should participate/lead? Head of School CFO/Business Manager Trustees Others? Crucial to assemble a broad range of expertise Take care not to make the overall committee too large Should have a champion(s) for each of the 5 risk types 10

11 ENTERPRISE-WIDE RISK ASSESSMENT PROCESS Inventory Strategic Imperatives/Mandates Identify strategic imperatives/mandates Identify must achieve objectives Identify key risks to their achievement Assess Inherent Risk and Mitigations Rate and rank identified risks Assess key controls to mitigate risks Assess inherent risk and plan validation Assess Residual Risk and Exposure Validate/test mitigations, remediate, retest Assess residual risk and report exposure Continuous monitoring and enhancement 11

12 IDENTIFYING RISK -EXAMPLE SUMMARY OF TOP RISKS FOR INDEPENDENT SCHOOLS Enrollment High Risks Moderate Risks Acceptable Risks Student Activities in and out of the classroom, including: Conflict of Interest Trustees and Management Human Resources Strategic Planning Fiscal Monitoring and Financial Reporting Athletics Succession Planning Corporate Governance Field Trips and International Travel Whistleblower Policies and Procedures Procurement Residence halls Study Abroad Marketing and Communication Boundary training Social Media Cash Management Cyber Security Tax Matters E-commerce Construction Management Preventing Fraud, Waste and Abuse Crisis Management Investment Management Fundraising Facilities Management Strategic Planning 12

13 A PROCESS FIT FOR ALL SCHOOLS LARGE OR SMALL Keep it manageable Make a list Prioritize Work on 5-10 at a time Heat map/matrix Assign probability of occurrence and likely impact What you can measure you can manage Build credibility around the process Leverage information from Peer Schools and Resources You don t have to start from scratch Make it a regular agenda item 13

14 WHO IS RESPONSIBLE FOR ERM? Employees Senior Management Audit Committee Board of Directors/Trustees 14

15 ROLES AND RESPONSIBILITIES BOARD OF DIRECTORS/TRUSTEES - OVERSIGHT: Actively collaborating with management in discussions of risk Influencing and concurring with the entity s risk philosophy and risk appetite Determining that overall strategy and strategic decisions are in alignment with the entity s risk appetite and philosophy Ascertaining the extent to which management has established effective enterprise risk management in the entity Reviewing the entity s portfolio view of risk and considering it in relation to the entity s risk appetite Being apprised of the most significant risks and ascertaining whether management is responding appropriately 15

16 ROLES AND RESPONSIBILITIES AUDIT (and RISK) COMMITTEE: Extension of the Board in providing oversight Work with management to understand and agree on types, frequency and format of risk information that the Board will review Review risk information prior to its presentation to the full Board Receive quarterly updates on enterprise risk and status of risk response Periodically assess the risk oversight process (on behalf of the Board) 16

17 ROLES AND RESPONSIBILITIES SENIOR MANAGMENT: Head of School: Lead the setting of strategic objectives for the Organization and related discussions Inspire and foster support of ERM process Others: Demonstrate full commitment to ERM process Support the Executive Director/President Through interview process, annually identify risks and opportunities that may affect the achievement of the Organization s objectives 17

18 ROLES AND RESPONSIBILITIES EMPLOYEES: Understand: The risks related to their roles and responsibilities How the management of risk relates to the success of the Organization How management of risk helps them to achieve their goals and objectives Their accountability for particular risks and how they can manage them How they can contribute to continuous improvement of risk management The risk management is a key part of an organization s culture The need to report in a systematic and timely way to senior management any perceived new or emerging risks and any failures of existing control measures 18

19 RISK MANAGEMENT PROGRAM CONSIDERATIONS Develop internal controls that mitigate virtually all risk Identify areas where insurance can be purchased to protect from loss Cyber insurance Self insurance vs. commercial carriers Develop policies and procedures Conflict of Interest Whistleblower Collection of delinquent accounts Gift Acceptance Conduct annual risk assessment Establish/outsource an internal audit function 19

20 ORGANIZATIONAL IMPACT OF RISK MANAGEMENT PROGRAMS Assessment and monitoring of risk is a dynamic and continuous process Operational Changes (structure; leadership; activities) Emerging issues Regulatory environment Requiring on-going investment Insurance coverage Resources Governance structure and fiduciary responsibility By-laws Role of Board/Audit Committee Communication 20

21 SOME ERM BEST PRACTICES 1. Connectivity with the School s mission 2. Place on the Board s strategic agenda - think proactively and long-term 3. Establish an Audit Committee or Clarify Audit Committee s Role in Risk Management O VERSIGHT 4. Conduct Internal Risk Management Audit, Monitor Regularly, Update Annually 5. Implement critical policies and update regularly 6. Review and benchmark results on a peer to peer basis 7. Review and benchmark employee benefits/retirement plans 21

22 CURRENT ERM ISSUES Student Safety Accessible areas Concussions Travel Contact (both with adults and student to student) Conflicts of Interest - actual or perceived conflicts Regulatory Compliance Tax compliance (compensation and related benefits) FLSA Mandatory reporter laws Fundraising Gift acceptance/collectability of pledges Viability of capital campaigns Misuse of designated funds Traditions 22

23 HAVE YOU EVER CONDUCTED AN ENTERPRISE RISK MANAGEMENT ASSESSMENT? Taken from the CohnReznick 2015 Not-for-Profit Governance Survey 23

24 THANK YOU AND BE CAREFUL OUT THERE 24