for Enterprise Risk Management
Prepared by: Shannon Sinclair
Version: 1.2
Document Id:
Date:
Release Date
TABLE OF CONTENTS
1. Background
2. Objectives
3. Scope
   3.1 Inclusions
   3.2 Exclusions
4. Key Project Deliverables
5. Project Authority
   5.1 Authorization
   5.2 Project Manager
   5.3 Staffing
6. Management Approach
   6.1 Quality Management
   6.2 Risk Management
7. Charter Approvals
8. Appendix
   8.1 Project Schedule
1. Background

According to the EDUCAUSE article "Leveraging Enterprise Risk Management: Opportunity for Greater Relevance", colleges and universities were asked to begin Enterprise Risk Management (ERM) programs during the first decade of the 21st century. As a result of these requests and of financial pressures, public and private institutions have been implementing ERM business processes to support strategic and annual planning as well as major new initiatives.

Risk management is happening sporadically across campus, with varying perceptions of Mines' risk appetite. This was identified through a 7-question survey of 16 participants across three areas. The survey was intended to provide a pulse of where we are as an Institution. It also identified that there was no common meaning of risk across campus, as well as challenges and barriers to risk management, including lack of tools, resources, training, collaboration, knowledge, and authority.

According to the Committee of Sponsoring Organizations of the Treadway Commission, Enterprise Risk Management (ERM) is a process, effected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, manage risk to be within its risk appetite, and provide reasonable assurance regarding the achievement of entity objectives. It provides structure to avoid downside risk and take advantage of upside risk.

The basic steps of ERM include:
- identification of risks,
- assessment of the likelihood and impact on the institution,
- aggregation and integration of risks,
- development of a risk management plan, and
- measuring, tracking and communicating risks.
Benefits include:
- Developing a holistic and cohesive system aimed at achieving Mines objectives
- Enhancing decision making and purposeful resource allocation
- Assisting management in making informed decisions regarding risk
- Fostering collaboration through an organization-wide risk language
- Breaking down barriers between departments and supporting beneficial change
- Improving understanding of the interrelated impacts of risk at Mines

Without ERM there could be an inconsistent definition of risk, haphazard decision making, silos, challenges to managing risk, and unidentified emerging risks. ERM is intended to advance the mission, vision, core values and strategic and business objectives of the Institution to enhance overall performance. It should become a mindset that is ingrained in our decision making process throughout campus.

2. Objectives

- Define acceptable levels of risk (e.g., Mines Risk Appetite) by August 31, 2017.
- Determine the ERM framework to be followed by the Institution by October 31, 2017.
- Perform the first round of risk assessment at the University level (risks identified, prioritized, and management response plans) by March 31, 2018.
- Develop Key Risk Indicators (KRIs) by June 30, 2018.
- Report to the Finance & Audit Committee (FAC) by fall 2018.
- Expand the team for the second phase implementation of department-level risk assessment (risks identified, prioritized, and management response plans) by March 31, 2019.

3. Scope

3.1 Inclusions

While ERM is an on-going process, for purposes of this project the scope will be defined as follows. The ERM Advisory will initially consist of a core group of members across campus (~12 participants). The team will receive training on ERM and will develop a definition and framework for ERM that fits Mines operations. The team will perform the risk assessment(s), aggregate the results and determine the most critical risks to the Institution, and determine response plans. KRIs will be developed for monitoring and decision making. The process will then be expanded and monitored on an ongoing basis. Plans will be developed to communicate and engage the Mines community in ERM to embed risk thinking into the culture and mindset of its constituents. Resources will also be available.

3.2 Exclusions

- No impact to current systems.
- Management of all risks at every level of the organization.
- State risk management will not be included, beyond participation on the team.

4. Key Project Deliverables

The deliverable due dates are indicated in Section 8.1: Project Schedule.
Key Deliverable: Project Charter
  Acceptance Criteria:
    - Core team agrees that it defines the project appropriately
    - It is in the accepted format
  Approval By: ERM Advisory

Key Deliverable: Project Plan
  Acceptance Criteria:
    - Core team agrees that it defines the project appropriately
    - It is in the accepted format
  Approval By: ERM Advisory

Key Deliverable: Requirements document
  Acceptance Criteria:
    - Core team agrees that it defines the project appropriately
    - It is in the accepted format
  Approval By: ERM Advisory

Key Deliverable: Risk Appetite Definition
  Acceptance Criteria:
    - Statement or guidelines that reflect the tolerance for risk the Institution is willing to take, which is accepted by Executive Leadership
  Approval By: Executive Leadership

Key Deliverable: ERM Framework
  Acceptance Criteria:
    - Structured framework based on established guidelines that is repeatable for any department or area
    - Operationally fits the Mines environment
    - Acceptable to Executive and Senior Leadership
  Approval By: ERM Advisory

Key Deliverable: Risk assessment
  Acceptance Criteria:
    - Documentation of the risk register (top risks), considering impact and likelihood
    - Mines leadership agrees with the overall assessment

Key Deliverable: Response plans
  Acceptance Criteria:
    - Documentation of the response plans
    - Mines leadership agrees with the response plans

Key Deliverable: Presentation of top risks (e.g., critical, high)
  Acceptance Criteria:
    - Summary of risks (format to be determined: heat map, list, balanced scorecard, etc.)
    - Mines leadership agrees with the identified risks

Key Deliverable: Development of KRIs
  Acceptance Criteria:
    - Metrics that can be monitored to facilitate decision making
    - Mines leadership agrees with KRIs

Key Deliverable: Report to FAC
  Acceptance Criteria:
    - Summary of project status
  Approval By: Executive Leadership

5. Project Authority

5.1 Authorization

This Charter has been initiated by the Office of Internal Audit and authorizes the use of organizational resources to accomplish the objectives of the project.

5.2 Project Manager

The Director of Internal Audit will administer and oversee this project on a day-to-day basis. The Director will not be assuming a management role (e.g., making decisions on behalf of the institution or being accountable for risk management), but rather facilitating, coaching, coordinating, reporting, and championing the project.

5.3 Staffing

- Project Manager: Director of Internal Audit*
- ERM Advisory
  o Academic Affairs representation*
  o Student Life representation*
  o Administration & Operation representation*
- Other needed input
  o Communications and Marketing (consultation)
  o Consideration of technology and related support
  o Additional departments and units to subsequently join the ERM Advisory team
  o Work study (possible web development, other tasks)

* Core team

Staffing for Mines roles will be drawn from existing staff. The ERM Advisory team will meet on a regular basis (frequency to be determined) and will perform tasks between meetings. One-off meetings will be scheduled depending on project needs.

6. Management Approach

6.1 Quality Management

There are two governing frameworks for ERM: the International Organization for Standardization (ISO) and the Committee of Sponsoring Organizations (COSO).

ISO 31000:2009, Risk management - Principles and guidelines, provides principles, a framework and a process for managing risk. Using ISO 31000 can help increase the likelihood of achieving objectives, improve the identification of opportunities and threats, and effectively allocate and use resources for risk treatment. It provides guidance for internal programs. Institutions using it can compare their risk management practices with an internationally recognized benchmark, providing sound principles for effective management and corporate governance.

COSO's ERM Integrated Framework accommodates different viewpoints and enhances strategies and decision-making. It also sets out core definitions, components and principles, and provides direction for all levels of management involved in designing, implementing, and conducting enterprise risk management practices.

The presiding framework will be selected by the team during the project. However, neither ISO nor COSO has specific quality management requirements. As such, lessons learned will be assessed by the participants at the end of phase 1 and changes will be made to the process going forward. Feedback / evaluation will be requested from the stakeholders of the process to assess value.

6.2 Risk Management

Risk will be managed throughout the project, with initial risks being identified and monitored going forward.
The initial risks identified include:
1. Personnel resources will not be available to accomplish project work.
2. Development of a risk definition and framework may take longer than expected.
3. Risk definition and framework may not fit the Institution's environment.
4. Processes or systems will not be available or efficient for managing the documentation.
5. Tools/resources will not be readily available.
6. Lack of collaboration to identify interrelated risks.
7. Selection of KRIs that do not facilitate decision making.
7. Charter Approvals

Project                     Date
Project Manager             Date
8. Appendix

8.1 Project Schedule

Deliverable                                                                               Target Date
Determine need for centralized ERM process; make recommendation                          12/31/2016
Socialize the ERM idea and identify participants for ERM Advisory                         2/28/2017
Approval of project management documents including charter, plan, and requirements        3/31/2017
Train participants on risks and controls                                                  4/30/2017
Formalize mission, objectives, goals                                                      5/31/2017
Define Mines risk appetite; get buy-in from Executives                                    8/31/2017
Training / Development of Mines framework to assess risk                                  10/31/2017
Perform initial risk assessment (University-wide top risks)                               2/28/2018
Prioritize risks and develop/obtain response plans                                        3/31/2018
Monitor performance and reporting                                                         6/30/2018
Communication of risk and status to campus and leadership                                 Ongoing