Enterprise Risk Management One University s Approach. Assessing and Managing Risks at Texas A&M University

Similar documents
Enterprise Risk Management. Assessing and Managing Risks at Texas A&M University

Enterprise Risk Management, Compliance, and Management Advisory Services: An Integrated Approach. SCCE s Higher Education Compliance Conference

Strengthening Your Enterprise Risk Management Process

From Dictionary.com. Risk: Exposure to the chance of injury or loss; a hazard or dangerous chance

FY 2013 Internal Audit Annual Report

WORKFORCE SOLUTIONS TEXOMA POLICIES & PROCEDURES CHAPTER 7 - RISK ASSESSMENT

ACADEMIC DIVISION ENTERPRISE RISK MANAGEMENT (ERM) GARY NIMAX ASSISTANT VICE PRESIDENT FOR COMPLIANCE AND ENTERPRISE RISK MANAGEMENT

INTERNAL CONTROLS ON OUR CAMPUS. Kara Kearney-Saylor Director of Internal Audit, UB

Successful ERM Program Standards. Definitions of Enterprise Risk Management (ERM)

Internal Control at OSU COSO & Enterprise Risk Management. Oregon State University Board of Trustees Executive & Audit Committee Educational Session

ERM 101. Casualty Loss Reserve Seminar, Fall /5/ Practical Enterprise Risk Management (ERM) Agenda ERM 101 2

MANDATE OF THE CONDUCT REVIEW, GOVERNANCE & HUMAN RESOURCE COMMITTEE

MANDATE OF THE CONDUCT REVIEW, GOVERNANCE & HUMAN RESOURCE COMMITTEE

TEACHERS RETIREMENT BOARD. AUDITS AND RISK MANAGEMENT COMMITTEE Item Number: 9 SUBJECT: Scope and Structure of the Enterprise Compliance Program

Guide to Internal Controls

In Control: Getting Familiar with the New COSO Guidelines. CSMFO Monterey, California February 18, 2015

Enterprise Risk Management (ERM) How Internal Audit Can Add Great Value

Company LOGO C B T. An Educational Computer Based Training Program

Charter for Enterprise Risk Management

TO MEMBERS OF THE COMMITTEE ON COMPLIANCE AND AUDIT: DISCUSSION ITEM

Developing an Integrated Anti-Fraud, Compliance, and Ethics Program

Enterprise Risk Management Plan FY Submitted: April 3, 2017

Enterprise Risk Management Program Development Update. Finance & Audit Committee Meeting September 25, 2015

MPAC BOARD OF DIRECTORS MANDATE

METROPOLITAN TRANSPORTATION AUTHORITY

Texas Tech University System

Gleim CIA Review Updates to Part Edition, 1st Printing June 2018

Risk Management in the 21 st Century Ameren Business Risk Management

Performance Risk Management Jonathan Blackmore, May 2013

Enterprise Risk Management Framework

Fraud Risk Management

Office of Compliance Program Report

Catching Fraud During a Recession Through Superior Internal Controls. FICPA s 25 th Annual Accounting Show. J. Stephen Nouss September 29, 2010

San Francisco Chapter. Presented by Scott Perry - Slalom Consulting

TOR NAME Responsible Owner Effective date Technology Strategy Committee (TSC) Terms of Reference (TOR) College Board

Lya Villasuso OECD Corporate Affairs Division Response ed to: RE: Corporate Governance and the Financial Crises

COSO ERM: Integrating with Strategy and Performance. Michael Parkinson

Enterprise Risk Management Defined and Explained

B U S I N E S S R I S K M A N A G E M E N T L T D

Compliance, Internal Audit, and Risk Management: What do they look like at a Managed Care Plan?

Enterprise Risk Management (ERM) Program Primer

King lll Principle Comments on application in 2016 Reference Chapter 1: Ethical leadership and corporate citizenship Principle 1.

International Finance Corporation

FY17-FY18 Audit Plan. Office of Internal Auditing

UNIVERSITY OF COLORADO DEPARTMENT OF INTERNAL AUDIT 2018 AUDIT PLAN As of June 1, 2017

WHY YOU NEED AN ETHICS PROGRAM AND HOW TO GET STARTED TODAY

To: Identify your chief goals and objectives Identify risks Prioritize the risks to achieving objectives Determine which controls/processes to review

Risk Management Culture: The Linkage Between Ethics & Compliance and ERM September 14, 2009

Diving into the 2013 COSO Framework. Presented by: Ronald A. Conrad

Figure 1: COSO Enterprise Risk Management Cube

716 West Ave Austin, TX USA

Committee for Senior Business Administrators. Segregation of Duties

Office of Internal Auditing

The COSO Risk Framework: A reference for internal control? Transition from COSO I to COSO II

Policy and Procedures Date: November 5, 2017

The Current State of Risk Management Maturity for Belgian Organizations kpmg.com/be

Enterprise Risk Management at

Road to Self Governance

Office of Internal Auditing

The Role of the Chief Risk Office and the Board s Role in Risk Oversight

Guidance Note: Corporate Governance - Board of Directors. January Ce document est aussi disponible en français.

Enterprise Risk Management

SAMPLE BEC SuperfastCPA Review Notes

Compliance Risk Management

APS 330 Remuneration Disclosure

A Discussion About Internal Controls February 2016

An ACUA Whitepaper Presentation: A Practical Guide to Internal Audit Risk Assessments in Higher Education. Presenters

BOARD OF REGENTS AUDIT/COMPLIANCE AND INVESTMENT COMMITTEE 3 STATE OF IOWA FEBRUARY 6-7, 2013 INTERNAL AUDIT REPORTS ISSUED

9/17/2017. An Overview of COSO s New Framework and Implementation Guidance SPEAKER. Laura Harden, CPA History

Agenda. Enterprise Risk Management Defined. The Intersection of Enterprise-wide Risk Management (ERM) and Business Continuity Management (BCM)

Benchmarking 101: Shaping your E&C Program for Maximum Value

Aligning and Integrating ERM and Business Process. Federal ERM Summit September 9, :00-12:00

Board Mandate. 1. About the Mandate. 2. Responsibilities. Purpose

Advisory Services Governance, Risk & Compliance

The ERM Journey. Best practices and lessons learned. AFERM Summit 2014

AEC Corporate Governance Framework

KING III COMPLIANCE ANALYSIS

University Risk Management Topics Assigned to Committee

Risk Management Policy Arvind Infrastructure Limited

Internal Controls and Fraud Risks

THE WHATS, WHYS AND HOWS OF AN EFFECTIVE ETHICS PROGRAM

Leveraging Internal Audit and Corporate Compliance for Effective Risk Management

Executive Summary. Exhibit 1- Streamlined communication to the Board of Directors

FAU COMPLIANCE AND ETHICS PROGRAM

Integrating Corporate Compliance Programs into Enterprise Risk Management Programs

Corporate Governance Principles 2015

DeVry Approach to ERM

Control Environment Toolkit: Internal Audit Function

An Overview of the 2013 COSO Framework. August 2013

BOARD OF REGENTS AUDIT/COMPLIANCE AND INVESTMENT COMMITTEE 3 STATE OF IOWA OCTOBER 24-25, 2012 INTERNAL AUDIT REPORTS ISSUED

BAYLOR UNIVERSITY REPORT OF EXTERNAL AND INDEPENDENT REVIEW RECOMMENDATIONS. Take swift and certain action consistent with these recommendations.

VICE PRESIDENT OF INSTRUCTION Job Description

EXECUTIVE DIRECTOR OF FACILITIES AND PHYSICAL PLANT Job Description

APPLICATION OF KING III CORPORATE GOVERNANCE PRINCIPLES 2016

Treasury and Risk- Vision 2009 March 25 th, 2009 Michele L. Turner- Sr. Manager Operations Enterprise Risk Management (OERM)

Risk Management Strategy

Institute of Internal Auditors. Dallas Chapter August 6, 2009

Establishing Enterprise Risk Management in

Transcription:

Enterprise Risk Management One University s Approach Assessing and Managing Risks at Texas A&M University March 4, 2014

Objectives/Outline Overview of ERM Key elements and benefits ERM at Texas A&M University ERM and Compliance structure ERM 10 year implementation journey Strategies/tools to prioritize risks and evaluate mitigating activities 2

About Texas A&M University Texas first public institution of higher learning - opened Oct. 4, 1876 (Land, Sea, and Space-grant federal designations) Main campus located in College Station, Texas Health Science Center Other locations: Galveston, TX; Qatar; Costa Rica; Italy; Mexico Over 58,000 students, 2,750 faculty, and 5,500 employees; Over 850 student-led organizations Conduct research valued at over $700 million annually Large campus 5,100+ acres 600+ buildings and housing for 10,000 students golf course and an airport 4 utility plants and 2 waste water treatment facilities Mergers, acquisitions, and outsourcing Health Science Center (July 2013): College of Medicine, Dentistry, Nursing, Pharmacy Law School Outsourcing loss of 1,115 employees (Landscaping, Maintenance, Dining Services, Custodial) Part of a large System (11 Universities and the HSC, 7 agencies, 2 service units) 3

ERM Early Beginning In 1999, Management Advisory Services was established To assist management and respond to requests for objective consulting services In 2004, University Risk and Compliance was established Incorporated management advisory services with two new initiatives University Compliance Enterprise Risk Management 4

TAMU s University Risk and Compliance Office University Compliance Officer Coordinator for Title IX, ADA, and Web Accessibility Compliance Program Rules and SAPs Enterprise Risk Management Program Risk, Fraud & Misconduct Hotline Audit Liaison Management Advisory Services Code Maroon (Emergency Notification System) 5

URC Organizational Chart TAMU President Vice President for Finance and Administration Compliance Officer has direct/regular access to the CEO (System Regulation 16.01.01 System Ethics and Compliance) Associate Vice President and TAMU Compliance Officer Compliance Committee (Chair) Task Force for Campus Emergencies (Co-chair) Other University-Wide Committees ADA Compliance (ADA Coordinator and Chair) Title IX Compliance (Title IX Coordinator and Chair) Web Accessibility (Web Accessibility Coordinator and Chair) Clery Committee (Chair) Drug Free Schools and Communities Act (Chair) Rules Team (Chair) Enterprise Risk Management Margaret Zapalac, Director University Compliance Annette Wallis, Director ERM Management Advisor MAS Management Advisor Audit Liaison Management Advisor Compliance Projects Management Advisor Compliance Projects Management Advisor Rules/SAPs Management Advisor 6

ERM Definition (COSO) A process, affected by an entity s board of directors, management, and other personnel, applied in strategy setting across the enterprise, designed to identify potential events (risks) that may affect the entity and to manage risk to be within the entity s risk appetite (tolerance) to provide reasonable assurance regarding the achievement of the entity s objectives. 7

ERM and Compliance Drivers Management (CEO, Provost, CFO) Board Regents Audit Committees Auditors (Internal and External) Significant Events 8

COSO Eight ERM Components Interrelated/integrated with management processes - Internal environment (tone, philosophy, executive mgmt. commitment) - Objective setting (objectives align with mission and are within risk appetite) - Event identification (risks are identified from internal and external events) - Risk assessment (likelihood and impact analyzed) - Risk response (processes in place to manage, mitigating strategies to avoid, accept, reduce, transfer, share) - Control activities (policies and procedures to ensure risk response are effectively carried out) - Information and communication (relevant, effective, and timely) - Monitoring (on going management activities and separate evaluations) 9

NACUBO s Eight Key Elements Includes support from the top and involvement of personnel at all levels - Senior management commitment - Risk management owner (designate chief risk officer responsible to implement the ERM program) - ERM framework/process and common language - Communication (entity s objectives clearly defined and communicated throughout the organization-risks impact achievement of objectives) - Risk management process in place (ability to assess risks and take timely corrective action to mitigate risks) - Monitoring (Internal Audit involved; include also management, unit heads, Compliance Program personnel, etc.) - Human resources processes (establish accountability) - Effective training (able to mobilize staff) 10

Benefits of ERM (COSO) Aligning risk appetite and strategy Management considers the unit s risk appetite in evaluating strategic alternatives, setting related objectives, and developing mechanisms to manage related risks. Enhancing risk response decisions Enterprise risk management provides the standards to identify and select among alternative risk responses risk avoidance, reduction, sharing, and acceptance. Reducing operational surprises and losses Universities gain improved capability to identify potential events and establish responses, reducing surprises and associated costs/losses. Identifying and managing multiple and cross-enterprise risks Every enterprise faces a myriad of risks affecting different parts of the organization. Enterprise risk management facilitates effective response to the interrelated impacts, and integrated responses to multiple risks. Seizing opportunities By considering a full range of potential events, management is positioned to identify and proactively realize opportunities. Improving deployment of capital Using risk information allows management to effectively assess capital needs and enhance capital allocation. 11

ERM Benefits at TAMU Value added process - Involve participants in identifying and managing risks active as part of the solution - Increase participant s exposure to other areas enhances knowledge of operations - Increase risk consciousness in decision making provides new perspective - Focus resources and efforts on high risk areas breaks down barriers and demonstrates priorities that are used 12

ERM and Compliance Governance ERM System Policy 03.01 (Aug. 2008, updated June 2010) President s Memorandum (Sept. 2009) Internal audit report on ERM (Sept. 2010) and follow-up audit (Feb. 2012) Standard Administrative Procedure 03.01.01.M0.01 (March 2011) Compliance U.S. Federal Sentencing Guidelines System Policy 16.01 (May 2012, updated Jan. 2014) System Regulation 16.01.01 (May 2012) 13

ERM at Texas A&M University Implemented ERM using a top down approach Focused on University-wide risks Performed first risk assessment in 2004 - Updated 2006, 2009, 2011, and 2013 - Participants selected to provide wide university perspective - Main actions Identify major risks facing the University Identify the mitigating activities for the top risks, including the accountable responsible person for the mitigating activities - Reviewed significant mitigating activities (2008, 2010 and 2012) 14

ERM at Texas A&M University University-wide Risk Assessment Walk-through - Mitigating activities evaluated for effectiveness (2008, 2010 and 2012) Performed by URC personnel Sample of mitigating activities (red risks) Walk-through/review process o Inquiries, review documentation, observe procedures Focus on o Evidence of activity o Monitoring/supervisory actions o Communication/reporting to management Written report includes Opportunities for Improvement 15

ERM Risk Assessments Perform risk assessments in other units VPs, direct reports to the President, Colleges, major departments or functions, etc. Use facilitated group meetings (facilitator/scribe) 2-hr meeting held with Unit Head and direct reports Identify/rank major risks facing the unit based on mission/goals/objectives (some pre-meeting work done) Identify the mitigating activities for the top risks (mostly done post-meeting) Accountable person responsible for the mitigating activities; documentation/evidence Monitoring/supervisory and reporting activities Management reviews mitigations for effectiveness 16

Common Risk Language Risk Any event or action that adversely impacts the organization s ability to achieve its objectives (compliance, strategic, operational, reputational, financial, technology, fraud, etc.) Mitigating activities/strategies Actions, procedures, and processes used to manage and monitor risks (limit, avoid, accept, transfer, share) Risk ranking Prioritize and rank (high, medium, low) Impact (consequences) Probability of occurrence (likelihood of happening) Risk assessment Process used to identify, prioritize, and document risks, mitigating strategies, monitoring processes, and any gaps Risk tolerance/appetite (conservative - moderate) 17

Risk Types Risk: Any event or action that adversely impacts the organization s ability to achieve its objectives Strategic affects the University s ability to achieve goals and objectives, competitive and market risks, etc. Financial affects loss of assetsequipment, funds, resources, fraud, etc. Reputational affects reputation or brand, public perception, political issues, etc. Risks Operational affects on-going management processes and procedures, fraud, etc. Technology affects the University s electronic processes, equipment, and data storage, etc. Compliance affects compliance with internal and external laws and regulations, safety and environmental issues, litigation, conflicts of interests, etc. 18

Ranking the Risks Impact Effect on achieving objectives, the consequences High show-stopper/loss of program, significant wide spread injuries, death, large loss (%/$ of budget, rev, ex), criminal penalty, liability Medium inefficient and moderate loss, significant extra/rework, fines, moderate/minor injury Low little to no effect, warning, extra work, reprimand, small limited loss Probability Likelihood that the risk will happen High will happen frequently, occurs often, on-going event, predictable, one-time event that may recur Medium will happen infrequently, sometimes occurs, unpredictable Low will seldom happen, infrequent, rarely happens, has not happened 19

Risk Assessment Steps Review mission and strategic plan, goals, and/or objectives Identify major activities and functions Identify and rank risks Prioritize considering impact and probability Identify and document mitigating activities Evidence of activity occurring and designated accountable person/position Review monitoring and executive reporting processes Supervisory reviews, managerial oversight, communication flows, and other assurances gained by management that risks are effectively managed Follow-up: Assess effectiveness of mitigations Perform a limited review/walk through-focusing on significant mitigating activities of highest ranked risks; review mitigations are adequate and working as planned 20

Risk Assessment Tools Facilitated sessions Excel spreadsheets - Color coded, easy to use, linked w/macros - Free (developed by David B. Crawford, UTS) - Available on URC website: http://universityrisk.tamu.edu/ Voting software and touch pad equipment - Anonymous ranking of impact and probability RISKS ACTIVITIES 1 2 3 4 5 7 Research Finance & Administration HH Research Development, Programs & Facilitation HH Noncompliance with policies, rules, laws Decrease in State support HH HM Untimely reporting Lack of research management information HH HM Risks ranked considering both their impact and probability: Not rewarding academic excellence Ineffective metrics for evaluating programs and personnel Impact - the consequence(s) of the risk occurring (H=High, M=Medium, L=Low) Probability - the likelihood of the risk occurring (H=High, M=Medium, L=Low) M i t i g a t i n g A c t i v i t i e s = HH, HM = HL, MH = MM, ML, LH = LM, LL Research Finance & Administration Noncompliance with policies, rules, laws Untimely reporting R i s k s Not rewarding academic excellence HM HM Lack of a coordinated research admin. structure Lack of coordinated research admin. Lack of seed/ incentive funding HM MH Unfunded mandates Unfunded mandates Lack of industrial funding/ partnerships Not following protocol Training x x x Marketing & communication to Legislators & Public x x Policies/Forms x x Signature authority - based on delegation x x x x HL Not following protocols Evidence of Control Activity Grant training for proposal development group, Research Foundation personnel, and dept staff. New faculty orientation. Online training. Presentation to legislature (Govt. Affairs/VPR/President). Publications/Website. Research road show - committee. Cost sharing, review procedures, signed approval documents. Signature sheets. Email notification for changes. PI certifications x Online training. Forms signed. Office of research compliance x x x x Budgetary control x x x x Manager oversight and verbal communication with Sr. mgmt Budget analysis (budget vs. actual). Analysis review documented by signature and date. 21

Risk Ranking Exercise Not able to attract and retain talented faculty Noncompliance with federal and state laws (Clery Act, ADA, Title IX, etc.) Not having a strong commitment to sustainability Not having a safe environment for minors on campus (camps, enrichment programs, etc.) Incompatible duties/not segregating cash handling duties 22

Challenges Looking Forward Maintaining momentum Organization and leadership changes Keeping risk assessments up-to-date Coordinating with compliance function Risk assessment, stakeholder groups, etc. Providing effective communications regarding University-wide risks and mitigations Responsible persons, walk-through report, compliance plan Enhancing monitoring (need resources) Risk assessment walk-throughs Performing compliance reviews, for example Research Certifications (requested by Research) Title IX Self-Assessment Clery Act Reviews Higher Ed Opportunity Act (requested by SFA) Natural Gas Line Incidents (requested by the System Compliance Officer) 23

Comments/Questions? Websites: https://urc.tamu.edu http://universityrisk.tamu.edu/ Contacts: Peggy Zapalac m-zapalac@tamu.edu 979-845-8115 Larry Keller l-keller@tamu.edu 979-862-7739 24

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback