Enterprise Risk Management Panel Discussion


Enterprise Risk Management Panel Discussion

Facilitators:
- Bill Cole, VCU and VCUHS CAE
- Michael Bordoni, former Emory University CAE, now DHG (Dixon Hughes Goodman LLP) Risk Advisory Services Partner
- Gary Nimax, UVA Assistant VP for Compliance and ERM
- David Litton, VCU and VCUHS Audit Director

Source: VCU Enterprise Risk Management White Paper 2012

A. Definitions of Key Terms
- Acceptable Risk
- Action Plan

Shared with permission from KPMG LLP for educational use.

Panel Discussion Topics
- Adoption and Support
- Risk Data Collection
- Risk Categories Addressed
- Risk Mitigation and Management Plans
- Prioritization
- Monitoring
- Communication to VPs and Board
- Obstacles / Successes

Enterprise Risk Management Program Overview

Comprised of:
- Nine schools
- Five hospitals
- The Emory Clinic
- Emory Specialty Associates
- JVs with the VA and Grady

Revenues $4B; Research $600M; Employees 27K; Students 12K

Rules:
1. Keep it simple
2. Support from the top
3. Organization and infrastructure
4. Define the program's objective
5. Customize the program for your institution
6. Create a charter
7. Define roles and responsibilities

From the Charter: Risk, in one form or another, is present in virtually all worthwhile endeavors. We recognize that not all risk is bad; thus our goal is not to eliminate all risk, for by doing so we would limit productive activity. Rather, our goal is to assume risk judiciously, mitigate it when possible, and prepare ourselves to respond effectively and efficiently when necessary.

ERM Executive Sponsors Committee (Reputational & Strategic Risks)
- President (Committee Chair)
- Executive VP for Finance and Administration
- Executive VP for Health Affairs
- Executive VP for Academic Affairs and Provost
- President and CEO, Emory Healthcare
- Senior VP and General Counsel
- Senior VP and Dean for Campus Life
- VP and Secretary
- VP of Communications
- Senior VP for Development and Alumni Relations

ERM Steering Committee
- Chief Risk Officer (Co-Chair)
- Chief Audit Officer (Co-Chair)
- Vice President of Investments, Chief Investment Officer
- Vice President of Finance
- Senior Vice Provost for Academic Planning and Faculty Development
- Special Assistant to Sr. VP & Dean, Campus Life
- Vice President of Human Resources
- Vice President of Campus Services
- Deputy General Counsel
- Vice President of Research
- Vice President of IT, Chief Information Officer
- Executive Special Assistant to the VP, Campus Services
- Director of Critical Event Preparedness and Response
- Vice President for Research Administration

Risk Committees (operational areas)
- Finance and Investment
- Healthcare
- Research
- Information Technology
- Campus Safety and Physical Plant
- Governance and Corporate Affairs
- Academic and Student Affairs
- Human Resources

Frequency (likelihood of occurring)
1 - low: <10% chance of occurring in 2 years
2 - medium: <25% chance of occurring in 2 years
3 - high: <50% chance of occurring in 2 years
4 - very high: >50% chance of occurring in 2 years, or already occurring

Severity (potential impact)
1 - minor: unlikely to have a permanent or significant effect on the institution's reputation or the achievement of its strategic objectives
2 - moderate: will have a significant impact on the institution, but can be managed without major impact
3 - serious: will have a significant effect on the institution and require major effort to manage and resolve the occurrence, as well as its ramifications
4 - very serious: will threaten the existence of the institution if not resolved

Definitions:

Primary Operational Leader (POL) - Emory manager/executive with primary (but often NOT sole) operational responsibility over the functional area where the risk has the greatest potential impact.

Risk Management Process Owner (RMPO) - Individual assigned the responsibility for drafting the Risk Management Plan and keeping it current. The RMPO is NOT necessarily the individual who has primary operational responsibility for managing the risk, but must be sufficiently familiar with the risk to prepare a coherent Risk Management Plan.

2009 risk register template (columns):
Code | Risk | Frequency (1-4) | Severity (1-4) | Adjusted Risk Factor | RMPO | POL | Assigned Risk Committee | Committee Chair(s)

Sample rows (Academic and Student Affairs committee): ASA1, ASA2, ASA3, ASA4

Risk Management Plan template fields:
- Risk:
- Examples and/or components of the risk:
- Steps currently in place to manage the risk:
- Issues:

Risk Identification (Aug to Sept)
- Steering Committee identifies risks for major operational areas
- Risks ranked by frequency (likelihood of occurring within two years) and severity (potential impact on system)
- Top 50 risks, based on decreasing risk factor, are designated Key Risks
- Committee identifies individuals responsible for overseeing management of each key risk (Risk Management Process Owner)
- Key Risks reviewed with Executive Committee

Risk Management Plans (Oct to Dec)
- President charges Risk Management Process Owners with preparing a two-page plan within 90 days
- Plans include a detailed description of the risk, risk components, steps being taken to manage the risk, and operational and communication responses to adverse occurrences
- Plans must clearly identify who is responsible and accountable for specific actions
- Steering Committee reviews Risk Management Plans
- Risk Management Process Owners revise plans based on Steering Committee feedback
- Risk Management Plans go to Executive Committee

Risk Hearings (Jan to Aug)
- Risk Management Process Owners present to Executive Committee
- Five risk hearings, three hours each
- Process Owners provide a five-minute overview of each risk, followed by five minutes of Q&A
- Executive Committee probes for potential gaps between the risk and the response plan
- Process Owners may be asked to return with additional information at the next hearing
- Participants identify best practices
- Executive Session includes an overview of total risk for the specific operational area and of the ERM process overall

Monitoring and Evaluation (Ongoing)
- Key Risks and specific Risk Management Plans are reviewed throughout the year
- Relative frequency and severity may be adjusted, resulting in the addition or deletion of key risks
- Updates to the Risk Management Plans are requested as needed

University of Virginia Enterprise Risk Management (ERM) College and University Auditors of Virginia May 19, 2015

UNIVERSITY OF VIRGINIA ENTERPRISE RISK MANAGEMENT (ERM)
- Executed the risk assessment process with input from Deans and Vice Presidents.
- Rated the potential likelihood and impact.
- Refined the primary risks to the top nine categories, focused on those most important to institutional continuity.
- Represented the key risks that merit further BOV understanding and discussion.
- Develop mitigation strategies that identify the risk owner, action plans, due dates, and responsible parties.
- Share mitigation strategies with the BOV.

ENTERPRISE RISK MANAGEMENT (ERM) Sample Survey Items

TYPES OF RISK (Enterprise Risk Management)
- Strategic Risk
- Reputational Risk
- Financial Risk
- Legal and Regulatory Risk
- Operational Risk

Top Institutional Risks

1. Sufficient funding/resources to achieve goals
   - Maintain core programs and pursue strategic objectives
   - Align fundraising with strategic priorities
   - Maintain historical Grounds and infrastructure, and address needed capital projects
   - Maintain State appropriations at a level necessary to accommodate enrollment growth and inflation
   - Sustain and grow the research mission
   - Sustain AccessUVa
   - Continue top-decile performance of the endowment

2. Management of human capital
   - Achieve competitive compensation
   - Manage generational turnover in faculty
   - Effective succession planning

3. Legal compliance risks (state/federal/other)
   - Comply with federal, state, or other established regulatory requirements (e.g. NCAA, SACS)

4. Keeping pace with changes in higher education
   - Effectively implement the strategic plan
   - Ensure adequate learning spaces to offer competitive graduate and undergraduate curricula

5. Failure to maintain reputation with key stakeholders
   - Maintain/improve higher education rankings
   - Maintain key accreditations

6. Failure to manage geo-political and economic risks
   - Manage risks of increasing international experiences of faculty and students
   - Effectively manage changing economic circumstances (e.g. growth/hyperinflation)

7. Safety/security of students, faculty and staff
   - Effectively mitigate and respond to incidents on Grounds or at University-affiliated programs (e.g. racial incidents, harassment, pandemic risk, sexual assault, or other violence)
   - Manage risks of increasing international experiences of faculty and students

8. Cybersecurity/leveraging IT
   - Protect sensitive data and information
   - Effectively leverage technology in the residential educational experience

9. Capitalize on organizational/operational efficiencies
   - Effectively pursue organizational excellence
   - Manage the risk of differing priorities, inefficiencies, and complexity in decentralized operations and authority

Enterprise Risk Management Program Overview

ERM Abbreviated Timeline

2012
- Identified need for ERM
- Developed white paper
- Established ERM Implementation Committee
- Selected KPMG as consultant
- Developed ERM website

2013
- Conducted focus group interviews
- Identified risks and consolidated them into risk themes
- Reviewed and prioritized risks
- Trained risk and process owners on preparation of Risk Mitigation and Management (RMM) Plans
- Provided preliminary review of RMM Plans

2014
- Continued to evaluate risk theme prioritization and consolidation
- Transitioned ERM Implementation Committee to ERM Steering Committee
- Developed ERM Blackboard site
- Began recruitment for Assistant Vice President for Safety and Risk Management

2015
- Completed review of all RMM Plans
- Updated heat map

Source: VCU ERM Recent Events Website

Risk Deep Dive template ("Risk Name Here")

Risk: Risk defined here. If this risk encompasses multiple areas, sub-risk sheets can be added to further refine the specifics making up the overall risk.
- Risk Considerations:
- Potential Impacts:
- Risk Owner: Usually a VP
- Process Owner: Typically the person closest to managing the risk
- Key Stakeholders: Who is impacted by the risk the most?
- Impact: Insert rating
- Likelihood: Insert rating
- Speed of Onset: Insert rating
- Current Mitigation Activities: Identify what is currently being done to mitigate the risk.
- Mitigation Effectiveness: Insert expected effectiveness rating
- Action Plans: Identify what actions are planned to mitigate the risk
- Responsible Person:
- Due Date:

Template shared with permission from KPMG LLP for educational use.

ERM Steering Committee Progress

Risk     Likelihood x Impact
Risk A   16
Risk B   16
Risk C   15
Risk D   14
Risk E   14
Risk F   13
Risk G   13
Risk H   12
Risk I   12
Risk J   10
Risk K   10
Risk L   10
Risk M   10
Risk N   9
Risk O   9
Risk P   8
Risk Q   7
Risk R   5
Risk S   5

Resources
- COSO Enterprise Risk Management Integrated Framework, Executive Summary (September 2004)
- IIA Position Paper: The Role of Internal Auditing in Enterprise-wide Risk Management (January 2009)
- A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000 (2010)
- VCU ERM Website