Using Strategic Risk Management to Gain Assurance and Communicate More Effectively
Julie Englund, Board Member, Treasurer and Finance Committee Chair, Wilson College
Raina Rose Tagle, CPA, CISA, CIA, National Practice Leader, Higher Education, Baker Tilly
Baker Tilly Beers & Cutler, PLLC, is a wholly-owned subsidiary of Baker Tilly Virchow Krause, LLP.
Introduction
Julie Englund
> Board of Trustees, Member, Finance Committee Chair, and Treasurer at Wilson College
> Former Chief Financial Officer at the National Academy of Sciences
> Former Vice President for Finance and Administration at The Catholic University of America
> Former Dean for Administration at Harvard Law School
> Former Vice President for Finance and Administration at The Brookings Institution
Raina Rose Tagle
> Baker Tilly Partner
> National Practice Leader, Higher Education
Agenda
> Overview of Risk Management
> Roles and Responsibilities
> Getting Started: An Approach to Managing Risk
Overview of Risk Management
Risk and Its Importance
Risk is the possibility of an event occurring that will impact the achievement of an organization's mission and objectives.
Types of Risk
> Environment
> Operations
> Finance
> Compliance
> Technology
> Strategy
> Reputation
Risks in Higher Education
> Enrollment
> Accreditation
> Accidents: student alcohol abuse, violence
> Workplace discrimination
> Natural disasters
> Crisis response
> Study abroad safety
> Compliance
> Investment management
COSO ERM Framework
Risk Management for Boards and Management
[Diagram labels: Strategic Decision Making; Strategic Planning and Implementation; Strategic Financial Analysis; Institutional Risk Management]
> Strategic planning and implementation: Integrate strategic priorities as context for decision making
> Strategic financial analysis: Allocate resources to strategic goals and provide methods and tools to evaluate financial risks, conditions, and operations
> Institutional risk management: Take a programmatic view of potential risks and risk management activities to effectively achieve strategic goals
Roles and Responsibilities
Roles and Responsibilities
> Board
> Management
> Internal Audit/Monitoring
> Risk Governance Framework
The Board's Role
Ensure an integrated risk management approach to problems, solutions, and decisions, in the context of strategic goals and objectives
> Provide strategic comprehensive oversight of risk management processes
> Integrate risk considerations into committee work
> Integrate risk assessment and planning into comprehensive strategic and financial planning
Management's Role
Lead a risk assessment process and implement risk management plans, in the context of strategic goals and objectives
> Assess risks and develop priorities
> Manage the risk assessment process
> Plan risk management and mitigation activities
Internal Audit's Role
> In light of heightened concern about risk and its potential impact on institutions, many institutions have created an internal audit function to help assess risk and to audit key areas of vulnerability
> An internal audit or other objective monitoring function can provide an objective, unbiased assessment of risks
Evolution of Internal Audit
In recent years, those successful in the profession have evolved into a trusted advisor role that proactively engages with management and strives to add value.
Previous Outlook
> Tactical
> Reactive
> Backward looking
> Focused on accounting
> Singular focus on compliance
> Gotcha attitude
Current Outlook
> Strategic
> Proactive
> Forward looking
> Focused on the business
> An appropriate complement of risk-based and compliance-based auditing
> Helpful ally
Higher Education Risk Governance Framework
[Diagram labels: Board of Trustees; Board Committees; President; Senior Management; Internal Audit/Monitoring]
Higher Education Risks
> Enrollment
> News and media coverage
> Student alcohol abuse
> Natural disasters
> Workplace discrimination
> Violence
> Crisis response
> Study abroad safety
> Compliance
> Investment management
Risk Management Structure Illustration
Getting Started: An Approach to Managing Risk
An Approach to Managing Risk
> Strategic risk assessment
> Risk mapping
> Key questions for assessing your strategic risk management
Strategic Risk Assessment
A strategic risk assessment is a framework for entity-wide risk identification (unique to your institution), prioritization of key exposures, and development of operational responses and resources in the context of other strategic priorities.
Performing a Strategic Risk Assessment
> Get started
> Keep it simple and doable
> Remember that risk is constantly changing
Performing a Strategic Risk Assessment
[Diagram labels]
Senior Management
> Identify Risks
> Prioritize Risks
> Manage Risk
Board of Trustees and Committees
> Oversee Risk Management
Identify Risks
> Brainstorm potential risks at a strategic entity-wide level (Note: operational risks should be addressed by operational managers in a similar process)
> Alternatively, use an outside, objective party to interview key administrators, the President, and, if desired, the Board, and draft an initial set of priorities based upon the interviews
Prioritize Risks
> Prioritize risks based on significance (i.e., potential impact) and likelihood (i.e., chance of occurrence)
> Use the risk map as a roadmap for risk-related discussions and oversight
  Risks with the biggest potential impact and highest likelihood of occurrence are the top priority
Risk Mapping
Sample Risk Map
[Figure: risk map. Axes: Potential Impact and Likelihood of Occurrence. Quadrants: High Impact / Moderate Likelihood; High Impact / High Likelihood; Moderate Impact / Moderate Likelihood; Moderate Impact / High Likelihood. Legend categories: Strategy, Operations, Compliance, Reputation, Technology.]
Risks plotted:
> Data Security and Privacy
> Legal and Regulatory Environment
> Planning and Budgeting
> Information Retention and Institutional Knowledge
> Business Continuity Planning and Disaster Recovery
> Student Safety
> Reputation
> Governance Effectiveness
> Employee Conduct
> Growth
> Accounting Systems/Financial Reporting
> Change Management
Manage Risk
> Clarify who is responsible for developing, implementing, and managing risk management plans
  Who owns each risk and is responsible for developing plans?
  The President typically has ultimate responsibility for risk management in an institution
> Develop responses/plans to manage and mitigate risk, and monitor results
  This should include determining what risk management activities are already in place
Key Questions for Assessing Your Strategic Risk Management
> Is Management's risk assessment process comprehensive?
> Are Management's conclusions related to strategic risk appropriate?
> Are problems and solutions presented and discussed within a comprehensive context of competing priorities and resources?
> Are solutions transparently vetted in terms of alternative approaches?
> Are solutions discussed and decided based on risk/return characteristics?
> Do solutions address building/capital, student, academic, admissions, and diversity risks?
> Are resources being allocated to key strategic risks and strategies to protect the institution and help achieve goals?
Contact Information
Julie Englund, Board Member, Treasurer and Finance Committee Chair, Wilson College
jenglund@verizon.net, 202 957 5300
Raina Rose Tagle, Partner, CPA, CISA, CIA, National Practice Leader, Higher Education, Baker Tilly
raina.rosetagle@bakertilly.com, 703 923 8251
Connect with us: http://www.bakertilly.com/higher-education