Enterprise Risk and Compliance Management

Similar documents
Enterprise Risk Management: Taking the First Steps

Understanding Enterprise Risk Management. Presented by Dorothy Gjerdrum Arthur J Gallagher

The New International Standard on the Practice of Risk Management A Comparison of ISO 31000:2009 and the COSO ERM Framework

Introduction to Enterprise Risk Management at UVM DRAFT

Effective Enterprise Risk Management with ErmsCo ERM Foundation

Your asset is your business. The more challenging the economy, the more valuable the asset becomes. Decisions are magnified. Risk is amplified.

Enterprise Risk Management in Colleges and Universities

Organizational Change Management: A Best Practice to Effective ERM Implementation

RISK MANAGEMENT REPORTING GUIDELINES AND MANUAL 2013/14. For North Simcoe Muskoka LHIN Health Service Providers

Integrated Risk Management:

ENTERPRISE RISK MANAGEMENT FRAMEWORK

FY 2015 Year in Review Internal Audit Division

From Information Management to Information Governance: The New Paradigm

PRIORITIZING CYBERSECURITY

Opportunity. for Greater Relevance LEVERAGING ENTERPRISE RISK MANAGEMENT: By Janice M. Abraham, Robert Baird, and Frank Neugebauer

Data Governance. Unlocking Value and Controlling Risk. Data Governance.

Linking Risk Management to Business Strategy, Processes, Operations and Reporting

IFAD Policy on Enterprise Risk Management

Operational Success: Targeting Performance

Finance Division. Strategic Plan

Take the right steps 9 principles for building the Risk Intelligent Enterprise

Distributor Liability Contract Risk Management THOMAS DOUGLASS APRIL 15, 2015

Enterprise-Wide Risk Assessment

THE ROLE OF FINANCE AND ACCOUNTING IN ENTERPRISE RISK MANAGEMENT

Framework for Enterprise Risk Management

Matthew E. Breecher Breecher & Company PC November 12, 2008

Challenges in the Changing and Litigious Environment of Higher Education i

Department of Veterans Affairs VA Directive VA Enterprise Risk Management (ERM)

OPTIMUS SBR. Optimizing Results with Business Intelligence Governance CHOICE TOOLS. PRECISION AIM. BOLD ATTITUDE.

ENTERPRISE RISK MANAGEMENT POLICY

Successfully identifying, assessing and managing risks for stakeholders

ENTERPRISE RISK MANAGEMENT. J. Joseph Hoey, Ed.D. Bridgepoint Education CAIR 2015

Change Management in Higher Education: Using Model and Design Thinking to Develop Ideas that Work for your Institution

Beyond risk identification Evolving provider ERM programs

SECURITY RISK MANAGEMENT

OAC Presentation to UNESCO Member States

HP and netforensics Security Information Management solutions. Business blueprint

ENTERPRISE RISK MANAGEMENT POLICY

ENTERPRISE RISK MANAGEMENT FRAMEWORK

Global Technology Audit Guide. Auditing IT Governance

Enterprise Risk Management in a Highly Uncertain World. A Presentation to the Government-University- Industry Research Roundtable June 20, 2012

fmswhitepaper Why community-based financial institutions should practice enterprise risk management.

Risk Management Policy and Framework

Enterprise Risk Management at Pennsylvania State University (A) Strategy Implementation in a Decentralized Organization

Governance, Risk, and Compliance (GRC) White Paper

How To Be An Active Business Owner

Practice Guide COORDINATING RISK MANAGEMENT AND ASSURANCE

Information Security Management System for Microsoft s Cloud Infrastructure

Saldanha Bay Municipality. Risk Management Strategy. Inclusive of, framework, procedures and methodology

POL ENTERPRISE RISK MANAGEMENT SC51. Executive Services Department BUSINESS UNIT: Executive Support Services SERVICE UNIT:

RISK MANAGEMENT FRAMEWORK. 2 RESPONSIBLE PERSON: Sarah Price, Chief Officer

Enterprise Risk Management Policy

Improving Financial Performance, Governance and Compliance

BUSINESS CONTINUITY PLANNING

Simply Sophisticated. Information Security and Compliance

Operational Risk Management - The Next Frontier The Risk Management Association (RMA)

Enterprise Risk Management Panel Discussion

ENTERPRISE RISK MANAGEMENT in the Great City Schools

Policy : Enterprise Risk Management Policy

University of Oregon Information Technology Risk Assessment. December 2, 2015

Designing a Modern, Holistic ECM Strategy for Healthcare. How ECM consulting helps healthcare providers thrive in an atmosphere of change.

What others are saying about Risks!

The Future of Census Bureau Operations

Governance and Risk Management in the Public Sector. Fernando A. Fernandez Inter-American Development Bank (202)

Enterprise Risk Management: Concepts & Issues

Accenture CAS: Solution Implementation Making change happen

THE SOUTH AFRICAN HERITAGE RESOURCES AGENCY ENTERPRISE RISK MANAGEMENT FRAMEWORK

ENABLING THE BUSINESS WITH SOCIAL RELATIONSHIP PLATFORMS

Feature. Developing an Information Security and Risk Management Strategy

Risk Management Policy Adopted by:

Developing an Effective Enterprise Risk Management Program

IT Governance. What is it and how to audit it. 21 April 2009

Consumer Goods and Services

ORGANISING COMMITTEE POLICY AND GOVERNANCE FOR RISKS TO REPUTATION

Fraud Prevention and Deterrence

fs viewpoint

How To Listen To Social Media

2015 Report on the Current State of Enterprise Risk Oversight:

Enterprise Risk Management VCU Process

STRATEGIC PLAN. February 2014 July JIMMIE KERR ROAD GRAHAM, NC 27253

How To Manage Risk

Presentation Objectives Why is Internal Audit here? Concepts (Enterprise Risk Management, Strategic Risk, Strategic Risk Management, etc.

Army Regulation Product Assurance. Army Quality Program. Headquarters Department of the Army Washington, DC 25 February 2014 UNCLASSIFIED

Agile Master Data Management TM : Data Governance in Action. A whitepaper by First San Francisco Partners

Sage HRMS The choice between compliance risk and compliance confidence lies in HR management systems

Cybersecurity: Mission integration to protect your assets

RSA ARCHER OPERATIONAL RISK MANAGEMENT

FRONTIER COLLEGE : Strategic Plan

Internal Auditing Guidelines

Enterprise Risk Management Handbook. June, 2010

Audit of the Test of Design of Entity-Level Controls

Pension & Health Benefits Committee California Public Employees Retirement System

Chapter I: Fundamentals of Business Continuity Management

Internal audit strategic planning Making internal audit s vision a reality during a period of rapid transformation

STRATEGIC INTELLIGENCE WITH BI COMPETENCY CENTER. Student Rodica Maria BOGZA, Ph.D. The Bucharest Academy of Economic Studies

Becoming Reactively Proactive Rethinking compliance risk management in today's environment

University of Windsor Board of Governors. That the Board of Governors approve of the Enterprise Risk Management Framework.

Avondale College Limited Enterprise Risk Management Framework

Organizational Competencies

How To Decide If You Should Move To The Cloud

Transcription:

Enterprise Risk and Compliance Management Their Integral Roles in Higher Education Governance Gallagher Higher Education Practice NOVEMBER 2015

Introduction Anyone involved in the management of higher education institutions in the United States will not normally make it far into a conversation with colleagues without the topic of enterprise risk management or compliance making its way in. There is mounting pressure from governing boards to be assured that risks surrounding the strategic mission of the organization, including the risks of noncompliance with an ever-growing list of laws and regulations, are being identified, measured and treated. But the next question is normally, How in the world can I even begin given the already-stressed resources of our institution? A university general counsel recently told the story of how she would wake in the middle of the night worried about a recent news story highlighting a particular risk facing colleges and universities. When she arrived at work the next morning she would figuratively pull risk and compliance out of her drawer and put it on her desk to begin considering where to start. Then, after many days of looking at the stack in front of her, and with thankfulness for a shortage of news events to support her original fear, she slipped the stack back in the drawer where it was safe until the next, inevitable sleepless night. This counsel, as well as any number of higher education risk managers, are not alone. Enterprise risk and compliance management often looks to be a task too formidable to even consider beginning. However, there are many models and tools, to be explored later, which can help make the journey both possible and perhaps even enjoyable. Defining Enterprise Risk and Compliance Enterprise Risk Management The term enterprise risk management (ERM) is somewhat unique to the U.S. In most of the world, when the more general term risk management is used, it is the broader view of risk that we call ERM that is intended. In this country though, ERM has become a helpful differentiator from what we now might call traditional risk management (TRM), or the well-polished functions of risk financing, loss control and claims management. This discipline of TRM has saved U.S. corporations and nonprofits billions of dollars and helped keep countless workers, customers, students and the public free from harm, and we are many strides ahead of the rest of the world in this area. The principal difference between ERM and TRM, however, can be found in how risk is defined. Traditional risk is defined by Merriam Webster as, the possibility that something bad or unpleasant will happen and risk management is defined by The Institutes as, minimizing the adverse effects of accidental losses. Both definitions of risk and traditional risk management foresee only harm and our job is then to minimize its adverse effects. ERM takes a broader view. ISO 31000, the international risk management standard, defines risk as, the effect of uncertainty on objectives. This definition is not limited to traditionally insurable risks. In fact, less than ten percent of the items on a typical ERM risk register can be insured. Instead, the majority of risks identified are tied to the mission and objectives of the organization. RISK can be a threat or opportunity Anything that can harm, prevent, delay or enhance an organization s ability to achieve objectives = RISK ERM delineates the threats that could keep the institution from achieving its objectives and looks for any and all opportunities that could be exploited to increase the likelihood of those same objectives being realized. In Janice Abraham s book entitled, Risk Management: An Accountability Guide for University and College Boards (AGB Press, 2013), she offers a helpful definition of ERM as, a business process led by senior leadership that extends the concepts of risk management and includes: Identifying risks across the entire enterprise; Assessing the impact of risks to the operations and mission; Developing and practicing response or mitigation plans; and Monitoring the identified risks, holding the risk owner accountable, and consistently scanning for emerging risks. Enterprise Compliance Management Although the phrase enterprise compliance management (ECM) has not yet embedded itself into our corporate lexicon, it is a helpful way to look at how compliance could be managed on an enterprise-wide basis rather than in departmental silos as is the case in most colleges and universities. There has certainly been some debate about whether compliance is a part of ERM or should stand on its own in the higher education environment, but the conventional Gallagher Higher Education Practice Enterprise Risk and Compliance Management 2

wisdom seems to be leaning heavily toward making the risk of noncompliance with applicable laws, regulations, industry codes and organizational standards an integral component of managing the institution s overall risk profile. DEFINITIONS OF RISK Traditional Broadened Compliance Risk Peter Lake, Professor of Law and Director of the Center for Excellence in Higher Education Law and Policy at Stetson University College of Law, identified in an article entitled, Welcome to Compliance U: The Board s Role in the Regulatory Era in the July/August 2013 edition of Trusteeship Magazine, that higher education institutions should: The possibility that something bad or unpleasant will happen. Merriam-Webster The effect of uncertainty on objectives. ISO 31000 The effect of uncertainty on compliance objectives. ISO 19600 Recognize that regulatory compliance is a major institutional challenge and a source of both risk and opportunity. Strongly avoid direct operational management of critical compliance issues from the governing-board level. Promote an enterprise risk management (ERM) approach. That includes encouraging the creation of a centralized ERM function with leadership that reports directly to the board and making sure that there are processes in place for establishing important compliance policies and keeping them up to date. Ensure that the institution coordinates compliance initiatives throughout the campus as part of ERM efforts. The organizational chart should clearly identify the office and individuals tasked with such coordination. In December 2014, ISO issued a new standard for compliance management (ISO 19600) which takes an enterprise and riskbased approach which naturally brings compliance together with ERM and congruent with the principles, framework and process outlined in ISO 31000. Both standards are tied to identifying and treating threats and opportunities in a manner that best preserves the meeting of organizational objectives. In that way, compliance risk is defined similarly as the broadened view of risk we see as part of ERM and both are managed using comparable processes. Risk is often expressed in terms of a combination of the consequences of an event and the associated likelihood of occurrence. Compliance risk can be characterized by the likelihood and the consequences of noncompliance with the organization s compliance obligations. Risk and Compliance as Part of Higher Education Governance One of the primary inhibitors to the implementation of enterprise risk and compliance management throughout the college and university environment is the misunderstanding of where these disciplines fit within the organization. Many institutions have started and then found their programs languishing because they have been managed in silos, almost as separate operational functions of the organization. The method called for in ISO 31000 and 19600 is for the institution to see risk and compliance as integral pillars of the overall governance of the college or university. In a paper published in 2014 by the Association of Governing Boards of Universities and Colleges (AGB) and United Educators (UE) entitled, A Wake-Up Call: Enterprise Risk Management at Colleges and Universities Today, it was suggested that, Risk management, at its core, is a governance and management discipline, not an end but a means to the end, with the end being the accomplishment of the institution s mission. Boards and administrators need to take demonstrable action and advance ERM efforts at their institutions. Gallagher Higher Education Practice Enterprise Risk and Compliance Management 3

There is no choice: each institution and board needs a process by which it routinely identifies, evaluates, and plans for risks that have the greatest potential for reputational injury or obstruction of institutional mission. Risk offers opportunities to lead change, and institutions and boards need plans and processes in place that allow them to assess that risk and take advantage of those opportunities when they arise. Risk, including compliance risk, are therefore elevated out of what has been the functional mindset in higher education to a seat at the table within the governance structure of the institution. This seat is alongside, and in support of, mission, strategy, stewardship and quality, with audit and assurance as the final piece. Each has its role in making sure that the direction of the governing board is realized: Mission Strategy Governance Stewardship Quality Assurance Risk Compliance 1. Mission The board sets the overall mission and objectives of the institution and insists that its culture and values are aligned with that mission. 2. Strategy Senior leadership, in conjunction with the board, develop strategic plans to carry out the organization s mission and objectives. 3. Stewardship Financial resources are developed and maintained to ensure the mission and strategic plans are adequately funded. 4. Quality The quality of the institution s programs are planned for and tested in order to maintain demand for the product in the long-term. 5. Risk Risks to the institution in meeting its organizational objectives, including threats and opportunities, are identified, assessed and treated. 6. Compliance Risks to the institution for failing to comply with its legal, regulatory, industry, and internal standards are identified, assessed and managed. 7. Assurance A strong management structure and culture is maintained to ensure proper reporting and accountability, and internal and external audits are utilized to bring board assurance. Internal audit has also been shifting to a risk-based model, so that the disciplines of risk, compliance and assurance are all now using the techniques of risk identification, assessment and treatment in their plans to help their governing boards reduce uncertainty in the meeting of their mission and objectives. This notion of bringing risk management fully into the governance of the organization, however, still has a long way to go at the preponderance of colleges and universities in the U.S. Again according to the paper, A Wake-Up Call: Enterprise Risk Management at Colleges and Universities Today, The state of ERM in higher education leaves many institutions unprepared to address high-priority risks that may endanger the realization of strategic plans and institutional mission. The ongoing financial and competitive pressures on colleges and universities call for a more integrated and routine process, incorporating discussions of mission-critical risks and risk management into the strategic decision-making and resource-allocation processes of boards and senior administration. Identification, mitigation, and continued attention to both upside and downside risks can help institutions navigate the volatile environment, reduce vulnerability, and build a platform for ongoing success. Centralized Oversight- Decentralized Implementation One of the most frequently asked questions about enterprise risk and compliance management is, How do I get started given the scarce resources and daily pressures at my institution? The answer lies in a model described by many as Centralized Oversight-Decentralized Implementation. Jeff Chasen, Associate Vice Provost for Institutional Compliance at the University of Kansas, has been using this method since 2013. He states, I have found that our ability to bring change to the institution has been greatly influenced by the utilization of a model that allows for the compliance office to remain the central organizer, gatherer, facilitator, and resource. We maintain our structure with responsibility for specific compliance functions assigned to the subject matter experts within our units, a role many of them held long before we began to formalize our program. Our centralized office facilitates the development of strategic action plans, coordinates (and serves on) working groups, fosters additional collaboration and resources, tracks progress, reports to senior leadership, and helps brings heightened accountability to the process. Both the ISO 31000 and 19600 standards advocate for a centralized oversight and decentralized implementation approach which takes advantage of risk and compliance obligation owners throughout the institution. These owners will develop treatment plans, normally with the oversight and Gallagher Higher Education Practice Enterprise Risk and Compliance Management 4

Centralized OVERSIGHT Decentralized IMPLEMENTATION Centralized Decentralized Where a few institutions have developed, but centralized implementation requires significant staff and does not take advantage of current subject matter expertise Oversight is at highest levels, including board, but implementation is pushed out to experienced subject matter experts through risk and/or compliance ownership Where most institutions have been, although with some limited departmental oversight, but does not incorporate board-level reporting and accountability direction of a risk committee, manage the risks and compliance obligations and report progress upward within the organization. The ISO standards are filled with helpful details for implementing a successful enterprise risk and compliance management program. They provide the architecture, but are scalable and tailorable for any college or university, no matter the size or complexity. ISO 3100 (risk) and ISO 19600 (compliance) provide the Architecture Scalable and Tailorable The essence of ISO 31000 and 19600, taken together, is simply: 1. Know your risks and compliance obligations through identification and evaluation, making sure you consider the context and stakeholders. 2. Manage the risks and compliance obligations through delegation and placing ownership with subject matter experts. 3. Provide for central oversight, accountability and reporting. 4. All using a risk management framework established by senior leadership with built in monitoring, review and continuous improvement. What Makes Enterprise Risk and Compliance Management (ERCM) Work? Doug Huffner, the Senior Director and Chief Risk Officer for The Ohio State University stated that, When we first began our URM (University Risk Management) program in 2013, I could not have imagined the value proposition that was about to transcend our institution. What started out as mostly defensive and guarded discussions of threats and barriers to achieving the University mission, quickly and completely turned around into a robust conversation about opportunities and strategic planning. Our senior-level risk committee meetings are lively and well-represented. It is amazing how our cross-functional committee, while staying focused on our risk and compliance-based decisioning model, is driving real innovation and progress throughout the University. Somewhat counterintuitively, taking an enterprise approach to risk does not make the organization more risk averse, but has the opposite effect. The Ohio State story is not unique. ERCM, done right and with the right tone, will actually help create and maintain an environment of innovation and risk taking. If a process is in place to carefully consider the risks of new ventures, a more informed decision will be the result. And when the venture is ready for launch, it will be with much greater confidence and with the desired outcome more sure. There are many reasons why ERCM works and why it makes colleges and universities better: 1. Focuses on mission and objectives Everything is tied back to the central purposes of the institution and efforts are prioritized accordingly. 2. Preserves and creates value A dynamic ERCM program will both preserve what is already going well and create new opportunities to advance the institution into the future. 3. Emboldens innovation Clearly identifying risk and agreeing on treatment plans to bring any residual risk under control, frees leadership to take more risk in support of innovation. 4. Enhances agility and resilience By having risk and compliance under control throughout the institution, the organization can be ready much more quickly to respond to opportunity and the possibility of a threat having irreparable harm is greatly reduced. Gallagher Higher Education Practice Enterprise Risk and Compliance Management 5

5. Formalizes process and governance Having risk and compliance embedded as pillars in the governance model will keep these disciplines in the forefront whenever decisions are made and when management tools are reviewed and developed. 6. Improves quality of decisions When risk and compliance is at the table, any decision-making process will be improved less risk of threats and more opportunities exploited will be the result. 7. Helps in allocation of resources As the institution makes decisions about the allocation of limited resources, taking a risk-based approach will enhance the organization s ability to move funds where they best reduce institutionwide threats and enhance opportunity. 8. Improves stakeholder confidence and trust The ERCM process gives internal stakeholders (e.g. board, faculty, staff, students, families, donors, alumni) and external (community, government, accreditation bodies, creditors, rating agencies) greater assurance that their investment in, fidelity to, and reliance on the institution is warranted. 9. Empowers subject matter experts ERCM improves both overall organizational productivity through delegation and gets the work to the person with the best education and experience to inform the issue. 10. Everyone s a risk manager A comprehensive and ever-improving ERCM program will undoubtedly begin to change the culture of the institution, making risk and compliance a consideration in everything it does, at every level. Governance, Risk and Compliance Software There are several vendors offering software packages for institutions to manage their risk and compliance programs using either cloud or server-based packages. Features common to many of the platforms include: Detailed risk and compliance obligation registers with multiple data points Ability to manage delegations using email assignments and workflow through calendars Reporting tools for use at all levels of the organization, including the board These systems can be very helpful in the management of a complex enterprise risk and compliance management program and are generally cost-effective. Conclusion The importance of risk and compliance management at institutions of higher learning cannot be underestimated. They fill in two critical components of governance and are among the most important means by which any organization will increase the likelihood of achieving its mission and objectives. WHY IS RISK AND COMPLIANCE MANAGEMENT IMPORTANT? 1. All organizations exist to achieve their objectives. 2. Many internal and external factors affect those objectives, causing uncertainty about whether the organization will achieve its objectives. 3. The effect this uncertainty has on an organization s objectives is risk or compliance risk. In summary, the management of risk, including compliance with relevant laws, regulations, industry codes and organizational standards, is central to the livelihood and success of all organizations. There are no greater institutions in our nation as our colleges and universities in the way they contribute to our health, our economic prosperity and help form tomorrow s generations. Assuring the fulfillment of their collective vision and securing their future is a worthwhile and necessary pursuit. Dashboards for each risk and obligation with the ability to rank risks and catalogue treatment plans Risk rankings that flow into interactive, institutional heat maps Gallagher Higher Education Practice Enterprise Risk and Compliance Management 6

Two Pierce Place Itasca, IL 60143-3141 Gallagher Higher Education Practice About the Author Scott Wightman is an Area Executive Vice President for Arthur J. Gallagher & Co. and serves on the national leadership teams of their Higher Education and Enterprise Risk Management Practices. He is a former corporate risk manager and Director of Risk Management for Saint Louis University. He is also an active member of the University Risk Management and Insurance Association (URMIA) and serves as a member of the faculty for the PRIMA/URMIA ISO 31000 training program. He was awarded the 2014 Power Broker Award in Education from Risk & Insurance Magazine and the 2015 Innovation Award from Business Insurance. He holds the ARM-E designation from The Institutes for Enterprise-Wide Risk Management. For more information, contact: Scott Wightman, ARM-E Gallagher Higher Education Practice scott_wightman@ajg.com 15BSD28970A

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information