The Enterprise Risk Management Process in Higher Education - PowerPoint PPT Presentation

1 / 42
About This Presentation
Title:

The Enterprise Risk Management Process in Higher Education

Description:

Columbia University. Hazardous waste violations $800,000 penalty sought. Northwestern University ' ... Performed by executive management ... – PowerPoint PPT presentation

Number of Views:361
Avg rating:3.0/5.0
Slides: 43
Provided by: justinaa
Category:

less

Transcript and Presenter's Notes

Title: The Enterprise Risk Management Process in Higher Education


1
The Enterprise Risk Management Processin Higher
Education
  • Presented By
  • David B. Crawford, CIA, CPA, CCSA
  • Justina Crawford, MA, BME
  • JDEnterprises crawfordjd_at_earthlink.net

2
Topics
  • What is Risk Management That is Enterprise Risk
    Management (ERM)
  • Why Implement ERM in Higher Education
  • Components of ERM Process
  • How to Implement ERM
  • Who Should be the Permanent ERM Owner

3
What is Risk Management?
  • A process that defines how the institution
  • Identifies risks to the achievement of goals
    objectives
  • Measures the significance of each identified risk
  • Determines the most appropriate business response
    to each risk
  • Evaluates and reports on how well the chosen
    responses are carried out

4
Characteristics of the Risk Management Process
  • Requires an allocation of resources (people,
    funds, time)
  • Is defined by policies and procedures
  • Is an integral part of both the strategic and
    day-to-day operations of the institution
  • Is designed to provide reasonable
    (cost-effective) assurance that the institution
    can successfully accomplish its mission

5
What is Enterprise Risk Management (ERM)
  • It is an institution-wide or holistic approach to
    the risk management process.
  • In the USA, the recognized institution-wide risk
    management model is the COSO Enterprise Risk
    Management Framework.

6
COSO ERM Characteristics
  • A continuous, proactive and systematic process
  • to understand, manage, and communicate risk
  • from an institution-wide perspective.

7
COSO ERM Components
8
ERM is Management 101
9
Why Implement ERM The Big Picture
  • IT IS SIMPLY GOOD BUSINESS, and

10
Why Implement ERM Specific Drivers
  • US Sentencing Guidelines for Organizations
    (Compliance)
  • Sarbanes Oxley Act of 2002
  • (Financial Reporting)
  • Transparency and Accountability (Operations and
    Strategic)
  • Quick response to new initiatives such as the
    Governors Fraud Initiative

11
Benefits of ERM (1 of 2)
  • Reduce the incidence of serious negative
    surprises
  • Quickly identify emerging risks and problem areas
    before they escalate and cause serious harm
  • Respond to expectations of regulators,
    stakeholders, and others.
  • Make risk and controls understandable
  • Provide a simple, uniform methodology that is
    applicable in all environments

12
Benefits of ERM (2 of 2)
  • Need to enhance accountability and communication
  • Need to continuously eliminate unnecessary
    controls and add needed controls.
  • Need to reduce response time for emerging risks
  • Need to focus efforts on important issues and
    concerns.

13
Impact on Higher Education Institutions
University of MichiganChief Urologist charged
with Conflict of Interest100,000 penalty1
year probation
Thomas Jefferson UniversityMedicare
over-billing12 mil
University of MinnesotaMisuse federal grants32
mil
University of South Florida Improper Research
Costing4.1 mil
Johns Hopkins Effort reporting 2.6 mil
Stanford UniversityInflated research overhead
costs1.2 mil
Yale UniversityMedical credit balances5.6
mil
University of ChicagoResearch fraud and
abuse650,000
Duke UniversitySexual harassment 0.5 mil
Northwestern University Effort Reporting
fraud5.5 mil
University of WashingtonBilling fraud whistle
blower35 mil
Columbia University Hazardous waste
violations 800,000 penalty sought
University of TexasComponent Institution Medical
Billing 20 mil
Duke University Medicare fraud Millions sought
14
ERM It will change your organizational culture
15
What Changes?
  • Ownership of risk and controls
  • Questioning before acting
  • Two-way communication
  • Bad as well as good news
  • Rapid response to changes
  • Rapid response to failures in risk management

16
Components of an ERM Process
  • Standard risk management methodology
  • Common risk language
  • Standard tools and techniques
  • Standard outputs
  • Common assurance strategies

17
The Assurance Continuum
The UT developed risk management methodology
18
The Assurance ContinuumERM Principles
  • Risk management is the responsibility of every
    employee.
  • Assurance regarding the management of risks is
    provided by employees, first line supervisors,
    middle and upper managers, and internal auditors.
  • Risk management and risk assurance activities are
    based upon risk self-assessments performed at
    every level of the organization.

19
Common Risk Language Examples
  • Business risk
  • Impact
  • Probability/likelihood
  • Monitoring plan
  • On-going assurance
  • Periodic assurance
  • Goals and objectives
  • Level 1 Controls
  • Level 2 Controls
  • Level 3 Controls
  • Level 4 Controls
  • Process
  • Mitigation strategy
  • Assurance Continuum
  • Certification
  • Self-assessment workshop
  • Control footprint
  • Risk Footprint

20
Standard Tools and Techniques
  • Texas Instruments Brainstorming
  • Excel Workbook powered by Visual Basic Macros
  • The Levels of Control in COSO, a UT creation that
    defines the monitoring responsibilities of each
    employee in the risk management process
  • Three Tier Risk Assessment

21
Assurance Continuum Levels of Control in COSO
Collaborative Assurance (Governance and
Management Control Processes)
Periodic Assurance
I----------I
I----------I
(Governance Control Processes)
I------------ On-going Assurance
------------I (Management Control Processes)
Level 1 Controls (Execution )
Level 3 Controls (Oversight)
Level 2 Controls (Supervisory)
Level 4 Controls (Internal Audit)
Level 4 Controls ( Internal Audit)
Pre-operations design review of on-going assurance
During execution of event or transaction
Immediately after execution of event or
transaction
Soon after execution of event or transaction
Post-operations audit of execution of on-going
assurance
22
Standard Outputs
  • Risk Footprints
  • Control Footprints
  • Monitoring Plans

23
TYPES OF RISK ASSESSMENTS
  • Institution-wide perspective
  • Activity-wide perspective
  • Process detail perspective

24
INSTITUTION-WIDE RISK ASSESSMENT
  • Performed by executive management
  • Defines the major activities the institution
    performs to achieve goals and objectives
  • Identifies the essential processes used in each
    major activity
  • Ranks each process as to impact on achievement of
    goals and objectives and the probability that the
    process will fail to contribute to that
    achievement
  • Provides a road map for allocation of assurance
    resources in the institution (on-going and
    periodic)

25
INSTITUTION-WIDE RISK ASSESSMENT
26
ACTIVITY-WIDE RISK ASSESSMENT
  • Performed by the activity area management team
  • Uses the processes for the activity from the
    Institution-wide Risk Assessment
  • Identifies the major risk areas in each process
  • Ranks the major risk areas as to their impact on
    the achievement of goals and objectives if they
    occur and the probability that they will occur
  • Provides a road map for assurance strategies at
    the activity level and ensures coverage of
    institution-wide critical risks

27
ACTIVITY-WIDE RISK ASSESSMENT
28
PROCESS RISK ASSESSMENT
  • Performed by those employees (managers and staff)
    working in the process
  • Uses the major risk areas from the Activity-wide
    risk assessment
  • Identifies the specific risks that can occur in
    each major risk area in the process
  • Ranks the specific risk for impact on achievement
    of goals and objectives if they occur and the
    probability of their occurrence
  • Provides road map for on-going, daily management
    of risks and for periodic assurance activities

29
PROCESS RISK ASSESSMENT
30
Risk Footprint Usage
  • Management uses the footprint to allocate
    resources to managing risks that can affect the
    achievement of goals and objectives
  • Internal Audit uses the footprint to provide
    governance and executive management with
    appropriate level of assurance on all identified
    risks

31
Control Footprint
32
Control Footprint Usage
  • Identify over- and under-controlled risks
  • Identify marginal or unneeded controls
  • Identify critical controls

33
Monitoring Plan
34
Monitoring Plan Usage
  • Ensure continuous and appropriate management of
    most critical risks
  • Links risk, planned control steps, and evidence
    of execution of control steps
  • Provides a roadmap for audit of the application
    of planned controls

35
Assurance Strategies
  • External Assurance Providers
  • Use where available
  • Internal Audit
  • Traditional Test-of-Transaction Audits on Red
    Risks
  • Analytical procedures on Yellow risks
  • Certifications by Management
  • On all Green and Gray risks

36
External Assurance Providers
  • Compliance officer, CEO, and governance
    function obtain assurance from other assurance
    providers.
  • Accreditation teams (SACS)
  • Regulators
  • External auditors
  • Federal auditors

37
Certifications By Management
  • Criteria is the monitoring plan
  • Responsible party for the risk performs
    self-assessment of application of the monitoring
    plan
  • Responsible party signs a statement regarding the
    proper implementation of the monitoring plan
  • Internal audit selects statistical sample of
    certifications and validates

38
Deciding Which Assurance Strategy To Use
  • Based on
  • significance of the risk
  • prior experience with risk and its
    management
  • availability of cost effective assurance
    strategies
  • confidence level needed

39
How to Implement ERM?
  • Find a champion
  • Designate the catalyst or driver of the
    initiative
  • Develop an Action Plan to Implement Enterprise
    Risk Management
  • Select a simple, universally usable set of tools
  • Involve everyone
  • Train, Train, Train, Train, Train, Train
  • Do the little things right every day

40
Potential Implementation Drivers
  • Compliance Function
  • Infrastructure for risk management is already in
    place
  • Minimizes start-up time
  • Capitalizes on experience and knowledge
  • Internal Audit Function
  • Uses ERM model to build Annual Audit Plan
  • Uses ERM model for individual audit engagements
  • Capitalizes on experience and knowledge

41
Permanent ERM Owner?
  • Budget function
  • Accountability and Management Improvement
    function
  • Compliance function
  • New risk management function

42
Resources
Effective Compliance Systems A Practical Guide
for Educational Institutions Crawford,et al
www.theiia.org
www.COSO.org
www.csa-pdk.com
Email crawfordjd_at_earthlink.net
Write a Comment
User Comments (0)
About PowerShow.com