Start with a discussion of Risk - West Virginia Higher Education

Building a Better
Business Model
Start with a discussion of Risk
Higher Education Policy Commission
Board of Governors Summit
August 2, 2014
Importance of Risk Management
• Enterprise Risk Management (ERM)
• Commonly used by board members in their day job
• Equally important in your role on the governing board of your
• Higher Education Governing boards are more likely to take an “as
needed” approach
• A crisis on your campus, a crisis on someone else’s campus, or an
announcement of a reduction in funding
• Without a robust ERM process
• Institutions may be unprepared to address high-priority risks that
may endanger strategic plans and institutional mission.
• Institutions may be unprepared to accept the risk of a bold initiative
What is ERM
Identifying risk across the entire enterprise
Assessing the impact of risk to the operations and mission
Developing and practicing response or mitigation plans; and
Monitoring the identified risks, holding the risk owner
accountable, and consistently scanning for emerging risks.
• Two Important points
• Board members should specifically discourage senior leadership form
only bringing positive issues forward and invite discussion about
difficult, complex or “sacred cow” issues.
• Risk Management is not an end but a means to the end, with the end
being the accomplishment of your Institution’s Mission.
What has the HEPC Done?
Various issues at more than one Institution
None or very small Internal audit departments at our Institutions
Engaged Protiviti to perform an Internal Audit Risk Assessment
For this purpose risk is defined as “the possibility of an event
occurring that will have an impact on the achievement of objectives.
Risk is measured in terms of impact and likelihood”.
• They reviewed risk exposure relating to the organization’s
governance, operations and information systems
Reliability & integrity of financial & operational information
Effectiveness & efficiency of operation & programs
Safeguarding of assets; and
Compliance with laws, regulations, policies, procedures, &
What has the HEPC Done (cont’d)
• Their process was robust and included interviews of 30+
members of our Institutions’ Administration
Discussion focused on goals and objectives
Key success factors to achieve goals and objectives
Risks that would threaten the achievement of goals and objections
Events or risks that would threaten or adversely impact the
reputation of the institution
• Critical systems
• Planned changes in process, people & systems
• Other areas:
Compliance/regulation requirements
Decentralize activities
Cash management and areas with potential for increase fraud risk
Gathering and storing sensitive or non-public information
High Risks Identified
• Construction
• Absence of documented policies, procedure, controls
• Risk Type—Operational Financial Reporting
• Regulatory Compliance
• Absence of compliance departments that facilitates and monitors
Compliance creates risk of fines, penalties, negative impact on
reputation and future grant/other funding
• Risk Type-Legal & Regulatory/Reputation
• Date Security
• Lack of policies and procedures related to date security, resulting in increased
risk of unauthorized access, resulting in fines, penalties, lawsuits and
• Risk Type- IT/Reputation
High Risks Identified (cont’d)
• Procurement
• P-Card issues shows the risk of inappropriate use not being
detected resulting in financial loss of the institutions funds.
• Risk Type – Operational/Financial Reporting
• Travel and Expense
• Absence of documented policies, procedure, and controls around
T&E increases the risk of inappropriate expenditures resulting
in financial loss of the Institutions funds.
• Risk Type- governance/operational/reputation/financial reporting
High Risks Identified (cont’d)
• Campus Security
• Inadequate policies, procedure and controls around campus
security especially related to the Campus Security Dept. put the
students & employees at risk and exposes the Institutions to
reputational and compliance risk
• Risk Type – Operational/Reputation
Medium Risk Identified
Financial reporting
Grant Reporting and Compliance
Succession Planning
Endowment Management
Records Retention
Next Steps
• Protiviti has developed an Internal Audit Plan around the six
high risk areas identified
• The purpose of the audits in these risk areas will be to:
• Determine the level to which the risk is being mitigated
• Any further action required by the Institution to mitigate the risk
to an acceptable level.
• Procedures and policies changed, recommended, deemed
appropriate will be shared across the institutions as a way to
mitigate the high risk areas identified.
• Who and how the medium risks are audited is yet to be
Best Practices for Boards Re: Risk Management
• Require that management begin the process of developing a
Risk Management System
• Acknowledge that the board, its committees and senior
management are responsible for overseeing the process
• Understanding that Risk Management is a process, not a
project. That means it gets incorporated into the ongoing
work of the of the full board and its committees
• Agree to question the “sacred cows” aspects of the institution
so they can be assess and managed
• Get risk assessment and review of the annual work plan of the
board and its committee. Get away from the “as needed”
practice of dealing with risk.

similar documents