Building a Better Business Model
Start with a discussion of Risk
Higher Education Policy Commission Board of Governors Summit
August 2, 2014

Importance of Risk Management
• Enterprise Risk Management (ERM)
  • Commonly used by board members in their day job
  • Equally important in your role on the governing board of your institution
• Higher education governing boards are more likely to take an “as needed” approach
  • A crisis on your campus, a crisis on someone else’s campus, or an announcement of a reduction in funding
• Without a robust ERM process
  • Institutions may be unprepared to address high-priority risks that may endanger strategic plans and institutional mission.
  • Institutions may be unprepared to accept the risk of a bold initiative

What is ERM
• Identifying risk across the entire enterprise
• Assessing the impact of risk to the operations and mission
• Developing and practicing response or mitigation plans; and
• Monitoring the identified risks, holding the risk owner accountable, and consistently scanning for emerging risks.
• Two important points
  • Board members should specifically discourage senior leadership from only bringing positive issues forward and invite discussion about difficult, complex or “sacred cow” issues.
  • Risk management is not an end but a means to the end, with the end being the accomplishment of your institution’s mission.

What has the HEPC Done?
• Various issues at more than one institution
• None or very small internal audit departments at our institutions
• Engaged Protiviti to perform an Internal Audit Risk Assessment
• For this purpose risk is defined as “the possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood”.
• They reviewed risk exposure relating to the organization’s governance, operations and information systems
  • Reliability & integrity of financial & operational information
  • Effectiveness & efficiency of operations & programs
  • Safeguarding of assets; and
  • Compliance with laws, regulations, policies, procedures, & contracts

What has the HEPC Done (cont’d)
• Their process was robust and included interviews of 30+ members of our institutions’ administration
  • Discussion focused on goals and objectives
  • Key success factors to achieve goals and objectives
  • Risks that would threaten the achievement of goals and objectives
  • Events or risks that would threaten or adversely impact the reputation of the institution
  • Critical systems
  • Planned changes in process, people & systems
  • Other areas:
    • Compliance/regulation requirements
    • Decentralized activities
    • Cash management and areas with potential for increased fraud risk
    • Gathering and storing sensitive or non-public information

High Risks Identified
• Construction
  • Absence of documented policies, procedures and controls
  • Risk Type – Operational/Financial Reporting
• Regulatory Compliance
  • Absence of a compliance department that facilitates and monitors compliance creates the risk of fines, penalties, and negative impact on reputation and future grant/other funding
  • Risk Type – Legal & Regulatory/Reputation
• Data Security
  • Lack of policies and procedures related to data security, resulting in increased risk of unauthorized access and, in turn, fines, penalties, lawsuits and reputational harm
  • Risk Type – IT/Reputation

High Risks Identified (cont’d)
• Procurement
  • P-Card issues show the risk of inappropriate use not being detected, resulting in financial loss of the institution’s funds.
  • Risk Type – Operational/Financial Reporting
• Travel and Expense
  • Absence of documented policies, procedures and controls around T&E increases the risk of inappropriate expenditures, resulting in financial loss of the institution’s funds.
  • Risk Type – Governance/Operational/Reputation/Financial Reporting

High Risks Identified (cont’d)
• Campus Security
  • Inadequate policies, procedures and controls around campus security, especially those related to the Campus Security Dept., put students & employees at risk and expose the institutions to reputational and compliance risk
  • Risk Type – Operational/Reputation

Medium Risks Identified
• Financial Reporting
• Grant Reporting and Compliance
• Succession Planning
• Endowment Management
• Records Retention

Next Steps
• Protiviti has developed an Internal Audit Plan around the six high risk areas identified
• The purpose of the audits in these risk areas will be to:
  • Determine the level to which the risk is being mitigated
  • Identify any further action required by the institution to mitigate the risk to an acceptable level.
• Procedures and policies changed, recommended, or deemed appropriate will be shared across the institutions as a way to mitigate the high risk areas identified.
• Who and how the medium risks are audited is yet to be determined.

Best Practices for Boards Re: Risk Management
• Require that management begin the process of developing a risk management system
• Acknowledge that the board, its committees and senior management are responsible for overseeing the process
• Understand that risk management is a process, not a project. That means it gets incorporated into the ongoing work of the full board and its committees
• Agree to question the “sacred cow” aspects of the institution so they can be assessed and managed
• Get risk assessment and review of the annual work plan of the board and its committees. Get away from the “as needed” practice of dealing with risk.