Ohio Department of Higher Education Trustee Conference

Presentation transcript:

1 Ohio Department of Higher Education Trustee Conference
Attorney-Client Privileged
November 9, 2017
Douglas A. Huffner, JD, Sr. Director & Chief Risk Officer, The Ohio State University
Present

2 Housekeeping
- Welcome!
- Relevant Background
- Board of Trustee Goals
- What Happens Here Doesn't Stay Here!

3 Size of Institution: Does It Matter?
What is the difference between a large institution and a not-as-large institution?
- Number of Students
- Number of Colleges
- Number of Buildings
- Number of Researchers
- Number of Staff
- Number of Drivers
- Number of Minors Visiting Your Campus
- Number of Athletes (Scholarship and Non-Scholarship)
- Number of Dollars It Costs to Attend
- Numbers in the Budget
- Number of Policies and Strategic Plans
All numbers. But are the risks different?

4 Making Sense of ERM: Simplicity, Complexity and Relativity
Complexity, Simplicity and Relativity in Higher Education
- Complexity primarily arises out of an institution's numbers and the decentralization of its operations, systems and processes.
- Simplicity arises when you take a rather overwhelming, complex operating environment at face value, understand it as best you can, and manage it using a strong governance framework to support your ERM program.
- Relativity can be as simple as adding or subtracting zeros: same issues, different volume, different velocity.
A fair premise from which to begin?

5 Current State of ERM in Higher Education
- Support and interest level for ERM at the board and senior leadership level continues to be strong. Most institutions have a senior-level executive accountable for the ERM program.
- Primary drivers for ERM programs are board-driven requirements, regulatory requirements, rating agency expectations, and institutional complexity.
- Linkage between ERM and the strategic planning process is an evolving area of focus and a future goal for most institutions.
- New and emerging risks are being identified informally through risk committees, networking with other institutions, and/or monitoring events and trends within the industry.

6 The Committee of Sponsoring Organizations (COSO)
The COSO model defines internal control as "a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance of the achievement of objectives" in the following categories:
1. Effectiveness and efficiency of operations
2. Reliability of financial reporting
3. Compliance with applicable laws and regulations
To assist with implementation of the ERM process, COSO developed the ERM Integrated Framework (2004), also known as the COSO Cube. The cube is an update to the initial COSO I framework developed in 1992.

7 International Organization for Standardization (ISO 31000)
- Provides principles and generic guidelines on risk management.
- Provides a universally recognized paradigm for practitioners and organizations employing risk management processes across different industries, subject matters and regions.
- Risk management is defined here as "a process that provides confidence that planned objectives will be achieved within an acceptable degree of residual risk."

8 ISO 31000 Risk Management Model
Principles:
- Creates University Value
- Integral Part of University Process(es)
- Part of Strategic Decision Making Process
- Explicitly Addresses Uncertainty
- Systematic, Structured and Timely
- Based on Best Available Information
- Tailored to Unit & Organization
- Takes Human and Cultural Factors into Account
- Transparent and Inclusive
- Dynamic, Iterative and Responsive to Change
- Facilitates Continual Improvement and Enhancement of the Organization
Framework:
- Mandate & Commitment from BoT
- Design framework for managing risk
- Implement risk management
- Monitor and review the framework
- Continually improve the framework
Process:
- Establish the Context
- Risk Assessment: Risk Identification, Risk Analysis, Risk Evaluation
- Risk Treatment
- Communicate and Consult (throughout)
- Monitor and Review (throughout)

9 The Changing Focus of Risk Management
Evolution: Transactional (historic) -> Integrated -> Strategic
Historic Risk Management:
- Insurance
- Specific Hazards
- No Internal Audit or Compliance Input
- Separate Safety & Emergency Management
- "Silo" Approach
- Risk Manager = Insurance Buyer

10 Risk Committee Background and Objectives
Background:
- Strategic look at university-wide risk(s) & compliance issues
- Support strategic planning process through execution: identify risks not captured in plans
- Top tier risks lack clarity of ownership and adequacy of planning
- Iterative process
Board Expectations/Mandate:
- Oversight of top tier risks
- Backstop to strategic plans
- Link to scorecards
- Governance process over enterprise ("University") and Compliance risks
Objective: Ensure effective oversight of University risk management practices. Review, assess, and monitor:
- Material risks associated with conducting University business
- Internal risk management processes or systems
- University policies and procedures for risk management
Responsibilities:
- Design guidelines, controls, and other procedures to manage University risks
- Monitor effectiveness of risk management practices
- Recommend and monitor ongoing mitigation strategies
- Periodically review University Risk Assessment and recommend changes
- Other responsibilities as assigned

11 Proposed Review Process
Governance: Proposed Roles
- Board of Trustees: institutional program approval and oversight; mandates ERM to the Executive Leadership Team
- President's Cabinet (Owner): strategic decision-making and top-level oversight
- Operational Owner(s): operational decision-making for the risk mitigation project; leaders with concurrent risk ownership
- Project Leader(s): day-to-day coordination of risk mitigation efforts
- Team: key personnel tasked by Operational Owners; responsible for achieving project deliverables
Proposed Review Process (bottom up):
1. Project Team: propose end state and year 1 goals; driven by Operational Owners
2. Pre-Committee Review: Operational Owners vet proposed goals and plans (optional step: subset of Committee)
3. University Risk Management Committee: review proposed goals and plans; progress reporting
4. President's Cabinet: critical decision-making and resource allocation
5. Board of Trustees: approve process, outputs and timeline at the highest level; mandates full participation and cooperation from all units

12 University Risk Management Committee
The Committee shall assist the President's Cabinet and Board of Trustees in fulfilling their responsibility for oversight of the University's risk management practices and monitoring and control of the University's strategic and compliance risk exposures.
Membership:
- Deputy CFO & Treasurer (Chair)
- Vice Provost, Academic and Strategic Planning
- Associate Vice President, FOD
- Vice President for Operations, Business/Finance
- Vice President & Athletic Director
- Chief Information Officer
- Academic Appointment (Faculty/Senate Fiscal)
- Academic Appointment (University Senate)
- Vice President for Research
- Vice President, Talent, Culture and Human Resources
- Director, Internal Audit
- Senior Vice President for Government Affairs and Counselor to the President
- Advancement Appointment (Vice President of University Communications)
- Vice President and Chief Compliance Officer
- Vice President for Strategic Enrollment Planning
- Senior Director, Chief Risk Officer
- Chief Operating Officer, Medical Center
- Vice President for Student Life
- Associate General Counsel
*On average 17 out of 19 members participate.

13 Risk Categories and Examples (FY2014 Risk Assessment)
Education: Decrease in academic standing, harming ability to attract faculty or students. Examples: academic excellence; tenure/tenure-track faculty; distance learning (MOOCs); falling program support; operational impacts of legislation.
Scholarship: Inability to perform significant academic or scientific research. Examples: research excellence; material drop in research expenditures; loss of gov't or industry funding; conflicts of interest.
Medical: Significant reduction in performance of the Health System and related colleges. Examples: changes to reimbursement; accreditation issues; health care reform; patient care, quality & satisfaction; medical staff training/management.
Student Life: Inability to develop an environment conducive to student life. Examples: material drop in student satisfaction (incl. graduation %); nationally publicized student conduct event; student housing issues.
Advancement: Events impacting the brand, alumni relationships, or Advancement objectives. Examples: awareness/branding; crisis management/public relations failure; alumni relations; regulatory reforms.
Financial: Inability to reach capital, revenue, or cost containment objectives. Examples: loss of gov't funding; investment portfolio losses; accounting breakdown; credit rating downgrade; interest rate risk/exposure.
Talent and Culture: Failure to attract, develop, or retain talent. Examples: leadership development & continuity; retention; workforce planning; employment practices & safety; succession planning.
Information Technology: Inability to store, develop, transmit, or protect data. Examples: IT alignment to strategy; systems and data integrity; IT operations and availability; information security; aging software maintenance & renewal.
Physical Environment: Loss of infrastructure; major event impacting ongoing operations, including campus safety. Examples: protection of physical assets; campus safety/security; campus disruption; traffic safety.
Athletics: Risk of disruption to Athletics operations, including significant NCAA violations. Examples: NCAA sanctions; change in NCAA regulatory approach; adverse event in youth program; communications failure.
Government, Community, and Affiliates: Failure to monitor and develop affiliate relationships. Examples: potential fraud on University by affiliate; nationally publicized reaction to evolving University business model.
Compliance: Failure to meet regulatory, legal, or policy requirements. Examples: federal payor (medical, research); ethics violations; Title IX/Clery Act; EHS and ADA; major investigation; privacy laws (HIPAA, FERPA).

14 Example: Inherent Risk Assessment
[Severity of risk without mitigation]
Key Points:
- Assess Impact based on the highest-rated category
- Assess Likelihood without existing controls or plan
- Inherent risk score = Impact x Likelihood
- Risk Appetite (materiality) approved by BoT Finance Committee
- Velocity Score

15 Control Assessment: Example
[Effectiveness of efforts to mitigate identified risks]
Key Points:
- For opportunity (future) risks, assess planning (not controls)
- Capture evaluation of controls, including trending, in Comments
- Ability to Effectively Manage Velocity

16 Example: Risk Assessment Process
University Risk Assessment
- University experts identified key risks (top down / bottom up) and assigned ratings based on materiality scales. Ratings quantify inherent and residual risk.
- Inherent Risk (severity of risk without mitigation). Impact: degree of financial, reputational, and/or regulatory harm caused. Likelihood: probability of occurrence. Impact Score x Likelihood Score = Inherent Risk.
- Residual Risk. Control Assessment: measure of current controls to mitigate risk. Inherent Risk x Control Assessment = Residual Risk.
Compliance Risks
- Identified critical legal requirements: Regulatory Inventory
- Calculated inherent and residual risk ratings of legal requirements
- Compliance risks addressed through separate Annual Compliance Plan
Finalization of Risk Assessment
- Qualitative adjustments: adjust risk ratings based on internal and external environment. Internal factors (e.g.): University strategy, Internal Audit findings, investigations, changes to operations. External factors (e.g.): educational and economic environment, new or updated regulations and enforcement, significant areas of potential publicity.
- Designation of strategic risks: each team designated certain top risks as strategic. Key factors: multiple/unclear ownership, absence of planning.
- Committee Review. Ownership: number of identified owners; clarity of defined roles in managing risk (distribution of organizational ownership increases risk level). Planning: maturity of planning and metrics.
Risk Assessment is Attorney-Client Privileged.

17 Risk Assessment Process
1. Identified key risks in each category
2. Determined inherent and residual ratings for each risk
3. Ranked risks according to residual rating
4. Qualitative Assessment: adjusted residual ratings based on internal and external environment
5. Identified top risks in each category
6. Determined which top risks should be deemed "strategic" (ownership and planning deemed critical criteria)
7. Re-ranked strategic risks to identify top institutional priorities
*See Appendix

18 Risk Assessment: Strategic Risks
1. Qualitative Assessment: reviewed residual ratings based on environmental factors. Internal factors (e.g.): University/Domain strategy, Internal Audit findings, investigations, changes to operations. External factors (e.g.): educational and economic environment, new or updated regulations and enforcement, significant areas of potential publicity.
2. Identified top risks in each category, based on relative ranking in each domain.
3. Determined which top risks should be deemed "strategic", based on adequacy of planning and clarity of risk ownership.
4. Re-ranked strategic risks to identify top institutional priorities: Tier 1, top priority; Tier 2, secondary priority; Tier 3, strategic risks to be managed by current owner in FY2014.
5. Cross-referenced compliance risks.
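The scoring and tiering steps on slides 16 to 18 (Impact x Likelihood = Inherent, Inherent x Control Assessment = Residual, a qualitative adjustment, top risks per category, then strategic tiering on ownership clarity and adequacy of planning) can be run as a small risk-register program. The example below is added here and is not from the presentation or from Ohio State's program. The 1 to 5 scales, the control-assessment multipliers, the rule that maps the two strategic criteria onto three tiers, the velocity tiebreaker and the sample register entries are all assumptions made for the illustration; the deck does not publish its scales or its register.

```python
"""Risk-register scorer following the slide-deck process (added example).

Assumptions (not from the deck): impact and likelihood on 1-5 scales; the
control assessment is a multiplier between 0.2 (very strong controls) and
1.0 (no effective controls); Tier 1 = ownership unclear AND planning
inadequate, Tier 2 = one of the two, Tier 3 = neither (managed by the
current owner); velocity only breaks ties in the residual ranking.
"""
from dataclasses import dataclass
from typing import Dict, List

# Assumed control-assessment scale: residual = inherent * factor.
CONTROL_FACTOR = {"none": 1.0, "weak": 0.8, "moderate": 0.6,
                  "strong": 0.4, "very strong": 0.2}


@dataclass
class Risk:
    name: str
    category: str
    impact: int             # 1-5, highest-rated harm category (financial/reputational/regulatory)
    likelihood: int         # 1-5, assessed without existing controls or plans
    controls: str           # key into CONTROL_FACTOR
    ownership_clear: bool   # clarity of risk ownership (slide 18, criterion 1)
    planning_adequate: bool # adequacy of planning (slide 18, criterion 2)
    adjustment: float = 0.0 # qualitative adjustment to residual, e.g. +2 for open audit findings
    velocity: int = 1       # 1-5 speed of onset; tiebreaker only in this example

    def __post_init__(self) -> None:
        for field_name in ("impact", "likelihood", "velocity"):
            value = getattr(self, field_name)
            if not 1 <= value <= 5:
                raise ValueError(f"{field_name} must be 1-5, got {value}")
        if self.controls not in CONTROL_FACTOR:
            raise ValueError(f"unknown control assessment {self.controls!r}")

    def inherent(self) -> int:
        """Slide 14: Inherent risk = Impact x Likelihood."""
        return self.impact * self.likelihood

    def residual(self) -> float:
        """Slide 16: Residual = Inherent x Control Assessment, then the
        qualitative adjustment from the environment review."""
        return self.inherent() * CONTROL_FACTOR[self.controls] + self.adjustment


def rank_by_residual(risks: List[Risk]) -> List[Risk]:
    """Highest residual first; faster-onset risks win ties."""
    return sorted(risks, key=lambda r: (r.residual(), r.velocity), reverse=True)


def top_per_category(risks: List[Risk], n: int = 1) -> List[Risk]:
    """Slide 18 step 2: the top n residual-ranked risks in each category."""
    chosen: List[Risk] = []
    ranked = rank_by_residual(risks)
    for category in sorted({r.category for r in risks}):
        chosen.extend([r for r in ranked if r.category == category][:n])
    return rank_by_residual(chosen)


def tier(risk: Risk) -> int:
    """Assumed mapping of the two strategic criteria onto the deck's tiers."""
    gaps = int(not risk.ownership_clear) + int(not risk.planning_adequate)
    return {2: 1, 1: 2, 0: 3}[gaps]


def assess(risks: List[Risk], n_per_category: int = 1) -> Dict[int, List[str]]:
    """Full pass: rank, pick top risks per category, tier them.
    Returns tier -> risk names, each tier ordered by residual."""
    tiers: Dict[int, List[str]] = {1: [], 2: [], 3: []}
    for r in top_per_category(risks, n_per_category):
        tiers[tier(r)].append(r.name)
    return tiers


# Constructed sample register; names echo the deck's categories, values are invented.
REGISTER = [
    Risk("Information security", "Information Technology", 5, 4, "moderate",
         ownership_clear=False, planning_adequate=False, adjustment=2.0, velocity=5),
    Risk("Systems and data integrity", "Information Technology", 3, 3, "weak",
         ownership_clear=True, planning_adequate=True),
    Risk("Minors on campus", "Student Life", 4, 3, "weak",
         ownership_clear=False, planning_adequate=True, velocity=3),
    Risk("Cash flow reduction", "Financial", 5, 2, "strong",
         ownership_clear=True, planning_adequate=True),
    Risk("Title IX / Clery Act", "Compliance", 5, 3, "moderate",
         ownership_clear=True, planning_adequate=False, velocity=4),
    Risk("Campus safety", "Physical Environment", 4, 2, "strong",
         ownership_clear=True, planning_adequate=True),
]

if __name__ == "__main__":
    for r in rank_by_residual(REGISTER):
        print(f"{r.residual():5.1f}  inherent={r.inherent():2d}  {r.category}: {r.name}")
    for level, names in assess(REGISTER).items():
        print(f"Tier {level}: {', '.join(names) or '(none)'}")
```

With n_per_category=1 the second Information Technology entry drops out before tiering even though its residual (7.2) exceeds two of the tiered risks, which is the behaviour slide 18 describes: top risks are chosen within each domain, and only those are tiered. Tiering itself ignores the score and looks only at the two governance criteria, so a high-scoring, well-owned, well-planned risk lands in Tier 3 and stays with its current owner.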

19 Examples of Strategic Risks: Pre-Mitigation Planning View
[Chart: risks plotted by Clarity of Risk Ownership (Strong to Weak) against Adequacy of Planning (Acceptable to Incomplete); listed by residual risk ranking; BoT focus is Tier 1]
Tier 1: Top Risk Priorities
- 18 Parking
- 13 Contracts
- 24 Insurance Losses
- 34 Academic Talent
- 12 Affordable Care Act
- 35 Health Benefits for Animals
- 46 Ethical Violation: Board or Sr Leader
Tier 2: Additional Focus Areas
- 1 Information Security
- 7 Too many Students
- 5 Cash Flow Reduction
- 6 Housing
- 10 Distance Learning
- 19 Nurse Shortage
- 55 Rising Tuition Pressure on Higher Education
- 54 Minors on Campus
Tier 3: Continued Local Management
- 18 Parties
- 13 Football
- 24 Basketball
- 34 GPA
- 12 Trick or Treating
- 35 Class Schedules Too Early
- 46 Speeding Tickets

20 Ongoing Reporting & Engagement
Risk Mitigation Planning phases: Identify Strategic Risks -> Planning -> Evaluation -> Ongoing Reporting & Engagement
Identify Strategic Risks:
- Cabinet and Operational Owners identified
- Project leader assigned based on authority/knowledge
- Project team assembled
Planning:
- Project plan: project leader and team gather feedback and develop the plan
- Project leader ensures appropriate consultation and review
- Operational owner(s) approve plan
- Team defines roles between departments
Evaluation and Ongoing Reporting:
- Ongoing oversight: project leader defines tollgates in the project plan to ensure review of key milestones and decisions
- Ongoing implementation: project leader and team execute the plan
Risk & Compliance Team actions:
- Conduct Risk Assessment (esp. ensure consistency of identification and assessment)
- Assist ownership decisions
- Support operational owners and project leaders in a project management office capacity
- Assist project leader and team in identifying key stakeholders
- Assist project leader in planning; consult during plan development
- Consult in the use of project management tools/methodologies
- Assist coordination of reporting tollgates
- Obtain updates and drive accountability through the University Risk Management Committee
- Provide assistance on plan execution as needed

21 Long-Term Mitigation Planning & Information Security Example
[Timeline: progress plotted over Year 1 through Year 4, with a re-evaluation period at the end of each year. Board of Trustees receives verbal updates at every meeting; written progress reports/scorecards are shared at each meeting in executive session.]
Risk Scope:
- Risk definition
- Key elements of mitigation effort
End State:
- Permanent ownership
- Ongoing management and reporting (testing)
- Mitigation to acceptable level
- Target deadline
- Key dependencies, resources, roles
Year 1 Goal:
- Plan
- Measures of progress
- Accountability
- Key dependencies, resources

22 Tier 1 Risk Mitigation Planning Status
[Status table template]
Columns: Risk | Description | Cabinet Owner(s) | Planning Commitment to Board (Ongoing Cabinet Approval; Project Approved; Projected Mitigation Date) | Current Status (Updates & Resource Needs)
Example row: Risk 1 | Define the risk and scope | President's Cabinet | Accountability | 09/2018 | (updates)
Legend: Red = also identified as Compliance Risk. Status markers: Not Started/Delayed; Delayed/Attention Needed; On Track; Complete.

23 URM: Proposed Board Committee Oversight and Reporting
Board committees and their current topics:
- Academic Affairs and Student Life: Academic Initiatives; Research; Student Life
- Finance: Resource Generation; Controllership; Physical Environment
- Governance: Board Governance; Talent
- Medical Center (if applicable): Health Sciences; Medical Center; James
- Advancement: Fundraising; Alumni Relations; Communications
- Audit & Compliance: Legal; Compliance; Internal Audit
Topical risk alignment (risk categories mapped to the committees above): Strategic & Reputational; Financial; Talent, Culture & Human Resources; Medical; Advancement; Compliance; Research; Physical Environment & Operational; Affiliated Entities; Education & Scholarship; Information Technology; Athletics.
Tier 1 and Tier 2 risk alignment: each Tier 1 and Tier 2 risk is assigned to the committee whose topics it falls under.
Next Steps:
- Finalize reporting schedule to Board Committees
- Integrate risk mitigation planning into strategic planning and Board scorecards

24 Mitigation Effectiveness Ratings

25 What Makes ERM Work?
- Focuses on BoT Mission and Objectives of Higher Education
- Consistent Messaging and Support from the Board of Trustees
- Formalizes Process and Governance
- Preserves and Creates Value
- Emboldens Innovation (Opportunity Risks)
- Enhances Agility and Resilience
- Improves Quality of Strategic Decisions
- Helps in Allocation of Resources / Budgeting
- Empowers Subject Matter Experts
- Improves Stakeholder Confidence and Trust (AM Best, Moody's)

26 The Board of Trustees Enables Achievement of the University's Mission Through ERM Oversight & Support
ERM and its components work to establish the foundation for sound internal control, audit and compliance within the university/college through directed leadership (tone at the top), shared values, and a culture that emphasizes accountability for control.

27 Board of Trustee Role in ERM
- Trustee Involvement and Interest: increasingly, board and committee members share perspectives with their respective institutions and exchange information about other ERM models and programs
- Executive Reporting: require a risk program status report (verbal/written) to executive leadership and oversight committees at every Board meeting
- Link to Strategic Planning: align risk topics to important strategic objectives
- Measure Mitigation Effectiveness: ensure that risk mitigation plans are assessed and reported on regularly
- Attend Risk Committee Meeting: on an annual basis, attend at least one Risk Committee meeting

28 QUESTIONS ?
