State University of New York Enterprise Risk Management Overview of - - PowerPoint PPT Presentation



SLIDE 1

Prepared by the Office of the University Auditor March 6, 2014

State University of New York Enterprise Risk Management

Overview of Current Risk Management Activities & Proposed ERM Framework

Attachment B

SLIDE 2

ENTERPRISE RISK MANAGEMENT Table of Contents


  • Overview of Risk: 3
  • SUNY’s Risk Management Activities: 6
  • Overview of ERM & Current Trends: 10
  • Proposed ERM Framework for SUNY: 13
  • Closing Thoughts: 20

SLIDE 3

ENTERPRISE RISK MANAGEMENT Overview of Risk


An Organization needs to have processes in place to IDENTIFY, ASSESS, and MANAGE its risks and opportunities.

SLIDE 4

ENTERPRISE RISK MANAGEMENT Overview of Risk

RISKS & OPPORTUNITIES

Strategic Financial Operational Compliance Reputational

SLIDE 5

ENTERPRISE RISK MANAGEMENT Overview of Risk and Examples

  • Strategic: Risks that affect SUNY’s ability to achieve its strategic goals and objectives
  • Financial: Risks that may result in a loss of assets
  • Operational: Risks that affect on-going management processes
  • Compliance: Risks that affect compliance with laws, regulations, policies and procedures
  • Reputational: Risks that affect SUNY’s reputation or brand

SLIDE 6

ENTERPRISE RISK MANAGEMENT SUNY’s Risk Management Activities


SUNY’S Current Risk Management Activities

  • Managed throughout the system by numerous individuals and departments, but no formal, defined process.
  • Ad-hoc responses to events when required.
  • Informal process for assigning roles and responsibilities for various risks and determining risk ownership.

Examples of SUNY’s Risk Management Activities

SLIDE 7

ENTERPRISE RISK MANAGEMENT SUNY’s Risk Management Activities

AUDIT FUNCTION

  • Conducts an Annual Risk Assessment (operational and compliance areas).
  • Audit results identify weaknesses in operations and instances of non-compliance.

COMPLIANCE PROGRAM

  • Compliance Committee – 12 members from key operational and financial areas.
  • Workgroups by key functions – assess laws, regulations, and ethical obligations; and identify and mitigate related risks.

  • Inventory of compliance requirements.

INTERNAL CONTROL PROGRAM

  • Verifies system of internal controls for key functions (operational controls).
  • Inventory of assessable units to identify and mitigate risks.

SLIDE 8

ENTERPRISE RISK MANAGEMENT SUNY’s Risk Management Activities

HOSPITAL COMPLIANCE PROGRAMS

  • Required to maintain a compliance program.
  • Includes risk assessment of key activities.

INFORMATION SECURITY PROGRAM

  • Information Security Guidelines – applies risk management to information and system assets.

  • Incorporates risk analysis that looks for well-known threats.

ANTI-FRAUD PROGRAM

  • Fraud Policy – sets the tone of zero tolerance for fraud and irregularities and requires campuses to establish hotlines.
  • Fraud Procedure – process may identify risks that are reported to senior management.

SLIDE 9

ENTERPRISE RISK MANAGEMENT SUNY’s Risk Management Activities

EXTERNAL AUDIT ACTIVITIES

  • Results of external audit activities that identify risks are communicated to the appropriate individuals by the Office of the University Auditor.

RESPONSE – INTERNAL EVENTS

  • Ad-hoc committees are formed to evaluate appropriateness of response and to assess current related policies and procedures.

RESPONSE – EXTERNAL EVENTS

  • Ad-hoc committees are formed to evaluate SUNY’s exposure to the type of risk identified and to assess current related policies and procedures.

SLIDE 10

ENTERPRISE RISK MANAGEMENT Overview of ERM & Current Trends

ENTERPRISE RISK MANAGEMENT

Enterprise Risk Management (ERM) supports the achievement of strategic objectives through the establishment of a formal and continuous process that is designed to identify, assess, and manage risks and opportunities.

SLIDE 11

ENTERPRISE RISK MANAGEMENT Overview of ERM & Current Trends


WHY ENTERPRISE RISK MANAGEMENT?

  • Assists SUNY in meeting its strategic goals and objectives;
  • Provides an opportunity to coordinate and focus SUNY’s numerous risk management activities;
  • Creates a “risk-aware” culture;
  • Provides a formal mechanism for responding to significant events; and
  • Enhances collaboration and communication throughout the system.

SLIDE 12

ENTERPRISE RISK MANAGEMENT Overview of ERM & Current Trends

Higher Education Trends

  • Several higher education institutions are employing some form of ERM.
  • Framework varies: stand-alone ERM or ERM incorporated into risk management services, audit services, compliance, or environment, health, and safety office.
  • Several institutions employ a risk officer and have a risk management office.
  • A few institutions have an ERM “policy” – most have statements regarding risk management activities and assignment of responsibility.

Examples

University of California

  • Risk Services Office (35 employees).
  • ERM Panel (comprised of 35 senior level officers and directors).
  • Information system for capturing risk management activities.
  • Provide training and resources.

University of North Carolina

  • Risk Management Services (4 employees).
  • Information System for capturing risk data.

University of Vermont

  • Chief Risk Officer, President’s Advisory Committee on ERM, ERM Advisory Committee, and Risk Assurance Group.

SLIDE 13

ENTERPRISE RISK MANAGEMENT Proposed ERM Framework for SUNY


Implementing ERM at SUNY

SLIDE 14

ENTERPRISE RISK MANAGEMENT Proposed ERM Framework for SUNY

KEY STEPS FOR ESTABLISHING AN ERM FRAMEWORK AT SUNY

  • Assign responsibilities for risk management.
  • Incorporate “risk” and “control” topics into the Compliance Committee and Workgroup Responsibilities. Rename the Compliance Committee and Workgroups to the “Risk, Internal Controls, and Compliance Committee (RICC).”
  • Hire a Risk Management Coordinator at System Administration to coordinate risk management activities within the RICC.

SLIDE 15

ENTERPRISE RISK MANAGEMENT Proposed ERM Framework for SUNY

KEY STEPS FOR ESTABLISHING AN ERM FRAMEWORK AT SUNY

  • Assign an individual at each campus (internal control coordinator, risk manager, or other) with the responsibility for coordinating risk management activities.
  • Assign a Senior Level Officer to participate in the RICC. This individual will communicate senior level initiatives to the RICC and will also communicate the results of RICC findings and activities to senior level officials.
  • Provide periodic reports on risk management activities to the Audit Committee of the SUNY Board of Trustees.

SLIDE 16

ENTERPRISE RISK MANAGEMENT Proposed ERM Framework for SUNY


  • Audit Committee of the Board of Trustees
  • Chancellor’s Cabinet & Senior Staff
  • RICC Committee
  • 12 - Chairs and Co-chairs of the RICC Workgroups
  • 1 - Member of the Chancellor’s Cabinet
  • Risk Management Coordinator
  • Director of Compliance
  • Internal Control Officer
  • Campus-based Risk Coordinators
  • Campus Compliance Efforts
  • Campus Internal Control Officers

RICC Workgroups

  • 1 - Employment-Related & HR
  • 2 - Finance/Procurement
  • 3 - Student-Related
  • 4 - Environmental Health & Safety
  • 5 - Research
  • 6 - Healthcare
  • 7 - International
  • 8 - Information Technology & Systems

SLIDE 17

ENTERPRISE RISK MANAGEMENT Proposed ERM Framework for SUNY

RICC Committee

  • Employment-Related & HR
  • Finance & Procurement
  • Information Technology & Systems
  • Research
  • International
  • Environmental Health & Safety
  • Healthcare
  • Student-Related

MANAGING THE PROCESS

RICC Committee and Workgroup Responsibilities Related to ERM

  • Develops the risk management framework;
  • Determines risk ownership;
  • Evaluates the results of risk assessments;
  • Proposes strategies for managing and responding to key risks;
  • Communicates the results of risk management activities to the Chancellor and Board of Trustees.

SLIDE 18

ENTERPRISE RISK MANAGEMENT Proposed ERM Framework for SUNY

Risk Management Coordinator - Drives the Process

  • Coordinates risk activities with the campuses.
  • Coordinates risk activities with compliance, audit, and internal control offices.
  • Maintains risk inventory.
  • Provides risk training and resources to the SUNY community.
  • Assists in developing responses to key risks.
  • Prepares reports on risk activities.
  • Communicates results of risk activities to the RICC Committee.

SLIDE 19

ENTERPRISE RISK MANAGEMENT Proposed ERM Framework for SUNY

Campus-based Risk Managers (Alternative – Internal Control Officers)

  • Reports risk management activities to the Risk Management Coordinator.
  • Aligns Campus risk management activities with SUNY’s ERM Program.
  • Coordinates risk management activities.
  • Ensures departmental units are identifying, analyzing, and managing risks.
  • Communicates identified risks from other sources to appropriate Campus departments.
  • Provides training and resources to Campus employees on risk management.

SLIDE 20

ENTERPRISE RISK MANAGEMENT Closing Thoughts

Key steps to implement an ERM framework include:

1. Developing a policy that sets the tone for SUNY’s commitment to risk management, internal controls, and compliance.
2. Implementing procedures that outline the framework, assign responsibilities for key activities, and define risk reporting relationships.
3. Communicating SUNY’s ERM framework to the SUNY system.
4. Providing training on risk management across the SUNY system.


EVERYONE IS INVOLVED IN ENTERPRISE RISK MANAGEMENT