Board of Visitors
Audit, Compliance, and Risk Committee
March 2, 2017

Audit Department Activities
PROJECT HEALTH CHECKS
[Figure: project health check review areas grouped under six headings: Program Governance, Project Management, Change Management, People, Process, and Technology]
Large programs are inherently risky. A project health check is a feedback loop to sponsors and stakeholders focused on drivers of success:
• Clearly defined goals and measures
• Top management support and attention
• Sufficient resources allocated
• Competent project manager and project team
• Effective communication and decision making
• Risk and issue management
Assurance and Advisory Projects: In Progress as of March 2017 BOV Meeting

| Subject | Areas of Audit Focus | UVA Division |
|---|---|---|
| Ufirst HR Transformation Project Health Check | Program governance; project management; financial management | Pan-University |
| Epic Phase 2 Implementation—Project Health Check | Database security; operational readiness; project management; go-live criteria | Health System |
| IT System Security: Privileged Access | Management of administrative access to key systems | Health System |
| Incident Response: Malware | Ransomware | Health System |
| Medical Center Procurement | Procurement processes and controls | Health System |
| Archive and Special Collections Library | Safeguarding of assets | Academic |
| IT Change Management | General computing controls | Academic |
Other Audit Department Current Priorities

| Topic | Key Tasks |
|---|---|
| FY 18 Audit Planning Process | • Define audit risk universe • Gather stakeholder input • Conduct risk assessment • Develop audit plan for ACR Committee approval in June 2017 |
| Hire and on-board IT Audit Director | Job is posted; candidate pool forming |
| Hire and on-board Health System auditor | Job is posted; candidate pool forming |
University Compliance
Enterprise Risk Management Update
ERM First Year Priorities
• Enhance Board Reporting
• Reposition Program
• Onboard Health System
ERM Priorities Timeline
Timeline dates: Feb. 2016, Mar. 2016, Dec. 2016, Mar. 2017, Jun. 2017
• Academic Division: Develop Risk Management; Adopt ERM Charter; Create Risk Mgmt. Network; Develop Key Risk List/Mitigation
• Health System: Develop Risk Management; Adopt ERM Charter; Create Risk Mgmt. Network; Develop Key Risk List/Mitigation
ERM Key Risk Dashboard – Academic Division
December 2016

| ACADEMIC DIVISION KEY RISKS | EXEC. OWNER |
|---|---|
| RESOURCES - diminished, or loss of, financial resources from major funding sources (e.g., State, Advancement, Research, Endowment) | EVP-COO |
| RESEARCH - research leadership, infrastructure, and funding to adequately support the accomplishment of our research objectives | EVP-Provost; EVP-Health Affairs |
| STATE - concern about whether public policy in the State will continue to be supportive of quality public higher education | President |
| FACULTY - attracting, retaining, and developing a distinguished faculty | EVP-Provost |
| LEADERSHIP – maintaining and renewing a highly skilled and cooperative executive team given the attractive alternatives for the best executives | President |
| EXECUTIVE TRANSITION – preparing for an executive leadership transition and a potential change in the University’s strategic direction | BOV; President |
| IT SECURITY – enhancing cybersecurity in an era of increasing threats | EVP-COO |
| RESOURCE ALLOCATION – developing an optimal process for allocating resources in meeting strategic objectives | EVP-COO |
| ADVANCEMENT – developing a campaign strategy that adequately addresses philanthropic investment, fundraising strategies, and the governance implications of the resulting distribution of resources between the University and foundations | VP for Advancement |
| COMPETITIVE ENVIRONMENT – assessing the University's competitive space in undergraduate, graduate, and professional programs | EVP-Provost; EVP-COO |
| SAFETY – maintaining a safe environment for the University community | VP for Student Affairs |
| INVESTMENTS - stewarding assets particularly related to investable assets | EVP-COO |
ERM Key Risk Dashboard – Health System
March 2017

| HEALTH SYSTEM KEY RISKS | EXEC. OWNER |
|---|---|
| HEALTH REFORM: Government payer reform (Medicare, Medicaid, and ACA) | EVP-Health Affairs |
| STRATEGY: Strategic direction in a changing competitive environment (flexibility around change) | EVP-Health Affairs |
| TALENT MANAGEMENT: Recruitment and retention of key personnel (patient care services positions, research, and leadership) | EVP-Health Affairs |
| ONE SYSTEM: Alignment of Health System entities towards a single system of operation | EVP-Health Affairs |
| QUALITY: Achieving goals for national ranking/patient experience, quality, and care | EVP-Health Affairs |
| RESEARCH: Research leadership, infrastructure and funding to adequately support the accomplishment of our research objectives | EVP-Health Affairs |
| TECHNOLOGY: Technology investment and enablement | EVP-Health Affairs |
| SAFETY: A major quality or safety event | EVP-Health Affairs |
| PARTNERSHIPS: Maximize the benefits of off-grounds partnerships | EVP-Health Affairs |
| FACULTY PRODUCTIVITY: Managing faculty productivity (clinical and research) | EVP-Health Affairs |
Key Risk List Overlap

Academic Division
• Resources
• Research
• State
• Faculty
• Leadership
• Executive Transition
• IT Security
• Resource Allocation
• Advancement
• Competitive Environment
• Safety
• Investments

Health System
• Reform
• Strategy
• Talent Management
• One System
• Quality
• Research
• Technology
• Safety
• Partnerships
• Faculty Productivity
Audit, Compliance, and Risk Committee Agenda

CLOSED SESSION
Discussion of proprietary, business-related information pertaining to the operations of the Medical Center, where disclosure at this time would adversely affect the competitive position of the Medical Center; specifically confidential information and data related to the provision of patient care services, clinical documentation, and reimbursement as well as compliance with federal laws and regulations regarding the delivery and documentation of such care and related to confidentiality and privacy of protected health information, in consultation with legal counsel, as provided for in § 2.2-3711 (A)(22) of the Code of Virginia.

Resume Open Session and Adjourn