State University of New York Enterprise Risk Management


  1. Attachment B
     State University of New York Enterprise Risk Management
     Overview of Current Risk Management Activities & Proposed ERM Framework
     Prepared by the Office of the University Auditor, March 6, 2014

  2. ENTERPRISE RISK MANAGEMENT: Table of Contents
     • Overview of Risk: 3
     • SUNY’s Risk Management Activities: 6
     • Overview of ERM & Current Trends: 10
     • Proposed ERM Framework for SUNY: 13
     • Closing Thoughts: 20

  3. Overview of Risk
     An organization needs to have processes in place to IDENTIFY, ASSESS, and MANAGE its risks and opportunities.

  4. Overview of Risk
     RISKS & OPPORTUNITIES (diagram): Operational, Financial, Compliance, Strategic, Reputational

  5. Overview of Risk and Examples
     • Strategic: Risks that affect SUNY’s ability to achieve its strategic goals and objectives
     • Financial: Risks that may result in a loss of assets
     • Operational: Risks that affect on-going management processes
     • Compliance: Risks that affect compliance with laws, regulations, policies and procedures
     • Reputational: Risks that affect SUNY’s reputation or brand

  6. SUNY’s Risk Management Activities
     SUNY’s Current Risk Management Activities
     • Managed throughout the system by numerous individuals and departments, but no formal, defined process.
     • Ad-hoc responses to events when required.
     • Informal process for assigning roles and responsibilities for various risks and determining risk ownership.
     Examples of SUNY’s Risk Management Activities

  7. SUNY’s Risk Management Activities
     AUDIT FUNCTION
     • Conducts an Annual Risk Assessment (operational and compliance areas).
     • Audit results identify weaknesses in operations and instances of non-compliance.
     COMPLIANCE PROGRAM
     • Compliance Committee – 12 members from key operational and financial areas.
     • Workgroups by key functions – assess laws, regulations, and ethical obligations; and identify and mitigate related risks.
     • Inventory of compliance requirements.
     INTERNAL CONTROL PROGRAM
     • Verifies system of internal controls for key functions (operational controls).
     • Inventory of assessable units to identify and mitigate risks.

  8. SUNY’s Risk Management Activities
     HOSPITAL COMPLIANCE PROGRAMS
     • Required to maintain a compliance program.
     • Includes risk assessment of key activities.
     INFORMATION SECURITY PROGRAM
     • Information Security Guidelines – applies risk management to information and system assets.
     • Incorporates risk analysis that looks for well-known threats.
     ANTI-FRAUD PROGRAM
     • Fraud Policy – sets the tone of zero tolerance for fraud and irregularities and requires campuses to establish hotlines.
     • Fraud Procedure – process may identify risks that are reported to senior management.

  9. SUNY’s Risk Management Activities
     EXTERNAL AUDIT ACTIVITIES
     • Results of external audit activities that identify risks are communicated to the appropriate individuals by the Office of the University Auditor.
     RESPONSE – INTERNAL EVENTS
     • Ad-hoc committees are formed to evaluate appropriateness of response and to assess current related policies and procedures.
     RESPONSE – EXTERNAL EVENTS
     • Ad-hoc committees are formed to evaluate SUNY’s exposure to type of risk identified and to assess current related policies and procedures.

  10. Overview of ERM & Current Trends
     ENTERPRISE RISK MANAGEMENT
     Enterprise Risk Management (ERM) supports the achievement of strategic objectives through the establishment of a formal and continuous process that is designed to identify, assess, and manage risks and opportunities.

  11. Overview of ERM & Current Trends
     WHY ENTERPRISE RISK MANAGEMENT?
     • Assists SUNY in meeting its strategic goals and objectives;
     • Provides an opportunity to coordinate and focus SUNY’s numerous risk management activities;
     • Creates a “risk-aware” culture;
     • Provides a formal mechanism for responding to significant events; and
     • Enhances collaboration and communication throughout the system.

  12. Overview of ERM & Current Trends
     Higher Education Trends
     • Several higher education institutions are employing some form of ERM.
     • Framework varies: stand-alone ERM or ERM incorporated into risk management services, audit services, compliance, or environment, health, and safety office.
     • Several institutions employ a risk officer and have a risk management office.
     • A few institutions have an ERM “policy” – most have statements regarding risk management activities and assignment of responsibility.
     Examples
     University of California
     • Risk Services Office (35 employees).
     • ERM Panel (comprised of 35 senior level officers and directors).
     • Information system for capturing risk management activities.
     • Provide training and resources.
     University of North Carolina
     • Risk Management Services (4 employees).
     • Information System for capturing risk data.
     University of Vermont
     • Chief Risk Officer, President’s Advisory Committee on ERM, ERM Advisory Committee, and Risk Assurance Group.

  13. Proposed ERM Framework for SUNY
     Implementing ERM at SUNY

  14. Proposed ERM Framework for SUNY
     KEY STEPS FOR ESTABLISHING AN ERM FRAMEWORK AT SUNY
     • Assign responsibilities for risk management.
     • Incorporate “risk” and “control” topics into the Compliance Committee and Workgroup Responsibilities. Rename the Compliance Committee and Workgroups to the “Risk, Internal Controls, and Compliance Committee (RICC).”
     • Hire a Risk Management Coordinator at System Administration to coordinate risk management activities within the RICC.

  15. Proposed ERM Framework for SUNY
     KEY STEPS FOR ESTABLISHING AN ERM FRAMEWORK AT SUNY
     • Assign an individual at each campus (internal control coordinator, risk manager, or other) with the responsibility for coordinating risk management activities.
     • Assign a Senior Level Officer to participate in the RICC. This individual will communicate senior level initiatives to the RICC and will also communicate the results of RICC findings and activities to senior level officials.
     • Provide periodic reports on risk management activities to the Audit Committee of the SUNY Board of Trustees.

  16. Proposed ERM Framework for SUNY (organization chart)
     • Audit Committee of the Board of Trustees
     • Chancellor’s Cabinet & Senior Staff
     • RICC Committee
       12 - Chairs and Co-chairs of the RICC Workgroups
       1 - Member of the Chancellor’s Cabinet
     • Risk Management Coordinator; Campus-based Risk Coordinators
     • Director of Compliance; Campus Compliance Efforts
     • Internal Control Officer; Campus Internal Control Officers
     • RICC Workgroups
       1 - Employment-Related & HR
       2 - Finance/Procurement
       3 - Student-Related
       4 - Environmental Health & Safety
       5 - Research
       6 - Healthcare
       7 - International
       8 - Information Technology & Systems

  17. Proposed ERM Framework for SUNY
     MANAGING THE PROCESS
     RICC Committee and Workgroup Responsibilities Related to ERM
     • Develops the risk management framework;
     • Determines risk ownership;
     • Evaluates the results of risk assessments;
     • Proposes strategies for managing and responding to key risks;
     • Communicates the results of risk management activities to the Chancellor and Board of Trustees.
     Diagram: RICC Committee at the center, surrounded by the workgroups: Employment-Related & HR; Finance & Procurement; Information Technology & Systems; Research; International; Environmental Health & Safety; Healthcare; Student-Related.

  18. Proposed ERM Framework for SUNY
     Risk Management Coordinator - Drives the Process
     • Communicates results of risk activities to the campuses.
     • Coordinates risk activities with RICC Committee.
     • Coordinates risk activities with compliance, audit, and internal control offices.
     • Prepares reports on risk activities.
     • Assists in developing responses to key risks.
     • Maintains risk inventory.
     • Provides risk training and resources to SUNY community.

  19. Proposed ERM Framework for SUNY
     Campus-based Risk Managers (Alternative – Internal Control Officers)
     • Reports risk management activities to the Risk Management Coordinator.
     • Aligns Campus risk management activities with SUNY’s ERM Program.
     • Coordinates risk management activities.
     • Ensures departmental units are identifying, analyzing, and managing risks.
     • Communicates identified risks from other sources to appropriate Campus departments.
     • Provides training and resources to Campus employees on risk management.

  20. Closing Thoughts
     Key steps to implement an ERM framework include:
     1. Developing a policy that sets the tone for SUNY’s commitment to risk management, internal controls, and compliance.
     2. Implementing procedures that outline the framework, assign responsibilities for key activities, and define risk reporting relationships.
     3. Communicating SUNY’s ERM framework to the SUNY system.
     4. Providing training on risk management across the SUNY system.
     EVERYONE IS INVOLVED IN ENTERPRISE RISK MANAGEMENT
