The Enterprise Risk Management Process in Higher Education - PowerPoint PPT Presentation
1
The Enterprise Risk Management Process in Higher Education
  • Presented By
  • David B. Crawford, CIA, CPA, CCSA
  • Justina Crawford, MA, BME
  • JDEnterprises, crawfordjd@earthlink.net

2
Topics
  • What is Risk Management? What is Enterprise Risk
    Management (ERM)?
  • Why Implement ERM in Higher Education
  • Components of ERM Process
  • How to Implement ERM
  • Who Should be the Permanent ERM Owner

3
What is Risk Management?
  • A process that defines how the institution
      • Identifies risks to the achievement of goals and
        objectives
      • Measures the significance of each identified risk
      • Determines the most appropriate business response
        to each risk
      • Evaluates and reports on how well the chosen
        responses are carried out

4
Characteristics of the Risk Management Process
  • Requires an allocation of resources (people,
    funds, time)
  • Is defined by policies and procedures
  • Is an integral part of both the strategic and
    day-to-day operations of the institution
  • Is designed to provide reasonable
    (cost-effective) assurance that the institution
    can successfully accomplish its mission

5
What is Enterprise Risk Management (ERM)?
  • It is an institution-wide or holistic approach to
    the risk management process.
  • In the USA, the recognized institution-wide risk
    management model is the COSO Enterprise Risk
    Management Framework.

6
COSO ERM Characteristics
  • A continuous, proactive and systematic process to
    understand, manage, and communicate risk from an
    institution-wide perspective.

7
COSO ERM Components
8
ERM is Management 101
9
Why Implement ERM? The Big Picture
  • IT IS SIMPLY GOOD BUSINESS, and

10
Why Implement ERM? Specific Drivers
  • US Sentencing Guidelines for Organizations
    (Compliance)
  • Sarbanes-Oxley Act of 2002 (Financial Reporting)
  • Transparency and Accountability (Operations and
    Strategic)
  • Quick response to new initiatives such as the
    Governor's Fraud Initiative

11
Benefits of ERM (1 of 2)
  • Reduce the incidence of serious negative
    surprises
  • Quickly identify emerging risks and problem areas
    before they escalate and cause serious harm
  • Respond to expectations of regulators,
    stakeholders, and others.
  • Make risk and controls understandable
  • Provide a simple, uniform methodology that is
    applicable in all environments

12
Benefits of ERM (2 of 2)
  • Need to enhance accountability and communication
  • Need to continuously eliminate unnecessary
    controls and add needed controls.
  • Need to reduce response time for emerging risks
  • Need to focus efforts on important issues and
    concerns.

13
Impact on Higher Education Institutions
  • University of Michigan: Chief Urologist charged with
    conflict of interest; $100,000 penalty, 1 year probation
  • Thomas Jefferson University: Medicare over-billing; $12 mil
  • University of Minnesota: Misuse of federal grants; $32 mil
  • University of South Florida: Improper research costing;
    $4.1 mil
  • Johns Hopkins: Effort reporting; $2.6 mil
  • Stanford University: Inflated research overhead costs;
    $1.2 mil
  • Yale University: Medical credit balances; $5.6 mil
  • University of Chicago: Research fraud and abuse; $650,000
  • Duke University: Sexual harassment; $0.5 mil
  • Northwestern University: Effort reporting fraud; $5.5 mil
  • University of Washington: Billing fraud whistleblower;
    $35 mil
  • Columbia University: Hazardous waste violations; $800,000
    penalty sought
  • University of Texas Component Institution: Medical
    billing; $20 mil
  • Duke University: Medicare fraud; millions sought
14
ERM: It will change your organizational culture
15
What Changes?
  • Ownership of risk and controls
  • Questioning before acting
  • Two-way communication
  • Bad as well as good news
  • Rapid response to changes
  • Rapid response to failures in risk management

16
Components of an ERM Process
  • Standard risk management methodology
  • Common risk language
  • Standard tools and techniques
  • Standard outputs
  • Common assurance strategies

17
The Assurance Continuum
The UT-developed risk management methodology
18
The Assurance Continuum: ERM Principles
  • Risk management is the responsibility of every
    employee.
  • Assurance regarding the management of risks is
    provided by employees, first line supervisors,
    middle and upper managers, and internal auditors.
  • Risk management and risk assurance activities are
    based upon risk self-assessments performed at
    every level of the organization.

19
Common Risk Language Examples
  • Business risk
  • Impact
  • Probability/likelihood
  • Monitoring plan
  • On-going assurance
  • Periodic assurance
  • Goals and objectives
  • Level 1 Controls
  • Level 2 Controls
  • Level 3 Controls
  • Level 4 Controls
  • Process
  • Mitigation strategy
  • Assurance Continuum
  • Certification
  • Self-assessment workshop
  • Control footprint
  • Risk Footprint

20
Standard Tools and Techniques
  • Texas Instruments Brainstorming
  • Excel Workbook powered by Visual Basic Macros
  • The Levels of Control in COSO, a UT creation that
    defines the monitoring responsibilities of each
    employee in the risk management process
  • Three Tier Risk Assessment

21
Assurance Continuum: Levels of Control in COSO
[Diagram, reconstructed as text. Collaborative Assurance
(Governance and Management Control Processes) spans the whole
timeline; Periodic Assurance (Governance Control Processes)
covers the two ends and On-going Assurance (Management Control
Processes) covers the middle, in execution order:]
  • Level 4 Controls (Internal Audit): pre-operations design
    review of on-going assurance
  • Level 1 Controls (Execution): during execution of event or
    transaction
  • Level 2 Controls (Supervisory): immediately after execution
    of event or transaction
  • Level 3 Controls (Oversight): soon after execution of event
    or transaction
  • Level 4 Controls (Internal Audit): post-operations audit of
    execution of on-going assurance
22
Standard Outputs
  • Risk Footprints
  • Control Footprints
  • Monitoring Plans

23
TYPES OF RISK ASSESSMENTS
  • Institution-wide perspective
  • Activity-wide perspective
  • Process detail perspective

24
INSTITUTION-WIDE RISK ASSESSMENT
  • Performed by executive management
  • Defines the major activities the institution
    performs to achieve goals and objectives
  • Identifies the essential processes used in each
    major activity
  • Ranks each process as to impact on achievement of
    goals and objectives and the probability that the
    process will fail to contribute to that
    achievement
  • Provides a road map for allocation of assurance
    resources in the institution (on-going and
    periodic)

25
INSTITUTION-WIDE RISK ASSESSMENT
26
ACTIVITY-WIDE RISK ASSESSMENT
  • Performed by the activity area management team
  • Uses the processes for the activity from the
    Institution-wide Risk Assessment
  • Identifies the major risk areas in each process
  • Ranks the major risk areas as to their impact on
    the achievement of goals and objectives if they
    occur and the probability that they will occur
  • Provides a road map for assurance strategies at
    the activity level and ensures coverage of
    institution-wide critical risks

27
ACTIVITY-WIDE RISK ASSESSMENT
28
PROCESS RISK ASSESSMENT
  • Performed by those employees (managers and staff)
    working in the process
  • Uses the major risk areas from the Activity-wide
    risk assessment
  • Identifies the specific risks that can occur in
    each major risk area in the process
  • Ranks the specific risks for impact on achievement
    of goals and objectives if they occur and the
    probability of their occurrence
  • Provides a road map for on-going, daily management
    of risks and for periodic assurance activities

29
PROCESS RISK ASSESSMENT
30
Risk Footprint Usage
  • Management uses the footprint to allocate
    resources to managing risks that can affect the
    achievement of goals and objectives
  • Internal Audit uses the footprint to provide
    governance and executive management with
    appropriate level of assurance on all identified
    risks

31
Control Footprint
32
Control Footprint Usage
  • Identify over- and under-controlled risks
  • Identify marginal or unneeded controls
  • Identify critical controls

33
Monitoring Plan
34
Monitoring Plan Usage
  • Ensures continuous and appropriate management of
    the most critical risks
  • Links risk, planned control steps, and evidence
    of execution of control steps
  • Provides a roadmap for audit of the application
    of planned controls

35
Assurance Strategies
  • External Assurance Providers
      • Use where available
  • Internal Audit
      • Traditional Test-of-Transaction Audits on Red
        Risks
      • Analytical procedures on Yellow risks
  • Certifications by Management
      • On all Green and Gray risks

36
External Assurance Providers
  • Compliance officer, CEO, and governance
    function obtain assurance from other assurance
    providers:
      • Accreditation teams (SACS)
      • Regulators
      • External auditors
      • Federal auditors

37
Certifications By Management
  • The criteria are the monitoring plan
  • Responsible party for the risk performs
    self-assessment of application of the monitoring
    plan
  • Responsible party signs a statement regarding the
    proper implementation of the monitoring plan
  • Internal audit selects statistical sample of
    certifications and validates

38
Deciding Which Assurance Strategy To Use
  • Based on
      • significance of the risk
      • prior experience with the risk and its
        management
      • availability of cost-effective assurance
        strategies
      • confidence level needed

39
How to Implement ERM?
  • Find a champion
  • Designate the catalyst or driver of the
    initiative
  • Develop an Action Plan to Implement Enterprise
    Risk Management
  • Select a simple, universally usable set of tools
  • Involve everyone
  • Train, Train, Train, Train, Train, Train
  • Do the little things right every day

40
Potential Implementation Drivers
  • Compliance Function
      • Infrastructure for risk management is already in
        place
      • Minimizes start-up time
      • Capitalizes on experience and knowledge
  • Internal Audit Function
      • Uses ERM model to build Annual Audit Plan
      • Uses ERM model for individual audit engagements
      • Capitalizes on experience and knowledge

41
Permanent ERM Owner?
  • Budget function
  • Accountability and Management Improvement
    function
  • Compliance function
  • New risk management function

42
Resources
Effective Compliance Systems: A Practical Guide
for Educational Institutions, Crawford et al.
www.theiia.org
www.COSO.org
www.csa-pdk.com
Email: crawfordjd@earthlink.net