
Ohio Department of Higher Education Trustee Conference

Ohio Department of Higher Education Trustee Conference. Attorney-Client Privileged. November 9, 2017. Douglas A. Huffner, JD, Sr. Director & Chief Risk Officer, The Ohio State University, 2012 - Present.





Presentation Transcript


  1. Ohio Department of Higher Education Trustee Conference. Attorney-Client Privileged. November 9, 2017. Douglas A. Huffner, JD, Sr. Director & Chief Risk Officer, The Ohio State University, 2012 - Present

  2. Housekeeping • Welcome! • Relevant Background • Board of Trustees Goals • What Happens Here Doesn’t Stay Here!

  3. Size of Institution – Does It Matter? • What’s the difference between a large institution and a not-as-large institution? • Number of Students • Number of Colleges • Number of Buildings • Number of Researchers • Number of Staff • Number of Drivers • Number of Minors Visiting Your Campus • Number of Athletes – Scholarship and Non-Scholarship • Number of Dollars it Costs to Attend • Numbers in the Budget • Number of Policies and Strategic Plans • All Numbers – But are the risks different?

  4. Making Sense Of ERM - Simplicity, Complexity & Relativity • Complexity, Simplicity and Relativity in Higher Education • Complexity primarily arises out of an Institution’s Numbers and the Decentralization of its Operations, Systems and Processes • Simplicity arises when you take a rather overwhelming, complex operating environment on its face, understand it as best as you can, and manage it using a strong Governance Framework to Support your ERM Program • Relativity can be as simple as just adding or subtracting zeros – Same Issues. Different Volume. Different Velocity. • A fair premise from which to begin?

  5. Current State of ERM in Higher Education • Support and interest level for ERM at the board and senior leadership level continues to be strong. Most institutions have a senior-level executive accountable for the ERM program • Primary drivers for ERM programs are board-driven requirements, regulatory requirements, rating agency expectations, and institutional complexity • Linkage between ERM and the strategic planning process is an evolving area of focus and a future goal for most institutions • New and emerging risks are being identified informally through risk committees, networking with other institutions, and/or monitoring events and trends within the industry.

  6. The Committee of Sponsoring Organizations (COSO) The COSO model defines internal control as “a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance of the achievement of objectives” in the following categories: 1. Effectiveness and efficiency of operations 2. Reliability of financial reporting 3. Compliance with applicable laws and regulations To assist with the implementation of the ERM process, COSO developed the ERM Integrated Framework (2004), also known as the COSO Cube. This cube is an update to the initial COSO I framework developed in 1992.

  7. International Organization for Standardization (ISO 31000) • Provides principles and generic guidelines on risk management. Provides a universally recognized paradigm for practitioners and organizations employing risk management processes across different industries, subject matters and regions. • Defined as “a process that provides confidence that planned objectives will be achieved within an acceptable degree of residual risk.”

  8. ISO 31000 Risk Management Model
  Principles: • Creates University Value • Integral Part of University Process(es) • Part of Strategic Decision Making Process • Explicitly Addresses Uncertainty • Systematic, Structured and Timely • Based on Best Available Information • Tailored to Unit & Organization • Takes Human and Cultural Factors into Account • Transparent and Inclusive • Dynamic, Iterative and Responsive to Change • Facilitates Continual Improvement and Enhancement of the Organization
  Framework: • Mandate & Commitment from BoT • Design framework for managing risk • Implement risk management • Monitor and review the framework • Continually improve the framework
  Process: • Establish the Context • Risk Assessment (Risk Identification, Risk Analysis, Risk Evaluation) • Risk Treatment • Communicate and Consult (throughout) • Monitor and Review (throughout)

  9. The Changing Focus of Risk Management (progression: Historic, Transactional, Integrated, Strategic) Historic Risk Management: • Insurance • Specific Hazards • No Internal Audit or Compliance Input • Separate Safety & Emergency Management • “Silo” Approach • Risk Manager = Insurance Buyer

  10. Risk Committee Background and Objectives
  Background: • Strategic look at university-wide risk(s) & compliance issues • Support strategic planning process through execution: identify risks not captured in plans • Top tier risks lack: Clarity of Ownership and Adequacy of Planning • Iterative process
  Board Expectations/Mandate: • Oversight of top tier risks • Backstop to strategic plans • Link to scorecards • Governance process over enterprise (“University”) and Compliance risks
  Objective: • Ensure effective oversight of University risk management practices • Review, assess, and monitor: Material risks associated with conducting University business; Internal risk management processes or systems; University policies and procedures for risk management
  Responsibilities: • Design guidelines, controls, and other procedures to manage University risks • Monitor effectiveness of risk management practices • Recommend and monitor ongoing mitigation strategies • Periodically review University Risk Assessment and recommend changes • Other responsibilities as assigned

  11. Governance Proposed Roles • Board of Trustees: Institutional program approval and oversight; Mandate ERM to Executive Leadership Team • President’s Cabinet Owner: Strategic decision-making and top-level oversight • Operational Owner(s): Operational decision-making for risk mitigation project; Leaders with concurrent risk ownership • Project Leader(s): Day-to-day coordination of risk mitigation efforts • Team: Key personnel tasked by Operational Owners; Responsible for achieving project deliverables (Diagram: Proposed Review Process, with Board of Trustees and President’s levels)

  12. University Risk Management Committee The Committee shall assist the President’s Cabinet and Board of Trustees in fulfilling its responsibility for oversight of the University’s risk management practices and monitoring and control of the University’s strategic and compliance risk exposures.
  Membership: • Vice Provost Academic and Strategic Planning • Vice President for Operations – Business/Finance • Academic Appointment (Faculty/Senate Fiscal) • Vice President Talent, Culture and Human Resources • Advancement Appointment (Vice President of University Communications) • Vice President for Strategic Enrollment Planning • Chief Operating Officer, Medical Center • Academic Appointment (University Senate) • Vice President for Student Life • Associate General Counsel • Deputy CFO & Treasurer (Chair) • Associate Vice President, FOD • Vice President & Athletic Director • Chief Information Officer • Vice President for Research • Director, Internal Audit • Senior Vice President for Government Affairs and Counselor to the President • Vice President and Chief Compliance Officer • Senior Director, Chief Risk Officer
  * On average 17 out of 19 members participate

  13. FY2014 Risk Assessment Risk Categories and Examples
  Medical: • Significant reduction in performance of the Health system and related colleges • Changes to reimbursement • Accreditation issues • Health Care Reform • Patient care, quality & satisfaction • Medical staff training / management
  Education: • Decrease in academic standing, harming ability to attract faculty or students • Academic excellence • Tenure/tenure track faculty • Distance learning (MOOCs) • Falling program support • Operational impacts of legislation
  Student Life: • Inability to develop an environment conducive to student life • Material drop in student satisfaction (incl. graduation %) • Nationally publicized student conduct event • Student housing issues
  Advancement: • Events impacting the brand, alumni relationships, or Advancement objectives • Awareness/Branding • Crisis management / public relations failure • Alumni relations • Regulatory reforms
  Scholarship: • Inability to perform significant academic or scientific research • Research excellence • Material drop in research expenditures • Loss of gov’t or industry funding • Conflicts of interest
  Financial: • Inability to reach capital, revenue, or cost containment objectives • Loss of gov’t funding • Investment portfolio losses • Accounting breakdown • Credit rating downgrade • Interest rate risk/exposure
  Physical Environment: • Loss of infrastructure; major event impacting ongoing operations, including campus safety • Protection of physical assets • Campus safety/security • Campus disruption • Traffic Safety
  Athletics: • Risk of disruption to Athletics operations, including significant NCAA violations • NCAA sanctions • Change in NCAA regulatory approach • Adverse event in youth program • Communications failure
  Compliance: • Failure to meet regulatory, legal, or policy requirements • Federal payor (medical, research) • Ethics violations • Title IX/Clery Act • EHS and ADA • Major investigation • Privacy laws (HIPAA, FERPA)
  Information Technology: • Inability to store, develop, transmit, or protect data • IT alignment to strategy • Systems and data integrity • IT operations and availability • Information security • Aging software maintenance & renewal
  Government, Community, and Affiliates: • Failure to monitor and develop affiliate relationships • Potential fraud on University by affiliate • Nationally publicized reaction to evolving University business model
  Talent and Culture: • Failure to attract, develop, or retain talent • Leadership development & continuity • Retention • Workforce planning • Employment practices & safety • Succession planning

  14. Example - Inherent Risk Assessment [Severity of risk without mitigation] • Key Points: • Assess Impact based on highest rated category • Assess likelihood without existing controls or plan • Inherent risk score = Impact x Likelihood • Risk Appetite Approved by BoT Finance Committee – Materiality • Velocity Score

  15. Control Assessment - Example [Effectiveness of efforts to mitigate identified risks] • Key Points: • For opportunity (future) risks, assess planning (not controls) • Capture evaluation of controls, including trending, in Comments • Ability to Effectively Manage Velocity

  16. Example - Risk Assessment Process
  University Risk Assessment (University Experts): • Identified key risks – Top Down / Bottom Up • Assigned ratings based on materiality scales • Ratings quantify inherent and residual risk
  Inherent Risk (severity of risk without mitigation): • Impact: degree of financial, reputational, and/or regulatory harm caused • Likelihood: probability of occurrence • Impact Score x Likelihood Score = Inherent Risk
  Residual Risk: • Control Assessment: measure of current controls to mitigate risk • Inherent Risk x Control Assessment = Residual Risk
  Compliance Risks: • Identified critical legal requirements: Regulatory Inventory • Calculated inherent and residual risk ratings of legal requirements • Compliance risks addressed through separate Annual Compliance Plan
  Finalization of Risk Assessment – Qualitative adjustments: • Adjust risk ratings based on internal and external environment • Internal factors (e.g.): University strategy; Internal Audit findings; Investigations; Changes to operations • External factors (e.g.): Educational and economic environment; New or updated regulations and enforcement; Significant areas of potential publicity
  Designation of strategic risks: • Each team designated certain top risks as strategic • Key factors: multiple/unclear ownership, absence of planning
  Committee Review: • Ownership: Number of identified owners; clarity of defined roles in managing risk; Distribution of organizational ownership increases risk level • Planning: maturity of planning and metrics
  Risk Assessment is Attorney-Client Privileged

  17. Risk Assessment Process • Identified key risks in each category • Determined inherent and residual ratings for each risk • Ranked risks according to residual rating Qualitative Assessment • Adjusted residual ratings based on internal and external environment • Identified top risks in each category • Determined which top risks should be deemed “strategic” • Ownership and planning deemed critical criteria • Re-ranked strategic risks to identify top institutional priorities *See Appendix

  18. Risk Assessment: Strategic Risks Qualitative Assessment • 2. Identified top risks in each category (based on relative ranking in each domain) • 3. Determined which top risks should be deemed “strategic” (based on adequacy of planning and clarity of risk ownership) • Re-ranked strategic risks to identify top institutional priorities: Tier 1: top priority; Tier 2: secondary priority; Tier 3: strategic risks to be managed by current owner in FY2014 • Cross referenced compliance risks • Reviewed residual ratings based on environmental factors: Internal factors (e.g.): University/Domain strategy; Internal Audit findings; Investigations; Changes to operations. External factors (e.g.): Educational and economic environment; New or updated regulations and enforcement; Significant areas of potential publicity

  19. Examples of Strategic Risks: Pre-Mitigation Planning View (Chart: numbered strategic risks plotted by Clarity of Risk Ownership, Strong to Weak, against Adequacy of Planning, Acceptable to Incomplete, and grouped into Tier 1, Tier 2 and Tier 3; listed by Residual Risk Ranking; BoT Focus – Tier 1)

  20. Risk Mitigation Planning
  Evaluation: • Identify Strategic Risks • Cabinet and Operational Owners identified • Project leader assigned based on authority/knowledge • Project team assembled
  Planning: • Project plan: project leader and team gather feedback and develop the plan • Project leader ensures appropriate consultation and review • Operational owner(s) approve plan • Team defines roles between departments
  Ongoing Reporting & Engagement: • Ongoing oversight: project leader defines tollgates in project plan to ensure review of key milestones and decisions • Ongoing implementation: project leader and team execute plan
  Risk & Compliance Team Actions: • Conduct Risk Assessment (esp. ensure consistency of identification and assessment) • Assist ownership decisions • Support operational owners and project leaders in project management office capacity • Assist project leader and team in identifying key stakeholders • Assist project leader in planning • Consult during plan development • Consult in the use of project management tools/methodologies • Assist coordination of reporting tollgates • Obtain updates and drive accountability through University Risk Management Committee • Provide assistance on plan execution as needed

  21. Long-Term Mitigation Planning & Information Security Example (Timeline: Progress over Year 1 through Year 4, with a Re-Evaluation Period between each year; Board of Trustees verbal updates every meeting; *written progress reports/scorecards shared at each meeting in executive session)
  Risk Scope: • Risk definition • Key elements of mitigation effort • Key dependencies • Resources
  Year 1 Goal: • Target deadline • Key dependencies • Resources • Roles • Plan • Measures of progress • Accountability
  End State: • Permanent ownership • Ongoing management and reporting (Testing) • Mitigation to acceptable level

  22. Tier 1 Risk Mitigation Planning Status (Table: columns Planning, Commitment to Board, Current Status; legend: On Track, Complete, Delayed/Attention Needed, Not Started/Delayed; Red: Also identified as Compliance Risk)

  23. URM: Proposed Board Committee Oversight and Reporting
  Board Committee and Current Topics: • Academic Affairs and Student Life: Academic Initiatives; Research; Student Life • Finance: Resource Generation; Controllership; Physical Environment • Medical Center (If Applicable): Health Sciences; Medical Center; James • Advancement: Fundraising; Alumni Relations; Communications • Audit & Compliance: Legal; Compliance; Internal Audit • Governance: Board Governance; Talent
  Topical Risk Alignment: Strategic & Reputational; Financial; Talent, Culture & Human Resources; Compliance; Medical; Advancement; Physical Environment & Operational; Research; Affiliated Entities; Education & Scholarship; Information Technology; Athletics
  Tier 1 and 2 Risk Alignment: (Table mapping each Tier 1 and Tier 2 risk to a Board Committee)
  Next Steps: • Finalize reporting schedule to Board Committees • Integrate risk mitigation planning into strategic planning and Board scorecards

  24. Mitigation Effectiveness Ratings

  25. What Makes ERM Work? • Focuses on BoT Mission and Objectives of Higher Education • Consistent Messaging and Support from the Board of Trustees • Formalizes Process and Governance • Preserves and Creates Value • Emboldens Innovation – Opportunity Risks • Enhances Agility and Resilience • Improves Quality of Strategic Decisions • Helps in Allocation of Resources / Budgeting • Empowers Subject Matter Experts • Improves Stakeholder Confidence and Trust (AMBest, Moody’s)

  26. Board of Trustees Allows for the Achievement of a University’s Mission Through ERM Oversight & Support ERM and its Components work to establish the foundation for sound internal control/audit/compliance within the university/college through directed leadership (tone at the top), shared values and a culture that emphasizes accountability for control.

  27. Board of Trustees Role in ERM • Trustee Involvement and Interest – Increasingly, board and committee members share perspectives with their respective institutions, and exchange information about other ERM models and programs • Executive Reporting – Require risk program status report (verbal / written) to executive leadership and oversight committees at every Board meeting • Link to Strategic Planning – Align risk topics to important strategic objectives • Measure Mitigation Effectiveness – Ensure that risk mitigation plans are assessed and reported on regularly • Attend Risk Committee Meeting – On an Annual basis, attend at least 1 Risk Committee Meeting

  28. QUESTIONS?
