Excellence in Risk Management via Enterprise Risk Management. Presentation to: Audit Committee Ashok K. Roy, Ph.D., CIA, CFSA, CBA September 18, 2015


We need to migrate to ERM for a holistic view of risks.

What is ERM? Enterprise Risk Management is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.*

Notes: Several words are highlighted for emphasis: process, strategy, risk appetite, and objectives. Risk can be defined as any issue that impacts the University's ability to meet its objectives. Risks cannot be eliminated, but ERM can enable an institution to manage them more efficiently and effectively.

*Committee of Sponsoring Organizations (COSO). Enterprise Risk Management Integrated Framework: Executive Summary. COSO, New York, 2004.

Ashok K. Roy 2

ERM is a superior approach to the traditional risk approach

Under the traditional model/paradigm, organizations approach risk as a silo or stovepipe: certain kinds of risk are pinpointed and certain executives are charged with managing those risks. This often results in silo leaders lobbying a risk, or categories of multiple risks, to the other silos.

Under the ERM (new) model/paradigm, organizations try to connect the silos and increase communication between them, so as to better recognize where one risk may impact multiple silos.

Traditional vs. ERM approaches (comparison figure)

Examples of a few universities that are using the ERM approach:
University of California system
University of Wisconsin system
University of Colorado system
Illinois State University
University of North Carolina Chapel Hill
North Carolina State University
Maricopa County Community College District
Auburn University
Penn State University
University of Denver
Dartmouth College
Princeton University
Lehigh University

The ERM process in 8 steps (Enterprise Risk Management Process cycle figure):
1. Leadership, Culture and Values
2. Strategic Goals
3. Risk Identification (compile Risk Register)
4. Risk Assessment (via heat map; level of risk tolerance)
5. Response (risk transferred, eliminated, accepted)
6. Internal Controls
7. Information & Communication
8. Monitoring & Measuring

Steps:
Setting the tone at the top with leadership, culture and values.
Establishing context, and the basis for how risk is viewed, with strategic goals.
Identifying risks, or the harm we are trying to avoid.
Assessing risks using a central focus and common language.
Aligning response options with the level of risk.
Documenting internal controls for top risks.
Communicating with stakeholders and implementing response plans.
Monitoring and measuring to ensure responses have been carried out as intended.

ERM focus is on 4 areas:
1. Strategic: high-level goals that are aligned with and support the institution's mission
2. Operational: ongoing management process
3. Financial: protection of the institution's assets
4. Compliance: the institution's adherence to applicable laws and regulations

Reputational risk is often included as a critical higher education risk. However, a serious event in any of the areas listed above can cause reputational risk. In other words, reputation is always at risk, but is not itself a risk.

Hazard risks are generally covered by insurance (e.g. workers' compensation, natural hazards, environmental impairment).

8 components of ERM cut across the 4 areas. For example, there are strategic, operational, reporting, and compliance aspects of the internal environment.
1. Internal environment: the culture, values, and environment in which an institution operates
2. Objective setting: the process that management uses to set its strategic goals and objectives
3. Event identification: internal and external events that could affect an institution's ability to achieve its objectives
4. Risk assessment: assessment of the impact of risks and prioritization of those risks

8 components of ERM cut across the 4 areas (continued)
5. Risk response: how management will respond to the risks an institution faces (e.g., mitigate the risk, or share the risk)
6. Control activities: policies and procedures that an institution establishes to ensure that it responds to risks
7. Information and communication: identification and communication of the right information to the right people
8. Monitoring: monitoring and taking corrective action as needed

To be successful, risk must be managed across the 4 areas, the 8 components, and at each organizational level (i.e., functional unit, department, school, and the institution as a whole).

Assessing Institutional Financial Strength

In May 2015, in the context of our UAF Power Plant bond issue, Moody's affirmed the University's Aa2 credit rating but revised the outlook from stable to negative. The S&P credit rating for the University remains AA- and stable.

Notes: The State of Alaska has been assigned a negative outlook by both rating agencies, Moody's and S&P.

UA will be financially healthy if it:
1. Achieves market leadership, as demonstrated by global reputation and top-ranked programs
2. Increases enrollment
3. Attracts and retains top students and faculty
4. Enhances the diversity of funding sources by having multiple business lines and revenue sources, and low reliance on state support
5. Develops strong donor and community support
6. Maintains access to debt markets at attractive rates by exhibiting a strong balance sheet, prudent debt management, and a sustainable academic business plan

Board needs to be aware of areas of institutional risk

Note: I wish to refer to my presentation on September 19, 2014, titled "Common Issues & Risks for Audit Committee Focus" (attached).
1. Cyber security
2. Aging infrastructure and systems
3. Title IX campus sexual assault
4. Declines in research funding and state support
5. Declining enrollment
6. Inflating costs such as energy and healthcare
7. Philanthropy and investment returns
8. Managing talent
9. Shifts in competition and consumer demand for higher education

What is a Risk Map?

A risk map plots the probability and impact of each risk. It is a good tool for assessing the risks that have been identified and deciding how to respond to them.

In general, there are 4 responses to risk, which are also depicted on the risk map:
Accept
Control
Share
Mitigate and Control

When both the impact and the probability are low (i.e., in the lower left quadrant), institutions would be likely to simply accept the risk. When both the probability and the impact are high (i.e., in the top right quadrant), institutions would be well advised to design controls that would, in totality, reduce the risk to an acceptable level. In this case, management would design appropriate controls under the oversight of the board.
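The quadrant logic above, carried through on a small risk register, as an added example that is not part of the presentation. The 1-to-5 scales, the "high" threshold, and the register entries are constructed sample data. The slides only place "Accept" in the low/low quadrant and "Mitigate and Control" in the high/high quadrant; assigning "Share" to high impact / low probability and "Control" to low impact / high probability is an assumption of this example.

```python
"""Risk map (probability x impact) over a risk register.

Added example, not from the presentation. The 1-5 scales, the threshold and
the register entries are constructed. The slides place 'Accept' in the
low/low quadrant and 'Mitigate and Control' in the high/high quadrant; the
'Share' and 'Control' placements below are this example's assumption.
"""
from dataclasses import dataclass

SCALE_MAX = 5   # probability and impact scored 1..5 (assumed scale)
THRESHOLD = 3   # a score above this counts as "high" (assumed cut-off)


@dataclass
class Risk:
    name: str
    probability: int   # 1 (rare) .. 5 (almost certain)
    impact: int        # 1 (negligible) .. 5 (severe)

    @property
    def score(self) -> int:
        """Simple ranking score: probability times impact."""
        return self.probability * self.impact


def response_for(probability: int, impact: int) -> str:
    """Map a (probability, impact) pair to one of the four responses."""
    for v in (probability, impact):
        if not 1 <= v <= SCALE_MAX:
            raise ValueError(f"score {v} outside 1..{SCALE_MAX}")
    high_p = probability > THRESHOLD
    high_i = impact > THRESHOLD
    if high_p and high_i:
        return "Mitigate and Control"   # top right: design controls, board oversight
    if not high_p and not high_i:
        return "Accept"                 # lower left: accept the risk
    if high_i:
        return "Share"                  # assumed: severe but rare, transfer (e.g. insurance)
    return "Control"                    # assumed: frequent but low impact, routine controls


def rank_register(register):
    """Return (name, score, response) tuples, highest score first."""
    ranked = sorted(register, key=lambda r: r.score, reverse=True)
    return [(r.name, r.score, response_for(r.probability, r.impact)) for r in ranked]


def render_map(register):
    """Text heat map: rows are impact (5 at the top), columns are probability."""
    grid = {(p, i): [] for p in range(1, SCALE_MAX + 1) for i in range(1, SCALE_MAX + 1)}
    for r in register:
        grid[(r.probability, r.impact)].append(r.name)
    lines = []
    for impact in range(SCALE_MAX, 0, -1):
        cells = [",".join(grid[(p, impact)]) or "." for p in range(1, SCALE_MAX + 1)]
        lines.append(f"impact {impact} | " + " | ".join(f"{c:<22}" for c in cells))
    lines.append("           " + " | ".join(f"{'prob ' + str(p):<22}" for p in range(1, SCALE_MAX + 1)))
    return "\n".join(lines)


# Constructed sample register, loosely following the risk areas listed in the slides.
SAMPLE_REGISTER = [
    Risk("Cyber security", 4, 5),
    Risk("Aging infrastructure", 4, 4),
    Risk("Declining enrollment", 3, 4),
    Risk("Energy cost inflation", 5, 2),
    Risk("Minor vendor outage", 2, 2),
    Risk("Research funding decline", 2, 5),
]

if __name__ == "__main__":
    for name, score, resp in rank_register(SAMPLE_REGISTER):
        print(f"{score:>2}  {resp:<20} {name}")
    print(render_map(SAMPLE_REGISTER))
```

The ranking uses probability times impact only to order the register; the response is decided by quadrant, not by score, so two risks with the same score (for instance 5x2 and 2x5) can still call for different responses.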

How is Cyber Risk managed?

(Figure: the Goodman-Lukasik-Rutkowski Model, Public Interest Report 2012, http://fas.org/pubs/pir.) The model groups cyber risk management into four areas, connected by information exchange for analysis and information exchange for actions:
1. Measures for protection
2. Measures for threat detection
3. Measures for remediation
4. Legal remedies

Elements shown in the figure include: intergovernmental agreements and cooperation; indemnification; regulatory/administrative law; criminal law; contractual service agreements and federations; investigation and measure initiation; reputation sanctions; patch development; threat analysis; blacklists and whitelists; real-time data availability; vulnerability notices; data retention and auditing; restricting resources; identity management; encryption/VPNs; resilient infrastructure; state and integrity; routing and resource constraints. Legal remedies provide the basis for actions and may also institute protective measures; detection and remediation measures provide data for analysis and awareness of vulnerabilities and remediations.

What is the Role of the Board?

Setting the correct tone and demonstrating strong commitment to ERM.

Principal benefits of ERM*:
Demonstrates compliance (92%)
Improves organizational performance and efficiency (69%)
Reduces cost of risk (54%)

*AON survey on ERM