©2015 The Advisory Board Company | eab.com
ERM Frameworks: Structure, Board of Regents/Trustees Involvement, and Impact
Business Affairs Forum
RESEARCH BRIEF
LEGAL CAVEAT
The Advisory Board Company has made efforts to verify
the accuracy of the information it provides to members.
This report relies on data obtained from many sources,
however, and The Advisory Board Company cannot
guarantee the accuracy of the information provided or
any analysis based thereon. In addition, The Advisory
Board Company is not in the business of giving legal,
medical, accounting, or other professional advice, and
its reports should not be construed as professional
advice. In particular, members should not rely on any
legal commentary in this report as a basis for action,
or assume that any tactics described herein would be
permitted by applicable law or appropriate for a given
member’s situation. Members are advised to consult
with appropriate professionals concerning legal,
medical, tax, or accounting issues, before implementing
any of these tactics. Neither The Advisory Board
Company nor its officers, directors, trustees, employees
and agents shall be liable for any claims, liabilities, or
expenses relating to (a) any errors or omissions in this
report, whether caused by The Advisory Board
Company or any of its employees or agents, or sources
or other third parties, (b) any recommendation or
graded ranking by The Advisory Board Company, or
(c) failure of member and its employees and agents to
abide by the terms set forth herein.
The Advisory Board is a registered trademark of The
Advisory Board Company in the United States and other
countries. Members are not permitted to use this
trademark, or any other Advisory Board trademark,
product name, service name, trade name, and logo,
without the prior written consent of The Advisory Board
Company. All other trademarks, product names, service
names, trade names, and logos used within these
pages are the property of their respective holders. Use
of other company trademarks, product names, service
names, trade names and logos or images of the same
does not necessarily constitute (a) an endorsement by
such company of The Advisory Board Company and its
products and services, or (b) an endorsement of the
company or its products or services by The Advisory
Board Company. The Advisory Board Company is not
affiliated with any such company.
IMPORTANT: Please read the following.
The Advisory Board Company has prepared this report
for the exclusive use of its members. Each member
acknowledges and agrees that this report and the
information contained herein (collectively, the “Report”)
are confidential and proprietary to The Advisory Board
Company. By accepting delivery of this Report, each
member agrees to abide by the terms as stated herein,
including the following:
1. The Advisory Board Company owns all right, title
and interest in and to this Report. Except as stated
herein, no right, license, permission or interest of
any kind in this Report is intended to be given,
transferred to or acquired by a member. Each
member is authorized to use this Report only to
the extent expressly authorized herein.
2. Each member shall not sell, license, or republish this
Report. Each member shall not disseminate or
permit the use of, and shall take reasonable
precautions to prevent such dissemination or use of,
this Report by (a) any of its employees and agents
(except as stated below), or (b) any third party.
3. Each member may make this Report available solely
to those of its employees and agents who (a) are
registered for the workshop or membership program
of which this Report is a part, (b) require access to
this Report in order to learn from the information
described herein, and (c) agree not to disclose this
Report to other employees or agents or any third
party. Each member shall use, and shall ensure
that its employees and agents use, this Report for
its internal use only. Each member may make a
limited number of copies, solely as adequate for use
by its employees and agents in accordance with the
terms herein.
4. Each member shall not remove from this Report any
confidential markings, copyright notices, and other
similar indicia herein.
5. Each member is responsible for any breach of its
obligations as stated herein by any of its employees
or agents.
6. If a member is unwilling to abide by any of the
foregoing obligations, then such member shall
promptly return this Report and all copies thereof
to The Advisory Board Company.
Business Affairs Forum
Brittany Coppola
Research Associate
Anna Krenkel
Senior Research Manager
Table of Contents
1) Executive Overview (p. 4)
   Key Observations (p. 4)
2) ERM Frameworks: Structure and Responsibilities (p. 5)
   Institutions Create Frameworks (p. 5)
   Common Risk Categories (p. 7)
   ERM Reporting Structure (p. 8)
3) Board of Regents/Trustees Involvement in ERM (p. 10)
   Presenting ERM Activity to the Board (p. 10)
4) Institutional Assessment of ERM Impact (p. 12)
   Measuring ERM Impact (p. 12)
   Implement Change (p. 13)
5) Research Methodology (p. 14)
   Project Challenge (p. 14)
   Project Sources (p. 15)
   Research Parameters (p. 15)
Networking Contacts (p. 16)
1) Executive Overview
Key Observations
Most institutions create and use their own ERM frameworks to best meet the
needs of a higher education institution. Contacts indicate that the COSO and ISO
31000 risk management frameworks do not readily translate to the higher education
industry because they are rooted in corporate business principles. Only contacts at
East Carolina University use the ISO 31000 framework because of its rigor, which
they transitioned to after years of modifying an internally developed framework.
The five major risk categories at profiled institutions include compliance,
finance, reputation, strategy, and operations. As with ERM frameworks, the risk
categories that ERM staff develop as part of the ERM framework are unique to each
institution. For example, North Carolina State University is the only profiled
institution to include drones and Greek life as risk areas.
The university risk officer or ERM director oversees ERM activity. The
university risk officer or ERM director typically reports to the vice chancellor of finance
and administration, who then reports to the board of regents/trustees. The university
risk officer or ERM director assigns each risk a risk owner in the department most
closely associated with the risk, and the risk officer or ERM director and risk owner
collaborate to develop a risk mitigation plan. It is also the responsibility of the risk
owner to document the stated controls.
Institutions typically engage with the board of regents/trustees at least
once annually, as the board of regents/trustees often has final approval
over risk mitigation strategies or changes to the risk management
process. Presentations of ERM activity to the board range from ad hoc to highly
systematized; the University of Georgia System has the most robust presentation
requirements, which include biannual PowerPoint presentations to the full board and
submission of supporting documents before the meeting to allow board members time
to prepare questions.
Measuring the impact of ERM is anecdotal and remains a growth opportunity
for most institutions. Contacts at the Georgia Institute of Technology cite that
identifying a risk, assigning it a risk owner, and developing a risk mitigation plan are
sufficient evidence to count as successful ERM. Risk directors at East Carolina State
University use the RIMS Risk Maturity Model (RMM), a free risk assessment tool, to
measure the impact of their ERM framework.
Incorporate feedback from ERM risk owners or the risk council (i.e., mid-level
managers from across the institution who review ERM processes) to
construct an action plan for incorporating changes to ERM. The risk owner is
integral to creating changes to the ERM process because they provide the necessary
feedback to determine the success of a risk mitigation strategy for eliminating or
mitigating the assigned risk. At the Georgia Institute of Technology,
administrators developed a campus-wide wellness initiative in response to
recommendations from the risk owner charged with mitigating student health and
safety risks.
2) ERM Frameworks: Structure and Responsibilities
Institutions Create Frameworks
Risk Management Staff Create Their Own ERM Frameworks
Administrators at all but one of the profiled institutions created and implemented
ERM frameworks unique to their institutions. Contacts indicate that traditional ERM
frameworks (e.g., ISO 31000, COSO) cannot be copied and directly implemented for
use by higher education institutions because they were originally intended for
corporate use in for-profit environments.
Administrators at East Carolina State University initially created and implemented
a unique ERM framework, but eventually adopted the ISO 31000 framework after
several years of changes and iterations to their original ERM framework (which they
based on Arthur J. Gallagher & Company’s report, “Road to Implementation:
Enterprise Risk Management for Colleges and Universities”). Contacts indicate that
concerns about the rigor of the framework and its ability to reflect institutional growth
led to this transition.
ERM Framework Blueprint: Arthur J. Gallagher & Company (1)
Phase 1: Survey the institution’s situation and from these factors prepare a case
statement for ERM.
Phase 2: Set the foundation to build, embed, and sustain an ERM process
(includes step 11).
Phase 3: Implement risk identification and risk evaluation, and take action in
priority areas.
Phase 4: Sustain your ERM program.
1. Understand the institution’s plans, environment, and culture.
2. Determine the status of existing risk management processes.
3. State goals and objectives.
4. Present the case for implementing ERM.
5. Present the case for implementing ERM.
6. Name an ERM leader.
7. Plan the project and create a timeline.
8. Select/design an ERM framework that fits the institution’s goals and culture.
9. Create a cross-functional risk council.
10. Create a mission and goals statement for the risk council.
11. Develop a shared vocabulary and definitions.
12. Develop a risk portfolio.
13. Assess, validate, and prioritize risks.
14. Assign ownership and take action.
15. Assess results.
16. Meet and report.
17. Review and align risk treatment with available sources.
18. Do not neglect traditional risk management functions.
19. Review any ERM framework you have chosen to follow.
20. Develop an institution-wide system for communicating.
1) McLaughlin, John et al. Road to Implementation: Enterprise Risk Management for Colleges and Universities. Arthur J. Gallagher &
Company. 1 September 2015. http://www.ajg.com/.
ERM Framework and Process: University of Georgia System (2)
Step 1: Establish ERM Framework
  Actions:
    A. Identify project champion
    B. Identify project owner
    C. Establish steering committee
  Execution:
    A. Project champion is the chancellor/president, who provides support to the
       process
    B. Project owner is a senior-level official who provides oversight of ERM
       implementation
    C. Steering committee consists of executive/senior-level officials who represent
       key organizational areas
Step 2: Identify Key Objectives
  Actions:
    A. List key objectives
    B. Prioritize objectives
    C. Select objectives for assessment
  Execution:
    A. Steering committee identifies strategic objectives
    B. Steering committee uses a ranking system to select top objectives
    C. Steering committee selects 4 to 6 top objectives for initial risk assessment
Step 3: Identify Key Risks
  Actions:
    A. Brainstorm and assess risks; assign risks of 4 or higher to a risk owner
  Execution:
    A. Steering committee conducts initial risk assessment through calculation of
       risk impact without consideration of current controls or mitigation strategies
Step 4: Manage Risks
  Actions:
    A. Identify controls and mitigation requirements
    B. Develop mitigation plan for key risks
    C. Conduct quarterly meetings to review status
    D. Repeat steps 2 through 4 for additional objectives
  Execution:
    A. Risk owners identify current controls or mitigation plans, or other actions
       the institution has taken to reduce risk
    B. Risk owners develop mitigation plans for risks ranked 4 or higher
    C. Steering committee holds quarterly meetings to approve and review status of
       risk owner mitigation plans
    D. Steering committee incorporates new risks into the ERM process as current
       risks are mitigated
2) Internal Audit and Compliance. Enterprise Risk Management. “Detailed Presentation on the ERM Program.” University of Georgia System.
8 September 2015. http://www.usg.edu/audit/documents/ERM_Presentation.pdf.
Common Risk Categories
Common ERM Risk Categories Include Compliance, Finance, Reputation, Strategy,
and Operations
Administrators at profiled institutions develop risk categories in one of two ways:
1) Hire a consulting agency to assess risks (contacts at the Georgia Institute of
Technology hired an external consulting firm);
2) Create five to seven broad risk categories based on common patterns and themes
of proposed risks.
Creating Risk Categories
Step 1: Propose and collate risks.
  Administrators at Pennsylvania State University asked 54 campus leaders “what
  keeps you awake at night?” to gather diverse perspectives about risk facing the
  entire campus.
Step 2: Funnel proposed risks into broad categories by grouping risks with overlap
and similarities.
  Administrators at the Georgia Institute of Technology took several hundred
  proposed risk factors and grouped them into 40 risk areas.
Step 3: Prioritize determined risks.
  After funneling down top risk areas, create five to seven broad risk categories
  and assign remaining proposed risks to a category; prioritize risks according to
  urgency.
Main Risk Categories at Profiled Institutions
Profiled institutions: East Carolina State University, Georgia Institute of
Technology, North Carolina State University, Pennsylvania State University, and
University of Georgia System. The top five risk categories are the most common
across profiled institutions.
Category                       Profiled institutions listing it
Compliance                     4 of 5
Finance                        3 of 5
Reputation                     3 of 5
Strategy                       3 of 5
Operations                     3 of 5
Campus security                1 of 5
Cyber security                 1 of 5
Faculty retention              1 of 5
Admissions and recruitment     1 of 5
Fraternities and sororities    1 of 5 (North Carolina State University)
Drones                         1 of 5 (North Carolina State University)
Title IX                       1 of 5
Academic                       1 of 5
Injuries                       1 of 5
Fundraising                    1 of 5
To prioritize risks and determine which to address first, the Compliance and Risk
Management Network at the Georgia Institute of Technology scores risks.
Risk Rubric at the Georgia Institute of Technology (3)
Impact
  High: Impairs achievement of strategic goals; substantial financial costs; damage
  to reputation; requires intervention
  Medium: Creates inefficiencies; fines, minor injuries, or moderate losses may result
  Low: Results in warning or reprimand; little effect on the institute
Likelihood
  High: Probability of risk occurrence > 75%; risk will occur frequently and
  predictably
  Medium: Probability of risk occurrence between 50% and 75%; risk will occur
  unpredictably
  Low: Probability of risk occurrence less than 50%
Velocity
  High: May occur in 0 to 3 years
  Medium: May occur in 4 to 6 years
  Low: May occur in 7 to 10 years
3) Compliance and Risk Management Network. Legal Affairs and Risk Management. Georgia Institute of Technology. 9 September 2015.
http://larm.gatech.edu/compliance-and-risk-management-network.
ERM Reporting Structure
The University Risk Officer or Director Leads ERM
The university risk officer typically reports to the vice chancellor of administration and
finance or the president. Although the reporting structures differ at all profiled
institutions, most hierarchies contain a chancellor/president, a board of regents, and
risk owners.
The ERM department is housed under the office of the corporate controller at
Pennsylvania State University.
ERM Reporting Structure at the Georgia Institute of Technology (4, 5)
Board of Regents: Approves ERM strategy and additional resources needed to
execute risk mitigation plans.
Vice Chancellor or President: Senior leader responsible for reporting ERM activity
to the board; oversees ERM process management.
ERM Director: Manages the Compliance and Risk Management Network.
Compliance and Risk Management Network: Composed of 20 members from
administration and finance, the provost’s office, and student life; examines
campus-wide risks.
Compliance Partner’s Group (CPG): Composed of 40 administrators who are
responsible for department-level compliance operations.
Policy Steering Committee: Vets new policy proposals and manages policy reviews.
ERM is housed under the system-wide internal audit unit.
4) Compliance and Risk Management Network. Legal Affairs and Risk Management. Georgia Institute of Technology. 9 September 2015.
http://larm.gatech.edu/compliance-and-risk-management-network.
5) Compliance Partner’s Group. Legal Affairs and Risk Management. Georgia Institute of Technology. 9 September 2015.
http://larm.gatech.edu/compliance-partners-group
3) Board of Regents/Trustees Involvement in ERM
Presenting ERM Activity to the Board
Engage at Least Once Annually with the Board of Regents/Trustees
The ERM director or the board of trustees’ internal audit and risk committee updates
the full board of regents/trustees about ERM activity at least once per year at most
profiled institutions, either through scheduled presentations or ad hoc discussions.
Board of Regents/Trustees Engagement at Profiled Institutions
(arranged along a spectrum from ad hoc to systematized)
Georgia Institute of Technology: ERM staff engage with the board of regents when
the board requests an update on ERM.
North Carolina State University: ERM staff have made at least one presentation to
the board of regents but do not meet with the board on a regular basis.
Pennsylvania State University: Board members participate in committees, and the
audit and risk committee includes a sub-committee that focuses only on risk issues.
This sub-committee meets three to six times per year to discuss how the university
is managing risk. When the sub-committee deems a risk to be high priority, it
assigns the risk a board-level risk owner. For example, the sub-committee assigned
the dean of students as the “alcohol” risk owner; the dean then makes a
presentation to academic and student affairs staff members about alcohol risk
management.
University of Georgia System: The executive director for enterprise risk management
makes semiannual presentations to the board of trustees regarding the status of ERM
at each institution in the system. Board members sit on committees, and the
internal audit, risk, and compliance committee meets monthly to discuss risk
management.
East Carolina State University: A board of trustees audit committee exists to review
risk, audit, and compliance. The assistant vice chancellor for enterprise risk
management liaises with this committee, which communicates ERM activity to the
full board of trustees.
ERM Staff or Board Risk Committees Present ERM Activity to the Board of
Regents/Trustees
At both the Georgia Institute of Technology and East Carolina State University,
the ERM director updates the board of trustees’ internal audit committee about ERM
activity. It is then the responsibility of the internal audit committee to convey this
information to the full board.
At Pennsylvania State University, the risk manager is responsible for
presentations to the board of regents/trustees, and he or she chooses the format and
modality of presentation. The University of Georgia System has the most robust
board of trustees/regents presentation requirements: the executive director for ERM
reports to the board biannually via a PowerPoint presentation of five to 10 slides. The
executive director of ERM also creates supporting documentation (e.g., audit reports,
risk mitigation/control reports), which is distributed to the board between two and
four weeks before the meeting so members have time to review the information in
advance. This presentation lasts 30 minutes, and there is time for board Q&A
afterward.
Contacts at East Carolina State University recommend the following strategies for
optimal communication and engagement about ERM with a university’s board
members:
Strategies to Engage with the Board of Regents/Trustees
• Assess the backgrounds and career fields of board members.
  Identify members in business sectors where risk management practices are
  established and leverage board ERM experiences where possible (e.g., invite a
  board member to address the university risk committee or steering group).
• Assemble a packet of ERM materials that explains ERM and outlines the
  institution’s approach.
  Be sure to cite research to build credibility with the board. This strategy is
  especially impactful for newly appointed board members not well acquainted
  with ERM.
• Establish an “ERM cycle” that includes a standard reporting format.
  A standard template for reports and conveying information according to a
  schedule will acclimate board members to expect information about ERM.
• Propose a mini-class on ERM.
  If the board has an annual retreat or other opportunity to discuss each year’s
  agenda, use this time to educate board members about ERM in higher
  education.
4) Institutional Assessment of ERM Impact
Measuring ERM Impact
Use Anecdotal Evidence and the Risk Maturity Model (RMM) to Measure the Impact
of ERM
Assessing the impact of ERM remains a growth opportunity at institutions, as the
impact of ERM is primarily assessed through anecdotal evidence from risk owners. At
the Georgia Institute of Technology ERM is successful if the following questions
regarding a risk can be answered:
• Has the risk been identified?
• Has a risk owner been assigned or agreed to take ownership of the risk?
• Is there a mitigation plan in place for the risk in question (created by the risk
owner)?
At the University of Georgia System the goal is not to mitigate all risk, but instead
to mitigate risks to an acceptable level.
In addition to asking risk management staff to provide anecdotal evidence of ERM
impact, contacts at East Carolina State University use the RIMS Risk Maturity
Model (RMM), through which the risk manager taking the assessment receives a
score that determines whether their ERM framework is meeting expectations.
RIMS RMM for ERM: 7 Attributes Covered in the Assessment (6)
This assessment is free and risk officers can complete it in 30 minutes.
• Uncovering Risk: Examines the quality of risk information collected.
• Root Cause Discipline: Determines the extent to which an organization links a
  risk to its root causes and source processes.
• Risk Appetite Management: Includes the level of accountability for risk, defining
  appropriate risk tolerances, and closing the gap between perceived and actual
  risk.
• ERM Process Management: Analyzes how well the risk management program
  identifies, assesses, evaluates, mitigates, and monitors risks.
• ERM-Based Approach: Measures the degree of executive support for ERM,
  integration across processes, and risk communication.
• Performance Management: Determines the degree to which an organization
  executes on its vision and strategy.
• Business Resiliency and Stability: Evaluates the extent to which sustainability
  plans are integrated into the Enterprise Risk Management process.
6) Source: Risk Management Society. RIMS Risk Maturity Model. RIMS RMM for ERM. 2 September 2015.
http://riskmaturitymodel.com/rims-risk-maturity-model-rmm-for-erm/.
Implement Change
Use Feedback from ERM Risk Owners or the Risk Council to Construct an Action
Plan for ERM Change Management
Contacts at profiled institutions use anecdotal feedback from the risk manager or the
risk council to make necessary changes to the ERM process. At the University of
Georgia and the Georgia Institute of Technology the risk owner is an integral
part of creating and managing changes to the ERM process and framework.
ERM Change Management at the Georgia Institute of Technology
1. Risk Owner: The risk owners make an annual presentation to the ERM network
   regarding the controls they have selected to mitigate their assigned risk.
2. ERM Network: The ERM network asks the risk owners to document a risk
   mitigation plan; the ERM network adds recommended actions to this document.
3. President’s Cabinet: The ERM network presents an overall risk mitigation plan
   to the president’s cabinet.
4. Board of Regents/Trustees: The president reports this plan to the board of
   regents, which approves additional budget/resources needed to launch the
   amended mitigation plan.
At Pennsylvania State University, a risk council meets once each month to discuss
the quality of risk management oversight and ways to strengthen the ERM
management process.
ERM Change Management at Pennsylvania State University
• The risk council (a group of 12 mid-level managers from across the institution)
  meets monthly to discuss risk management process improvement.
• The university risk officer directs the risk council.
• Findings from the risk council are presented to the risk sub-committee, which is
  part of the audit and risk committee of the board of regents.
5) Research Methodology
Project Challenge
Leadership at a member institution approached the Forum with the following
questions:
▪ Which ERM framework or frameworks do contact institutions follow (e.g., ISO,
COSO)? What are the main risk categories within the institution’s ERM structure?
▪ Which risk response strategy or combination of strategies is most often utilized at
contact institutions?
▪ What is the reporting structure for ERM? Which individual(s) are responsible for the
facilitation and oversight of ERM processes at contact institutions?
▪ What is the process and timeline for implementing a new ERM process?
▪ What metrics do institutions use to evaluate the effectiveness of their ERM
processes? What measures do they take to address shortcomings?
▪ Who is responsible for constructing an action plan and initiating/following up on
deadlines for implementing changes?
▪ Who is responsible for documenting stated controls in ERM?
▪ How often do contacts communicate with the Board of Trustees regarding ERM?
▪ To what degree is the Board of Trustees at contact institutions involved in ERM?
▪ How do institutions report ERM data to the Board of Trustees?
▪ Who is responsible for delivering ERM presentations or updates to the Board of
Trustees? Are ERM documents distributed to the Board of Trustees prior to a board
meeting or presentation?
▪ Is there communication outside of regular board meetings with select Trustees who
are responsible for ERM?
Project Sources
The Forum consulted the following sources for this report:
• Institution websites:
  – Georgia Institute of Technology: http://larm.gatech.edu/compliance-and-risk-management-network;
    http://larm.gatech.edu/compliance-partners-group
  – University of Georgia: http://www.usg.edu/audit/documents/ERM_Presentation.pdf
• Gallagher and Company: http://www.ajg.com/
• RIMS Risk Maturity Model (RMM): http://riskmaturitymodel.com/rims-risk-maturity-model-rmm-for-erm/
Research Parameters
The Forum interviewed ERM risk managers and directors at the following institutions:
A Guide to Institutions Profiled in this Brief
Institution                       Location    Approximate Institutional Enrollment    Classification
                                              (Undergraduate/Total)
East Carolina University          Southeast   21,500 / 26,900                         Doctoral/research universities
Georgia Institute of Technology   Southeast   14,500 / 21,500                         Research universities
North Carolina State University   Southeast   24,500 / 34,000                         Research universities
Pennsylvania State University     Northeast   40,000 / 46,600                         Research universities
University of Georgia System      Southeast   NA                                      NA
Networking Contacts
East Carolina State University
Tim Wiseman
Assistant Vice Chancellor for Enterprise Risk Management/CRO
Email: WISEMANW@ECU.EDU
Georgia Institute of Technology
Patrick McKenna
Vice President, Legal Affairs and Risk Management
Email: pat.mckenna@carnegie.gatech.edu
North Carolina State University
Jim Semple
Director, Insurance and Risk Management
Email: jrsemple@ncsu.edu
Pennsylvania State University
Gary Langsdale
University Risk Officer
Email: GWL3@psu.edu
University of Georgia System
Kenyatta Morrison
Executive Director for Enterprise Risk Management
Email: Kenyatta.Morrison@usg.edu

 
Esms+handbook+textiles&apparel v8
Esms+handbook+textiles&apparel v8Esms+handbook+textiles&apparel v8
Esms+handbook+textiles&apparel v8Dr Lendy Spires
 
pulte homes _CorporateGovernanceGuidelines_2009
pulte homes _CorporateGovernanceGuidelines_2009pulte homes _CorporateGovernanceGuidelines_2009
pulte homes _CorporateGovernanceGuidelines_2009finance42
 
pulte homes _CorporateGovernanceGuidelines_2009
pulte homes _CorporateGovernanceGuidelines_2009pulte homes _CorporateGovernanceGuidelines_2009
pulte homes _CorporateGovernanceGuidelines_2009finance42
 
How To Write A Interview Essay. Online assignment writing service.
How To Write A Interview Essay. Online assignment writing service.How To Write A Interview Essay. Online assignment writing service.
How To Write A Interview Essay. Online assignment writing service.Jessica Adams
 
Top pick of the month: Exide Industries
Top pick of the month: Exide IndustriesTop pick of the month: Exide Industries
Top pick of the month: Exide IndustriesIndiaNotes.com
 
TaaS : Transport as a Service, la prochaine disruption majeure
TaaS : Transport as a Service, la prochaine disruption majeureTaaS : Transport as a Service, la prochaine disruption majeure
TaaS : Transport as a Service, la prochaine disruption majeureAnne-Gaelle CHASLES
 
governance l3 comunications guidelines
governance  l3 comunications guidelinesgovernance  l3 comunications guidelines
governance l3 comunications guidelinesfinance19
 
l3 comunications governance guidelines
 l3 comunications governance guidelines l3 comunications governance guidelines
l3 comunications governance guidelinesfinance19
 
Narayan murthy report on corporate governance
Narayan murthy report on corporate governanceNarayan murthy report on corporate governance
Narayan murthy report on corporate governanceDhruvKothari13
 

Ähnlich wie ERM Frameworks (3) (20)

Sirianni_EAB_program_review
Sirianni_EAB_program_reviewSirianni_EAB_program_review
Sirianni_EAB_program_review
 
IFC_CG_Progression_Matrix_Listed_Companies_042219.pdf
IFC_CG_Progression_Matrix_Listed_Companies_042219.pdfIFC_CG_Progression_Matrix_Listed_Companies_042219.pdf
IFC_CG_Progression_Matrix_Listed_Companies_042219.pdf
 
Esms+handbook+construction v7
Esms+handbook+construction v7Esms+handbook+construction v7
Esms+handbook+construction v7
 
INDIPENDENT DIRECTOR
INDIPENDENT DIRECTORINDIPENDENT DIRECTOR
INDIPENDENT DIRECTOR
 
Risk of Fraud Managing Business Risk
Risk of Fraud Managing Business RiskRisk of Fraud Managing Business Risk
Risk of Fraud Managing Business Risk
 
The Insurance Compliance Function - International Standards
The Insurance Compliance Function - International Standards The Insurance Compliance Function - International Standards
The Insurance Compliance Function - International Standards
 
Esms+handbook+anim production v8
Esms+handbook+anim production v8Esms+handbook+anim production v8
Esms+handbook+anim production v8
 
Esms+handbook+crop prod v7
Esms+handbook+crop prod v7Esms+handbook+crop prod v7
Esms+handbook+crop prod v7
 
Aera note cfss 2020_ opportunity for defaulter organization
Aera note  cfss 2020_ opportunity for defaulter organizationAera note  cfss 2020_ opportunity for defaulter organization
Aera note cfss 2020_ opportunity for defaulter organization
 
Esms+handbook+textiles&apparel v8
Esms+handbook+textiles&apparel v8Esms+handbook+textiles&apparel v8
Esms+handbook+textiles&apparel v8
 
pulte homes _CorporateGovernanceGuidelines_2009
pulte homes _CorporateGovernanceGuidelines_2009pulte homes _CorporateGovernanceGuidelines_2009
pulte homes _CorporateGovernanceGuidelines_2009
 
pulte homes _CorporateGovernanceGuidelines_2009
pulte homes _CorporateGovernanceGuidelines_2009pulte homes _CorporateGovernanceGuidelines_2009
pulte homes _CorporateGovernanceGuidelines_2009
 
How To Write A Interview Essay. Online assignment writing service.
How To Write A Interview Essay. Online assignment writing service.How To Write A Interview Essay. Online assignment writing service.
How To Write A Interview Essay. Online assignment writing service.
 
Top pick of the month: Exide Industries
Top pick of the month: Exide IndustriesTop pick of the month: Exide Industries
Top pick of the month: Exide Industries
 
Ranbaxy 19.12
Ranbaxy 19.12Ranbaxy 19.12
Ranbaxy 19.12
 
Ranbaxy Corporate Governance
Ranbaxy Corporate GovernanceRanbaxy Corporate Governance
Ranbaxy Corporate Governance
 
TaaS : Transport as a Service, la prochaine disruption majeure
TaaS : Transport as a Service, la prochaine disruption majeureTaaS : Transport as a Service, la prochaine disruption majeure
TaaS : Transport as a Service, la prochaine disruption majeure
 
governance l3 comunications guidelines
governance  l3 comunications guidelinesgovernance  l3 comunications guidelines
governance l3 comunications guidelines
 
l3 comunications governance guidelines
 l3 comunications governance guidelines l3 comunications governance guidelines
l3 comunications governance guidelines
 
Narayan murthy report on corporate governance
Narayan murthy report on corporate governanceNarayan murthy report on corporate governance
Narayan murthy report on corporate governance
 

ERM Frameworks (3)

  • 1. ©2015 The Advisory Board Company 1 eab.com Structure, Board of Regents/Trustees Involvement, and Impact ERM Frameworks Business Affairs Forum RESEARCH BRIEF
  • 2. ©2015 The Advisory Board Company 2 eab.com LEGAL CAVEAT The Advisory Board Company has made efforts to verify the accuracy of the information it provides to members. This report relies on data obtained from many sources, however, and The Advisory Board Company cannot guarantee the accuracy of the information provided or any analysis based thereon. In addition, The Advisory Board Company is not in the business of giving legal, medical, accounting, or other professional advice, and its reports should not be construed as professional advice. In particular, members should not rely on any legal commentary in this report as a basis for action, or assume that any tactics described herein would be permitted by applicable law or appropriate for a given member’s situation. Members are advised to consult with appropriate professionals concerning legal, medical, tax, or accounting issues, before implementing any of these tactics. Neither The Advisory Board Company nor its officers, directors, trustees, employees and agents shall be liable for any claims, liabilities, or expenses relating to (a) any errors or omissions in this report, whether caused by The Advisory Board Company or any of its employees or agents, or sources or other third parties, (b) any recommendation or graded ranking by The Advisory Board Company, or (c) failure of member and its employees and agents to abide by the terms set forth herein. The Advisory Board is a registered trademark of The Advisory Board Company in the United States and other countries. Members are not permitted to use this trademark, or any other Advisory Board trademark, product name, service name, trade name, and logo, without the prior written consent of The Advisory Board Company. All other trademarks, product names, service names, trade names, and logos used within these pages are the property of their respective holders. 
Use of other company trademarks, product names, service names, trade names and logos or images of the same does not necessarily constitute (a) an endorsement by such company of The Advisory Board Company and its products and services, or (b) an endorsement of the company or its products or services by The Advisory Board Company. The Advisory Board Company is not affiliated with any such company. IMPORTANT: Please read the following. The Advisory Board Company has prepared this report for the exclusive use of its members. Each member acknowledges and agrees that this report and the information contained herein (collectively, the “Report”) are confidential and proprietary to The Advisory Board Company. By accepting delivery of this Report, each member agrees to abide by the terms as stated herein, including the following: 1. The Advisory Board Company owns all right, title and interest in and to this Report. Except as stated herein, no right, license, permission or interest of any kind in this Report is intended to be given, transferred to or acquired by a member. Each member is authorized to use this Report only to the extent expressly authorized herein. 2. Each member shall not sell, license, or republish this Report. Each member shall not disseminate or permit the use of, and shall take reasonable precautions to prevent such dissemination or use of, this Report by (a) any of its employees and agents (except as stated below), or (b) any third party. 3. Each member may make this Report available solely to those of its employees and agents who (a) are registered for the workshop or membership program of which this Report is a part, (b) require access to this Report in order to learn from the information described herein, and (c) agree not to disclose this Report to other employees or agents or any third party. Each member shall use, and shall ensure that its employees and agents use, this Report for its internal use only. 
Each member may make a limited number of copies, solely as adequate for use by its employees and agents in accordance with the terms herein. 4. Each member shall not remove from this Report any confidential markings, copyright notices, and other similar indicia herein. 5. Each member is responsible for any breach of its obligations as stated herein by any of its employees or agents. 6. If a member is unwilling to abide by any of the foregoing obligations, then such member shall promptly return this Report and all copies thereof to The Advisory Board Company. LEGAL CAVEAT The Advisory Board Company has made efforts to verify the accuracy of the information it provides to members. This report relies on data obtained from many sources, however, and The Advisory Board Company cannot guarantee the accuracy of the information provided or any analysis based thereon. In addition, The Advisory Board Company is not in the business of giving legal, medical, accounting, or other professional advice, and its reports should not be construed as professional advice. In particular, members should not rely on any Business Affairs Forum Brittany Coppola Research Associate Anna Krenkel Senior Research Manager
  • 3. ©2015 The Advisory Board Company 3 eab.com Table of Contents 1) Executive Overview .....................................................................................................4 Key Observations ..............................................................................................................4 2) ERM Frameworks: Structure and Responsibilities.........................................................5 Institutions Create Frameworks...........................................................................................5 Common Risk Categories....................................................................................................7 ERM Reporting Structure ....................................................................................................8 3) Board of Regents/Trustees Involvement in ERM ........................................................10 Presenting ERM Activity to the Board ................................................................................. 10 4) Institutional Assessment of ERM Impact....................................................................12 Measuring ERM Impact..................................................................................................... 12 Implement Change .......................................................................................................... 13 5) Research Methodology...............................................................................................14 Project Challenge ............................................................................................................ 14 Project Sources ............................................................................................................... 15 Research Parameters ....................................................................................................... 
15 Networking Contacts......................................................................................................16
  • 4. ©2015 The Advisory Board Company 4 eab.com 1) Executive Overview Most institutions create and use their own ERM frameworks best meet the needs of a higher education institution. Contacts indicate that the COSO and ISO 3100 risk management frameworks do not readily translate to the higher education industry because they are rooted in corporate business principles. Only contacts at East Carolina University use the ISO 3100 framework because of its rigor, which they transitioned to after years of modifying an internally developed framework. The five major risk categories at profiled institutions include compliance, finance, reputation, strategy, and operations. As with ERM frameworks, the risk categories that ERM staff develop as part of the ERM framework are unique to each institution. For example, the North Carolina State University is the only profiled institution to include drones and Greek life as risk areas. The university risk officer or ERM director oversees ERM activity. The university risk officer or ERM director typically reports to the vice chancellor of finance and administration who then reports to the board of regents/trustees. The university risk officer or ERM director assigns each risk a risk owner in the department most closely associated with the risk, and the risk officer or ERM director and risk owner collaborate to develop a risk mitigation plan. It is the responsibility of the risk owner to also document the stated controls. Institutions typically engage with the board of regents/trustees at least once annually, as the board of regents/trustees often has the final approval for risk mitigation strategies or approving changes to the risk management process. 
Presentations of ERM activity to the board range from ad hoc to highly systematized; the University of Georgia System has the most robust presentation requirements, which include biannual PowerPoint presentations to the full board and submission of supporting documents before the meeting to allow board members time to prepare questions. Measuring the impact of ERM is anecdotal and remains a growth opportunity for most institutions. At the Georgia Institute of Technology contacts cite that identifying a risk, assigning it a risk owner, and developing a risk mitigation plan are sufficient evidence to count as successful ERM. Risk directors at East Carolina State University use the Rim’s Risk Maturity Model (RMM), a free risk assessment tool, to measure the impact of their ERM framework. Incorporate feedback from ERM risk owners or the risk council (i.e., mid- level managers from across the institution who review ERM processes)to construct an action plan for incorporating changes to ERM. The risk owner is integral to creating changes to the ERM process because they provide the necessary feedback to determine the success of a risk mitigation strategy for eliminating or mitigating the assigned risk. At the Georgia Institute of Technology, administrators developed a campus-wide wellness initiative in response to recommendations from the risk owner charged with mitigating student health and safety risks. Key Observations
  • 5. ©2015 The Advisory Board Company 5 eab.com 2) ERM Frameworks: Structure and Responsibilities Risk Management Staff Create Their Own ERM Frameworks Administrators at all but one of the profiled institutions created and implemented ERM ERM frameworks unique to their institutions. Contacts indicate that traditional ERM frameworks (e.g., ISO 3100, COSO) cannot be copied and directly implemented for use by higher education institutions because they were originally intended for corporate use in for-profit environments. Administrators at East Carolina State University initially created and implemented a unique ERM framework, but eventually adopted the ISO 3100 framework after several years of changes and iterations to their original ERM framework (which they based off of Arthur J. Gallagher & Company’s report, “Road to Implementation: Enterprise Risk Management for Colleges and Universities.”) Contacts indicate that concerns about the rigor of the framework and its ability to reflect institutional growth led to this transition. ERM Framework Blueprint: Arthur J. Gallagher & Company1 1) McLaughlin, John et al. Road to Implementation: Enterprise Risk Management for Colleges and Universities. Arthur J. Gallagher & Company. 1 September 2015. http://www.ajg.com/. Institutions Create Frameworks 1 Understand the institution’s plans, environment, and culture. 2 Determine the status of existing risk management processes. 3 State goals and objectives. 4 Present the case for implementing ERM. 5 Present the case for implementing ERM. 6 Name an ERM leader. 7 Plan project and create a timeline. 8 Select/design ERM framework that fits institution’s goals and culture. 9 Create a cross-functional risk council. 10 Create a mission and goals statement for the risk council. 11 Develop a shared vocabulary and definitions. PHASE1PHASE2(includes step11) 12 Develop a risk portfolio. 13 Assess, validate, and prioritize risks. 14 Assign ownership and take action. 15 Assess results. 
16 Meet and report. 17 Review and align risk treatment with available sources. 18 Do not neglect traditional risk management functions. 19 Review any ERM framework you have chosen to follow. 20 Develop an institution-wide system for communicating. PHASE3 Phase 1 Survey institution’s situation and from these factors prepare a case statement for ERM. Phase 2 Set the foundation to build, embed, and sustain an ERM process. Phase 3 Implement risk identification, risk evaluation, and take action in priority areas. Phase 4 Sustain your ERM program. PHASE4
  • 6. ©2015 The Advisory Board Company 6 eab.com ERM Framework and Process: University of Georgia System2 2) Internal Audit and Compliance. Enterprise Risk Management. “Detailed Presentation on the ERM Program.” University of Georgia System. 8 September 2015. http://www.usg.edu/audit/documents/ERM_Presentation.pdf. Step Action Execution 1 Establish ERM Framework A. Identify project champion B. Identify project owner C. Establish steering committee A. Project champion is chancellor/president who provides support to process B. Project owner is senior-level official who provides oversight of ERM implementation C. Executive/senior-level officials who represent key organizational areas. A. List key objectives B. Prioritize objectives C. Select objectives for assessment A. Steering committee identifies strategic objectives B. Steering committee uses ranking system to select top objectives C. Steering committee selects 4 to 6 top objectives for initial risk assessment 2 Identify Key Objectives 3 Identify Key Risks A. Brainstorm and assess risks; assign risks of 4 or higher to a risk owner A. Steering committee conducts initial risk assessment through calculation of risk impact without consideration of current controls or mitigation strategies 4 Manage Risks A. Identify controls and mitigation requirements B. Develop mitigation plan for key risks C. Conduct quarterly meetings to review status D. Repeat steps 2 through 4 for additional objectives A. Risk owners identify current controls or mitigation plans, or other actions institution has taken to reduce risk B. Risk owners develop mitigation plans for risks ranked 4 or higher C. Steering committee holds quarterly meetings to approve and review status of risk owner mitigation plans D. Steering committee incorporates new risks into ERM process as current risks are mitigated
  • 7. ©2015 The Advisory Board Company 7 eab.com Common ERM Risk Categories Include Compliance, Finance, Reputation, Strategy, and Operations Administrators at profiled institutions develop risk categories in one of two ways: 1) Hire a consulting agency to assess risks (contacts at the Georgia Institute of Technology hired an external consulting firm); 2) Create five to seven broad risk categories based on common patterns and themes of proposed risks. Creating Risk Categories Main Risk Categories at Profiled Institutions Institution East Carolina State University Georgia Institute of Technology North Carolina State University Pennsylvania State University University of Georgia System Compliance X X X X Finance X X X Reputation X X X Strategy X X X Operations X X X Campus security X Cyber security X Faculty retention X Admissions and recruitment X Fraternities and sororities X Common Risk Categories Propose and collate risks. Funnel proposed risks into broad categories by grouping risks with overlap and similarities. Prioritize determined risks. Administrators at Pennsylvania State University asked 54 campus leaders “what keeps you awake at night?” to gather diverse perspectives about risk facing the entire campus. Administrators at the Georgia Institute of Technology took several hundred proposed risk factors and grouped them into 40 risk areas. After funneling down top risk areas, create five to seven broad risk categories and assign remaining proposed risks to a category; prioritize risks according to urgency. The top five risk categories are most common across profiled institutions.
  • 8. ©2015 The Advisory Board Company 8 eab.com Institution East Carolina State University Georgia Institute of Technology North Carolina State University Pennsylvania State University University of Georgia System Drones X Title IX X Academic X Injuries X Fundraising X To prioritize risks and determine which to address first, the Compliance and Risk Management Network at the Georgia Institute of Technology scores risks. Risk Rubric at the Georgia Institute of Technology3 The University Risk Officer or Director Leads ERM The university risk officer typically reports to the vice chancellor of administration and finance or president. Although the reporting structures are different at all profiled institutions, most hierarchies contain a chancellor/president, board of regents, and risk owners. 3) Compliance and Risk Management Network. Legal Affairs and Risk Management. Georgia Institute of Technology. 9 September 2015. http://larm.gatech.edu/compliance-and-risk-management-network. ERM Reporting Structure The ERM department is housed under the office of the corporate controller at Pennsylvania State University. Impact Likelihood Velocity • Impairs achievement of strategic goals; • Substantial financial costs; • Damage to reputation; • Requires intervention • • Creates inefficiencies; • Fines, minor injuries, or moderate losses may result • Results in warning or reprimand; • Little effects on institute • Probability of risk occurrence > 75%; • Risk will occur frequently and predictably • Probability of risk occurrence between 50% and 75%; • Risk will occur unpredictably • Probability of risk occurrence less than 50% • May occur in 0-3 years • May occur in 4 to 6 years • May occur in 7 to 10 years HighMediumLow
  • 9. ©2015 The Advisory Board Company 9 eab.com ERM Reporting Structure at the Georgia Institute of Technology4,5 ERM is housed under the system-wide internal audit unit. 4) Compliance and Risk Management Network. Legal Affairs and Risk Management. Georgia Institute of Technology. 9 September 2015. http://larm.gatech.edu/compliance-and-risk-management-network. 5) Compliance Partner’s Group. Legal Affairs and Risk Management. Georgia Institute of Technology. 9 September 2015. http://larm.gatech.edu/compliance-partners-group Board of Regents Compliance and Risk Management Network Approves ERM strategy and additional resources needed to execute risk mitigation plans. ERM Director Composed of 20 members from administration and finance, provost’s office, and student life; examines campus-wide risks. Manages the Compliance and Risk Management Network Policy Steering Committee Compliance Partner’s Group (CPG) The CPG is composed of 40 administrators who are responsible for department-level compliance operations. Vets new policy proposals and manages policy reviews. Vice Chancellor or President Senior leader responsible for reporting ERM activity to the board; oversees ERM process management.
  • 10. ©2015 The Advisory Board Company 10 eab.com 3) Board of Regents/Trustees Involvement in ERM Engage at Least Once Annually with the Board of Regents/Trustees The ERM director or the board of trustees’ internal audit and risk committee update the full board of regents/trustees about ERM activity at least once per year at most profiled institutions, either through scheduled presentations or ad hoc discussions. Board of Regents/Trustees Engagement at Profiled Institutions AdhocSystematized ERM staff engage with the board of regents when the board requests an update on ERM. Georgia Institute of Technology ERM staff have made at least one presentation to the board of regents but do not meet with the board on a regular basis. North Carolina State University Board members participate in committees, and the audit and risk committee includes a sub-committee that focuses only on risk issues. This sub-committee meets three to six times per year to discuss how the university is managing risk. When the sub-committee deems risks to be high priority they assign it a board-level risk owner. For example, the sub- committee assigned dean of students as the “alcohol” risk owner; the dean then makes a presentation to academic and student affairs staff members about alcohol risk management. Pennsylvania State University The executive director for enterprise risk management makes semiannual presentations to the board of trustees regarding the status of ERM at each institution in the system. Board members sit on committees, and the internal audit risk and compliance committee meets monthly to discuss risk management.University of Georgia System A board of trustees audit committee exists to review risk audit and compliance. The assistant vice chancellor for enterprise risk management liaises with this committee, which communicates ERM activity to the full board of trustees. East Carolina State University Presenting ERM Activity to the Board
  • 11. ©2015 The Advisory Board Company 11 eab.com Assess the backgrounds and career fields of board members. Identify members in business sectors where risk management practices are established and leverage board ERM experiences where possible (e.g., invite board member to address the university risk committee or steering group). Assemble a packet of ERM materials that explain ERM and outlines the institutions approach. Be sure to cite research to build credibility with the board. This strategy is especially impactful for newly appointed board members not well acquainted with ERM. Establish an “ERM cycle” that includes a standard reporting format. A standard template for reports and conveying information according to a schedule will acclimate board members to expect information about ERM. Propose a mini-class on ERM. If the board has an annual retreat or other opportunity to discuss each year’s agenda, use this time to educate board members about ERM in higher education. ERM Staff or Board Risk Committees Present ERM Activity to the Board of Regents/Trustees At both the Georgia Institute of Technology and East Carolina State University, the ERM director updates the board of trustees’ internal audit committee about ERM activity. It is then the responsibility of the internal audit committee to convey this information to the full board. At Pennsylvania State University, the risk manager is responsible for presentations to the board of regents/trustees, and he or she chooses the format and modality of presentation. The University of Georgia System has the most robust board of trustee/regents presentation requirements: the executive director for ERM reports to the board biannually via a PowerPoint presentation of five to 10 slides. 
The executive director of ERM also creates and distributes supporting documentation (e.g., audit reports, risk mitigation/control reports), which they distribute to the board between two and four weeks before the meeting so members have time to review the information in advance. This presentation lasts 30 minutes, and there is time for board Q&A afterward. Contacts at East Carolina State University recommend the following strategies for optimal communication and engagement about ERM with a university’s board members: Strategies to Engage with the Board of Regents/Trustees
4) Institutional Assessment of ERM Impact

Use Anecdotal Evidence and the Risk Maturity Model (RMM) to Measure the Impact of ERM

Assessing the impact of ERM remains a growth opportunity at institutions, as the impact of ERM is primarily assessed through anecdotal evidence from risk owners. At the Georgia Institute of Technology, ERM is successful if the following questions regarding a risk can be answered:
• Has the risk been identified?
• Has a risk owner been assigned or agreed to take ownership of the risk?
• Is there a mitigation plan in place for the risk in question (created by the risk owner)?

In addition to asking risk management staff to provide anecdotal evidence of ERM impact, contacts at East Carolina State University use the Risk Maturity Model (RMM), through which the risk manager taking the assessment receives a score that indicates whether their ERM framework is meeting expectations. This assessment is free, and risk officers can complete it in 30 minutes.

Measuring ERM Impact: At the University of Georgia System, the goal is not to mitigate all risk, but instead to mitigate risks to an acceptable level.

RIMS RMM for ERM: 7 Attributes Covered in the Assessment⁶
• ERM-Based Approach: Measures the degree of executive support for ERM, integration across processes, and risk communication.
• ERM Process Management: Analyzes how well the risk management program identifies, assesses, evaluates, mitigates, and monitors risks.
• Risk Management Appetite: Includes the level of accountability for risk, defining appropriate risk tolerances, and closing the gap between perceived and actual risk.
• Root Cause Discipline: Determines the extent to which an organization links a risk to its root causes and source processes.
• Uncovering Risk: Examines the quality of risk information collected.
• Performance Management: Determines the degree to which an organization executes on its visions and strategy.
• Business Resiliency and Stability: Evaluates the extent to which sustainability plans are integrated into the Enterprise Risk Management process.

6) Source: Risk Management Society. RIMS Risk Maturity Model. RIMS RMM for ERM. 2 September 2015. http://riskmaturitymodel.com/rims-risk-maturity-model-rmm-for-erm/.

Use Feedback from ERM Risk Owners or the Risk Council to Construct an Action Plan for ERM Change Management

Contacts at profiled institutions use anecdotal feedback from the risk manager or the risk council to make necessary changes to the ERM process. At the University of Georgia and the Georgia Institute of Technology, the risk owner is an integral part of creating and managing changes to the ERM process and framework.

ERM Change Management at the Georgia Institute of Technology
• Risk Owner: The risk owners make an annual presentation to the ERM network regarding the controls they have selected to mitigate their assigned risk.
• ERM Network: The ERM network asks the risk owners to document a risk mitigation plan; the ERM network adds recommended actions to this document.
• President’s Cabinet: The ERM network presents an overall risk mitigation plan to the president’s cabinet.
• Board of Regents/Trustees: The president reports this plan to the board of regents, which approves additional budget/resources needed to launch the amended mitigation plan.
• Implement Change.
At Pennsylvania State University, a risk council meets once each month to discuss the quality of risk management oversight and ways to strengthen the ERM management process.

ERM Change Management at Pennsylvania State University
The risk council (a group of 12 mid-level managers from across the institution) meets monthly to discuss risk management process improvement. Findings from the risk council are presented to the risk sub-committee, which is part of the audit and risk committee of the board of regents. The university risk officer directs the risk council.

5) Research Methodology

Project Challenge
Leadership at a member institution approached the Forum with the following questions:
▪ Which ERM framework or frameworks do contact institutions follow (e.g., ISO, COSO)? What are the main risk categories within the institution’s ERM structure?
▪ Which risk response strategy or combination of strategies is most often utilized at contact institutions?
▪ What is the reporting structure for ERM? Which individual(s) are responsible for the facilitation and oversight of ERM processes at contact institutions?
▪ What is the process and timeline for implementing a new ERM process?
▪ What metrics do institutions use to evaluate the effectiveness of their ERM processes? What measures do they take to address shortcomings?
▪ Who is responsible for constructing an action plan and initiating/following up on deadlines for implementing changes?
▪ Who is responsible for documenting stated controls in ERM?
▪ How often do contacts communicate with the Board of Trustees regarding ERM?
▪ To what degree is the Board of Trustees at contact institutions involved in ERM?
▪ How do institutions report ERM data to the Board of Trustees?
▪ Who is responsible for delivering ERM presentations or updates to the Board of Trustees? Are ERM documents distributed to the Board of Trustees prior to a board meeting or presentation?
▪ Is there communication outside of regular board meetings with select Trustees who are responsible for ERM?
Project Sources
The Forum consulted the following sources for this report:
• Institution websites:
  – Georgia Institute of Technology: http://larm.gatech.edu/compliance-and-risk-management-network; http://larm.gatech.edu/compliance-partners-group
  – University of Georgia: http://www.usg.edu/audit/documents/ERM_Presentation.pdf
• Gallagher and Company: http://www.ajg.com/
• RIMS Risk Maturity Model (RMM): http://riskmaturitymodel.com/rims-risk-maturity-model-rmm-for-erm/

Research Parameters
The Forum interviewed ERM risk managers and directors at the following institutions:

A Guide to Institutions Profiled in this Brief

Institution                        Location    Approximate Institutional Enrollment (Undergraduate/Total)    Classification
East Carolina University           Southeast   21,500 / 26,900                                                Doctoral/research universities
Georgia Institute of Technology    Southeast   14,500 / 21,500                                                Research universities
North Carolina State University    Southeast   24,500 / 34,000                                                Research universities
Pennsylvania State University      Northeast   40,000 / 46,600                                                Research universities
University of Georgia System       Southeast   NA                                                             NA
Networking Contacts

East Carolina State University
Tim Wiseman, Assistant Vice Chancellor for Enterprise Risk Management/CRO
Email: WISEMANW@ECU.EDU

Georgia Institute of Technology
Patrick McKenna, Vice President, Legal Affairs and Risk Management
Email: pat.mckenna@carnegie.gatech.edu

North Carolina State University
Jim Semple, Director, Insurance and Risk Management
Email: jrsemple@ncsu.edu

Pennsylvania State University
Gary Langsdale, University Risk Officer
Email: GWL3@psu.edu

University of Georgia System
Kenyatta Morrison, Executive Director for Enterprise Risk Management
Email: Kenyatta.Morrison@usg.edu