January 2004
Enterprise Risk Management @ TSU
Enterprise Risk Management (ERM) Initiative
Presented on behalf of the Compliance Governance Committee by the
Department of Internal Audit & Assurance Services
Texas Southern University
Agenda
Background
• University Mission/Vision
Introducing an Enterprise Risk Management (ERM) Strategy
• What is ERM?
• Risk Factors
• Success Factors
• Benefits of ERM
Risk Assessment Methodology
• COSO Framework
• Key Objectives of ERM
• Terminology
• Risk Assessments at TSU
Risk Management Assessment (RMA) Output
• Internal Control Maturity Levels
• Residual Risk Matrix
Texas Southern University
Mission
Texas Southern University is a comprehensive metropolitan university. Building on its legacy as a historically black college/university (HBCU), the university provides academic and research programs that address critical urban issues and prepare an ethnically diverse student population to become a force for positive change in a global society.
In order to achieve this mission, Texas Southern University provides:
• Quality instruction in a culture of innovative teaching and learning
• Basic and applied research and scholarship that is responsive to community issues
• Opportunities for public service that benefit the community and the world.
Texas Southern University
Vision
Texas Southern University will become one of the nation's pre-eminent comprehensive metropolitan universities. We will be recognized by the excellence of our programs, the quality of our instruction, our innovative research, and our desire to be a contributing partner to our community, state, nation, and world.
Introducing Enterprise Risk Management (ERM)
Achieving Success through ERM
The complex and rapid changes in today's world place unprecedented pressures on the University. Events occur that have the potential to adversely affect the University's ability to achieve its goals. The possibility that an adverse event will occur is called "risk". Risks can be financial, operational, technological, environmental, regulatory, competitive, strategic, legal, reputational, and/or political in nature. They can affect the entire University, specific programs and/or individual departments.
To facilitate our commitment to excellence and support the achievement of the strategic plan, the University has decided to implement an Enterprise Risk Management (ERM) initiative to establish a systematic organization-wide approach that will allow us to proactively manage risks.
What is ERM?
Enterprise Risk Management (ERM):
• Is a process through which management identifies significant threats (risks) that would prevent their organization/unit from meeting stated goals and objectives
• Assigns specific responsibility and accountability for developing controls to mitigate risks
• Implements those controls
• Monitors the controls to verify they are working as intended
It's about establishing the oversight, control and discipline to drive continuous improvement of an entity's risk management capabilities in a changing operating environment.
Enterprise Risk Management
• Strategic Risk – high-level goals aligned with the University's mission (i.e. Strategic Plan, QEP)
• Operational Risk – ongoing management processes
• Financial Risk – protection of assets
• Compliance Risk – adherence to laws and regulations
Enterprise Risk Management (ERM)
Authority and Support
The University has an established Compliance Governance Committee (CGC) comprised of:
- University President
- Provost and Vice President for Academic Affairs
- Vice President of Administration and Finance/Chief Financial Officer
- Vice President for Research
- Vice President/Chief Compliance Officer
- Vice President, Intercollegiate Athletics
- General Counsel

Committee Advisory Liaison: Chief Audit Executive
Why Should TSU Implement ERM?
Benefits of a Successful ERM Program:
• Improves how the University actively manages financial, compliance, strategic, reputational and other aspects of risk
• Creates decisive, resilient controls/action plans that deter or minimize the impact of unexpected occurrences
• Focuses on risks that could prevent success in achieving University, collegiate and functional goals and objectives and examines how to correctly mitigate them
• Enables the University to actualize its vision to be forward-thinking and futuristic; and assures stakeholders that we are doing all that can be done to be sustainable
Key Objectives of the Enterprise Risk Management Process
• Risks arising from business strategies and activities are identified and prioritized.
• Management and the board have determined the level of risks acceptable to the organization, including the acceptance of risks designed to accomplish the organization's strategic plans.
• Risk mitigation (controlled) activities are designed and implemented to reduce, or otherwise manage, risk at levels that were determined to be acceptable to management and the board.
• Ongoing monitoring activities are conducted to periodically reassess risk and the effectiveness of controls to manage risk.
• Enterprise risk management deficiencies are reported upstream, with serious matters reported to top management and the board.
ERM Success Factors
Key Elements to an Effective ERM Initiative
– Acceptance of a Risk Management Framework and common language regarding risks
– BOR, Executive, Management, Faculty and Staff Commitment (it takes all of us)
– ERM Champion
– Communication & Training
– Reinforcement (through University and/or HR mechanisms)
– Valid Process
– Internal Audit/Compliance monitoring
Who Else Has Implemented ERM?
– Drexel University
– University System of Georgia
– NC State University
– Penn State University
– Emory University
– Ohio University
– University of North Carolina
– University of Texas
– Texas A&M University
– University of Maryland
– Notre Dame University
– University of Wisconsin
What to Expect Next
• Implementation teams will contact process owners (function/department heads) to schedule facilitated sessions
– Will request departmental documentation, SOPs, etc. and may provide common risks by area for preliminary review
• Implementation team lead will host facilitated session(s) to understand processes, and work with you to document risks and controls, as well as:
– The probability of the risk occurring and the possible impact should the risk occur
• Risk universe will be compiled from the results of the facilitated sessions, and key risks/controls identified (for high (p)/high (i) scenarios)
• Risk information to be disclosed quarterly to the CGC and the BOR
Stay Engaged During the ERM Process
• Most colleges and universities focus on financial and compliance risks and on building compliance programs.
• ERM impacts not only the numbers, but also brand, competitiveness and strategy.
• Our University is only as good as the weakest link or most ineffective process, thus:
– Let's move from adding controls to a process to building risk management into the process.
What is COSO?
The Committee of Sponsoring Organizations of the Treadway Commission
COSO was originally formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, an independent private sector initiative which studied the causal factors that can lead to fraudulent financial reporting and developed recommendations for public companies and their independent auditors, for the SEC and other regulators, and for educational institutions.
(The Original) COSO Framework
Control Environment
• Sets tone of organization influencing control consciousness of its people.
• Factors include integrity, ethical values, competence, authority and responsibility.
• Foundation for all other components of control.
Risk Assessment
• Risk assessment is the identification and analysis of relevant risks to achieving the entity's objectives and forming the basis for determining control activities.
Control Activities
• Policies/procedures that ensure management directives are carried out.
• Range of activities including approvals, authorizations, verifications, recommendations, performance reviews, asset security and segregation of duties.
Information and Communication
• Pertinent information identified, captured and communicated in a timely manner.
• Access to internal and externally generated information.
• Flow of information that allows for successful control actions from instructions on responsibilities to summary of findings for management action.
Monitoring
• Assessment of a control system's performance over time.
• Combination of ongoing and separate evaluation.
• Management and supervisory activities.
• Internal audit activities.
Risk Factors
The Risk Factors considered during the risk assessment include:
Compliance
Compliance with laws and regulations, safety and environmental issues, conflicts of interest, sponsoring agencies, employment.
Financial
Budgets, financing, cash flow, sources and uses of funds reporting, preservation of assets.
Legal
Outside demands and restrictions, such as grants, data retention, data preservation.
Operational
Considers the needs of the delivery of core operations, such as space/facilities, utilities, personnel, student services, information systems.
Reputational
Considers political and outside perception of the university ('goodwill').
Strategic
Considers what needs to be done to maintain and enhance units and university's competitiveness through strategic initiatives.
Technology
Academic and administrative information systems and infrastructure.
Risk Terminology
Risk Evaluation – An analysis by which risks are ranked (high, medium, low) and prioritized considering: 1) the probability of occurrence (what is the likelihood that the risk will happen), and 2) the impact (the consequences or outcome should the risk occur).
Risk Management Assessment (RMA) – The process used to identify, quantify, evaluate and treat risks to the business/academic unit. (This process includes the documentation of risks, control gaps, mitigating control activities (or compensating strategies), and monitoring of processes.) Output from the RMA is in the form of the ICM, Residual Risk Analysis and Risk/Controls Matrix.
Risk – Any event or action that adversely affects the University's ability to achieve its objectives (financial, operational, strategic, technology, compliance, reputational).
Risk Terminology continued
Detailed Control Activities – Mitigating, controlled actions (generally documented within policies and procedures) which are used to manage, limit and monitor risks.
Risk Mitigation Plan – Is developed as a result of the Risk Management Assessment (RMA); it defines how the risks identified are to be addressed through detailed control activities (or mitigating/compensating controls), implementation time to completion, and responsible party.
Risk Assessments at TSU
Colleges and Schools (and related academic units)
• Thurgood Marshall School of Law
• Thomas F. Freeman Honors College
• College of Science and Technology
• Graduate School
• School of Communication
• College of Pharmacy and Health Sciences
• Jesse H. Jones School of Business
• College of Education
• Barbara Jordan/Mickey Leland School of Public Affairs
• College of Liberal Arts and Behavioral Sciences
• Libraries and Museums
– Additional/Related Academic Units
• Student Enhancement Success Services
• Online College
• Office of Continuing Education
• Center for Online Education & Instructional Technology
• Teaching Learning Excellence Center
Risk Assessments at TSU (continued)
Academic Affairs
• Admissions
• Provost Business Services
• Director of Libraries
• Institutional Assessment, Planning & Effectiveness
• International Student Affairs
• Registrar
• University Testing
• Enrollment Services
Office of Research
• Research Funding and Pre-award Services
• Research Enhancement and Compliance Services
• Research Financial Services (Grants & Contracts)
Board Administration
• Department of Internal Audit & Assurance Services
- Information Security
• Board Relations
Buildings & Ground Maintenance
• Customer Service
Risk Assessments at TSU (continued)
Information Technology
• Infrastructure and Operations
• Security
• Banner Application and Support
• Communications/Help Desk
Police Department
• Department of Public Safety
President
• Office of General Counsel
• Governmental Affairs
• Athletics – Administration
– NCAA Compliance
• Title III
Student Services
• Business Administration Services
• Counseling Center
• Health Center
• Judicial Affairs
• Music Activities/Band
• Career Planning & Placement
• Recreation Center
• Student Activities & Campus Events
• Student Center Operations
• Veteran Affairs
• Academic Services
Risk Assessments at TSU (continued)
University Advancement
• Alumni Affairs
• Marketing
• Communications
• Special Events
• Development
• KTSU
Campus Services and Operations
• Bookstore
• Food Services
• Greystone Apartments
• Student Housing
• University Parking
Research and Outreach Centers
• A total of 25 (approx.) Research and Outreach Centers are part of the Annual Risk Assessment Process and would be included in the ERM Strategy.
Ranking Indexes
IMPACT – The effect on achieving University objectives, the consequences
HIGH (Catastrophic)
• Sustained, long-term loss in shareholder value
• Major impact on profitability
• Loss of key relationships
MEDIUM (Moderate)
• Resolution of issues will be handled by function head and direct reports to function head
• Moderate impact on profitability
• Short-term impact on shareholder value and/or reputation
LOW (Minimal Impact)
• Resolution of issues will be handled by junior management and staff
• Minimal impact on profitability
• No potential impact on shareholder value
• No impact on reputation
PROBABILITY – The likelihood that the risk will happen.
HIGH – Event happens frequently, will occur, predictable
MEDIUM – Event happens infrequently, sometimes occurs
LOW – Event seldom happens, rare, has not happened
Rankings are given to the Risks (for a reportable unit) based on Probability and Impact:
[Diagram: risk ranking matrix with Probability and Impact as its two axes]
Internal Controls Maturity Levels
Level 1 – Unreliable
• Unpredictable environment where control activities are not designed or in place
Level 2 – Informal
• Disclosure Activities and Controls are designed and in place but are not adequately documented
• Controls mostly dependent on people
• No formal training or communication of control activities
Level 3 – Standardized
• Control activities are designed and in place
• Control activities have been documented and communicated to employees
• Deviations from control activities will likely not be detected
Level 4 – Monitored
• Standardized controls with periodic testing for effective design and operation with reporting to management
• Automation and tools may be used in a limited way to support control activities
Level 5 – Optimized
• An integrated internal control framework with real time monitoring by management with continuous improvement (Enterprise Wide Risk Management)
• Automation and tools are used to support controls activities and allow the organization to make rapid changes to the control activities if needed
[Diagram: maturity staircase from Unreliable through Informal, Standardized and Monitored up to Optimized, marking "Management's Internal Control Assertion" and "Where We Need To Be"]
Internal Controls Maturity Levels
[Diagram: the five maturity levels Unreliable (1), Informal (2), Standardized (3), Monitored (4) and Optimized (5) with their one-line descriptions, marking the minimum maturity level desired for key business processes, functions or units]