Enterprise Risk Management (ERM) at Clayton State University
Cheryl Jordan, CFE, ERM Compliance Officer
What is ERM?
USG definition: ERM is a process-driven tool that enables senior management to visualize, assess, and manage significant risks that may adversely impact the attainment of key organizational objectives.
11/24/2018
BOR 7.15 Risk Management Policy
Each institution is to:
- Designate a Risk Management Policy Coordinator.
- Develop a Risk Management Framework and procedures based on ERM.
The Chancellor is to designate a position to oversee implementation of the Risk Policy and to develop risk procedures for use System-wide and within the USO.
The Committee on Internal Audit, Risk and Compliance is to provide oversight and to review Major Risks on behalf of the Board.
http://www.usg.edu/policymanual/section7/policy/7.15_risk_management_policy
BOR 7.15 Risk Management Policy
Risk refers to the probability of an event and the potential consequences to an organization associated with that event's occurrence. Risks do not necessarily exist in isolation from other risks; as a result, a series of risk events may result in a collective set of consequences that is more impactful than the discrete set of consequences associated with risk events taking place in isolation.
Risk is inherent to any activity. It is neither possible, nor advantageous, to entirely eliminate risk from an activity without ceasing that activity. The safest ships are the ones that do not sail, but that is not what they are designed for.
Risk categories: Strategic, Financial, Operations, Compliance, Reputation
Reporting Risks to the BOR
We have to identify all risks and report Major Risks to the Board of Regents.
A risk is defined as Major when the combination of an event's probability and the potential consequences is likely to:
- Impair the achievement of a University System of Georgia (USG) strategic goal or objective.
- Result in substantial financial costs either in excess of the impacted institution's ability to pay or in an amount that may jeopardize the institution's core mission.
- Create significant damage to an institution's reputation or damage to the USG's reputation.
- Require intervention in institutional or USG operations by the Board of Regents and/or an external body.
Measuring Risks
Risk Identification, sorted by adjusted risk score.
Likelihood of occurring:
- 1 - low
- 2 - medium
- 3 - high
Potential impact:
- 1 - minor; unlikely to have a permanent or significant effect on the USG's/institution's reputation or the achievement of its strategic objectives.
- 2 - moderate; will have a significant impact on the USG/institution but can be managed without major impact.
- 3 - serious; will have a significant effect on the USG/institution and requires a major effort to manage and resolve the occurrence, as well as its ramifications.
- 4 - extreme; will threaten the existence of the USG/institution if not resolved.
Note: The "Adjusted Risk Factor" gives 50% weight to the likelihood of occurrence; this adjustment is necessary to reach a more reasonable spread of risk across the enterprise.
Policy Objectives
- Ensure Major Risks are reported to the Board and the Chancellor for review and acceptance.
- Manage risks to support stated USG goals and objectives.
- Address multiple types or categories of risk: Strategic, Compliance, Reputational, Financial, and Operational.
- Embed a risk culture within the USG and USG institutions.
- Allow measurement of risk across the System.
- Meet legal and regulatory requirements.
How was the Policy Developed?
Two pilot programs were run:
- Armstrong Atlantic State University
- University System Office
The Risk Management Policy was adopted by the Board in August 2010.
We Can Help
- Minimizing the risks of non-compliance
- SAS 112 controls and risk assessment
- Compliance with BOR Policy 7.15
- Implementing an Enterprise Risk Management Framework at Clayton State University
Implementation Schedule
ERM Sample Committee
Steering Committee (SC):
- Chancellor (Committee Chair)
- Chief Academic Officer
- Chief Operating Officer
- Senior VC for External Relations
- AVC Planning & Implementation
- Chief Audit Officer (Facilitator)
Working Group (WG):
- Chief of Staff, Academic Affairs
- Vice Chancellor for Fiscal Affairs
- Vice Chancellor for Legal Affairs
- Vice Chancellor for Facilities
- Vice Chancellor and CIO
- Vice Chancellor for Human Resources
- AVC Student Affairs
- AVC Compliance & Operations
- Executive Director, Government Relations
- Chief Information Security Officer
- Director, Internal Audit
- ERM Compliance Officer (Facilitator)
Proposed CSU Committees
USG Key Objectives and Risks
BOR 7.15 Risk Management Policy
However, acceptance of risk shall not include:
- Willful exposure of students, employees, or others to unsafe environments or activities;
- Intentional violation of federal, state, or local laws;
- Willful violation of contractual obligations; or
- Unethical behavior.
For Clayton State University, acceptance of risks shall also not include:
- Willful omissions
- Malfeasance
- Fraud
Next Steps: Identify Key Objectives and Risks
- List key objectives: the Working Group identifies institutional and USG strategic objectives.
- Prioritize objectives: the Steering Committee uses ranking or another system to select the top objectives (should not exceed 3-5 objectives per division head).
- Select objectives for assessment: the Steering Committee selects the 4-6 top objectives for initial risk assessment by the Working Group. (Note: the Steering Committee will select the next 4-6 top objectives for risk assessment on an ongoing basis until all key objectives have undergone risk assessment.)
- Brainstorm and assess risks: the Working Group conducts the initial risk assessment through calculation of impact and likelihood without consideration of current controls or mitigation plans. The Working Group must understand the key components/processes associated with the selected objectives. The Working Group performs the risk ranking. The Steering Committee validates the risk ranking. The Steering Committee selects the Key Risks and assigns each to a specific Risk Owner.
Managing Risks
- Identify current controls and mitigation requirements: risk owners identify the current controls, mitigation steps, or other actions already taken by the institution to reduce risk. The risk is then assessed again to determine likelihood and impact.
- Develop mitigation plans for key risks: risk owners develop mitigation plans for risks still ranked 4 or higher.
- Conduct quarterly meetings to review status: the Steering Committee holds quarterly meetings to approve and to review the status of risk owner mitigation plans. Risk scores may be adjusted by the Steering Committee to reflect the risk after implementation of the mitigation plan.
- Continue the process: the Steering Committee incorporates new risks into the ERM process (steps 2-4) as current risks are mitigated.
Risk Management Methodology
Risks may be managed by using one or more of the following methods:
- Avoid (eliminate, withdraw from, or do not become involved in an activity creating risk).
- Retain (accept the risk and plan for the expected impact).
- Transfer/Share (move the risk to another party by hedging against the undesired outcome, or reduce the risk through processes such as insurance).
- Reduce (control the risk through additional or optimized controls).