Governance, Risk Management and Compliance: Summary of Basic Concepts & Program Goals Bob Kotic Chief Financial Officer University of Sydney

Questions that need Answers What are the greatest risks facing the University?What are the greatest risks facing the University? How does the University manage them?How does the University manage them? How do we monitor them?How do we monitor them?

Definitions Corporate Governance: The systems and processes by which the University is directed, controlled and held to accountCorporate Governance: The systems and processes by which the University is directed, controlled and held to account Risk: The potential for an event to occur that could have an effect on the Universitys objectives or operationsRisk: The potential for an event to occur that could have an effect on the Universitys objectives or operations Risk Management: The culture, processes and structures that are directed to the effective management of potential opportunities and adverse effectsRisk Management: The culture, processes and structures that are directed to the effective management of potential opportunities and adverse effects Compliance: The systems and processes that ensure conformity with business rules, policy and legislationCompliance: The systems and processes that ensure conformity with business rules, policy and legislation Governance Risk Management Compliance

Universitys Current Approach to Risk Management Silo approach to dealing with riskSilo approach to dealing with risk Specific administrative units have responsibility for specific risksSpecific administrative units have responsibility for specific risks –Hazard (Physical Risk) –Financial Threats –Acts of God OHS Staff Development Physical Security Legal Fraud Error Reporting Data Protection Academic Processes Insurance IT Security

Faculties Legal Physical Security Staff Development Fraud OHS IP Management Asset Management Data Protection Compliance

Program Goals Develop and implement an integrated approach to risk management and compliance and in turn, provide the framework to allow the University to demonstrate appropriate standards of governance.Develop and implement an integrated approach to risk management and compliance and in turn, provide the framework to allow the University to demonstrate appropriate standards of governance.

Program Goals contd Create a culture of risk awareness within the University which will promote the appropriate management of risk and compliance; minimising potential negative events and maximising the ability to seize opportunities.Create a culture of risk awareness within the University which will promote the appropriate management of risk and compliance; minimising potential negative events and maximising the ability to seize opportunities.

Program Objectives Identify major risks inherent in the Universitys operating environment & review the effectiveness of existing control measures.Identify major risks inherent in the Universitys operating environment & review the effectiveness of existing control measures. Develop new and more effective tools for monitoring and managing these risks.Develop new and more effective tools for monitoring and managing these risks. Develop a framework to connect the various disciplines currently managing risk to provide a consistent response to risks.Develop a framework to connect the various disciplines currently managing risk to provide a consistent response to risks. Align current activities, policies and procedures with the Universitys overall strategy and streamline deficient processes.Align current activities, policies and procedures with the Universitys overall strategy and streamline deficient processes.

Program Objectives contd Educate staff in the Universitys suite of policies, procedures and internal controls.Educate staff in the Universitys suite of policies, procedures and internal controls. Assign responsibilities for projects, activities, controls and compliance where there is no clear leader.Assign responsibilities for projects, activities, controls and compliance where there is no clear leader. Define key performance indicators and early warning systems to ensure quick response to risk.Define key performance indicators and early warning systems to ensure quick response to risk. Provide regular reporting to senior management, Senior Executive Group and the Audit & Risk Management Committee on risk management activities and internal controls.Provide regular reporting to senior management, Senior Executive Group and the Audit & Risk Management Committee on risk management activities and internal controls.

Common view of risk Understanding Dependencies Information Decisions, Direction, Controls Integrated Approach to Governance, Risk Management & Compliance Source: Barclays Bank Group Operational Risk

Benefits to the University Improved: Management Control & AdministrationManagement Control & Administration Decision MakingDecision Making Resource ManagementResource Management Ability to meet Strategic TargetsAbility to meet Strategic Targets Faculties Legal Physical Security Staff Development Fraud OHS IP Management Asset Management Data Protection Compliance Risk Management Controls

Typical Areas of Concern Alignment of current policies, procedures and processesAlignment of current policies, procedures and processes Strategic PlanningStrategic Planning Contracting/LitigationContracting/Litigation Consistency in TechnologyConsistency in Technology Consistency in Human ResourcesConsistency in Human Resources

Typical Areas of Concern contd Accountability for Legal ComplianceAccountability for Legal Compliance Management of assets (including acquisition and disposal)Management of assets (including acquisition and disposal) Provision of advice/consultancy agreementsProvision of advice/consultancy agreements Business ContinuityBusiness Continuity

Next Steps Identify the top operational risks to the UniversityIdentify the top operational risks to the University –Develop methodology to identify risks –the initial focus on risks and potential exposures that are currently controlled through central administrative support activities Select a risk area and complete full review to pilot an approachSelect a risk area and complete full review to pilot an approach Prioritise remaining risksPrioritise remaining risks

Next Steps contd Review the control measures relating to the administrative and financial processes that are currently in place to determine adequacyReview the control measures relating to the administrative and financial processes that are currently in place to determine adequacy Determine new procedures and control measures required and subsequent costsDetermine new procedures and control measures required and subsequent costs

Academic Support Administrative Support Risks identified & Control Measures developed Colleges College Risk Manager

Outcome List of top ten risks within the UniversityList of top ten risks within the University A risk treatment plan (control measures) by which each risk is managedA risk treatment plan (control measures) by which each risk is managed Risk and treatment plan assigned to a department/individualRisk and treatment plan assigned to a department/individual Performance measures that risks are reported againstPerformance measures that risks are reported against

Outcome contd Document as Risk Management PlanDocument as Risk Management Plan Communication and Training in new controls, policies and proceduresCommunication and Training in new controls, policies and procedures Structure within Colleges to assist with implementationStructure within Colleges to assist with implementation Set of procedures which can be audited to ensure complianceSet of procedures which can be audited to ensure compliance

Questions ?