Role of the general counsel in institutional risk management Marcia Isaacson, CUNY James J. Mingle, Cornell University Stephen D. Sencer, Emory University
Introduction Jim Mingle – General Counsel of Cornell Steve Sencer – General Counsel of Emory
Overview of this session Structures for Institutional Risk Management Process for Risk Identification Process for Risk Management Board’s Role in Risk Oversight Compliance vs. Risk Management
Key Questions How do you know if the right risks are being identified? How do you determine who is “in charge” of managing and mitigating the risks? How do you know if the “most serious risks” are being aptly assessed institutional resources are strategically directed? What oversight and support structure will aid in the overall risk management effort?
Structures for Institutional Risk Management Committee/Council model Chief Risk Officer Model Hybrid Role of Risk and Insurance Department
Cornell Committee chaired by General Counsel – has 21 members from broad range of offices, including Finance & Administration, HR, University Relations, Research, Audit, Risk Management & Insurance, Campus Health, Student and Academic Services, EH&S, IT, Police, Facilities. Meets at least quarterly. Five Main Risk Categories: Operations, Finance, Life & Safety, Reputation, Legal. Guiding principles include: Identify main and specific risks and ensure that specific risks have responsible managers Enable an efficient system of guidance and support to individuals “in charge,” through development of appropriate policies and assistance of risk advisory committees (ad hoc and standing), and elimination of silos which may inhibit institutional risk and management efforts. Other Structures Considered Counsel’s Role in Shaping Structure
ERM Executive Committee ERM Steering Committee Emory’s ERM Structure ERM Executive Committee President (Committee Chair) Provost EVP for Health Affairs EVP for F&A SVP and General Counsel SVP and Dean for Campus Life SVP for Development VP and Secretary VP of Communications President and CEO, Emory Healthcare ERM Steering Committee Chief Risk Officer (Co-Chair) Chief Audit Officer (Co-Chair) Chief Investment Officer Deputy General Counsel VP for Campus Services VP for Finance VP for Human Resources VP for IT VP for Research Administration Senior Vice Provost Director of Student Activities Director of CEPAR Finance & Investment Campus Safety & Physical Plant Healthcare Information Technology Governance & Corporate Affairs Academic & Student Research Human Resources
Deputy General Counsel and Compliance Officer are members. CUNY Risk Management and Business Continuity Council (47 members:22 from Central and 25 from campuses) Chaired by the Director of Environmental, Health and Safety & Risk Management. Deputy General Counsel and Compliance Officer are members. Standing Committees Preparedness committee Information Technology committee Travel and transportation committee Insurance committee Infectious disease committee Residence hall committee Ad hoc committees formed as needed Monthly meetings include reports from standing committees and educational risk-related presentations.
Role of Counsel Re: Structure Legal, compliance and risk management overlap, but are not the same function Counsel should advise “institution” on risk management structure Management/Leadership Board (typically through Audit Committee) Counsel should participate in committee (s) Counsel should participate in risk briefings
Emory’s Risk Identification Process Cast a big net Asked committees to identify EVERY risk Generated 555 risks Eliminated duplicates Reduced list to 140 Assessed frequency and severity rankings Distilled the list to 50 “Key Risks”
Identified “Specific Risks” MAIN RISKS: University Governance Autonomy Academic Freedom Critical Partnerships Ethical Conduct Public Safety & Security Campus Crime Control Campus Code of Conduct Faculty/Student/Staff Mental Health Substance Abuse Fraternal/ Student Organizations LIFE & SAFETY LIFE & SAFETY REPUTATION FINANCIAL & PROPERTY Patient Care Medical Malpractice Compliance – Billing, etc. Health & Environment Hazards – Chemical, Biological, Radiological Occupational Health & Safety Fire Construction Accidents Campus Personal Injuries LEGAL OPERATIONS Employment Issues Misfeasance & Malfeasance Discrimination Recruitment/Retention Sexual Harassment Affirmative Action Labor Relations Financial Stewardship Accountability & Controls Endowment Management Subsidiaries Management Financial Fraud Effort Allocation Cost Allowability and Allocability Emergencies & Crises Prevention Planning Notification Response Recovery Business Continuity Data Security (Paper & IT) Personnel Payroll Donor Student Patient Athletics Controversies NCAA & Title IX Compliance Research Integrity & Assurance Human Subjects Conflicts of Interest, Commitment Research Misconduct Animal Research and Care Stem Cell Research International Programs Security Assessment & Advice Due Diligence Financial Management Intervention & Evacuation Travel Safety Info Tech Security Recovery Licensing Loss of Critical Infrastructure Buildings & Properties Utilities Transportation IT Intellectual Property Protection & Infringement Equity Interests & Start-ups
Risk Identification at CUNY Units/departments on each campus must complete annual risk management survey/report Academic Affairs Mental Health & Wellness Budget/Finance Human Resources Business Services Legal Affairs IT Environmental Health and Safety Facilities Public Safety Student Affairs One person on campus designated to distribute/collect the risk surveys
Risk Identification at CUNY (cont.) Risk Surveys (in template form) request: Risk Statement Likelihood/Impact/Risk Score Policy and Procedures (existing and potential) Education Training and Awareness (existing and potential) Operational Controls (existing and potential) Oversight, Monitoring or Executive Controls (existing) Audit Controls (Existing and Potential) Other Controls Responsible Person Mitigation Cost Scheduled Date to Revisit Plan Reports are returned to EHS & RM where they are put into a database for analysis by EHS & RM. CUNY Risk Manager visits each campus to review surveys.
Staying on the lookout for emerging and overlooked risks External Sources for Emerging Risks Regulatory Actions (Dear Colleague Letters) Agency/Inspector General/State Comptroller Audits Problems facing Corporate America (Target Data Breach; FCPA) Problems at other universities (overseas labor practices) Emerging Internal Risks Legal obligations with uncertain or multiple homes (privacy of student/patient information) Revenue generating initiatives International Programs Learning from Crises Non-governmental reporting of information
Emory’s Risk Management Process Assign Ownership “Risk Management Process Owner” for each risk Must be sufficiently familiar with the risk and best positioned to write a comprehensive Risk Management Plan Review with Senior Leadership Repeat
ENTERPRISE RISK MANAGEMENT Risk Management Plans Privileged and Confidential Attorney-Client Communication EMORY UNIVERSITY ENTERPRISE RISK MANAGEMENT RISK MANAGEMENT PLAN Date: __________________ Short Description of Risk: __________________________________ Risk Management Process Owner: ___________________________________ Describe the Risk, its Components, and Examples: Describe the Steps Being Taken to Manage the Risk at an Acceptable Level: Describe the Operational Response to an Adverse Occurrence: Describe the Communication Response to an Adverse Occurrence:
Once you have all the data about risk, what does the risk committee (or others) do with it? Gauging most serious risks, mitigation measures, risk tolerance Addressing Same Risks Year after Year What is counsel’s role?
Counsel’s Role in Managing Non-Legal Risks Tending to boundaries Identifying emerging risks Avoiding operational roles Ensuring reasonableness of risk management process
Board’s Role in Risk Oversight Board’s role is to oversee the risk management process, not manage day to day risks Management must provide the right amount of information for Board to perform its role Janice M. Abraham, Risk Management: An Accountability Guide for University and College Boards
Compliance vs. Risk Management Policies/Procedures/Controls Training/Education Monitoring Investigation Risk Management Non-legal Risk Health and Safety Incident Response Disaster Recovery/Business Continuity Infrastructure Identify / manage legal and regulatory risk; Work with Responsible Owners
QUESTIONS?