The Quaestor - Volume 9, Issue 3

Like other industries, Higher Education operates in an inherently risky environment. Common risk categories include financial, operating, strategic, regulatory, environmental, and reputational risks. But unlike other industries, there are also risks unique to Higher Education such as FERPA, Title IX, and the Clery Act (Campus Safety).

Also unique to Higher Education is the often decentralized structure of the risk environment. The complexity of the Higher Education risk environment - made up of individual colleges, schools, departments, functional areas, and administrative departments - makes risk collection and prioritization a challenge from an enterprise risk management perspective. Below (fig. A) is a simple risk model illustrating risk ranking examples within a decentralized Higher Education risk environment as it relates to probability and impact.

​

Once risks have been identified, assessed, and prioritized within a risk inventory or portfolio, a strategy based on risk appetite is then implemented by management to minimize, monitor, and control the probability and/or impact of risk events. Strategies to manage risks typically include implementing measures to avoid the risk, transferring the risk to another party, reducing the negative effect or probability of the risk, or even accepting some or all of the potential or actual consequences of a particular risk. By effectively managing these risks, we can reduce the chance of loss, create greater stability, and protect resources to meet the expectations and needs of the faculty, staff and students.

To efficiently manage finite auditing resources, Institute Audit, Compliance & Advisement (IACA) has historically implemented a risk management based strategy to build our annual audit plan. On an annual basis IACA performs an internal risk assessment. The risk assessment process includes meeting with key stakeholders around campus to identify and assess risks. The identified risks are then used to populate a heat map of prioritized risks within the risk environment. Based on this heat map, the annual audit plan is created.

In addition, the Framework includes points of focus or characteristics that are examples of behaviors or  processes that  would be  expected to  be in  place to demonstrate that the related principle is in fact present and functioning.  This edition of the COSO Corner will summarize the third  principle relating to the Control Environment component of the COSO Framework, as well as the related points of focus.

Principle 3 –   Management establishes—with board oversight—structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.

Points of Focus:

• Senior management and the board of directors establish the organizational structure and  reporting  lines  necessary  to  plan,  execute,  control,  and  monitor  operations.  Key factors to consider when establishing organization structure include the nature and  size  of  college  and  departmental  operations;  risks  related  to  the  Institute’s objectives  and  business  processes;  an  appropriate  segregation  of  duties  to  avoid conflicts  of  interest;  and  a  structure  which  provides  for  clear  accountability  and information flows.
• The BOT and senior management delegate authority and define and assign responsibility  to  enable  personnel  to  make  decisions  according  to  management’s directives  toward  the  achievement  of  the  university’s  objectives. Delegating authority increases responsiveness but also increases the complexity of the risks to be managed.
• Senior management defines the limits of authority so that delegation occurs only to the extent required to achieve the university’s objectives and inappropriate risks are not accepted.

Reference
Committee of Sponsoring Organizations of the Treadway Commission (May 2013). “Internal Control – Integrated Framework – Framework and Appendices”