Contributed by: Gregg S. Despard, Senior IT Internal Auditor, Institute Audit, Compliance & Advisement
Over the years, many risk management standards with their own definitions, methods, and goals have been created by such diverse entities as the Project Management Institute (PMI), the National Institute of Standards and Technology (NIST), and the International Organization for Standardization (ISO). However, they all share the basic concept that risk management consists of the identification, assessment, and prioritization of risks in conjunction with efforts to minimize, monitor, and control the probability and/or impact of risk events. While countless books, articles, and other publications exist that explain the concept of risk management and its application, few are focused on risk management within Higher Education.
Like other industries, Higher Education operates in an inherently risky environment. Common risk categories include financial, operating, strategic, regulatory, environmental, and reputational risks. But unlike other industries, there are also risks unique to Higher Education such as FERPA, Title IX, and the Clery Act (Campus Safety).
Also unique to Higher Education is the often decentralized structure of the risk environment. The complexity of the Higher Education risk environment (made up of individual colleges, schools, departments, functional areas, and administrative departments) makes risk collection and prioritization a challenge from an enterprise risk management perspective. Below (fig. A) is a simple risk model illustrating risk ranking examples within a decentralized Higher Education risk environment as it relates to probability and impact.
Once risks have been identified, assessed, and prioritized within a risk inventory or portfolio, a strategy based on risk appetite is then implemented by management to minimize, monitor, and control the probability and/or impact of risk events. Strategies to manage risks typically include implementing measures to avoid the risk, transferring the risk to another party, reducing the negative effect or probability of the risk, or even accepting some or all of the potential or actual consequences of a particular risk. By effectively managing these risks, we can reduce the chance of loss, create greater stability, and protect resources to meet the expectations and needs of the faculty, staff, and students.
To efficiently manage finite auditing resources, Institute Audit, Compliance & Advisement (IACA) has historically implemented a risk-management-based strategy to build our annual audit plan. On an annual basis, IACA performs an internal risk assessment. The risk assessment process includes meeting with key stakeholders around campus to identify and assess risks. The identified risks are then used to populate a heat map of prioritized risks within the risk environment. Based on this heat map, the annual audit plan is created.
Committee of Sponsoring Organizations of the Treadway Commission (COSO) Corner
Contributed by: Nancy A. Nasca, Manager, Institute Audit, Compliance & Advisement
As explained in previous editions of the Quaestor Quarterly, the COSO Framework (an internationally recognized standard with which the adequacy and effectiveness of an organization’s internal controls are evaluated) was updated in May 2013 to further define the principles underlying the five components of internal control (Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring). According to the Framework, these principles are fundamental concepts that must be present and functioning in order to achieve an effective system of internal control.
In addition, the Framework includes points of focus or characteristics that are examples of behaviors or processes that would be expected to be in place to demonstrate that the related principle is in fact present and functioning. This edition of the COSO Corner will summarize the third principle relating to the Control Environment component of the COSO Framework, as well as the related points of focus.
Principle 3 – Management establishes—with board oversight—structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
Points of Focus:
Senior management and the board of directors establish the organizational structure and reporting lines necessary to plan, execute, control, and monitor operations. Key factors to consider when establishing organization structure include the nature and size of college and departmental operations; risks related to the Institute’s objectives and business processes; an appropriate segregation of duties to avoid conflicts of interest; and a structure which provides for clear accountability and information flows.
The BOT and senior management delegate authority and define and assign responsibility to enable personnel to make decisions according to management’s directives toward the achievement of the university’s objectives. Delegating authority increases responsiveness but also increases the complexity of the risks to be managed.
Senior management defines the limits of authority so that delegation occurs only to the extent required to achieve the university’s objectives and inappropriate risks are not accepted.
Committee of Sponsoring Organizations of the Treadway Commission (May 2013). “Internal Control – Integrated Framework – Framework and Appendices”
Our video series focuses on opportunities for improving internal controls and increasing awareness of various university processes, policies, and protocols. If you have questions, feel free to contact anyone in the IACA office using information on our webpage.
Just to name a few, past topics include: Travel Policy changes, FERPA Regulations, RIT’s Ethics & Compliance Hotline, Records Management Policy, Risk Assessment, and many others.