University Risk Assessment - February 2008



  1. University Risk Assessment Presentation, February 20, 2008
  2. Questions to Answer Today
     • What is risk?
     • Why perform a risk assessment?
     • What is a risk assessment?
     • What is your role in the risk assessment?
     Office of Audit and Compliance
  3. What is Risk?
     Anything that may impair the ability of the University to achieve its objectives. Risk can be viewed as “what can go wrong” or “what needs to go right” with respect to meeting objectives.
  4. Categories and Examples of Risk
  5. Why Perform a Risk Assessment?
     • There has been a paradigm shift in the view of risk
       • Inspect, detect, & react -> Anticipate, prevent, & monitor
     • It helps the University focus on key issues
       • Enhanced management and decision making
       • More effective use of University resources
  6. What is a Risk Assessment?
     • A process to identify and prioritize potential future events that may impact the ability of the University to achieve its objectives
       • Assesses risks from two perspectives
         • Likelihood
         • Magnitude
       • Employs a combination of both qualitative and quantitative risk assessment methodologies
       • Primarily assesses risk on an inherent basis, with limited consideration to controls and/or processes in place, as gathered from interviews and survey responses
  7. The Risk Assessment Process
     • Information Gathering: Collect information through analysis, review of documents, surveys and/or interviews
     • Clarification and Discussion: Discuss and clarify the risks/issues that are identified through interviews and surveys
     • Alignment Through Consensus: Discuss initial results with management to obtain group consensus on key risks and prioritization of risks
     • Commitment to Action: Analyze and discuss results for agreement on specific commitments to action
     • Assessment and Prioritization: Prioritize the identified risks in terms of likelihood and impact
  8. Risk Factors Considered
     The following factors are generally considered when prioritizing risks in terms of likelihood and impact:
     • Financial results
     • Operational complexity
     • New systems and changing technology
     • Past audit results
     • Regulatory compliance
     • Rapid growth
     • Degree of decentralization
     • Linkage to the operating plan
     • Management concerns
     • Industry drivers
     • Internal control environment
     • Reputational impact
     • Fraud potential
     • Geographical dispersion
  9. Output - University Risks
     [Figure: risk map with axes Likelihood and Magnitude; risk categories: Financial, Operational, Strategic, Info Technology, Compliance; quadrants labelled Medium Risk, High Risk, Low Risk, Medium Risk; response labels “Share/Transfer/Contingency Plan”, “Eliminate or Mitigate”, “Accept”, “Mitigate”]
     Examples of Risks:
     • Faculty selection/retention/tenure
     • Scholarship/financial aid misconduct
     • Student safety
     • Capital investment
     • Data security and privacy
     • Government research funding
     • Alcohol and drug abuse
     • Donor stewardship
     • Endowment controls
  10. Output – Key Risk Processes and Areas
     [Figure: risk map with axes Likelihood and Magnitude]
     Examples of Risks:
     • Purchasing
     • NCAA compliance
     • Research grants cost appropriation
     • Payroll
     • Restricted funds/gifts
     • Information security controls
     • Financial reporting
     • Capital project management
     • Investment management
     These risks will be considered in the internal audit and compliance work plan.
  11. Your Role
     In the coming months you may be asked to participate in this risk assessment process. If requested, we need you to:
     • Be an active and willing participant, a facilitator, a manager
     • Communicate the process to your organization/unit, decide interview and survey participants, and provide input for the process
     • Provide requested documentation regarding the key risks impacting your area of responsibility
     • Complete surveys
     • Make yourself available to be interviewed and communicate what is on your mind
     • Provide open, honest input in risk identification and prioritization
  12. Critical Success Factors
     • Tone at the top: Executive management must endorse the risk assessment process
     • Access to key players: Timely access to key departmental/process owners is critical
     • Open-minded discussions about functional risk: Each person interviewed must understand that we are trying to help manage risk, NOT impede their functional mission
     • Ownership: University management owns the risk assessment process, NOT the facilitator
     • Collaboration: Open discussions about cross-functional risk are critical to the success of the risk assessment
     • Understanding scores: Management must understand that a risk rating of “high” does NOT imply that the functional department or process is broken; rather, it is an area/function to be monitored
     • Timely feedback: The risk assessment process is an iterative and collaborative effort that requires input and feedback. Timely responsiveness is important
     • Flexibility is key: As the risk environment changes, the risk map and the audit plan must “flex”