Mason Initiatives: Efficiency & Effectiveness - PowerPoint Presentation

1. Mason Initiatives:Efficiency & EffectivenessEnterprise Risk ManagementBeth Brock, Associate VP & ControllerGeorge Mason UniversityMay 21, 20101

2. AgendaEfficiency & Effectiveness (E&E)How we got started and the processWhere we are now, observations, questionsEnterprise Risk Management (ERM)OverviewHow we got started and the processWhere we are now, survey, questions2

3. E&E InitiativeLate 2010 - some members of BOV requestedAll administrative functions in scope; academics excludedSpring 2011 - explored big firm and boutique/trade assn approaches3

4. E&E Study AdviceDo not underestimate:Disruption in workplaceTime and effort to do properlyImpact on employee moralExpect to make an investment4

5. E&E EvolutionIssued RFP for benchmarking services in seven administrative areas:Auxiliaries & Affiliated EntitiesFacilitiesInformation TechnologyPurchasingEnrollment ServicesHuman ResourcesAccounting & Finance5

6. RFP for Benchmarking ServicesSelection criteria emphasized higher ed experience, recommended benchmarks requiredGoal - inform a decision on areas for E&E reviewSearch committee: Controller; Director IA&MS; Fiscal Projects DirectorTwo firms selected for oral presentationsSenior VP and Chief of Staff attended orals6

7. Benchmarking ProjectHuron Consulting selected for 3-4 month project:Reviewed data on budgets and staffingInterviewed unit headsConfirmed benchmarksPerformed benchmarking and analysisDelivered final report – functioning efficiently and effectivelyDiscussing next phase for some opportunities7

8. Efficiency & EffectivenessObservations and Questions8

9. ERM DefinedEnterprise Risk Management (ERM) is generally defined as: a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives1.1Standard ERM Model content adapted from: Committee of Sponsoring Organizations of the Treadway Commission9

10. ERM FrameworkCategorization of risks:Strategic – organizational goalsOperations – executing objectivesFinancial/Reporting – safeguarding assetsCompliance – adherence with laws and regs.Reputational – public imageCultural – character of university and personnel10

11. ERM Initiative at MasonLate 2009 - BOV interested in risks other than financial risksSpring 2010 - Controller’s office and IA&MS collaborated to survey approx. 80 unit headsResponses reviewed, consolidated, reviewed again, 32 items presented to BOV11

12. ERM EvolutionFunding for next steps in FY11 budgetIssued RFP for assistance with designing a sustainable ERM programResponses from 14 firms; orals from 5Sr. VP and Chief of Staff attended orals12

13. ERM ProjectHuron Consulting selected late 2010Extensive data requests: Org charts, audit reports, draft audit findings, budgets, IA&MS work plans, list of affiliates, strategic and/or business plans for IT, research, student, finance, President’s initiatives, ERM work to date13

14. Huron Phase I Evaluated data Met with about 25 unit headsIdentified common risks at other institutionsAssigned one or more of 6 framework categories Assigned functional area: facilities, safety, IT, academic, research, fiscal, HR, etc.14

15. Assigning Risk Factors Evaluated each risk using five factors:External environment – e.g., federal regsReputational risk – level of public visibilityFinancial exposure – e.g., budget, penaltiesVulnerability – likelihood of occurrenceInternal controls risk assessment15

16. Ranking our RisksUsed the collective high, medium, low scores for each factor to assign a relative impact score to each40 risks prioritized as highest, high, mediumEleven highest priority include fraud, research compliance, succession planningPhase I deliverable – modified risk inventory16

17. ERM Implementation PlanHuron phase 2 deliverables:Recommended organizational structureReviewed policies, provided gap analysisProvided executive level reporting format (heat map)Provided risk mitigation strategy guidance17

18. Hiring a Chief Risk OfficerNew admin. faculty position, reporting to Sr. VPAdvertised late November 2011 - late January 2012Committee: Controller, Director IA&MS, Projects Director, Assoc. Dean College of ScienceAbout 45 applicants, 3 selected for interviewReopened search April 201218

19. Interim EffortsApplying the committee-based organizational modelFunctional managers appointed to committeeWill develop mitigation strategies for highest priority risksWill update risk inventory, determine factors for assessing relative degrees of risk19

20. Audience Survey Question #1Q: How has your institution’s approach to risk management changed over the past two years?Significantly increased time and resources devoted to risk managementSomewhat increased time and resources devotedMade few or no changes to risk-mgmt approachDecreased time and resources devoted20

21. Survey by CFO Magazine Q#121

22. Audience Survey Question #2 Q: Who in your institution is most responsible for risk oversight? CFO 5. Board of VisitorsPresident 6. Audit CommitteeRisk committee 7. Director, Internal AuditCRO22

23. Survey by CFO Magazine Q#223

24. Audience Survey Question #3Q: Which would you say is the single biggest impediment to improved risk management within your institution?Commitment of time/resources 5. N/A, adequate risk mgmtInternal expertise 6. Implement. methodologyNo clear mandate from top 7. Lack of IT system to Organizational structure address risk mgmt.24

25. Survey by CFO Magazine Q#325

26. Enterprise Risk ManagementObservations and QuestionsContact information: Beth Brock ebrock1@gmu.edu 703-993-2660 26