ACUA ERM Survey

February 1, 2019


The Accounting and Audit Principles Committee recently surveyed institutional representatives to understand their approach to enterprise risk management (ERM). Thank you for your honest and clear input. We can infer from the responses that institutions are aware of ERM, but actual implementation appears limited.

A summary of the responses to each survey question is presented below.

Questions 2 – 5 were posed solely to respondents who affirmed they have an ERM process in place. Question 6 was posed for institutions that have not implemented ERM to gather information on their perceived barriers to implementation.

If you are on the ERM path, we hope that this information can be used to your benefit. Please see below for survey results by question:

[Graph: survey results for Questions 1 and 2]

Other:

  • Our own policy with a basis in COSO
  • Self-developed framework based on COSO and other observed best practices
  • Crawford Model
  • Informal/institutional developed risk definitions and process
  • Crawford Model
  • Combination of frameworks
  • It is based on both COSO and our State of Illinois internal control framework under the Illinois Fiscal Control and Internal Auditing Act.

3. Briefly describe who ‘owns’ ERM and Internal Audit’s role, if any, in the process.

  • Owned by Vice Chancellor for Organizational Effectiveness and is coordinated frequently with internal audit.
  • The Associate Vice President and Treasurer owns ERM. Audit's role is to participate on Risk Management Council and support the ERM effort. We also audit risk mitigation plans, as applicable.
  • Executive Cabinet owns ERM and Internal Audit administrates the risk assessment process
  • Director, Risk and Assurance with IA basing their plans on the ECU Strategic Risk Register and reporting back on the effectiveness of treatments/controls and the impact on the assessed level of risk. This is used as part of the Strategic Risk Register refresh.
  • Management owns it; the Asst Controller facilitates quarterly ERM meetings, and IA is a participant and uses the results as a starting point for development on the annual internal audit plan.
  • VP of Finance. Internal Audit serves in advisory role.
  • Chancellor, Advisor to the ERM Team
  • Management (process facilitated by Chief Risk Officer). Internal audit serves on the risk committee that oversees the annual processes
  • for Business and Planning area. Internal Audit reviews all assessments as they are done and makes recommendations and verifies at the end of the process that the university followed the procedures.
  • VP of Finance & Administration owns ERM. Internal Audit works closely with finance and our risk management committee to evaluate and address risks.
  • Director of ERM - I sit on the ERM committee as an ex officio member
  • The VP-CFO "owns" ERM, with facilitation from Internal Audit. Internal Audit leads a coordination group among ERM, Ethics/Compliance, and Internal Audit
  • ERM owners have been identified. Internal Audit acts in an advisory role and facilitates ERM workshops.

4. How often are risk registers updated?

Annually ............................................................ 7
Quarterly ........................................................... 2
All major functional areas on a 3-year cycle ........................ 2
18-24 months ........................................................ 1
Unclear; the ERM program is being revamped this year ................ 1
Operational: annually; Strategic: every second year ................. 1

5. How are gaps identified through ERM addressed and validated as closed?

  • Monitoring by Executive Director for ERM
  • The Executive Cabinet administrates, addresses, and validates the management of risks
  • Via the Recommendation tracking system which requires documentary evidence to substantiate closure
  • Departments identify their own risks; there is no validation of closure
  • Not very well
  • Follow up discussions
  • Management owners of each risk are designated. Risk owners present annually to the ERM steering committee (any gaps are discussed at Committee, and follow-up reporting to the committee is required for any disclosed significant gaps)
  • Corrective action plans document gaps that need to be closed. Progress on closing the gap is documented annually until the problem has been dealt with.
  • Risk Management Committee meets regularly (about every other month) to make and follow-up on assignments to address gaps.
  • Reported to ERM committee
  • This is still in progress. Depends on the significance of the issue. Those at the highest level are reported by senior leader "risk owners" to an Executive Risk Management Group comprised of the President, Chancellors, and Vice Presidents of the System.
  • At this time, internal audit does not validate closures. This is in the future state plan

6. If ERM is not in place, what do you consider to be the barriers to implementation?

Constrained budget or staffing ..................................... 22
Lack of leadership willing to 'own' ................................. 9
Other similar risk process already in place ......................... 5
Lack of perceived benefit by leadership ............................. 2