Enterprise Risk Management ERM at Clayton State University

Enterprise Risk Management (ERM) at Clayton State University Cheryl Jordan, CFE ERM Compliance Officer

What is ERM? ERM is a process-driven tool that enables senior management to visualize, assess, and manage significant risks that may adversely impact the attainment of key organizational objectives. USG Definition 10/26/2020 2

BOR 7. 15 Risk Management Policy • Each institution to: – Designate a Risk Management Policy Coordinator – Develop a Risk Management Framework and procedures based on ERM. • Chancellor to designate a position to oversee implementation of Risk Policy and develop Risk procedures for use System-wide and within USO. • Committee on Internal Audit, Risk and Compliance to provide oversight and to review Major Risks on behalf of the Board. http: //www. usg. edu/policymanual/section 7/policy/7. 15_risk_management_policy 10/26/2020 3

BOR 7. 15 Risk Management Policy • Risk refers to the probability of an event and potential consequences to an organization associated with that event’s occurrence. • Risks do not necessarily exist in isolation from other risks; as a result, a series of risk events may result in a collective set of consequences that is more impactful than the discrete set of consequences associated with risk events taking place in isolation. • Risk is inherent to any activity. It is neither possible, nor advantageous, to entirely eliminate risk from an activity without ceasing that activity. The safest ships are the ones that do not sail, but that is not what they are designed for. Strategic, Financial, Operations, Compliance, Reputation 10/26/2020 4

Reporting Risks to the BOR We have to identify all risks and report Major Risks to the Board of Regents A risk is defined as Major when the combination of an event’s probability and the potential consequences is likely to: 1. Impair the achievement of a University System of Georgia (USG) strategic goal or objective. 2. Result in substantial financial costs either in excess of the impacted institution’s ability to pay or in an amount that may jeopardize the institution’s core mission. 3. Create significant damage to an institution’s reputation or damage to the USG’s reputation. 4. Require intervention in institutional or USG operations by the Board of Regents and/or an external body. 10/26/2020 5

Measuring Risks Risk Identification – sorted by adjusted risk score Likelihood of occurring 1 - low 2 - medium 3 - high Potential impact 1 – minor; unlikely to have a permanent or significant effect on USG's/institution’s reputation or achievement of its strategic objectives. 2 - moderate; will have a significant impact on USG/institution but can be managed without major impact. 3 - serious; will have a significant effect on USG/institution and requires a major effort to manage and resolve the occurrence, as well as its ramifications. 4 - extreme; will threaten the existence of the USG/institution if not resolved. Note: The "Adjusted Risk Factor" gives 50% weight to the likelihood of occurrence; this adjustment is necessary to reach a more reasonable spread of risk across the enterprise. 10/26/2020 6

Policy Objectives • Ensure Major Risks are reported to the Board and the Chancellor for review and acceptance. • Manage risks to support stated USG goals and objectives – Multiple types or categories of risk: Strategic, Compliance, Reputational, Financial, and Operational. • Embed a risk culture within USG and USG institutions. • Allow measurement of risk across the System. • Meet legal and regulatory requirements. 10/26/2020 7

How was the Policy Developed? • Two Pilot Programs run: – Armstrong Atlantic State University – University System Office. • Risk Management Policy adopted by Board in August 2010. 10/26/2020 8

Compliance with BOR Policy 7. 15 Implement A Enterprise Risk Management Framework at Clayton State University We can Help Minimizing the Risks of non-compliance SAS 112 CONTROLS AND RISK ASSESSMENT 10/26/2020 9

Implementation Schedule 10/26/2020 10

ERM Sample Committee STEERING COMMITTEE (SC) • • • Chancellor (Committee Chair) Chief Academic Officer Chief Operating Officer • • • Senior VC for External Relations AVC Planning & Implementation Chief Audit Officer (Facilitator) WORKING GROUP (WG) • • • 10/26/2020 Chief of Staff - Academic Affairs Vice Chancellor for Fiscal Affairs Vice Chancellor for Legal Affairs Vice Chancellor for Facilities Vice Chancellor and CIO Vice Chancellor for Human Resources • • • AVC Student Affairs AVC Compliance & Operations Exec Director, Government Relations Chief Information Security Officer Director, Internal Audit ERM Compliance Officer (Facilitator) 11

Proposed CSU Committees 10/26/2020 12

USG Key Objectives and Risks 10/26/2020 13

USG Key Objectives and Risks 10/26/2020 14

USG Key Objectives and Risks 10/26/2020 15

BOR 7. 15 Risk Management Policy However, acceptance of risk shall not include: • Willful exposure of students, employees, or others to unsafe environments or activities; • Intentional violation of federal, state, or local laws; • Willful violation of contractual obligations; or, • Unethical behavior. For Clayton State University, acceptance of risks shall not include: • Willful omissions • Malfeasance • Fraud 10/26/2020 16

Next Steps Identify Key Objectives and Risks A. List key objectives – Working Group identifies institutional and USG strategic objectives. B. Prioritize objectives – Steering Committee uses ranking or other system to select top objectives (should not exceed 3 -5 objectives per division head). C. Select objectives for assessment – Steering Committee selects 4 -6 top objectives for initial risk assessment by the Working Group. (Note: Steering Committee will select next 4 -6 top objectives for risk assessment on an ongoing basis until all key objectives have undergone risk assessment). D. Brainstorm and assess risks – Working Group conducts initial risk assessment through calculation of impact and likelihood without consideration of current controls or mitigation plans. 1. Working Group must understand the key components/process associated with selected objectives. 2. Working Group performs risk ranking. 3. Steering Committee validates risk ranking. E. Steering Committee selects Key Risks and assigns to a specific Risk Owner. 10/26/2020 17

Managing Risks A. Identify current controls and mitigation requirements – Risk owners identify the current controls, mitigation steps, or other actions already taken by the institution to reduce risk. The risk is assessed again to determine likelihood and impact. B. Develop mitigation plan for key risks – Risk owners develop mitigation plans for risks still ranked 4 or higher. Conduct quarterly meetings to review status – Steering Committee holds quarterly meetings to approve and to review the status of risk owner mitigation plans. Risk scores may be adjusted by the Steering Committee to reflect the risk after implementation of the mitigation plan. D. Continue process – Steering Committee incorporates new risks into the ERM process (steps 2 -4) as current risks are mitigated. 10/26/2020 18

Risk Management Methodology Risks may be managed by using one or more of the following methods: • Avoid (eliminate, withdraw from or do not become involved in an activity creating risk). • Retain (accept the risk and plan for the expected impact). • Transfer/Share (move the risk to another party by hedging against undesired outcome or reduce the risk through processes such as insurance). • Reduce (control the risk through additional or optimized controls). 10/26/2020 19