Risk Management

ROLE OF THE GENERAL COUNSEL IN
INSTITUTIONAL RISK MANAGEMENT
Marcia Isaacson, CUNY
James J. Mingle, Cornell University
Stephen D. Sencer, Emory University
Introduction
• Jim Mingle – General Counsel of Cornell
• Steve Sencer – General Counsel of Emory
Overview of this session
• Structures for Institutional Risk Management
• Process for Risk Identification
• Process for Risk Management
• Board’s Role in Risk Oversight
• Compliance vs. Risk Management
Key Questions
• How do you know if the right risks are being
identified?
• How do you determine who is “in charge” of
managing and mitigating the risks?
• How do you know if the “most serious risks”
are being aptly assessed and institutional
resources are strategically directed?
• What oversight and support structure will aid
in the overall risk management effort?
Structures for Institutional Risk Management
o Committee/Council model
o Chief Risk Officer Model
o Hybrid
o Role of Risk and Insurance Department
Cornell
• Committee chaired by General Counsel – has 21 members from broad range
of offices, including Finance & Administration, HR, University Relations,
Research, Audit, Risk Management & Insurance, Campus Health, Student and
Academic Services, EH&S, IT, Police, Facilities.
• Meets at least quarterly.
• Five Main Risk Categories: Operations, Finance, Life & Safety, Reputation,
Legal.
• Guiding principles include:
• Identify main and specific risks and ensure that specific risks have
responsible managers
• Enable an efficient system of guidance and support to individuals “in
charge,” through development of appropriate policies and assistance of
risk advisory committees (ad hoc and standing), and elimination of silos
which may inhibit institutional risk management efforts.
• Other Structures Considered
• Counsel’s Role in Shaping Structure
Emory’s ERM Structure
ERM Executive Committee
• President (Committee Chair)
• Provost
• EVP for Health Affairs
• EVP for F&A
• SVP and General Counsel
• SVP and Dean for Campus Life
• SVP for Development
• VP and Secretary
• VP of Communications
• President and CEO, Emory Healthcare
ERM Steering Committee
• Chief Risk Officer (Co-Chair)
• Chief Audit Officer (Co-Chair)
• Chief Investment Officer
• Deputy General Counsel
• VP for Campus Services
• VP for Finance
• VP for Human Resources
• VP for IT
• VP for Research Administration
• Senior Vice Provost
• Director of Student Activities
• Director of CEPAR
Risk areas shown on the structure chart
• Finance & Investment
• Campus Safety & Physical Plant
• Healthcare
• Human Resources
• Information Technology
• Governance & Corporate Affairs
• Academic & Student Affairs
• Research
CUNY
• Risk Management and Business Continuity Council (47
members: 22 from Central and 25 from campuses)
• Chaired by the Director of Environmental, Health and Safety &
Risk Management.
• Deputy General Counsel and Compliance Officer are members.
• Standing Committees
o Preparedness committee
o Information Technology committee
o Travel and transportation committee
o Insurance committee
o Infectious disease committee
o Residence hall committee
• Ad hoc committees formed as needed
• Monthly meetings include reports from standing committees
and educational risk-related presentations.
Role of Counsel Re: Structure
• Legal, compliance and risk management
overlap, but are not the same function
• Counsel should advise “institution” on risk
management structure
– Management/Leadership
– Board (typically through Audit Committee)
• Counsel should participate in committee(s)
• Counsel should participate in risk briefings
Emory’s Risk Identification Process
• Cast a big net
• Asked committees to identify EVERY risk
• Generated 555 risks
• Eliminated duplicates
• Reduced list to 140
• Assessed frequency and severity rankings
• Distilled the list to 50 “Key Risks”
Identified “Specific Risks”
MAIN RISKS: Life & Safety, Operations, Reputation, Financial & Property, Legal
SPECIFIC RISKS:
• Public Safety & Security
o Campus Crime Control
o Campus Code of Conduct
o Faculty/Student/Staff Mental Health
o Substance Abuse
o Fraternal/Student Organizations
• Health & Environment
o Hazards – Chemical, Biological, Radiological
o Occupational Health & Safety
o Fire
o Construction Accidents
o Campus Personal Injuries
• Financial Stewardship
o Accountability & Controls
o Endowment Management
o Subsidiaries Management
o Financial Fraud
o Effort Allocation
o Cost Allowability and Allocability
• Research Integrity & Assurance
o Human Subjects
o Conflicts of Interest, Commitment
o Research Misconduct
o Animal Research and Care
o Stem Cell Research
• Intellectual Property
o Protection & Infringement
o Equity Interests & Start-ups
• University Governance
o Autonomy
o Academic Freedom
o Critical Partnerships
o Ethical Conduct
• Patient Care
o Medical Malpractice
o Compliance – Billing, etc.
• Employment Issues
o Misfeasance & Malfeasance
o Discrimination
o Recruitment/Retention
o Sexual Harassment
o Affirmative Action
o Labor Relations
• Data Security (Paper & IT)
o Personnel
o Payroll
o Donor
o Student
o Patient
• Info Tech
o Security
o Recovery
o Licensing
• Emergencies & Crises
o Prevention
o Planning
o Notification
o Response
o Recovery
• Business Continuity
o Loss of Critical Infrastructure: Buildings & Properties, Utilities, Transportation, IT
• Athletics
o Controversies
o NCAA & Title IX Compliance
• International Programs
o Security Assessment & Advice
o Due Diligence
o Financial Management
o Intervention & Evacuation
o Travel Safety
Risk Identification at CUNY
– Units/departments on each campus must complete annual risk management
survey/report
• Academic Affairs
• Mental Health & Wellness
• Budget/Finance
• Human Resources
• Business Services
• Legal Affairs
• IT
• Environmental Health and Safety
• Facilities
• Public Safety
• Student Affairs
– One person on campus designated to distribute/collect the risk surveys
Risk Identification at CUNY (cont.)
– Risk Surveys (in template form) request:
o Risk Statement
o Likelihood/Impact/Risk Score
o Policy and Procedures (existing and potential)
o Education Training and Awareness (existing and potential)
o Operational Controls (existing and potential)
o Oversight, Monitoring or Executive Controls (existing)
o Audit Controls (Existing and Potential)
o Other Controls
o Responsible Person
o Mitigation Cost
o Scheduled Date to Revisit Plan
– Reports are returned to EHS & RM where they are put into a database
for analysis by EHS & RM.
– CUNY Risk Manager visits each campus to review surveys.
Staying on the lookout for emerging
and overlooked risks
o External Sources for Emerging Risks
o Regulatory Actions (Dear Colleague Letters)
o Agency/Inspector General/State Comptroller Audits
o Problems facing Corporate America (Target Data Breach; FCPA)
o Problems at other universities (overseas labor practices)
o Emerging Internal Risks
o Legal obligations with uncertain or multiple homes (privacy of
student/patient information)
o Revenue generating initiatives
o International Programs
o Learning from Crises
o Non-governmental reporting of information
Emory’s Risk Management Process
• Assign Ownership
– “Risk Management Process Owner” for each risk
– Must be sufficiently familiar with the risk and best
positioned to write a comprehensive Risk Management
Plan
• Review with Senior Leadership
• Repeat
Risk Management Plans
Once you have all the data about
risk, what does the risk committee
(or others) do with it?
• Gauging most serious risks, mitigation
measures, risk tolerance
• Addressing Same Risks Year after Year
• What is counsel’s role?
Counsel’s Role in Managing Non-Legal Risks
o Tending to boundaries
o Identifying emerging risks
o Avoiding operational roles
o Ensuring reasonableness of risk management
process
Board’s Role in Risk Oversight
• Board’s role is to oversee the risk management
process, not manage day to day risks
• Management must provide the right amount of
information for Board to perform its role
• Janice M. Abraham, Risk Management: An
Accountability Guide for University and College
Boards
Compliance vs. Risk Management
Compliance
• Policies/Procedures/Controls
• Training/Education
• Monitoring
• Investigation
Identify / manage legal and regulatory risk; work with Responsible Owners
Risk Management
• Non-legal Risk
• Health and Safety
• Incident Response
• Disaster Recovery/Business Continuity
• Infrastructure
QUESTIONS?