UNIVERSITY OF PENNSYLVANIA 1 ASSESSING AND MITIGATING BUSINESS RISK USING INTEGRATED INTERNAL CONTROL FRAMEWORK


Page 1

ASSESSING AND MITIGATING BUSINESS RISK
USING INTEGRATED INTERNAL CONTROL FRAMEWORK

Page 2

BUSINESS RISK - WHAT IS IT?

Threats to achieving an organization’s business objectives

Page 3

EXAMPLES OF BUSINESS RISK

• Having shortsighted goals
• Processes that are ineffective at achieving progressive goals
• Financial fraud
• Failure to comply with government regulations
• Tarnishing reputation

Page 4

WHY BE CONCERNED ABOUT RISK?

• Fierce competition
• Pressure for increased productivity, responsiveness and responsibility, while reducing costs
• Powerful new technologies
• Increased external scrutiny
• More decentralized accountability

Page 5

BUSINESS RISK CAN BE CATEGORIZED

• Financial* - protecting monetary funds
• Strategic - goals of the organization
• Operational - processes that operationalize goals
• Compliance - laws and regulations
• Reputational - public image

* The type of business risk that most quickly comes to mind

Page 6

CURRENT EXAMPLES OF FINANCIAL AND REPUTATIONAL DAMAGE

Public Demand for Improved Control

Institution - Issue - Amount / Sanction

• University of Minnesota - Misuse of federal grants - $32 mil
• New York University Medical Center - Inflated research grant costs - $15.5 mil
• Duke University - Sexual harassment - $0.5 mil
• University of Chicago - Research fraud and abuse - $650,000
• Johns Hopkins, Harvard (2), Yale - Miscellaneous scientific misconduct
• University of Michigan - Conflict of interest - $100,000 penalty / 1 year probation for Chief Urologist
• Duke University Medical Center - Human subject protections
• University of Wisconsin-Madison - False statements - $10,000 fine / prison
• Birmingham-Southern College - Gift/development impropriety
• Columbia/HCA - Medicare billing - $745 mil

Page 7

WHO NEEDS TO BE CONCERNED ABOUT RISK?

• Everyone in the organization
  – Agenda for Excellence: “Upgrade the University’s Internal Controls and Compliance mechanisms”1
• Understand your role in identifying and mitigating risk

1 - Source: Agenda for Excellence, Strategic Goal 3, Subgoal 3(b), page S-6

Page 8

WHAT CAN BE DONE ABOUT RISK?

• Eliminate
• Accept
• Transfer - insure, outsource
• Mitigate

Page 9

HOW DO YOU MITIGATE RISK?

• Brainstorm ways to reduce or remove risk
• Research best practices
• Select the best alternative (cost-effective)

Page 10

WHERE IS RISK FOUND?

Page 11

INTEGRATED INTERNAL CONTROL FRAMEWORK

CONTROL ENVIRONMENT: tone at the top, infrastructure, compliance; culture: integrity and competence of people

RISK ASSESSMENT: identify, prioritize, mitigate risks; ongoing; wide participation

CONTROL ACTIVITIES: processes, procedures, safeguards, access security, authorization

INFORMATION & COMMUNICATION (diagram label, shown alongside the other components)

MONITORING: throughout

Adapted from Committee of Sponsoring Organizations of the Treadway Commission (COSO) http://www.coso.org/

Page 12

CONTROL ENVIRONMENT: FOUNDATION OF ALL OTHER COMPONENTS

• Established by an institution’s senior management group (President, Provost, EVP, CEO UPHS and Deans) - “tone at the top”
• Based on attitudes and practices of those in positions of authority
• Influences the “risk consciousness” of personnel
• An element in establishing an organization’s culture
• People

Page 13

CONTROL ENVIRONMENT FACTORS

• Integrity and ethical values
• Competence
• Management's philosophy and operating style
• Responsibility, authority and accountability
• Human resource practices and policies

Page 14

RISK ASSESSMENT: PROCESSES TO IDENTIFY AND ANALYZE BUSINESS RISK

• Managing in a changing environment requires a constant assessment of risk
• No practical way exists to reduce risks to zero
• Management must decide how much risk is acceptable
• Methods of managing significant risks must be established

Page 15

ONGOING RISK ASSESSMENT ACTIVITIES

• Identify external and internal risks to business objectives
• Anticipate worst case scenarios
• Estimate the probability and impact of each risk
• Establish a proactive, cost-effective plan for managing risks
• Use this process periodically or ad hoc (restructuring, launching new programs)

Page 16

CONTROL ACTIVITIES: SPECIFIC POLICIES AND PROCEDURES DESIGNED TO MITIGATE RISK

• Policies establish behavioral guidelines
• Processes and procedures establish how work is to be performed
• Risk control activities need to occur throughout the organization, at all levels and in all functions

Page 17

TYPES OF CONTROL ACTIVITIES

• Review reports of operational performance
• Information systems and data processing security
• Segregation of duties (custody, record-keeping, approval/review)
• Annual performance reviews
• Reconciliations
• Limits of authority and access (signatures, ID badges, user IDs, locks)
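The segregation-of-duties control listed above is something an access-review team can check mechanically rather than by eye. The following is an added example, not material from the slide deck or from the University of Pennsylvania: it takes the three duty categories the slide names (custody, record-keeping, approval/review), a constructed role catalogue that maps roles to duties, and a constructed user-to-role assignment table, then reports every user whose combined roles grant a conflicting pair of duties, and every role that is "toxic" on its own because it bundles conflicting duties. All role names, user names and the conflict policy are hypothetical.

```python
# Added example (not from the slides): segregation-of-duties (SoD) check over a
# constructed role catalogue and assignment table. Duty names follow the slide's
# three categories: custody, record-keeping, approval/review.
from itertools import combinations

# Unordered pairs of duties one person should not hold together (constructed policy).
CONFLICTING_DUTIES = {
    frozenset({"custody", "record-keeping"}),
    frozenset({"custody", "approval/review"}),
    frozenset({"record-keeping", "approval/review"}),
}

# Hypothetical role catalogue: which duties each role grants.
ROLE_DUTIES = {
    "cashier": {"custody"},
    "ap_clerk": {"record-keeping"},
    "ap_manager": {"approval/review"},
    "bank_reconciler": {"record-keeping", "approval/review"},  # bundles two duties by itself
    "auditor": set(),
}


def effective_duties(roles, role_duties=ROLE_DUTIES):
    """Union of the duties granted by all of a user's roles; unknown roles grant nothing."""
    duties = set()
    for role in roles:
        duties |= role_duties.get(role, set())
    return duties


def sod_conflicts(user_roles, role_duties=ROLE_DUTIES, conflicts=CONFLICTING_DUTIES):
    """Map each violating user to the sorted list of conflicting duty pairs they hold.

    A conflict is reported whether it comes from two separate roles or from a
    single role that already combines the duties.
    """
    findings = {}
    for user, roles in user_roles.items():
        duties = effective_duties(roles, role_duties)
        hits = [tuple(sorted(pair)) for pair in combinations(sorted(duties), 2)
                if frozenset(pair) in conflicts]
        if hits:
            findings[user] = sorted(hits)
    return findings


def toxic_roles(role_duties=ROLE_DUTIES, conflicts=CONFLICTING_DUTIES):
    """Roles that violate SoD on their own, which an access review should flag
    before anyone is assigned to them."""
    return sorted(role for role, duties in role_duties.items()
                  if any(frozenset(p) in conflicts for p in combinations(duties, 2)))


# Constructed assignment table for the demonstration.
ASSIGNMENTS = {
    "alice": ["cashier"],
    "bob": ["ap_clerk", "ap_manager"],   # records and approves the same transactions
    "carol": ["bank_reconciler"],        # conflict comes from a single toxic role
    "dave": ["auditor"],
}

if __name__ == "__main__":
    for user, pairs in sod_conflicts(ASSIGNMENTS).items():
        print(f"SoD conflict: {user} holds {pairs}")
    print("toxic roles:", toxic_roles())
```

Running the block reports bob (two roles that together cover record-keeping and approval/review) and carol (one role that covers both), and flags bank_reconciler as a role that should not exist in that form. In practice the assignment table would be exported from the identity system and the conflict policy maintained by the controller's office; the check itself stays the same.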

Page 18

INFORMATION AND COMMUNICATION

• Information systems must provide data that is:
  – Accurate, reliable and sufficiently detailed
  – Timely, understandable and useable
• Information must be provided to the right people in time to allow appropriate response
• Communication flow must be:
  – Up and down through the organization
  – Across organizational boundaries

Page 19

INFORMATION AND COMMUNICATION SYSTEMS

• Information systems should:
  – Allow systematic monitoring of strategic plans
  – Provide operational, financial and compliance-related information
• Communication systems should ensure:
  – Responsibilities are effectively communicated to all employees
  – Channels exist for suspected improprieties to be reported without fear of retribution
  – Employees’ ideas and suggestions are solicited, acknowledged and considered

Page 20

MONITORING

• Processes assessing the quality of the institution's performance over time - a feedback loop
• The control environment, risk assessment activities, control activities, and information channels should be monitored and periodically evaluated for effectiveness
• Provides early warning signs

Page 21

ONGOING MONITORING ACTIVITIES

• CE (Control Environment): Culture study
• RA (Risk Assessment): Annual assessment of risks
• CA (Control Activities): Monitoring of performance indicators
• I&C (Information & Communication): Determining emerging information needs
• Objective external reviews

Page 22

SUMMARY

• Business risk encompasses strategic, operational, financial, compliance and reputational risk
• Everyone is responsible for assessing and mitigating risk