Board of Visitors Audit, Compliance, and Risk Committee
September 16, 2016
Audit Department Activities
September 2016 Audit Department Status
Assurance and Advisory Projects: Completed FY 2017 To Date

| Subject | UVA Division |
|---|---|
| Curry School of Education | Academic Division |
| Darden Fund Transfers | Academic |
| Distributed IT Systems Current State Assessment | Academic |
| FY2016 Inventories (UVA Bookstore, Pharmacy) | Academic, Health System |
| Action Plan Implementation Status — Follow Ups | Academic, Health System |
Assurance and Advisory Projects: In Progress as of September 2016 BOV Meeting

| Subject | UVA Division |
|---|---|
| Epic Phase 2 Implementation — Project Health Check w/ IT Security Focus | Health System |
| Fiscal Stewardship (Data-driven Internal Controls Analytics) Proof of Concept | Academic |
| Integrated Assurance – Compliance Assessment | Academic |
| System Security: Privileged Access (Core Systems) | Health System |
| Ivy Cloud — Project Health Check w/ Security and Governance Focus | Pan-University |
| Security Enhancement Plan (SEP) Project Health Check | Academic |
| SCADA Consultation | Pan-University |
Current View of Risk Prioritized Future Projects (Remainder of FY17)

| Subject | UVA Division |
|---|---|
| 340B Drug Discount Program | Health System |
| Environmental Health & Safety Compliance | Health System |
| HIPAA Risk Assessment | Academic |
| Uniform Guidance Implementation: Consultation with Office of Sponsored Programs | Academic |
| ARMICS (Agency Risk Management and Internal Control Standards) Consultation | Academic |
| Epic Phase 2 Implementation — Project Health Check w/ Control Framework Focus | Health System |
| Strategic Investment Fund Expenditures Monitoring | Pan-University |
| UFirst HR Transformation — Project Health Check | Pan-University |
| IT Change Controls | Health System |
| Presidential Travel and Expenses | Pan-University |
Action Plan Completion Status

[Chart: By Priority Rating. Closed and open action plans on a 0% to 100% scale for Priority 1, Priority 2, and Legacy (Unrated).]

By UVA Division

| Status | Academic Division | Health System | College at Wise |
|---|---|---|---|
| Open | 7 | 0 | 0 |
| Closed | 16 | 5 | 7 |
Compliance-Related Action Plans, By Fiscal Year, By Compliance Subcategory

[Chart: action plan counts (axis 0 to 14) for FY 2016 and FY 2017, by subcategory: Regulatory Compliance; UVA Policies & Procedures.]
Operational Action Plans, By Fiscal Year, By Risk Subcategory

[Chart: action plan counts (axis 0 to 10) for FY 2016 and FY 2017, by subcategory: Cybersecurity; Efficiency and Effectiveness; Key Financial Controls; Student Experience; General IT Controls.]
University Compliance: Report on Medical Center Compliance and Privacy Officer Search
ERM Program Update
ERM Priorities
• Reposition & Enrich Program
• Enhance Board Reporting
• Onboard Health System
ERM Process Flowchart

1. Clarify Major Objectives
• President/EVPs

2. Identify Risks to Major Objectives
• BOV
• President’s Cabinet
• Risk Management Council/Networks
• Key Stakeholders

3. Assessment of Identified Risks
• Risk Management Council
• President/EVPs

4. Response and Management of Key Identified Risks
• Risk Management Council
• Risk Owners

5. Reporting to University Leadership
• Risk Management Council
ERM Governance Architecture
• BOV – Audit, Compliance, and Risk
• President and Cabinet
• Risk Management Council
• Risk Management Network – Health System
• Risk Management Network – Academic Division
Key Risk Dashboard, September 2016

| # | Risk | Risk Owner | Last Reported | Current | 1-2 Year Horizon | Mitigation Confidence |
|---|---|---|---|---|---|---|
| 1 | Risk 1 | Owner name here | | | | |
| 2 | Risk 2 | Owner name here | | | | |
| 3 | Risk 3 | Owner name here | | | | |
| 4 | Risk 4 | Owner name here | | | | |
| 5 | Risk 5 | Owner name here | | | | |
| 6 | Risk 6 | Owner name here | | | | |
| 7 | Risk 7 | Owner name here | | | | |
| 8 | Risk 8 | Owner name here | | | | |
| 9 | Risk 9 | Owner name here | | | | |
| 10 | Risk 10 | Owner name here | | | | |

Legend:
• Inherent Risk Trend
• R / Y / G: Does the risk present a material threat to the achievement of our objectives? (Yes, No, Maybe)
• Mitigation Confidence: Low to High
Enterprise Risk Management (ERM) Updates, September 2016

Key Risk Update: Change in the status of a key risk
• Owner:
• Description:
• Mitigation (Actions to date and Future Actions):
• Mitigation Confidence: Low to High

Emerging Risk Update: Risks on the horizon that have the potential to be significant
• Owner:
• Description:
• Mitigation (Actions to date and Future Actions):
• Mitigation Confidence: Low to High
ERM Governance Architecture
• BOV – Audit, Compliance, and Risk
• President and Cabinet
• Risk Management Council
• Risk Management Network – Health System
• Risk Management Network – Academic Division

Members listed:
• Jim Matteo (Chair), Carolyn Saint, Gary Nimax, Archie Holmes, Michael Marquardt
• Jim Matteo (Chair), Nancy Rivers, Carolyn Saint, Pam Sellers, Melody Bianchetto, Virginia Evans, Bryan Garey, Gary Nimax, Colette Sheehy, Jeff Legro, Dorrie Fontaine, Josh Bowers, Cindy Frederick, Elisa Holquist, Anthony De Bruyn, Dave Hudson, Craig Littlepaige, Sim Ewing
• Mike Marquardt (Chair), Sally Barber, Larry Fitzgerald, Kathy Peck, Nick Mendyka, Bill Fulkerson, Rebecca Hill, Michelle Hereford, Brad Haws, Rick Skinner
Closed Session
Audit, Compliance, and Risk Committee Agenda
CLOSED SESSION: Discussion of Medical Center operations as provided for in Section 2.2-3711(A)(22) of the Code of Virginia
Resume Open Session and Adjourn