where innovation is tradition mason initiatives: efficiency & effectiveness enterprise risk...

Where Innovation Is Tradition1

Mason Initiatives:Efficiency & Effectiveness

Enterprise Risk Management

Beth Brock, Associate VP & Controller

George Mason University

May 21, 2010


Agenda

Efficiency & Effectiveness (E&E)• How we got started and the process• Where we are now, observations, questions

Enterprise Risk Management (ERM)• Overview• How we got started and the process• Where we are now, survey, questions


E&E Initiative

• Late 2010 - some members of BOV requested• All administrative functions in scope;

academics excluded• Spring 2011 - explored big firm and

boutique/trade assn approaches


E&E Study Advice

Do not underestimate:• Disruption in workplace• Time and effort to do properly• Impact on employee moral

Expect to make an investment


E&E Evolution

Issued RFP for benchmarking services in seven administrative areas:

• Auxiliaries & Affiliated Entities• Facilities• Information Technology• Purchasing• Enrollment Services• Human Resources• Accounting & Finance


RFP for Benchmarking Services

• Selection criteria emphasized higher ed experience, recommended benchmarks required

• Goal - inform a decision on areas for E&E review• Search committee: Controller; Director IA&MS;

Fiscal Projects Director• Two firms selected for oral presentations• Senior VP and Chief of Staff attended orals


Benchmarking Project

Huron Consulting selected for 3-4 month project:• Reviewed data on budgets and staffing• Interviewed unit heads• Confirmed benchmarks• Performed benchmarking and analysis• Delivered final report – functioning efficiently and

effectively• Discussing next phase for some opportunities


Efficiency & Effectiveness

Observations and Questions


ERM Defined

Enterprise Risk Management (ERM) is generally defined as:

a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives1.

1Standard ERM Model content adapted from: Committee of Sponsoring Organizations of the Treadway Commission


ERM Framework

Categorization of risks:• Strategic – organizational goals• Operations – executing objectives• Financial/Reporting – safeguarding assets• Compliance – adherence with laws and regs.• Reputational – public image• Cultural – character of university and personnel


ERM Initiative at Mason

• Late 2009 - BOV interested in risks other than financial risks

• Spring 2010 - Controller’s office and IA&MS collaborated to survey approx. 80 unit heads

• Responses reviewed, consolidated, reviewed again, 32 items presented to BOV


ERM Evolution

• Funding for next steps in FY11 budget• Issued RFP for assistance with designing a

sustainable ERM program• Responses from 14 firms; orals from 5• Sr. VP and Chief of Staff attended orals


ERM Project

Huron Consulting selected late 2010

Extensive data requests:

Org charts, audit reports, draft audit findings, budgets, IA&MS work plans, list of affiliates, strategic and/or business plans for IT, research, student, finance, President’s initiatives, ERM work to date


Huron Phase I

• Evaluated data • Met with about 25 unit heads• Identified common risks at other

institutions• Assigned one or more of 6 framework

categories • Assigned functional area: facilities, safety,

IT, academic, research, fiscal, HR, etc.


Assigning Risk Factors

Evaluated each risk using five factors:

1. External environment – e.g., federal regs

2. Reputational risk – level of public visibility

3. Financial exposure – e.g., budget, penalties

4. Vulnerability – likelihood of occurrence

5. Internal controls risk assessment


Ranking our Risks

• Used the collective high, medium, low scores for each factor to assign a relative impact score to each

• 40 risks prioritized as highest, high, medium• Eleven highest priority include fraud, research

compliance, succession planning• Phase I deliverable – modified risk inventory


ERM Implementation Plan

• Huron phase 2 deliverables:• Recommended organizational structure• Reviewed policies, provided gap analysis• Provided executive level reporting format

(heat map)• Provided risk mitigation strategy guidance


Hiring a Chief Risk Officer

• New admin. faculty position, reporting to Sr. VP• Advertised late November 2011 - late January 2012• Committee: Controller, Director IA&MS, Projects

Director, Assoc. Dean College of Science• About 45 applicants, 3 selected for interview• Reopened search April 2012


Interim Efforts

• Applying the committee-based organizational model

• Functional managers appointed to committee• Will develop mitigation strategies for highest

priority risks• Will update risk inventory, determine factors

for assessing relative degrees of risk


Audience Survey Question #1

Q: How has your institution’s approach to risk management changed over the past two years?

1. Significantly increased time and resources devoted to risk management

2. Somewhat increased time and resources devoted

3. Made few or no changes to risk-mgmt approach

4. Decreased time and resources devoted


Survey by CFO Magazine Q#1



Q: Who in your institution is most responsible for risk oversight?

1. CFO 5. Board of Visitors

2. President 6. Audit Committee

3. Risk committee 7. Director, Internal Audit

4. CRO



Q: Which would you say is the single biggest impediment to improved risk management within your institution?

1. Commitment of time/resources 5. N/A, adequate risk mgmt

2. Internal expertise 6. Implement. methodology

3. No clear mandate from top 7. Lack of IT system to

4. Organizational structure address risk mgmt.


Enterprise Risk Management

Observations and Questions

Contact information: Beth Brock

[email protected] 703-993-2660

mailto:[email protected]

where innovation is tradition mason initiatives: efficiency & effectiveness enterprise risk...

Documents