大学风险管理[文献翻译].doc

原文：University Risk ManagementOrganizations around the world are facing challenging times due to continuing economic volatility and facing new risks that cause them continuously to assess the potential impact, financial and otherwise, of market conditions on the performance of their operations. And universities are no exception.Institutions of higher education have significant compliance requirements, and many have invested greatly in response to heightened expectations from stakeholders to stay competitively viable among other universities. However, many continue to approach risk and control requirements in silos, which leads to the creation of multiple frameworks for governance, infrastructure, and processes; fragmented risk and control activities; potential gaps in overall risk coverage; and duplication of effort. Understandably, there is a resulting concern about compliance breaches. Without a common basis for evaluation, audit committees struggle to determine the adequacy of risk and control efforts, and boards and executives want assurance that investments are appropriately focused, consistent with peers, and aligned to the institutions unique risk issues.Universities are also facing increased scrutiny from stakeholders regarding issues such as investments and spending, privacy, conflicts of interest, IT availability and security, fraud, research compliance, and transparency. Students, faculty members, staff, donors, and other interested parties are looking not only at what is being done, but how it is being done.Although the approach to risk management varies from institution to institution, there are clearly some common challenges and trends. Overall, a growing number of universities are integrating a risk management framework into their strategic planning and decision-making processes, but sustaining formal risk management and reporting process is a challenge. The board of governors, president, and other senior management members are often involved in ongoing risk identification and assessment, and are taking part in efforts to develop and implement both internal and external risk management processes and controls. The establishment of risk champions (members of the university beyond the universitys administration who can champion risk management) within the university is also increasing, which raises the awareness of risk, fosters better understanding of risk management programs and practices, and increases communication to relevant stakeholders. Applying ERT to universitesEnterprise risk management (ERM) can be described as a strategic process affected by a universitys governance structure, management, administration, and faculty, designed to: Help identify risks that may affect the institution. Manage identified risks within the universitys risk appetite. Provide assurance that the university can achieve its objectives.The values of the university influence how risk is perceived, and it is important that the culture reflects a risk management philosophy. Having a strong ERM framework can provide a common understanding of risk across the organization and help it achieve its strategic and academic objectives through focusing on the interrelated risks that could have the most significant impact. It drives the organization to integrate risk into its everyday planning and budgeting/forecasting process and operations, and strengthens its ability to deal vent unexpected or stealth risks.As in other organizations, a universitys risk management approach must grow and change with the environment in which it operates. An embedded, sustainable ERM approach allows management to assess, improve, and monitor consistently the way the university manages its evolving risks.A university risk management maturity modelThere are three stages of maturity that can be applied to universities. The risk management maturity model can be used as a roadmap for evaluating an institutions current state and defining next steps. The Baseline Practices stage typically consists of fundamental compliance activities. Typically, there are no established risk management roles, responsibilities, processes, or documentation, and most efforts are made in “silos” .Then, as the university improves its understanding of ERM and alters its practices accordingly, it progresses to an Improved Practices state. In this “alignment” phase, the organizations ERM efforts have moved beyond mere compliance. There is a certain level of risk ownership by the board of governors, but at this point the roles, responsibilities, and process have not been defined clearly and completely. Finally, in the Optimized Practices state, the university has reached a stage in which ERM processes and responsibilities are fully established and have become integrated into the organizations strategy and day to- day operations. The focus during this “integration” phase is now on continuously re-evaluating risk and performance, and adjusting its response accordingly.Universities without a robust risk management framework are increasingly exploring and implementing new ERM processes, and making risk management an integral part of their planning and decision- making processes, while universities that have already adopted ERM are altering their approach accordingly to reach an optimal state. Current trends include raising awareness through activities such as seeking internal and external stakeholder input, increasing communications of relevant risk management initiatives such as campus emergency communications, identifying risk champions to foster and develop new programs and processes, and involving university executives and the board in risk identification and assessment.Whos responsible for risk management?Risk management is everyones responsibility, and the roles and responsibilities of stakeholders must be defined clearly. The board of governors, senior administration, and risk management and internal audit teams are responsible for understanding principal risks in their areas, and for making effective risk management decisions.Board of governors The boards overall risk management mandate is to assess and recommend improvements on how the principal risks of the university are being managed through an effective risk management and internal control system that VSTU help the university achieve its mission. Board members are responsible for: Determining a risk-adjusted strategy. Facilitating and encouraging a risk management culture. Approving risk measurements, risk appetite, and tolerance levels. Ensuring the universitys senior administrators have an approach to identifying emerging issues and possible impacts on university operations and business risks. Reviewing controls and compliance with the universitys administration and audit teams, and seeking input on university and administrative best practices. Understanding and providing oversight on the quality of the universitys overall risk management program implementation and execution.In determining its risk oversight structure, the board should identify where within its governance practices it addresses risk management matters from an enterprise wide perspective. In most cases, the audit committee and the finance and administration vice presidents assume responsibility for risk oversight, including: Providing the necessary checks and balances so that they are operating in an active oversight capacity. Continuously reevaluating risk monitoring processes. Reviewing and approving governance practices, policies, priorities, and procedures against best practices. Ensuring that audit committee and executing members have instituted processes to identify and inform the board of key strategic, reputational, operational, compliance, and financial risks the organization faces. Advising and counseling the deans, professors, and functional unit heads.The boards role is to focus on the overall approach to risk management, rather than on the administrative details. The more tactical aspects of the risk strategy are generally the responsibility of the universitys team of senior administrators.Senior administration Overseeing the universitys compliance with generally accepted accounting principles, practices, and requirements, and evaluating the universitys finance and accounting practices, risk management, and internal controls to ensure that they are appropriate and adequate is the responsibility of senior administration. Their other responsibilities can include: Encouraging the right risks to drive business performance. Identifying and prioritizing key risks and aligning university resources accordingly. Improving alignment and coordination among risk and control activities. Leveraging best practices on managing and controlling key risks. Maintaining appropriate oversight of key controls. Monitoring and escalating risks.The universitys senior administrators are responsible for the management of the day-to-day functioning of the university, including strategic, financial, operational, and compliance activities.Risk management and internal auditingThe risk management and internal audit teams play an important role in university risk management. In general, internal auditions responsibilities can include: Understanding the universitys challenges and key objectives, and establishing an appropriate, detailed internal audit plan. Helping the universitys management and board understand, assess. and manage the organizations risk through consistent communication and reporting. Ensuring that processes are addressing changes and the associated risks adequately, and working as intended, especially during times of change. In general, risk managements responsibilities can include: Facilitating the completion of an enterprise risk assessment (ERA) and identifying risk mitigation and monitoring practices required for the university. Developing an ERM framework, approach, and program that will sustain risk management activities and better coordinate them where appropriate. Ensuring sufficient transparency of relevant risk management practices residing at the university either by way of training, awareness programs, or communication.In addition to the board and senior administrative members, internal auditors play a crucial role in a university risk management strategyregardless of whether the risk management group reports directly to the internal audit function.Improving risk management practicesThe steps required to improve a universitys risk management practices can be broken down into three general phases. The core risk management group should start by assessing the current situation to defame and prioritize the key risks that could prevent strategic objectives from being achieved. The group should then review the design and operation of the risk management and internal control framework to determine the areas where incremental enhancements would provide the greatest benefits. Once the necessary improvements and processes are in place, they must be monitored and modified, if necessary, to ensure that they are relevant and effective and that risks are being managed appropriately.One of the most important elements of a successful risk management function is ongoing and involves creating and maintaining a strong risk management culture and incorporating the implications of risk management into regular, everyday decision making. This type of environment can be facilitated through visible executive support for risk management programs, clear expectations, transparent communication and reporting, clearly defined roles and responsibilities, strong governance, and regular self-assessments to review risk exposure.Phase1:defining and prioritizing the risk that matter for the universityBefore undertaking efforts to enhance the way risk is managed, it is important to understand the institutions key risks by conducting an ERA. Defining the risks that matter is a critical step to understanding the key controls and decision-making processes, and developing an enterprise wide view of risk. The ERA is conducted as a facilitated self assessment, provides insight regarding the significant risks faced, and links them to the objectives, initiatives, and business processes. Although the approach is performed using standard tools and processes, the output must be validated and prioritized by senior management and the board. The risk assessment methodology assists with: Providing an insightful point of view on significant risks inherent to institutes of higher education. Efficiently capturing insight from across the university using a combination of surveys and structured interviews. Validating and prioritizing key risks for monitoring and testing. Defining opportunities for improvements to internal controls and management activities. Developing the foundational elements of a process that can be embedded and sustained within existing processes.The four risk pillars that a university should consider during the ERA include: strategic risk, operational risk, financial risk, and compliance risk. These four categories should all be reviewed at the university, faculty, and functional level. Seeking external perspectives on university risk can also be useful. For example, groups such as the National Association of College and University Business Officers, the Association of College and University Auditors, and other sector-specific organizations are good resources. Phase2:evaluating the universitys competencies to manage risk The “Risk Management Performance Assessment” phase builds upon the results of the assessment completed in the first phase and provides a snapshot of the universitys risk management competencies. It is designed to identify opportunities for alignment and coordination across traditional organizational boundaries, as well as determine how well the functional and business operational areas manage risks. In general, this phase offers an overall review of: Responsibilities for key risks across functional activities and business processes. The degree of alignment and coordination across the organization. The maturity of risk management foundational components such as governance, infrastructure, operations, and people.While performing the review, the following elements should be considered: Risk strategy risk tolerance and appetite, alignment of risk management to university objectives, and risk-related policies and procedures. Risk management and assurance processes risk assessment, risk communication, and reporting (e.g., dashboards). Governance structure sponsorship by the board of governors; risk ownership, accountability, and related roles and responsibilities; appropriate technology (e.g., institutions intranet and databases); early warning systems; and analytical and modeling tools. Culture and capability measurement, reward, training, and behavior. This phase helps management recognize how to make incremental enhancements to the existing infrastructure to embed and sustain risk management activities within the normal course of operations.Phase3:building an enterprise approach to risk The last phase involves defining and prioritizing opportunities for improvement, developing specific plans to improve and monitor significant risks, and then enforcing adherence to the established policies and procedures. All efforts to expand risk management competencies should be practical, be embedded within existing functions and processes where possible, support coordination and alignment for risk management and internal control, incorporate leading practices, be coordinated across the entire organization, support effective decision making, and align to industry standards and published frameworks. Established control activities are only effective if they are implemented and monitored. Once the initial direction for risk management is set, it is important to verify that everyone is complying with the processes and that the changing exposures to risk are assessed consistently and modified as required.Benefits of ERMThe decentralized nature of universities and the increasing competition over faculty, students, and funds amplifies their requirement for adopting an integrated risk management fame work. Universities must build on their present risk management culture, identify internal and external forces that could limit the ability to achieve strategic objectives, assess risks using the appropriate tools, develop an appropriate risk plan, implement the necessary controls and communications, and monitor ongoing risk management activities. Regardless of a universitys current risk management philosophy and practices, reviewing the risk management framework and adopting an embedded approach to the ERM process and culture will help the universitys board and administration make informed decisions that are aligned with its risk tolerance and strategy, remain confident of compliance with regulatory requirements, and achieve the transparency and outcomes desired by stakeholders.Source: Carol.Wilson,2010.“University risk management”. Internal Auditor,vol.67 Issue 4 ,pp.65-68.译文：大学风险管理由于经济的持续波动，各地有关组织正面临着挑战，使他们不断地评估金融、市场条件和其它方面对执行自己业务有潜在影响的情况。而大学也不例外。高等教育机构有显著的合规性要求，许多投资者回应了利益相关者期望留在大学的竞争力是可行的。然而，由于风险控制的要求，导致建立了多个框架，治理、基础设施、流程；分散风险控制活动；对潜在分歧进行采访报道；整体风险和重复努力。可以理解的是，违反有关规定造成了关注。没有共同的基础进行评估，审计委员会斗争，确定风险控制措施是否足够，以及管理人员要保证投资的适当集中，与同行一致，是机构所在的独特的风险问题。大学也将面对更多的检验有利益相关者的问题，如投资和消费，隐私，利益冲突，资讯科技可用性和安全、欺诈、研究顺应性和透明度。学生、教师、职员、捐赠者，及其他利益相关者注重的不仅是现在所做的，更注重的是它是怎么做。虽然机构的风险管理方法各有差异，然而还有一些常见的挑战和趋势。总的来说，越来越多的大学把风险管理框架纳入他们的战略规划和决策程序中，其中维持正式风险管理和过程报告是一个挑战。董事会总监、主席和其他高级管理人员常常涉嫌