Transcript RISK MANAGEMENT AT HARVARD – PANEL DISCUSSION HARVARD IT SUMMIT June 23, 2011

RISK MANAGEMENT AT
HARVARD – PANEL DISCUSSION
HARVARD IT SUMMIT
June 23, 2011
Introductions

Panel Members:





Rick Mills, Executive Dean for Administration, Harvard Medical
School
Mary Ann Bradley, Associate Dean for Administrative Operations,
Faculty of Arts and Sciences
Ben Gaucherin, Chief Information and Technology officer,
Harvard Law School
Eileen Sullivan, Controller, Harvard Business School
Presenters:


Gail McDermott, Director, Risk Management and Audit Services
Amanda McDonnell, Manager of Strategic Planning, Risk
Management and Audit Services
Agenda




Overview of risk management and risk assessment
Overview of Harvard Risk Management Program
Panel discussion
Open questions
Definition of "Risk"
"Risk is the possibility that an event will occur and
adversely affect the achievement of objectives."
- COSO Enterprise Risk Management –
Integrated Framework
"Anything that may significantly affect the operations of
the school in a way that limits the ability to achieve its
mission."
- A member of the Harvard Faculty
Definition of Risk Management
A PROCESS, effected by an entity’s board of directors,
management and other personnel, applied in strategysetting and across the enterprise, designed to identify
potential events that may affect the entity, and
manage risk to be within its risk appetite, to provide
reasonable assurance regarding the achievement of
entity objectives.
Risk Management – A Continuous Process
• Vision
• Infrastructure
• Goals, objectives and
context
• Culture
• Tolerate the risk
• Treat the risk
• Transfer the risk
• Terminate the risk
Develop Risk
Management
Strategy
Respond to
Risk Events
Assess Risk
Monitor Risk
Indicators
and Events •
• Identifying risks
• Rating/prioritizing risks
• Action planning
• Reporting
Monitoring of risks and
new risk events that may
influence risk response
The Value of Risk Management
Why Risk Management?
• Improve the likelihood of success for strategic planning initiatives by
recognizing the risk associated with opportunities and forcing discussion of
mitigation techniques
• Prevent high impact risks from happening at your University or reduce impact
of risk and to protect the University Reputation
• Enable the University to make timely and informed decisions
• Support Corporation responsibilities
• Establish a culture of transparency and accountability through the explicit
discussion of risks and mitigation practices and bring management team to
consensus on risk management
• Prioritize the allocation of resources to the most significant risks and effectively
manage costs and eliminate redundancies.
Risk management at Harvard

Risk Management in 2008
Pockets of risk management activity across the University
 Risk Management and Audit Services performs Universitywide risk assessment
 Risk Management Committee in place
 Limited executive sponsorship


Changes since 2009 – 2010
New Executive Vice President (EVP) joins Harvard
 EVP Champions ERM
 Internal socialization of ERM
 Developed new ERM structure
 Approval by JCI (Audit Committee)

Harvard University - Enterprise risk management
Capabilities Maturity Model
Initial
Ad-Hoc
Capabilities
characteristics of
individuals
Process
Established in
parts of the
organization
Formalized
Formal Consistent
processes in each
department
Embedded
Integrated
processes are
embedded in the
business planning
Systemically build and improve enterprise risk management capabilities
Harvard in FY2008
Harvard today
Harvard planned for FY2013
Optimized
Organization
focused on ERM as
source of
competitive
advantage
ERM Strategy and Value
• Strategy: Provide an integrated, holistic approach to managing risk across the University – one
that creates accountability and defines a process for identifying and mitigating risk. Implementing
the approach should be an elastic process, flexing and expanding as prescribed by the needs of
stakeholders.
• Value
• Establishes a culture of transparency and accountability through the explicit discussion
of risks and mitigation practices
• Improves the likelihood of success for strategic planning initiatives by recognizing the
risk associated with opportunities and forcing discussion of mitigation techniques
• Coordination and transparency assists in allocating resources to the most significant risks
and may eliminate redundancies
• Aggregation of risks at the University level allows for timely and informed decision
making
• Risk awareness should be embedded in all layers of the organization
Harvard University - Risk Management Structure
• University Risk Management Council (URMC) established
•
•
•
Co chaired by EVP and Provost
Reports out to President and Audit Committee on risk management program
results
Monitors the program and evaluates risk mitigation strategies
• Central Administration Risk Management Committee created
•
Risk Assessment and prioritization for centrally managed functions for report
out to URMC
• Each School creates a risk management committee – recommended cochairs are Administrative Dean and Academic Dean
•
•
•
Complete risk assessment and prioritize issues identified
Submit risk management report to the URMC in Summer, 2011
Begin to develop a risk mitigation plan and approach for monitoring for the
top 3-5 risks
Responsibility for Risk Management
Everyone is a Risk Manager