ROLE OF THE GENERAL COUNSEL IN INSTITUTIONAL RISK MANAGEMENT Marcia Isaacson, CUNY James J. Mingle,...
-
Upload
shannon-hart -
Category
Documents
-
view
217 -
download
1
Transcript of ROLE OF THE GENERAL COUNSEL IN INSTITUTIONAL RISK MANAGEMENT Marcia Isaacson, CUNY James J. Mingle,...
ROLE OF THE GENERAL COUNSEL IN INSTITUTIONAL RISK MANAGEMENT
Marcia Isaacson, CUNYJames J. Mingle, Cornell University
Stephen D. Sencer, Emory University
Introduction
• Jim Mingle – General Counsel of Cornell• Steve Sencer – General Counsel of Emory
Overview of this session
• Structures for Institutional Risk Management• Process for Risk Identification • Process for Risk Management• Board’s Role in Risk Oversight• Compliance vs. Risk Management
Key Questions
• How do you know if the right risks are being identified?
• How do you determine who is “in charge” of managing and mitigating the risks?
• How do you know if the “most serious risks” are being aptly assessed institutional resources are strategically directed?
• What oversight and support structure will aid in the overall risk management effort?
Structures for Institutional Risk Management
o Committee/Council model
o Chief Risk Officer Model
o Hybrid
o Role of Risk and Insurance Department
Cornell
• Committee chaired by General Counsel – has 21 members from broad range of offices, including Finance & Administration, HR, University Relations, Research, Audit, Risk Management & Insurance, Campus Health, Student and Academic Services, EH&S, IT, Police, Facilities.
• Meets at least quarterly.
• Five Main Risk Categories: Operations, Finance, Life & Safety, Reputation, Legal.
• Guiding principles include:• Identify main and specific risks and ensure that specific risks have
responsible managers• Enable an efficient system of guidance and support to individuals “in
charge,” through development of appropriate policies and assistance of risk advisory committees (ad hoc and standing), and elimination of silos which may inhibit institutional risk and management efforts.
• Other Structures Considered• Counsel’s Role in Shaping Structure
7
Emory’s ERM Structure
ERM Executive Committee
• President (Committee Chair)• Provost• EVP for Health Affairs
• EVP for F&A• SVP and General Counsel• SVP and Dean for Campus Life• SVP for Development
ERM Steering Committee
• Chief Risk Officer (Co-Chair)• Chief Audit Officer (Co-Chair)• Chief Investment Officer• Deputy General Counsel
• VP for Campus Services• VP for Finance• VP for Human Resources• VP for IT
Finance & Investment
Campus Safety&
Physical Plant
Healthcare
InformationTechnology
Governance& Corporate
Affairs
Academic &StudentAffairs
ResearchHumanResources
• VP and Secretary• VP of Communications• President and CEO, Emory Healthcare
• VP for Research Administration• Senior Vice Provost• Director of Student Activities• Director of CEPAR
CUNY• Risk Management and Business Continuity Council (47
members:22 from Central and 25 from campuses)• Chaired by the Director of Environmental, Health and Safety &
Risk Management.• Deputy General Counsel and Compliance Officer are members.• Standing Committees
o Preparedness committeeo Information Technology committeeo Travel and transportation committeeo Insurance committeeo Infectious disease committeeo Residence hall committee
• Ad hoc committees formed as needed• Monthly meetings include reports from standing committees
and educational risk-related presentations.
Role of Counsel Re: Structure
• Legal, compliance and risk management overlap, but are not the same function
• Counsel should advise “institution” on risk management structure– Management/Leadership– Board (typically through Audit Committee)
• Counsel should participate in committee (s)• Counsel should participate in risk briefings
• Cast a big net• Asked committees to identify EVERY risk• Generated 555 risks
• Eliminated duplicates• Reduced list to 140
• Assessed frequency and severity rankings
• Distilled the list to 50 “Key Risks”
Emory’s Risk Identification Process
10
International ProgramsSecurity Assessment & Advice
Due DiligenceFinancial Management
Intervention & EvacuationTravel Safety
Data Security (Paper & IT)PersonnelPayrollDonorStudentPatient
Patient CareMedical Malpractice
Compliance – Billing, etc.
University GovernanceAutonomy
Academic FreedomCritical Partnerships
Ethical Conduct
Employment IssuesMisfeasance & Malfeasance
DiscriminationRecruitment/Retention
Sexual HarassmentAffirmative Action
Labor RelationsEmergencies & CrisesPreventionPlanningNotificationResponseRecoveryBusiness Continuity
SPECIFIC RISKS:
AthleticsControversies
NCAA & Title IX Compliance
Info Tech SecurityRecoveryLicensing
SPECIFIC RISKS:
Loss of Critical InfrastructureBuildings & PropertiesUtilitiesTransportationIT
Public Safety & SecurityCampus Crime ControlCampus Code of ConductFaculty/Student/Staff Mental HealthSubstance AbuseFraternal/ Student Organizations
Health & EnvironmentHazards – Chemical, Biological, RadiologicalOccupational Health & SafetyFireConstruction AccidentsCampus Personal Injuries
Financial StewardshipAccountability & ControlsEndowment ManagementSubsidiaries ManagementFinancial FraudEffort AllocationCost Allowability and Allocability
Research Integrity & AssuranceHuman SubjectsConflicts of Interest, CommitmentResearch MisconductAnimal Research and CareStem Cell Research
Intellectual PropertyProtection & InfringementEquity Interests & Start-ups
Identified “Specific Risks”
MAIN RISKS:
LIFE & SAFETY
REPUTATION FINANCIAL & PROPERTY
OPERATIONS
LIFE &SAFETY
LEGAL
Risk Identification at CUNY
– Units/departments on each campus must complete annual risk management survey/report• Academic Affairs• Mental Health & Wellness• Budget/Finance• Human Resources• Business Services• Legal Affairs• IT • Environmental Health and Safety• Facilities• Public Safety• Student Affairs
– One person on campus designated to distribute/collect the risk surveys
Risk Identification at CUNY (cont.)
– Risk Surveys (in template form) request: o Risk Statemento Likelihood/Impact/Risk Scoreo Policy and Procedures (existing and potential)o Education Training and Awareness (existing and potential)o Operational Controls (existing and potential)o Oversight, Monitoring or Executive Controls (existing)o Audit Controls (Existing and Potential)o Other Controlso Responsible Persono Mitigation Costo Scheduled Date to Revisit Plan
– Reports are returned to EHS & RM where they are put into a database for analysis by EHS & RM.
– CUNY Risk Manager visits each campus to review surveys.
Staying on the lookout for emerging and overlooked risks
o External Sources for Emerging Riskso Regulatory Actions (Dear Colleague Letters)o Agency/Inspector General/State Comptroller Auditso Problems facing Corporate America (Target Data Breach; FCPA)o Problems at other universities (overseas labor practices)
o Emerging Internal Riskso Legal obligations with uncertain or multiple homes (privacy of
student/patient information) o Revenue generating initiativeso International Programs
o Learning from Criseso Non-governmental reporting of information
• Assign Ownership– “Risk Management Process Owner” for each risk
– Must be sufficiently familiar with the risk and best positioned to write a comprehensive Risk Management Plan
• Review with Senior Leadership
• Repeat
Emory’s Risk Management Process
15
Risk Management PlansPrivileged and ConfidentialAttorney-Client Communication
EMORY UNIVERSITYENTERPRISE RISK MANAGEMENT
RISK MANAGEMENT PLAN
Date: __________________Short Description of Risk:
__________________________________Risk Management Process Owner:
___________________________________
Describe the Risk, its Components, and Examples: Describe the Steps Being Taken to Manage the Risk at an
Acceptable Level: Describe the Operational Response to an Adverse Occurrence: Describe the Communication Response to an Adverse
Occurrence:
16
Once you have all the data about risk, what does the risk committee
(or others) do with it?
• Gauging most serious risks, mitigation measures, risk tolerance
• Addressing Same Risks Year after Year• What is counsel’s role?
Counsel’s Role in Managing Non-Legal Risks
o Tending to boundaries
o Identifying emerging risks
o Avoiding operational roles
o Ensuring reasonableness of risk management process
Board’s Role in Risk Oversight
• Board’s role is to oversee the risk management process, not manage day to day risks
• Management must provide the right amount of information for Board to perform its role
• Janice M. Abraham, Risk Management: An Accountability Guide for University and College Boards
Compliance vs. Risk Management
Compliance• Policies/Procedures/Controls• Training/Education• Monitoring• Investigation
Risk Management
• Non-legal Risk• Health and Safety• Incident Response• Disaster Recovery/Business
Continuity• Infrastructure
Identify / manage legal and regulatory risk; Work with Responsible Owners
QUESTIONS?