ROLE OF THE GENERAL COUNSEL IN INSTITUTIONAL RISK MANAGEMENT

Marcia Isaacson, CUNYJames J. Mingle, Cornell University

Stephen D. Sencer, Emory University

Introduction

• Jim Mingle – General Counsel of Cornell• Steve Sencer – General Counsel of Emory

Overview of this session

• Structures for Institutional Risk Management• Process for Risk Identification • Process for Risk Management• Board’s Role in Risk Oversight• Compliance vs. Risk Management

Key Questions

• How do you know if the right risks are being identified?

• How do you determine who is “in charge” of managing and mitigating the risks?

• How do you know if the “most serious risks” are being aptly assessed institutional resources are strategically directed?

• What oversight and support structure will aid in the overall risk management effort?

Structures for Institutional Risk Management

o Committee/Council model

o Chief Risk Officer Model

o Hybrid

o Role of Risk and Insurance Department

Cornell

• Committee chaired by General Counsel – has 21 members from broad range of offices, including Finance & Administration, HR, University Relations, Research, Audit, Risk Management & Insurance, Campus Health, Student and Academic Services, EH&S, IT, Police, Facilities.

• Meets at least quarterly.

• Five Main Risk Categories: Operations, Finance, Life & Safety, Reputation, Legal.

• Guiding principles include:• Identify main and specific risks and ensure that specific risks have

responsible managers• Enable an efficient system of guidance and support to individuals “in

charge,” through development of appropriate policies and assistance of risk advisory committees (ad hoc and standing), and elimination of silos which may inhibit institutional risk and management efforts.

• Other Structures Considered• Counsel’s Role in Shaping Structure

7

Emory’s ERM Structure

ERM Executive Committee

• President (Committee Chair)• Provost• EVP for Health Affairs

• EVP for F&A• SVP and General Counsel• SVP and Dean for Campus Life• SVP for Development

ERM Steering Committee

• Chief Risk Officer (Co-Chair)• Chief Audit Officer (Co-Chair)• Chief Investment Officer• Deputy General Counsel

• VP for Campus Services• VP for Finance• VP for Human Resources• VP for IT

Finance & Investment

Campus Safety&

Physical Plant

Healthcare

InformationTechnology

Governance& Corporate

Affairs

Academic &StudentAffairs

ResearchHumanResources

• VP and Secretary• VP of Communications• President and CEO, Emory Healthcare

• VP for Research Administration• Senior Vice Provost• Director of Student Activities• Director of CEPAR

CUNY• Risk Management and Business Continuity Council (47

members:22 from Central and 25 from campuses)• Chaired by the Director of Environmental, Health and Safety &

Risk Management.• Deputy General Counsel and Compliance Officer are members.• Standing Committees

o Preparedness committeeo Information Technology committeeo Travel and transportation committeeo Insurance committeeo Infectious disease committeeo Residence hall committee

• Ad hoc committees formed as needed• Monthly meetings include reports from standing committees

and educational risk-related presentations.

Role of Counsel Re: Structure

• Legal, compliance and risk management overlap, but are not the same function

• Counsel should advise “institution” on risk management structure– Management/Leadership– Board (typically through Audit Committee)

• Counsel should participate in committee (s)• Counsel should participate in risk briefings

• Cast a big net• Asked committees to identify EVERY risk• Generated 555 risks

• Eliminated duplicates• Reduced list to 140

• Assessed frequency and severity rankings

• Distilled the list to 50 “Key Risks”

Emory’s Risk Identification Process

10

International ProgramsSecurity Assessment & Advice

Due DiligenceFinancial Management

Intervention & EvacuationTravel Safety

Data Security (Paper & IT)PersonnelPayrollDonorStudentPatient

Patient CareMedical Malpractice

Compliance – Billing, etc.

University GovernanceAutonomy

Academic FreedomCritical Partnerships

Ethical Conduct

Employment IssuesMisfeasance & Malfeasance

DiscriminationRecruitment/Retention

Sexual HarassmentAffirmative Action

Labor RelationsEmergencies & CrisesPreventionPlanningNotificationResponseRecoveryBusiness Continuity

SPECIFIC RISKS:

AthleticsControversies

NCAA & Title IX Compliance

Info Tech SecurityRecoveryLicensing

SPECIFIC RISKS:

Loss of Critical InfrastructureBuildings & PropertiesUtilitiesTransportationIT

Public Safety & SecurityCampus Crime ControlCampus Code of ConductFaculty/Student/Staff Mental HealthSubstance AbuseFraternal/ Student Organizations

Health & EnvironmentHazards – Chemical, Biological, RadiologicalOccupational Health & SafetyFireConstruction AccidentsCampus Personal Injuries

Financial StewardshipAccountability & ControlsEndowment ManagementSubsidiaries ManagementFinancial FraudEffort AllocationCost Allowability and Allocability

Research Integrity & AssuranceHuman SubjectsConflicts of Interest, CommitmentResearch MisconductAnimal Research and CareStem Cell Research

Intellectual PropertyProtection & InfringementEquity Interests & Start-ups

Identified “Specific Risks”

MAIN RISKS:

LIFE & SAFETY

REPUTATION FINANCIAL & PROPERTY

OPERATIONS

LIFE &SAFETY

LEGAL

Risk Identification at CUNY

– Units/departments on each campus must complete annual risk management survey/report• Academic Affairs• Mental Health & Wellness• Budget/Finance• Human Resources• Business Services• Legal Affairs• IT • Environmental Health and Safety• Facilities• Public Safety• Student Affairs

– One person on campus designated to distribute/collect the risk surveys

Risk Identification at CUNY (cont.)

– Risk Surveys (in template form) request: o Risk Statemento Likelihood/Impact/Risk Scoreo Policy and Procedures (existing and potential)o Education Training and Awareness (existing and potential)o Operational Controls (existing and potential)o Oversight, Monitoring or Executive Controls (existing)o Audit Controls (Existing and Potential)o Other Controlso Responsible Persono Mitigation Costo Scheduled Date to Revisit Plan

– Reports are returned to EHS & RM where they are put into a database for analysis by EHS & RM.

– CUNY Risk Manager visits each campus to review surveys.

Staying on the lookout for emerging and overlooked risks

o External Sources for Emerging Riskso Regulatory Actions (Dear Colleague Letters)o Agency/Inspector General/State Comptroller Auditso Problems facing Corporate America (Target Data Breach; FCPA)o Problems at other universities (overseas labor practices)

o Emerging Internal Riskso Legal obligations with uncertain or multiple homes (privacy of

student/patient information) o Revenue generating initiativeso International Programs

o Learning from Criseso Non-governmental reporting of information

• Assign Ownership– “Risk Management Process Owner” for each risk

– Must be sufficiently familiar with the risk and best positioned to write a comprehensive Risk Management Plan

• Review with Senior Leadership

• Repeat

Emory’s Risk Management Process

15

Risk Management PlansPrivileged and ConfidentialAttorney-Client Communication

EMORY UNIVERSITYENTERPRISE RISK MANAGEMENT

RISK MANAGEMENT PLAN

Date: __________________Short Description of Risk:

__________________________________Risk Management Process Owner:

___________________________________

Describe the Risk, its Components, and Examples: Describe the Steps Being Taken to Manage the Risk at an

Acceptable Level: Describe the Operational Response to an Adverse Occurrence: Describe the Communication Response to an Adverse

Occurrence:

16

Once you have all the data about risk, what does the risk committee

(or others) do with it?

• Gauging most serious risks, mitigation measures, risk tolerance

• Addressing Same Risks Year after Year• What is counsel’s role?

Counsel’s Role in Managing Non-Legal Risks

o Tending to boundaries

o Identifying emerging risks

o Avoiding operational roles

o Ensuring reasonableness of risk management process

Board’s Role in Risk Oversight

• Board’s role is to oversee the risk management process, not manage day to day risks

• Management must provide the right amount of information for Board to perform its role

• Janice M. Abraham, Risk Management: An Accountability Guide for University and College Boards

Compliance vs. Risk Management

Compliance• Policies/Procedures/Controls• Training/Education• Monitoring• Investigation

Risk Management

• Non-legal Risk• Health and Safety• Incident Response• Disaster Recovery/Business

Continuity• Infrastructure

Identify / manage legal and regulatory risk; Work with Responsible Owners

QUESTIONS?