原文:
U niversity Risk Management
Organizations around the world are facing challenging times due to continuing economic volatility and facing new risks that cause them continuously to assess the potential impact, financial and otherwise, of market conditions on the performance of their operations. And universities are no exception.
Institutions of higher education have significant compliance requirements, and many have invested greatly in response to heightened expectations from stakeholders to stay competitively viable among other universities. However, many continue to approach risk and control requirements in silos, which leads to the creation of multiple frameworks for governance, infrastructure, and processes; fragmented risk and control activities; potential gaps in overall risk coverage; and duplication of effort. Understandably, there is a resulting concern about compliance breaches. Without a common basis for evaluation, audit committees struggle to determine the adequacy of risk and control efforts, and boards and executives want assurance that investments are appropriately focused, consistent with peers, and aligned to the institution’s unique risk issues.
Universities are also facing increased scrutiny from stakeholders regarding issues such as investments and spending, privacy, conflicts of interest, IT availability and security, fraud, research compliance, and transparency. Students, faculty members, staff, donors, and other interested parties are looking not only at what is being done, but how it is being done.
Although the approach to risk management varies from institution to institution, there are clearly some common challenges and trends. Overall, a growing number of universities are integrating a risk management framework into their strategic planning and decision-making processes, but sustaining formal risk management and reporting process is a challenge. The board of governors, president, and other senior management members are often involved in ongoing risk identification and assessment, and are taking part in efforts to develop and implement both internal and
external risk management processes and controls. The establishment of risk champions (members of the university beyond the university’s administration who can champion risk management) within the university is also increasing, which raises the awareness of risk, fosters better understanding of risk management programs and practices, and increases communication to relevant stakeholders.
Applying ERT to universites
Enterprise risk management (ERM) can be described as a strategic process affected by a u niversity’s governance structure, management, administration, and faculty, designed to:
• Help identify risks that may affect the institution.
• Manage identified risks within the university’s risk appetite.
• Provide assurance that the university can achieve its objectives.
The values of the university influence how risk is perceived, and it is important that the culture reflects a risk management philosophy. Having a strong ERM framework can provide a common understanding of risk across the organization and help it achieve its strategic and academic objectives through focusing on the interrelated risks that could have the most significant impact. It drives the organization to integrate risk into its everyday planning and budgeting/forecasting process and operations, and strengthens its ability to deal vent unexpected or stealth risks.
As in ot her organizations, a university’s risk management approach must grow and change with the environment in which it operates. An embedded, sustainable ERM approach allows management to assess, improve, and monitor consistently the way the university manages its evolving risks.
A university risk management maturity model
There are three stages of maturity that can be applied to universities. The risk management maturity model can be used as a roadmap for evaluating an institution's current state and defining next steps. The Baseline Practices stage typically consists of fundamental compliance activities. Typically, there are no established risk management roles, responsibilities, processes, or documentation, and most efforts are
