May 18, 2009

Linda Anderson, Carnegie Mellon University

EASFAA Enterprise Risk Management and the Financial Aid Office


Post on 05-Feb-2016


DESCRIPTION

EASFAA Enterprise Risk Management and the Financial Aid Office. May 18, 2009. Linda Anderson, Carnegie Mellon University. ERM: Enterprise Risk Management.

TRANSCRIPT

Page 1: May 18, 2009

MAY 18, 2009

Linda Anderson Carnegie Mellon University

EASFAA Enterprise Risk Management and the Financial Aid Office

Page 2: May 18, 2009

ERM: Enterprise Risk Management

Definition: “…a process effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk, to provide reasonable assurance regarding the achievement of entity objectives.”

Need to think of risk as a strategy and manage it as a bottom line driver.

Page 3: May 18, 2009

Risk Management

Risk is any issue that impacts an organization’s ability to meet its objectives.

Risk management is:

A process of understanding, evaluating and taking action on risks.

Systematic and supports accountability.

A process that considers the external and internal environment.

Need to define the risks which could impact our ability to achieve our strategic objectives.

Need to assess probability and impact of risk.

Page 4: May 18, 2009

Risk Management: Purpose

Purpose of the Project: to enable Management and the Board of Trustees to understand the types of risks facing the university, current methods to address risks, and mitigation steps.

Page 5: May 18, 2009

Risk Management: University Structure

University Compliance and Risk Committee

Senior Director of University Risk Management

Committee comprised of Departmental Directors

Quarterly Committee Reporting and Review

Page 6: May 18, 2009

5 Categories of Risk

Strategic: High level goals aligned with and supporting the college’s mission.

Operational: Effective and efficient use of resources.

Reporting: Reliability of external and internal reporting.

Compliance: Compliance with applicable laws and regulations.

Reputational: Damage caused by any of the above four that impacts how the university is valued or perceived.

Page 7: May 18, 2009

Risks in Higher Education: Internal Compliance

Internal: Compliance is one of several categories.

Institutional compliance concepts:

Coordination of compliance responsibilities through a formalized structure and network of functional compliance specialists.

Identify, assess, mitigate and monitor risk priorities and solutions.

Clarify and strengthen accountabilities for traditional functional compliance responsibilities.

Need to assign responsibility for risk management.

Page 8: May 18, 2009

Financial Aid Office: Development of a Compliance Risk Profile

Define Objectives: determine risk objectives.

Identify Events: which events could adversely impact risk objectives.

Estimate Probability/Likelihood: that a risk will occur.

Estimate Impact: negative impact resulting in potential University financial losses and/or reputational losses.

Preliminary Risk Assessment: the risk of an event considering probability, impact, and existing policies, procedures and controls.

Planned Risk Mitigation Strategy: additional control procedures to alleviate the preliminary risk assessment.

Assess Residual Risks: the remaining risk subsequent to risk management controls.

Page 9: May 18, 2009

Possible Areas for Consideration in the Financial Aid Office:

Financial Aid Strategy

Financial Aid Compliance: federal and state regulations.

OMB A-133 Compliance

FERPA, GLB

HEOA of 2008

ARRA: 2009

HCERA: 2010

Page 10: May 18, 2009

Possible Areas for Consideration in the Financial Aid Office:

Enrollment Growth Management.

Financial Aid Compliance: Donor Restrictions.

Student Records Management.

Installation of new financial aid software/system.

Institutional Loan Programs and Risk Assessment, reserve for probable loan defaults.

Increase in student loan defaults due to regulatory changes.

Page 11: May 18, 2009

Definitions for Template Design and Use

Event: incident or occurrence that could affect the achievement of objectives (including compliance with regulations and policies).

Existing Policies and Procedures

Probability/Likelihood: Qualitative measure of the possibility that an event will occur within a 3 year timeframe. (likely, possible, unlikely, rare)

Page 12: May 18, 2009

Definitions for Template Design and Use

Impact: measured financial and reputational impact; consider materiality and level of management concerns. (extreme, high, medium, low, negligible)

Preliminary Risk Assessment

Planned Risk Mitigation Strategy

Net Residual Risk Assessment

Page 13: May 18, 2009


Financial Aid Office Compliance Risk Assessment Template

Page 14: May 18, 2009


Financial Aid Office Compliance Risk Assessment Template

Page 15: May 18, 2009


Financial Aid Office Compliance Risk Assessment Template

Page 16: May 18, 2009


Financial Aid Office Compliance Risk Assessment Template

Page 17: May 18, 2009


Financial Aid Office Operational Risk Assessment Template

Page 18: May 18, 2009

Recommendations and Summary:

Implementation of new regulations does not necessarily constitute an ‘event’.

Intersection of events among offices.

Compliance and Operational events.

Requires quarterly discussions and updating.

A positive tool for Staff, Management and Audit Committees.

An enterprise-wide strategy.