
Embedding a Risk Framework Using a SWOT Analysis

This workshop explores the use of SWOT analysis in establishing a risk framework, with a focus on education. Learn how to apply concepts from Sarbanes-Oxley Act, TEQSA, Baldrige Criteria, ISO 31000:2009, and COSO Framework.





Presentation Transcript


  1. Embedding a Risk Framework Using a SWOT Analysis
     Fernando F. Padró, Director, Learning & Teaching Services (Acting)
     Ngaire Winwood, Administrator (Audit & Risk), Internal Audit

  2. Workshop objectives:
     - Introduction
     - Focus
     - Rationale for application to education
     - Sarbanes-Oxley Act of 2002
     - TEQSA
     - Baldrige Criteria
     - ISO 31000:2009
     - COSO Framework
     - Evaluation and linkage to SWOT
     - Exercises in using SWOT with risk framework
     This is an interactive session – ask and do. There is some introduction, but the focus is on doing and talking.

  3. The focus of this workshop:
     Yes: Academic and student focus regarding risk management in education
     Yes: Managerial approaches in documenting risk management in support of academic activities
     No: The workshop will not focus on insurance and insurance issues, pure fiscal management issues, catastrophic/emergency response concerns, or safety & health concerns – although some of the discussion can and does cross over
     No: Establishing quantitative algorithms to frame decisions – that is for another workshop and may not apply at the level of some of the factors being covered.

  4. The workshop is mainly designed for higher education, but many of the issues do cross over to primary/secondary education. The basis of the presentation is the increasing use of enterprise risk management (ERM) concepts in higher education quality assurance, spearheaded by Australia’s Tertiary Education Quality and Standards Agency (TEQSA) and the longstanding research and adopted practices sponsored by the UK’s Higher Education Funding Council for England (HEFCE). In the USA, the main avenue for ERM is the Sarbanes-Oxley Act of 2002 (Pub.L. 107–204, 116 Stat. 745 (July 30, 2002)). For higher education, the 2003 NACUBO (National Association of College and University Business Officers) recommendations suggested its adoption as best practice. The path is less clear for primary/secondary education institutions and systems, except as part of state QA mandates (as with Australia).

  5. Enterprise risk management (ERM) combines aspects of quality assurance (QA) and quality control (QC). It is the developing new wrinkle in QA in higher education (Padró, 2014), but it can easily apply to primary/secondary education as well because it seems to fit glove-in-hand with increased external regulatory oversight. Business risk assessment is both a symptom and a definer of the times (Power, 2007).

  6. “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” … “In the wise leader's plans, considerations of advantage and of disadvantage will be blended together. If our expectation of advantage be tempered in this way, we may succeed in accomplishing the essential part of our schemes. If, on the other hand, in the midst of difficulties we are always ready to seize an advantage, we may extricate ourselves from misfortune.” -- Sun Tzu
     “A risk is a chance you take; if it fails you can recover. A gamble is a chance taken; if it fails, recovery is impossible.” -- Erwin Rommel

  7. It’s about optimal risk taking (Curtis & Carey, 2012)

  8. Sarbanes-Oxley Act of 2002: The impetus behind its passage was to shore up the confidence crisis created by perceived lax corporate governance processes (Thapa & Brown, 2007; Rosenbloom, 2006; Padró, 2010). It legally codified many best practices which had been discussed for a number of years beforehand (Fram & Zoffer, 2005). The passage of SoX upset the uneasy balance between state and federal law, potentially federalizing corporate law by taking over a realm heretofore handled by organizations themselves, state regulators, and court decisions (Wu, 2006; Parles, O’Sullivan, & Shannon, 2007). While the scope of SoX is limited to publicly traded companies (Securities and Exchange Commission registrants), there has been increasing interest in its usefulness and applicability in the nonprofit sector (Vermeer, Raghunandan, & Forgione, 2006).

  9. NACUBO 2003 recommendations on adopting SoX
     Title III – Corporate Responsibility
     Section 301: The creation of an independent audit committee, with operations based on notions of external review.
     Section 302: CEO and CFO required to assert that the financial statements have no material misstatements or omissions and that they have evaluated “disclosure controls and procedures” (e.g., quality of overall disclosures such as notes to the financial statements, management discussion and analysis, or selected financial data).

  10. NACUBO 2003 recommendations on adopting SoX
     Title IV – Enhanced Financial Disclosures
     Section 401: Follow current and appropriate accounting standard guidance (i.e. FASB, GASB).
     Section 403: Board members should report financial conflicts of interest.
     Section 404: Internal control requirements and managerial assessment of these controls. [Probably the most important provision of SoX, which has imposed a large compliance burden (Rosenbloom, 2006).]
     Section 406: Code of ethics for senior financial managers.
     Section 407: At least one financial expert as a member of the audit committee.
     [Section 409: Obligation to report rapid changes impacting financial status (Maurizio, Girolami, & Jones, 2007).]

  11. NACUBO 2003 recommendations on adopting SoX
     Title VIII – Corporate and Criminal Fraud
     Section 802: It is good practice to ensure that documents and records sent or received in connection with the audit are retained for seven years.
     [Section 806: Whistleblower protection.]
     Title XII – Corporate Fraud Accountability
     Section 1105: Background checks for new employees.

  12. TEQSA: TEQSA’s use of a risk framework is legislation-based, with the original premise set by its predecessor, the Australian Universities Quality Agency (AUQA) (Padró, 2014). Designed not to impose additional reporting burdens, ‘TEQSA relies heavily on existing data collected within the sector for its risk assessments, predominantly the national higher education collections managed by the Department of Education and survey data from Graduate Careers Australia (GCA)’ (TEQSA, 2014, p. 1). TEQSA defines risk as ‘actual or potential risk events (regarding a provider’s operations and performance) which indicate that the provider may not meet the Threshold Standards (either currently or in the future)’ (TEQSA, 2012, p. 34). Its Risk Assessment Framework (2014) identifies potential risks of non-compliance rather than drawing conclusions about compliance.

  13. TEQSA (2014) aims:
     - Reduce regulatory burden by using risk assessments to inform a differentiated approach to evidence and reporting requirements in regulatory processes;
     - Strengthen the protection of students’ interests and the sector’s reputation by monitoring key aspects of providers’ operations during registration periods;
     - Support TEQSA case managers and providers to engage in early discussion about emergent issues prior to any formal regulatory review; and
     - Support quality improvement activities through the sharing of information with providers about potential risks and good practices in the sector (p. 2).

  14. TEQSA: ‘TEQSA also recognises that innovation often involves a degree of risk taking and does not consider risk as necessarily negative or that all risk must be controlled or eliminated. To support this in practice, TEQSA’s approach allows for expert judgement and embeds providers’ history, context and own risk management within the risk assessment process’ (2014, p. 2). The Risk Assessment Framework is based on ISO 31000 risk standards, although in a modified form to fit its purposes. However, it can be argued that the formative documents leading to TEQSA and its initial Regulatory Risk Framework (2012) were based on the COSO framework, because of its top-down, external-internal regulatory compliance perspective.

  15. TEQSA key components of risk assessment (2014)

  16. TEQSA potential actions (2014, p. 8)

  17. E.g. of TEQSA risk factors: Student profiles

  18. Other student profile risk factors for TEQSA:
     - Student Load
     - Attrition Rate
     - Progression Rate
     - Completions (by Undergraduate/Postgraduate Coursework and Higher Degree by Research, as applicable)
     - Student Satisfaction (by Undergraduate/Postgraduate Coursework and Higher Degree by Research, as applicable)
     - Graduate Destinations

  19. TEQSA risk factor: Staff resource & profile. The other risk factor is academic staff on casual work contracts.

  20. TEQSA risk profile: Financial viability and sustainability

  21. TEQSA risk profile: Financial viability and sustainability

  22. 2013-2014 Baldrige Criteria on Risk: Leadership (Criterion 1)
     1.1a(3): … [C]reate an environment for INNOVATION and INTELLIGENT risk taking…
     1.1b(2): How do senior leaders create a focus on action that will achieve the organization’s objectives, improve its performance, enable innovation and intelligent risk taking, and attain its vision? How do senior leaders identify needed actions?
     Note: ‘In the context of sustainability, the concept of innovation and taking intelligent risks includes both technological and organizational innovation to help the organization succeed in the future’ (p. 7). ‘A sustainable organization is capable of addressing risks and opportunities arising from environmental considerations and climate change’ (p. 8). ‘Senior leaders’ focus on action considers your strategy, workforce, work systems, and assets. It includes taking intelligent risks and implementing innovations and ongoing improvements in productivity’ (p. 8).

  23. 2013-2014 Baldrige Criteria on Risk: Leadership (Criterion 1) 1.2b(1): Legal Behavior, Regulatory Behavior, and Accreditation:… What are your key processes, measures, and goals for addressing risks associated with your educational programs and services and your operations? Re Visionary leadership: ‘Senior leaders should serve as role models through their ethical behavior and their personal involvement in planning, providing a supportive environment for taking intelligent risks, communicating, coaching and motivating the workforce, developing future leaders, reviewing organizational performance, and recognizing workforce members. As role models, they can reinforce ethics, values, and expectations while building leadership, commitment, and initiative throughout your organization’ (p. 37).

  24. 2013-2014 Baldrige Criteria on Risk: Strategic Planning (Criterion 2)
     2.1a(2): How do you decide which strategic opportunities are intelligent risks for pursuing?
     2.1a(3): How do you collect and analyze relevant data and develop information on these KEY elements as part of your strategic planning PROCESS? … Risks to your organization’s SUSTAINABILITY.
     2.2a(3): Resource allocation: … How do you manage the financial and other risks associated with the plans to ensure your financial viability?

  25. 2013-2014 Baldrige Criteria on Risk: Strategic Planning (Criterion 2) Note: ‘Choosing which strategic opportunities to pursue involves considering relative risk, financial and otherwise, and then making intelligent choices (“intelligent risks”)’ (p. 11). ‘Data and information might relate to student, other customer, and market requirements, expectations, and opportunities; learning-centered education to ensure student achievement; your core competencies; the competitive environment and your performance now and in the future relative to competitors and comparable organizations; education reform; technological and other key innovations or changes that might affect your programs and services and the way you operate, as well as the rate of innovation; workforce and other resource needs; your ability to capitalize on diversity; opportunities to redirect resources to higher-priority programs or services; financial, societal, ethical, regulatory, technological, security, and other potential risks and opportunities; your ability to prevent and respond to emergencies, including natural or other disasters; changes in the local, national, or global economy; requirements for and strengths and weaknesses of your partners and supply chain; changes in your parent organization; and other factors unique to your organization’ (p. 11). [presenters’ bold and italics]

  26. 2013-2014 Baldrige Criteria on Risk: Workforce Focus (Criterion 5) 5.2a(3): Performance management: HOW does it reinforce INTELLIGENT RISK taking to achieve INNOVATION; reinforce a focus on students, other CUSTOMERS, and student LEARNING; and reinforce achievement of your ACTION PLANS? Re Valuing workforce members: ‘… (5) creating an environment that encourages intelligent risk taking to achieve innovation … (p. 38)

  27. 2013-2014 Baldrige Criteria on Risk: Operations Focus (Criterion 6) 6.2d: Innovation management: …HOW do you pursue the STRATEGIC OPPORTUNITIES that you determine are INTELLIGENT RISKS? A ‘focus on the future includes developing your leaders, workforce, and suppliers; accomplishing effective succession planning; creating a supportive environment for taking intelligent risks and encouraging innovation; and anticipating societal responsibilities and concerns’ (p. 39).

  28. 2013-2014 Baldrige Criteria on Risk: Results (Criterion 7) 7.4b: What are your RESULTS for KEY MEASURES or INDICATORS of the achievement of your organizational strategy and ACTION PLANS, including taking INTELLIGENT RISKS and building and strengthening CORE COMPETENCIES? Indirect: 7.4a(2): Governance: What are your KEY current findings and TRENDS in KEY MEASURES or INDICATORS of GOVERNANCE and internal and external fiscal accountability, as appropriate? Note: For 7.4a(2), ‘Responses might include financial statement issues and risks, important internal and external auditor recommendations, and management’s response to these matters’ (p. 26).

  29. 2013-2014 Baldrige on Governance ‘Governance processes may include the approval of strategic direction, policy creation and enforcement, the monitoring and evaluation of the senior leader’s performance, the establishment of senior leaders’ compensation and benefits, succession planning, financial auditing, and risk management. Ensuring effective governance is important to stakeholders’ and the larger society’s trust and to organizational effectiveness’ (p. 46).

  30. 2013-2014 Baldrige Criteria: Managing for innovation ‘Innovation means making meaningful change to improve your organization’s educational programs and services, processes, operations, and business model, with the purpose of creating new value for stakeholders. Innovation should lead your organization to new dimensions of performance. Innovation requires a supportive environment, a process for identifying strategic opportunities, and the pursuit of intelligent risks’ (p. 40).

  31. 2013-2014 Baldrige Criteria: More on innovation ‘Innovation results from a supportive environment, a process for identifying strategic opportunities, and the pursuit of those strategic opportunities that you identify as intelligent risks. Achieving innovation requires resource support and the tolerance of failure. Fostering the right climate is the domain of senior leaders, identifying strategic opportunities and intelligent risks is part of strategy, and pursuing the intelligent risks must be embedded in managing organizational operations’ (p. 42). ‘Innovation benefits from a supportive environment, a process for identifying strategic opportunities, and a willingness to pursue intelligent risks’ (p. 47)

  32. Definitions of risk: Baldrige Intelligent Risks: ‘Opportunities for which the potential gain outweighs the potential harm or loss to your organization’s sustainability if you do not explore them. Taking intelligent risks requires a tolerance for failure and an expectation that innovation is not achieved by initiating only successful endeavors. At the outset, education organizations must invest in potential successes while realizing that some will lead to failure. The degree of risk that is intelligent to take will vary by the pace and level of threat and opportunity in the education sector. In a rapidly changing environment with constant introductions of new programs, services, processes, or business models, there is an obvious need to invest more resources in intelligent risks than in a stable environment. In the latter, organizations must monitor and explore growth potential and change but, most likely, with a less significant commitment of resources’ (p. 47). ‘External strategic challenges may relate to student, other customer, or market needs or expectations; changes in educational programs and services; technological changes; or budgetary, financial, societal, and other risks or needs. Internal strategic challenges may relate to capabilities or human and other resources’. (p. 50).

  33. Definitions of risk: Baldrige Strategic opportunities: ‘Prospects that arise from outside-the-box thinking, brainstorming, capitalizing on serendipity, research and innovation processes, nonlinear extrapolation of current conditions, and other approaches to imagining a different future. The generation of ideas that lead to strategic opportunities benefits from an environment that encourages nondirected, free thought. Choosing which strategic opportunities to pursue involves consideration of relative risk, financial and otherwise, and then making intelligent choices (intelligent risks)’ (p. 50).

  34. ISO 31000 (2012): ISO 31000 looks at and handles risk from the standpoint of risk having positive as well as negative consequences (Padró, 2014). Its principles:
     - Creation and protection of value;
     - Being an integral part of all [organizational] processes;
     - Being part of decision-making;
     - [Having] capacity to explicitly address uncertainty;
     - Being systematic, structured and timely;
     - Basing decisions on best available information;
     - [Tailoring process] to the institution – [making it the university’s own];
     - Transparency and inclusiveness;
     - [Being] dynamic, iterative and responsive to change; and
     - Facilitating the organisation’s continual improvement (ISO 31000, 2012, pp. 7-8).

  35. ISO 31000 (ISO, 2009)

  36. ISO 31000 diagram

  37. COSO framework The Committee of Sponsoring Organizations of the Treadway Commission (COSO, 2013) defines risk as the possibility that an event will occur and adversely affect the achievement of objectives. According to Padró (2014), there are two overall approaches espoused in the literature and defined standards by differing organizations that can be applied to forming a risk management framework within an educational institution setting. One approach is the one currently promoted by COSO which reflects the Basel II definition. This methodology is internal control driven, with activities constructed to look at the degree of organizational compliance to a defined set of standards or expectations. The second approach is based on the ISO 31000 standard that embeds risk within an organisation’s QA and QC schema to counteract and explicitly address uncertainty. ‘The success of risk management will depend on the effectiveness of the management framework providing the foundations and arrangements that will embed it throughout the organisation at all levels’ (ISO 31000, 2009, p. 8).

  38. COSO Framework (COSO, 2013)

  39. Original COSO cube (COSO, 2004)

  40. Key elements of COSO framework (COSO, 2004)

  41. Improvement through control reconfiguration (COSO, 2007)

  42. Information flow within ERM (COSO, 2004)

  43. COSO monitoring process (COSO, 2007)

  44. Update articulates principles of effective internal control (source: COSO, May 2013)
     Control Environment
     - Demonstrates commitment to integrity and ethical values
     - Exercises oversight responsibility
     - Establishes structure, authority and responsibility
     - Demonstrates commitment to competence
     - Enforces accountability
     Risk Assessment
     - Specifies suitable objectives
     - Identifies and analyzes risk
     - Assesses fraud risk
     - Identifies and analyzes significant change
     Control Activities
     - Selects and develops control activities
     - Selects and develops general controls over technology
     - Deploys through policies and procedures
     Information & Communication
     - Uses relevant information
     - Communicates internally
     - Communicates externally
     Monitoring Activities
     - Conducts ongoing and/or separate evaluations
     - Evaluates and communicates deficiencies

  45. Developing risk appetite the COSO way (Rittenberg & Martens, 2012)

  46. How COSO sees inter-relationships (Rittenberg & Martens, 2012)

  47. How risk appetite controls process in COSO (Rittenberg & Martens, 2012)

  48. Source: Padró, 2014

  49. It’s about mapping opportunities as well as risks (Curtis & Carey, 2012)
