MSI Presidential Leadership Summit
Managing the Institution's Most Critical Risks: An Enterprise Risk Management Approach to Managing Cyber and Fraud Risks
Dr. Michael Dean, Dr. Charles Patterson, Ms. Kathy Zelnik, Dr. Linda Wilbanks, Ms. Linda Hall
U.S. Department of Education, November 2018
Presenters

Dr. Michael Dean is Chief Enterprise Risk Officer and Senior Executive Head of Enterprise Portfolio, Risk & Data at the U.S. Department of Education, Federal Student Aid (FSA). Dr. Dean is responsible for an operation overseeing the management of enterprise-wide risks, including FSA's $1.5 trillion portfolio, major operating units, cybersecurity, fraud, and transformation, and for leading a transformative effort to deliver commercial, best-in-business practices in portfolio management to achieve the best possible results for students and taxpayers. Dr. Dean has a passion for driving innovation and change in higher education finance and has over 25 years of experience in leadership positions at public and private universities, financial services, and financial technology enterprises. He received his BS in Accounting, MBA in Enterprise Systems and Brand Management, and PhD in Educational Administration and Higher Education with emphasis in quantitative research methods from Southern Illinois University Carbondale. He has completed Harvard University's graduate program in Management and Leadership in Education.

Dr. Charles Patterson serves as the Senior Advisor for Executive Outreach at the U.S. Department of Education, Federal Student Aid (FSA). Dr. Patterson leads executive engagement efforts for and on behalf of the Chief Operating Officer, coordinating outreach with presidents/chancellors of participating schools; partners in FSA's loan programs; federal and state agencies; and key external stakeholders on the programmatic work of FSA. In addition to executive engagement, he leads studies of emerging trends, evaluates stakeholder positions, and leads strategic implementation efforts for FSA. Dr. Patterson also leads programs focused on risk assessment and risk mitigation, including the development of early warning risk indicators and interventions for school closure, developed to alleviate or minimize the negative impacts of school closure on students and taxpayers. Dr. Patterson has served as an executive within university administration for more than 15 years, most recently as the Interim President of Georgia Southwestern State University. He graduated magna cum laude from Mississippi State University with a B.S. degree in biochemistry and earned his Ph.D. in biomedical sciences from the University of Texas Southwestern Medical Center at Dallas.
Presenters

Kathy Zelnik is Deputy Chief Enterprise Risk Officer at the U.S. Department of Education, Federal Student Aid (FSA). Ms. Zelnik supports the Chief Enterprise Risk Officer in the management of enterprise-wide risks associated with FSA's $1.5 trillion portfolio representing over 40 million students. Ms. Zelnik has worked for over 25 years to embed a proactive and dynamic risk management capability and mindset into business practices, starting from the onset of strategic planning and extending throughout strategy implementation and execution. She has designed and implemented ERM programs in both the commercial and Federal sectors. She has a BS from the University of Maryland, an MBA in Finance from Mercer University, and a Black Belt certification from Villanova. She is a certified Project Management Professional (PMP). Ms. Zelnik was part of the core team that rewrote the COSO framework on Enterprise Risk Management (ERM): Enterprise Risk Management - Integrating with Strategy and Performance.

Dr. Linda Wilbanks serves as the Sr. Cyber Risk Management Advisor at Federal Student Aid within the Department of Education. She is responsible for the cyber risk appetite and risk portfolio, ensuring all cyber security risks are identified and mitigations are developed and implemented. Prior to this position she served as the FSA Chief Information Security Officer (CISO). Dr. Wilbanks has also served as the Command Information Officer (CIO) at the Naval Criminal Investigative Service (NCIS), the CIO at the National Nuclear Security Administration (NNSA), and the Chief Information Officer (CIO) at NASA Goddard Space Flight Center (GSFC). Prior to joining federal service, Dr. Wilbanks was a professor of mathematics and computer science. Dr. Wilbanks holds a Bachelor's degree in mathematics and secondary education, a Master of Engineering Science, and a Doctorate in Computer Science. She has published over 125 articles in refereed journals on software metrics, quality assurance, cyber security, and risk management.
Presenters

Linda Hall serves as the Senior Fraud Risk Advisor in the Enterprise Risk Management Office of Federal Student Aid (FSA). She is responsible for ensuring compliance with federal statutes and directives governing management of enterprise-wide fraud risk activities. She also ensures the integrity of FSA programs by identifying fraud risks and mitigation processes. As a member of the Senior Executive Service at the Department of Education (ED), Ms. Hall has served in a variety of managerial roles. Prior to this position, Ms. Hall was FSA's Internal Review Officer, responsible for the analytical and advisory work supporting audits and internal reviews. She has served as ED's Director of Rural Outreach and Executive Director of the former Rural Education Task Force. A former White House Fellow, Ms. Hall holds a Bachelor of Science in Commerce from the McIntire School of Commerce of the University of Virginia and a Master of Business Administration from the Wharton Graduate Division of the University of Pennsylvania. She is a certified Project Management Professional (PMP) and a certified mediator.
Agenda
1. Objectives
2. Institutional Leadership and Risk Context
3. Enterprise Risk Management: Enabling Strategy
4. Managing Cybersecurity Risk
5. Managing Fraud Risk
6. Moving Forward with ERM
Objectives
• To discuss the increasing complexity of the presidential role, and the issues and risks, in higher education
• To improve cybersecurity risk knowledge and discuss management of cybersecurity risks
• To discuss how Enterprise Risk Management may be used to enable strategy and manage risks institution-wide
• To improve fraud risk knowledge and discuss management of fraud risks
• To discuss moving your institution toward proactive enterprise risk management as a way to achieve your strategic objectives
Institutional Leadership and Risk Context - Dr. Michael Dean and Dr. Charles Patterson
Institutional Leadership and Risk Context: Complexity and the Presidential Role
"College presidents find themselves in a setting that is unprecedented in its complexity." American Council on Education (2018)
[Chart: growth in the complexity, accountability, and visibility of the presidential role, 1995 to 2018]
Institutional Leadership and Risk Context: Complexity and the Presidential Role
As the complexity, accountability, and visibility of institutional leadership have grown, so has the urgency to proactively manage risks across the enterprise.
Institutional Leadership and Risk Context
Seven Critical Issues Facing Higher Education (Risk and Insurance, 2018)
• Fiscal Solvency
• Athletic Concussion Injury
• Sexual Assault
• Gender Equality Issues
• Erosion of Public Trust in Higher Education
• Campus Crisis Readiness
• Cybersecurity
"Rising college costs and stagnant or declining pecuniary benefits have led more persons to ask: 'is college worth it?' or, 'do I get a good return on my college investment?'" Forbes Magazine (2017)
Institutional Leadership and Risk Context
Seven Challenges Facing Higher Education (Forbes Magazine, 2017)
• Cost is turning off potential customers and alienating the public
• Increases in federal financial aid are linked to increases in regulation
• Less expensive approaches to certifying competence are disrupting traditional higher education
• The traditional role of colleges as a place for divergent ideas is continually under attack
• Slow economic growth and an aging population are reducing resources
• The value of a college degree as a device to signal knowledge, intelligence, and skills is fraying
• At large campuses, intercollegiate athletics has become too costly and exploitative, and has heightened public awareness of scandals
Institutional Leadership and Risk Context Critical risks across the institution have interdependencies and cannot be managed effectively in silos.
Enterprise Risk Management and Enabling Strategy - Kathy Zelnik
Why ERM?
"Bad news isn't wine. It doesn't improve with age."
"The day soldiers stop bringing you their problems is the day you have stopped leading them. If this were a litmus test, the majority of CEOs would fail. One, they build so many barriers to upward communication that the very idea of someone lower in the hierarchy looking up to the leader for help is ludicrous. Two, the corporate culture they foster often defines asking for help as weakness or failure, so people cover up their gaps, and the organization suffers accordingly."
Why ERM? “You can’t manage a secret.”
Why ERM?
"Without risk, there is no discovery, there's no new knowledge, there's no bold adventure... the greatest risk is to take no risk." ~ June Rogers, widow of Challenger commander Dick Scobee
"Why do cars have brakes? To let them go faster." ~ John Reed, former Chairman and CEO, CitiBank
Risk management is not eliminating or even minimizing risk; it is understanding risk in order to intelligently take advantage of opportunities in a balanced way that maximizes value.
Why ERM? Avoid Crisis Management
Early identification increases the opportunity to take action to mitigate the risk by decreasing its likelihood or impact. Waiting to address the risk reduces the options available as the risk becomes an issue and potentially a crisis.
"The key is that we create the kind of culture, the kind of organization, so we don't get to this point," he [General Manager Paul Wiedefeld] said Wednesday. ... "It's basically about making [sound] decisions day to day," he said. "That prevents you from having to make these kinds of decisions, like shuttering the nation's second-busiest subway." (The Washington Post, March 19, 2016)
ERM's Value: Improving Business Outcomes
• IRS
  • Understood the relationship between performance and risk
  • Made defensible decisions using risk information
  • Used risk-based decisions to improve outcomes
  • Reduced backlog, increased throughput, increased transparency, improved public perception
• Alcoa
  • Established a powerful and persistent tone at the top
  • Increased risk transparency, monitoring, and reporting
  • Encouraged proactive action to reduce safety risk
  • Improved risk management produced measurable business improvements
  • Decreased lost workdays, improved employee morale, improved bottom line
ERM's Value: Improving Business Outcomes
• Opens and improves the channels for communication and dialogue about opportunities and risks by providing transparency at the enterprise level.
• Increases positive outcomes while reducing negative surprises.
• Offers a comprehensive view of risk across an organization from both a "top-down" and a "bottom-up" perspective.
• Allows for more informed decision-making.
• Encourages a more proactive approach to risk management, resulting in "fewer surprises" that may negatively impact the organization's mission and reputation.
• Provides an organization with standardized tools to use in managing risk and sharing risk information.
What is Enterprise Risk Management (ERM)?
• Risk: The possibility that events will occur and affect the achievement of strategy and business objectives.
• Enterprise Risk Management: The culture, capabilities, and practices, integrated with strategy-setting and performance, that organizations rely on to manage risk in creating, preserving, and realizing value.
Introduction to ERM
• A risk is neither good nor bad.
• Risk is an event that may occur and affect the achievement of a business objective.
• Sources of such events:
  • External environment (e.g., economic trends, regulatory landscape, and competition)
  • Internal environment (e.g., people, process, and infrastructure)
• Risk can occur at any level of the organization, such as:
  • Enterprise Level
  • Business Unit Level
  • Program Level
  • Process Level
Integrating Risk and Strategy
Discussion of integrating strategy and risk is elevated through three different dimensions:
• The possibility of strategy not aligning with mission, vision, and core values
• The implications from the strategy chosen
• Risk to strategy and performance
Graphic from COSO's Enterprise Risk Management - Integrating with Strategy and Performance
Attributes of a Strong ERM Program
Graphic from COSO's Enterprise Risk Management - Integrating with Strategy and Performance
• ERM is a mission-oriented, holistic approach to risk management that links risk to organizational strategy and performance.
• ERM typically encompasses all of the strategic, reputational, operational, financial, and compliance risks that an organization might encounter in its attempt to achieve its mission.
• The value of ERM is realized when ERM is embedded into day-to-day decision-making around strategy and performance.
• By bringing risk into performance discussions and strategy-setting activities, ERM encourages a risk-aware culture that is prepared and informed to make early risk-based decisions.
• ERM considers business context to capture forward-looking changes in the business environment, both internal and external, that could impact the ability to meet the mission; this informs the identification and assessment of risks.
Who is Responsible for Risk Management? Not only the Enterprise Risk Officer: EVERYONE
Where Does Risk Management Start? At the Top
• Embrace a risk-aware culture
• Keep communication open and free from retribution
• Send clear messages on acceptable behavior
• Enforce accountability for all actions
• Include risk in conversations about strategy-setting and performance
[Graphic: Risk Transparency spectrum, from Risk "Secretive" to Risk Aware]
Managing Cybersecurity Risk - Dr. Linda Wilbanks
IT / Cyber Security Risk:
• The risk associated with computers, e-commerce, and online technology: applications, systems, and data
• Cyber security risk exposes schools to the exploitation of vulnerabilities that compromise the confidentiality, integrity, or availability of information processed, stored, or transmitted.
• Cyber security risks cannot be managed effectively in a silo: the entire enterprise must participate!
Cyber Risk - Are you Prepared? Are your networks and data secure?
[Map: Virginia, North Carolina, Texas, California]
Are You Addressing Your Cyber Risks? Is your data protected?
Who is Responsible for Cyber Risk? Not only Cyber Risk Management, IT Operations, or the Enterprise Risk Officer: EVERYONE
Cyber Risk + IT Operations = Partners
• Cyber Risk Team: identifies risks; works with IT Operations on mitigations; validates that mitigations have reduced the risks
• IT Operations Team: works with Cyber Risk on mitigations; implements mitigations; continuously monitors mitigations
REQUIRED PARTNERSHIP FOR SUCCESSFUL CYBER RISK MANAGEMENT
Cyber Risks are Everywhere • Internal / external • Natural or man-made • Intentional or accidental
There's No Such Thing as Worthless Data
The bad guys gather seemingly worthless bits of data to launch social engineering attacks, or use a small piece of information to complete the attack puzzle. Student financial data needs to be protected. YOU need to ensure enterprise risk mitigations are in place!
Identify Risks - Protection Standards are CRITICAL
Recent survey: 64% of users do not want elaborate passwords (16 characters, with a mix of numbers, letters, and symbols). However, data needs to be protected to the appropriate level! Identify your cyber risks and work with IT to mitigate them.
Conclusion
• Cyber security risk management strategy comes from the leaders, who have the responsibility to ensure cyber risk management is in place.
• Cyber risks need to be identified.
• Mitigation of cyber risks requires coordination with IT Operations.
• Student data is currency to hackers; it has value, and the associated risks need to be addressed.
• Verify that disaster and contingency risks are identified and mitigated to ensure continuity of operations in the event of an emergency.
• EVERY SCHOOL NEEDS TO HAVE AN ENTERPRISE CYBER RISK MANAGEMENT PROGRAM
Managing Fraud Risk - Linda Hall
Benjamin Franklin “There is no kind of dishonesty into which otherwise good people more easily and frequently fall than that of defrauding the government.”
Is Fraud Risk Management required?
34 CFR 668.16 - Standards of administrative capability.
(g) Refers to the Office of Inspector General of the Department of Education for investigation -
(1) After conducting the review of an application provided for under paragraph (f) of this section, any credible information indicating that an applicant for Title IV, HEA program assistance may have engaged in fraud or other criminal misconduct in connection with his or her application. The type of information that an institution must refer is that which is relevant to the eligibility of the applicant for Title IV, HEA program assistance, or the amount of the assistance. Examples of this type of information are -
(i) False claims of independent student status;
(ii) False claims of citizenship;
(iii) Use of false identities;
(iv) Forgery of signatures or certifications; and
(v) False statements of income; and
(2) Any credible information indicating that any employee, third-party servicer, or other agent of the institution that acts in a capacity that involves the administration of the Title IV, HEA programs, or the receipt of funds under those programs, may have engaged in fraud, misrepresentation, conversion or breach of fiduciary responsibility, or other illegal conduct involving the Title IV, HEA programs. The type of information that an institution must refer is that which is relevant to the eligibility and funding of the institution and its students through the Title IV, HEA programs;
WHAT RISK FACTORS MAY LEAD TO FRAUD? THE FRAUD TRIANGLE
• OPPORTUNITY
  • Weak or ineffective controls
  • Little or no oversight
  • Lax rules
  • Management override
• MOTIVATION / PRESSURE
  • Personal financial obligations/debt
  • Addictions
  • Expectations of third parties/status
  • Greed
• RATIONALIZATION / ATTITUDE
  • Changes in lifestyle
  • "Everyone does it"
  • "I was only borrowing the money"
  • "I was underpaid and deserve it"
Where are your Fraud Risks?
• School employees, officials, financial managers, and instructors
• Lenders and lender servicers
• Guarantee agencies
• Award recipients
• Contractors
• Students
• Others
Establish a Fraud Risk Management Program
Ask strategic questions:
• Who is the senior-level leader who will take ownership of this program?
• How will you motivate people to collaborate across the various disciplines and share information?
• What are the tools and technology available on your campus?
• How will you measure success?
• How will you meet the challenges?
Fraud Risk Management Program
• Internal controls are a strong deterrent
• What is an internal control? A process effected by management to ensure:
  • Financial reporting is reliable
  • Operations are effective and efficient
  • Compliance with laws and regulations
What is Fraud Risk Management?
• PREVENTION - Controls designed to keep fraud and abuse from occurring in the first place.
• DETECTION - Controls designed to detect fraud and abuse that may have occurred.
Who is Responsible for Fraud Risk? Not only Fraud Risk Management or the Enterprise Risk Officer: EVERYONE
Fraud Risk Management Program: TONE AT THE TOP
• Encourage staff to identify and report patterns of fraudulent behavior
• Stay vigilant and remain persistent
• Constantly monitor information for triggers of suspicion and request additional information based on reasonable suspicion
• Investigate allegations of fraud or abuse
• Ensure there are consequences
Assess your Fraud Risks
Tailor your fraud risk assessment to your school:
• Who are the relevant stakeholders?
• What are your data sources?
• What analytic tools are available?
• What controls are in place?
Common question: Is an improper payment fraud?
• Not all improper payments are fraud.
• Not all improper payments represent a loss to the Government.
• BUT... all improper payments degrade the integrity of Government programs and compromise citizens' trust in Government.