NACUBO


Business Officer Magazine

Identify and Manage Risks

In these sessions, attendees heard how to manage risk, address security concerns, systematically evaluate facility and energy needs, and more.

The Need for IT Risk Management

The need for institutions to develop and adopt IT risk management plans has increased recently due to several factors. These include increased accountability for accuracy and integrity in business operations, heightened board expectations, audit committees' interest in reviewing key controls, and concerns about reputational risk, said Mark Oster, national managing partner, not-for-profit and higher education practices, Grant Thornton, at the session "Understanding IT Risks: A Primer for CFOs and Finance Professionals."

For institutions that are just starting out on this path, it's best to tackle risk management gradually. Stephen Landry, chief information officer, Seton Hall University, South Orange, N.J., explained how the university implemented its risk initiatives in three phases, spread over 10 years. Kicking off efforts in 2005, the university implemented a Banner enterprise resource planning (ERP) system and launched a systematic review of risks. In 2009, it expanded risk assessment to include all IT-related tasks, followed by the launch of an enterprise risk management (ERM) program in 2013.

Grant Thornton's Oster, who defined risk management as the process used to identify, source, and measure risk, and the development of strategies to manage it, said institutions can avoid or reduce IT risks by:

  • Putting policies and procedures in place.
  • Training staff.
  • Implementing physical access restrictions and conducting regular reviews of access rights.
  • Using intrusion detection and network monitoring software.
  • Developing proper backup and recovery procedures.
  • Implementing remote access restrictions.
  • Conducting regular software updates.

Category: Facilities

Using a lively Jeopardy game format, James Kadamus, vice president of Sightlines, led three experienced business officers in a competitive question-and-answer session, testing their knowledge of capital and facilities management. Answers were based on Sightlines' recently released State of Higher Education report.

Sherri Tonn, Pacific Lutheran University, Tacoma, Wash., led the trio in the number of correct questions corresponding to the multiple-choice answers listed in categories such as "Before the Roof Caves In" and "Going Green." Roger Bruszewski, Millersville University, Millersville, Pa., gained momentum in the "Act Your Age" category, correctly responding that since 1880, the most college and university space was constructed during the 1960s. In the "Move Over, I'm Crowded" category, Pamela Elliott Cain, Iowa State University, knew that research universities are the only constituent group where growth in enrollment is outpacing space.

Panel participants provided additional insights as they tackled the data points on the Jeopardy grid. Tonn noted that at her university, leadership is viewing deferred maintenance and capital expenditures in terms of building systems and envelopes. "We are trying to work on designated portfolios, building by building, and have identified one- to three-year plans to refresh space before infrastructure failure occurs."

Cain explained her institution's recently set goal of 9 percent of the daily service facilities budget for planned and preventative maintenance—up from 4 percent previously. The Sightlines report notes that best-practice campuses budget 10 to 14 percent for such maintenance.

A Coordinated Effort

Both top-down and bottom-up communication are key to building an effective enterprise risk management (ERM) culture on campus. Faculty and staff at all levels need to be empowered to take an active role and speak up, according to Patti Snopkowski, chief audit executive, Oregon State University, and Ellen Holland, chief risk officer with Oregon's multicampus Public University Risk Management and Insurance Trust. In a session titled "Leveraging Collaboration to Mitigate Risk," the two shared what they have learned in developing and implementing a systemwide ERM strategy for Oregon's public universities.

A collaborative process that encouraged broad involvement from a number of different parties has strengthened the Oregon effort. Under ERM principles, process owners take responsibility for identified risks within their purview, but many other parties or offices may play a role in supporting their efforts. Among the offices that should be involved are risk, audit, compliance, and legal counsel.

It is important, however, that each understand its proper role. Risk and compliance personnel have much useful knowledge and experience and make excellent facilitators who can support process owners. They can "roll up their sleeves" and help with implementation.

The roles of internal audit and legal counsel need to be more circumspect: They should function as advisers only, so they maintain the independence necessary to fulfill their core functions. All these offices can make significant contributions as champions of the ERM model and as trainers for process owners and other staff.
