Institutional Risk Management
Why Institutional Risk Management?
Risk, broadly defined, is anything that could prevent the University from achieving its objectives, and it is inherent in pursuing our mission. The aim of this initiative is not to eliminate risk but to identify and manage those risks necessary to accomplish our key strategic goals.
The need for the Institutional Risk Management (IRM) initiative is best described by Chancellor Zeppos when he stated, “Because of our institution’s broad academic, healthcare, and research initiatives, the University is subject to extensive regulation and oversight. As a nonprofit organization, Vanderbilt is also obliged by federal tax law and society’s expectation to serve the public good. Along with this regulatory system and public duty, it is essential that Vanderbilt University sets high standards and establishes structures, processes, and systems to identify and effectively manage risk. In April 2007, Vanderbilt’s administration, working with the Board of Trust Audit Committee, established the Office of Institutional Risk Management.”
Dr. Jeff Balser, Vice Chancellor of Health Affairs and Dean of the School of Medicine, further stated, “This is not an audit activity, and is not intended as an evaluation of management effectiveness or the efficiency of work flow processes … rather, the goal of this effort is to create an accurate profile of our risk across all mission areas, with a view to facilitating prioritization of future institutional efforts and resources.” This University-wide initiative is “aimed at identifying the key risks that we see as potential obstacles to achieving our strategic objectives.”
As previously mentioned, this is not an audit activity. Our role in this initiative is to:
1. Facilitate identification and evaluation of risks
2. Facilitate the reporting of key risks
3. Evaluate risk management processes
4. Coordinate risk management activities
Management’s role is to:
1. Identify risks and determine risk tolerance
2. Implement and manage risk responses
3. Provide assurance on the effectiveness of risk responses and/or controls
4. Accept accountability for risk processes and controls
5. Reassess risks and controls as the environment changes (annually)
The identification of risks began by defining ten major institutional categories listed below:
- Financial reporting
- Employee Matters
- Clinical Safety
- Patient Care
- Risk and Safety
- Information Technology
For each of those major categories, we meet with senior management to identify sub-categories and the individuals who are responsible for each area identified. Meetings are then scheduled with participants to discuss risks, the impact and likelihood of those risks, controls and mitigating control processes, and management's assessment of the effectiveness of these controls. The information captured during each facilitated meeting is written up as a draft document, which is forwarded to the participants for review and editing. After the risks for each sub-category are recorded, senior management reviews the final draft for all sub-categories along with the "heat map" matrix, which graphically depicts where each risk is plotted based on impact and likelihood. A final review of the deliverables is performed by senior management prior to distribution to executive management and the Board of Trust Audit Committee.
Participants in the meetings should prepare by thinking about what the key risks and mitigating controls are for the sub-category scheduled for discussion. Consideration should be given to risks that are strategic, affecting the institution's mission; operational, affecting the effective and efficient use of resources; reporting, affecting the reliability of internal and external reporting; and compliance, affecting the ability to comply with applicable laws and regulations.
For these risks, we want to consider the impact and likelihood. When thinking about likelihood, we want to examine the likelihood absent any controls or mitigating processes. By viewing the uncontrolled likelihood of a risk, we are able to assess the inherent risk. Next, we want to document the controls or processes that mitigate these risks, and finally assess the effectiveness of these controls.
What Happens Next?
As previously mentioned in the discussion of the risk assessment process, a draft document of all the risks identified during the facilitated discussion is developed and distributed to the participants for review and editing. Input is received from senior management prior to the distribution of final copies to executive management and the Board of Trust Audit Committee.
Annual Update of IRM Assessments
The risk environment is constantly changing, and as such the risk assessments need to be updated for changes in management initiatives, objectives, controls, and regulatory and reporting requirements. Annually, the Chancellor will request that each risk owner review and update the assessments for any changes to risks, controls or the assessment of controls, as deemed necessary. Management will attest to their review, and all assessments will be reviewed and certified annually by the related Vice Chancellor(s). However, changes to the assessments in the Vanderbilt IRM System can be made at any time. To access the Vanderbilt IRM System, please click on the following link: https://irm.mis.vanderbilt.edu/IRM/IrmLogin.aspx
For additional information about the Vanderbilt IRM System, including an overview of the annual update process, reports, data structure and administrator contact information, see the following resources:
• Getting Started Guide (link to attached document)
• Case Study (link to attached document)