Good morning Meredith, While we are still working on our central policy function here at the University of Miami, ERM is something with which I am very familiar. We do have a central compliance function which is responsible for our compliance and accountability program. We do not have operational responsibility for any particular (such as research or athletics, tho I am a Deputy Title IX Coordinator) We assist others ensure their compliance processes are effective and we monitor that effectiveness. As noted by Eric, where ERM is housed is not as important as the Board and senior leadership embracing and supporting it. Ours has, and while we do not have an official Risk Officer, we have formed a committee of Risk Owners (and by best practice those should be the President's direct reports) chaired currently by the CFO. The process is supported by my office, mostly because I had previous experience implementing it. We are concluding our first year un ERM. In the best of all worlds we would have a complete Audit, Risk and Compliance function or Governance Risk and Compliance function which encompassed all these synergies under a Chief Risk Officer. But until we do it's good to know we are moving in the right direction. As a former chief auditor, I can tell you ERM should not be housed in Internal Audit. They can certainly help with the risk assessment portion of the initiative, and advise on risk controls, but in order to maintain their independence, they cannot be part of the risk mitigation, that's management's responsibility.
With regards to your Risk Manager, it really depends on what the scope of his/her responsibilities are. Predominantly in higher ed, and here at UM, most risk managers deal with insurable risk. They are concerned with risk transfer, as opposed to risk mitigation. Not to understate their importance, we have a close relationship with our Risk Management team and they are a valuable source of information with regards to certain risks around the University. But with regards to ERM, they are just a piece of the puzzle. Let me know if you have any questions about anything I've thrown up above. Warm regards, Doug Douglas D. Horr, CIA, CCEP, CBA Executive Director - University Compliance Services Deputy Title IX Coordinator University of Miami Gables One Tower Suite 700 Coral Gables FL 33146 305-284-4657 [http://www6.miami.edu/communications/logos/images/umiami_prime.gif] [Description: ACUA_1c_notag_sm] Understand the Value of Internal Auditing in Just 3 Minutes! www.acua.org/movie<http://www.acua.org/movie> From: [email protected] [mailto:[email protected]] On Behalf Of Meredith Canady Sent: Thursday, February 25, 2016 11:09 AM To: [email protected] Subject: [acupa-l] Enterprise Risk Management Good morning, all, I apologize that this question deviates from the traditional policy-related questions, but I am hoping for input from a policy-administrator perspective. Our policy management is housed in University Compliance, and as a department, we work closely with the Risk Manager on a daily basis. We are looking for models of organizational responsibility, function, and reporting regarding Enterprise Risk Management (ERM). Our 10,000 student public university has the Risk Manager charged with implementation. Would the reporting and oversight of ERM and the Risk Manager be best housed in Compliance? With the Executive Vice President? Internal Audit? Why or why not? Thank you all for any insight you may have! Meredith Canady, J.D. Deputy Compliance Officer Coastal Carolina University The Prudential Building- 114 P.O. Box 261954 | Conway, SC 29528 Tele: (843) 349-6984 [email protected]<mailto:[email protected]> [logo]<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.coastal.edu_&d=CwMFAg&c=y2w-uYmhgFWijp_IQN0DhA&r=FbxNVDpb0dMHqW5PgsfqtA&m=DSUWPTIR9-BevFgyc-N-3xp_AFuYSJ8ykG0gEGNNVdk&s=Js_tofEdBkrDrSuCqIJjaVNnYKPCrR-cx0q3jjcFkSA&e=> Confidentiality Notice This message is intended exclusively for the individual or entity to which it is addressed. This communication may contain information that is proprietary, privileged, confidential or otherwise legally exempt from disclosure. If you are not the named addressee, you are not authorized to read, print, retain, copy or disseminate this message or any part of it. If you have received this message in error, please notify the sender immediately by reply to this email and delete all copies of this message. Replying to Messages: Replying (using Reply) to an ACUPA-L e-mail will distribute your message to the ENTIRE list of members. To send a message privately, reply directly to the individual who sent the message (their e-mail address appears in the "From" line of their original e-mail). To Unsubscribe: Go to http://www.acupa.org/MembershipForm_Discontinue.html<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.acupa.org_MembershipForm-5FDiscontinue.html&d=CwMFAg&c=y2w-uYmhgFWijp_IQN0DhA&r=FbxNVDpb0dMHqW5PgsfqtA&m=DSUWPTIR9-BevFgyc-N-3xp_AFuYSJ8ykG0gEGNNVdk&s=jB5k6vyMPDqBe4lNzwV-WJz1ZQVh7ytzUUtkw50k4RY&e=> and complete the form. We will remove you from the list within 24 hours, during normal business hours. Questions about the ACUPA e-list? Contact Jamie Parris at [email protected]<mailto:[email protected]?subject=ACUPA%20e-list%20assistance> or 607-255-6837.
