(Risk Management) University Risk Management: Literature Translation


Original text:
University Risk Management
Organizations around the world are facing challenging times due to continuing economic volatility and facing new risks that cause them continuously to assess the potential impact, financial and otherwise, of market conditions on the performance of their operations. And universities are no exception.
Institutions of higher education have significant compliance requirements, and many have invested greatly in response to heightened expectations from stakeholders to stay competitively viable among other universities. However, many continue to approach risk and control requirements in silos, which leads to the creation of multiple frameworks for governance, infrastructure, and processes; fragmented risk and control activities; potential gaps in overall risk coverage; and duplication of effort. Understandably, there is a resulting concern about compliance breaches. Without a common basis for evaluation, audit committees struggle to determine the adequacy of risk and control efforts, and boards and executives want assurance that investments are appropriately focused, consistent with peers, and aligned to the institution’s unique risk issues.
Universities are also facing increased scrutiny from stakeholders regarding issues such as investments and spending, privacy, conflicts of interest, IT availability and security, fraud, research compliance, and transparency. Students, faculty members, staff, donors, and other interested parties are looking not only at what is being done, but how it is being done.
Although the approach to risk management varies from institution to institution, there are clearly some common challenges and trends. Overall, a growing number of universities are integrating a risk management framework into their strategic planning and decision-making processes, but sustaining a formal risk management and reporting process is a challenge. The board of governors, president, and other senior management members are often involved in ongoing risk identification and assessment, and are taking part in efforts to develop and implement both internal and external risk management processes and controls. The establishment of risk champions (members of the university beyond the university’s administration who can champion risk management) within the university is also increasing, which raises the awareness of risk, fosters better understanding of risk management programs and practices, and increases communication to relevant stakeholders.
Applying ERM to universities
Enterprise risk management (ERM) can be described as a strategic process affected by a university’s governance structure, management, administration, and faculty, designed to:
• Help identify risks that may affect the institution.
• Manage identified risks within the university’s risk appetite.
• Provide assurance that the university can achieve its objectives.
The values of the university influence how risk is perceived, and it is important that the culture reflects a risk management philosophy. Having a strong ERM framework can provide a common understanding of risk across the organization and help it achieve its strategic and academic objectives through focusing on the interrelated risks that could have the most significant impact. It drives the organization to integrate risk into its everyday planning and budgeting/forecasting process and operations, and strengthens its ability to deal with unexpected or stealth risks.
As in other organizations, a university’s risk management approach must grow and change with the environment in which it operates. An embedded, sustainable ERM approach allows management to assess, improve, and monitor consistently the way the university manages its evolving risks.
A university risk management maturity model
There are three stages of maturity that can be applied to universities. The risk management maturity model can be used as a roadmap for evaluating an institution's current state and defining next steps. The Baseline Practices stage typically consists of fundamental compliance activities. Typically, there are no established risk management roles, responsibilities, processes, or documentation, and most efforts are made in “silos”. Then, as the university improves its understanding of ERM and alters its practices accordingly, it progresses to an Improved Practices state. In this “alignment” phase, the organization’s ERM efforts have moved beyond mere compliance. There is a certain level of risk ownership by the board of governors, but at this point the roles, responsibilities, and process have not been defined clearly and completely. Finally, in the Optimized Practices state, the university has reached a stage in which ERM processes and responsibilities are fully established and have become integrated into the organization’s strategy and day-to-day operations. The focus during this “integration” phase is now on continuously re-evaluating risk and performance, and adjusting its response accordingly.
Universities without a robust risk management framework are increasingly exploring and implementing new ERM processes, and making risk management an integral part of their planning and decision-making processes, while universities that have already adopted ERM are altering their approach accordingly to reach an optimal state. Current trends include raising awareness through activities such as seeking internal and external stakeholder input, increasing communications of relevant risk management initiatives such as campus emergency communications, identifying risk champions to foster and develop new programs and processes, and involving university executives and the board in risk identification and assessment.
Who’s responsible for risk management?
Risk management is everyone’s responsibility, and the roles and responsibilities of stakeholders must be defined clearly. The board of governors, senior administration, and risk management and internal audit teams are responsible for understanding principal risks in their areas, and for making effective risk management decisions.
Board of governors
The board’s overall risk management mandate is to assess and recommend improvements on how the principal risks of the university are being managed through an effective risk management and internal control system that will help the university achieve its mission. Board members are responsible for:
• Determining a risk-adjusted strategy.
• Facilitating and encouraging a risk management culture.
• Approving risk measurements, risk appetite, and tolerance levels.
• Ensuring the university’s senior administrators have an approach to identifying emerging issues and possible impacts on university operations and business risks.
• Reviewing controls and compliance with the university’s administration and audit teams, and seeking input on university and administrative best practices.
• Understanding and providing oversight on the quality of the university’s overall risk management program implementation and execution.
In determining its risk oversight structure, the board should identify where within its governance practices it addresses risk management matters from an enterprise-wide perspective. In most cases, the audit committee and the finance and administration vice presidents assume responsibility for risk oversight, including:
• Providing the necessary checks and balances so that they are operating in an active oversight capacity.
• Continuously reevaluating risk monitoring processes.
• Reviewing and approving governance practices, policies, priorities, and procedures against best practices.
• Ensuring that audit committee and executing members have instituted processes to identify and inform the board of key strategic, reputational, operational, compliance, and financial risks the organization faces.
• Advising and counseling the deans, professors, and functional unit heads.
The board’s role is to focus on the overall approach to risk management, rather than on the administrative details. The more tactical aspects of the risk strategy are generally the responsibility of the university’s team of senior administrators.
Senior administration
Overseeing the university’s compliance with generally accepted accounting principles, practices, and requirements, and evaluating the university’s finance and accounting practices, risk management, and internal controls to ensure that they are appropriate and adequate is the responsibility of senior administration. Their other responsibilities can include:
• Encouraging the right risks to drive business performance.
• Identifying and prioritizing key risks and aligning university resources accordingly.
• Improving alignment and coordination among risk and control activities.
• Leveraging best practices on managing and controlling key risks.
• Maintaining appropriate oversight of key controls.
• Monitoring and escalating risks.
The university’s senior administrators are responsible for the management of the day-to-day functioning of the university, including strategic, financial, operational, and compliance activities.
Risk management and internal auditing
The risk management and internal audit teams play an important role in university risk management. In general, internal auditing’s responsibilities can include:
• Understanding the university’s challenges and key objectives, and establishing an appropriate, detailed internal audit plan.
• Helping the university’s management and board understand, assess, and manage the organization’s risk through consistent communication and reporting.
• Ensuring that processes are addressing changes and the associated risks adequately, and working as intended, especially during times of change.
In general, risk management’s responsibilities can include:
• Facilitating the completion of an enterprise risk assessment (ERA) and identifying risk mitigation and monitoring practices required for the university.
• Developing an ERM framework, approach, and program that will sustain risk management activities and better coordinate them—where appropriate.
• Ensuring sufficient transparency of relevant risk management practices residing at the university either by way of training, awareness programs, or communication.
In addition to the board and senior administrative members, internal auditors play a crucial role in a university risk management strategy—regardless of whether the risk management group reports directly to the internal audit function.
Improving risk management practices
The steps required to improve a university’s risk management practices can be broken down into three general phases. The core risk management group should start by assessing the current situation to define and prioritize the key risks that could prevent strategic objectives from being achieved. The group should then review the design and operation of the risk management and internal control framework to determine the areas where incremental enhancements would provide the greatest benefits. Once the necessary improvements and processes are in place, they must be monitored and modified, if necessary, to ensure that they are relevant and effective and that risks are being managed appropriately.
One of the most important elements of a successful risk management function is ongoing and involves creating and maintaining a strong risk management culture and incorporating the implications of risk management into regular, everyday decision making. This type of environment can be facilitated through visible executive support for risk management programs, clear expectations, transparent communication and reporting, clearly defined roles and responsibilities, strong governance, and regular self-assessments to review risk exposure.
Phase 1: defining and prioritizing the risks that matter for the university
Before undertaking efforts to enhance the way risk is managed, it is important to understand the institution’s key risks by conducting an ERA. Defining the risks that matter is a critical step to understanding the key controls and decision-making processes, and developing an enterprise-wide view of risk. The ERA is conducted as a facilitated self-assessment, provides insight regarding the significant risks faced, and links them to the objectives, initiatives, and business processes. Although the approach is performed using standard tools and processes, the output must be validated and prioritized by senior management and the board. The risk assessment methodology assists with:
• Providing an insightful point of view on significant risks inherent to institutes of higher education.
• Efficiently capturing insight from across the university using a combination of surveys and structured interviews.
• Validating and prioritizing key risks for monitoring and testing.
• Defining opportunities for improvements to internal controls and management activities.
• Developing the foundational elements of a process that can be embedded and sustained within existing processes.
The four risk pillars that a university should consider during the ERA include: strategic risk, operational risk, financial risk, and compliance risk. These four categories should all be reviewed at the university, faculty, and functional level. Seeking external perspectives on university risk can also be useful. For example, groups such as the National Association of College and University Business Officers, the Association of College and University Auditors, and other sector-specific organizations are good resources.
Phase 2: evaluating the university’s competencies to manage risk
The “Risk Management Performance Assessment” phase builds upon the results of the assessment completed in the first phase and provides a snapshot of the university’s risk management competencies. It is designed to identify opportunities for alignment and coordination across traditional organizational boundaries, as well as determine how well the functional and business operational areas manage risks. In general, this phase offers an overall review of:
• Responsibilities for key risks across functional activities and business processes.
• The degree of alignment and coordination across the organization.
• The maturity of risk management foundational components such as governance, infrastructure, operations, and people.
While performing the review, the following elements should be considered:
• Risk strategy—risk tolerance and appetite, alignment of risk management to university objectives, and risk-related policies and procedures.
• Risk management and assurance processes—risk assessment, risk communication, and reporting (e.g., dashboards).
• Governance structure—sponsorship by the board of governors; risk ownership, accountability, and related roles and responsibilities; appropriate technology (e.g., institution’s intranet and databases); early warning systems; and analytical and modeling tools.
• Culture and capability—measurement, reward, training, and behavior.
This phase helps management recognize how to make incremental enhancements to the existing infrastructure to embed and sustain risk management activities within the normal course of operations.
Phase 3: building an enterprise approach to risk
The last phase involves defining and prioritizing opportunities for improvement, developing specific plans to improve and monitor significant risks, and then enforcing adherence to the established policies and procedures. All efforts to expand risk management competencies should be practical, be embedded within existing functions and processes where possible, support coordination and alignment for risk management and internal control, incorporate leading practices, be coordinated across the entire organization, support effective decision making, and align to industry standards and published frameworks.
Established control activities are only effective if they are implemented and monitored. Once the initial direction for risk management is set, it is important to verify that everyone is complying with the processes and that the changing exposures to risk are assessed consistently and modified as required.
Benefits of ERM
The decentralized nature of universities and the increasing competition over faculty, students, and funds amplifies their requirement for adopting an integrated risk management framework. Universities must build on their present risk management culture, identify internal and external forces that could limit the ability to achieve strategic objectives, assess risks using the appropriate tools, develop an appropriate risk plan, implement the necessary controls and communications, and monitor ongoing risk management activities.
Regardless of a university’s current risk management philosophy and practices, reviewing the risk management framework and adopting an embedded approach to the ERM process and culture will help the university’s board and administration make informed decisions that are aligned with its risk tolerance and strategy, remain confident of compliance with regulatory requirements, and achieve the transparency and outcomes desired by stakeholders.
Source: Carol Wilson, 2010. “University risk management”. Internal Auditor, vol. 67, issue 4, pp. 65-68.
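Translation:
University Risk Management
Because of continuing economic volatility, organizations everywhere are facing challenges that lead them to assess continuously how financial conditions, market conditions, and other factors could affect the performance of their operations. And universities are no exception.

Institutions of higher education have significant compliance requirements, and many investors have responded to stakeholders’ expectations that universities remain competitively viable. However, risk and control requirements have led to the creation of multiple frameworks for governance, infrastructure, and processes; fragmented risk and control activities; potential gaps in coverage of overall risk; and duplication of effort. Understandably, breaches of the relevant rules have become a concern. Without a common basis for evaluation, audit committees struggle to determine whether risk and control measures are adequate, and managers want assurance that investments are appropriately focused, consistent with peers, and matched to the institution’s unique risk issues.

Universities also face more scrutiny from stakeholders on issues such as investments and spending, privacy, conflicts of interest, IT availability and security, fraud, research compliance, and transparency. Students, faculty, staff, donors, and other stakeholders look not only at what is being done but, even more, at how it is being done.

Although institutions’ approaches to risk management differ, there are still some common challenges and trends. Overall, more and more universities are incorporating a risk management framework into their strategic planning and decision-making processes, and sustaining formal risk management and process reporting is a challenge. The board of governors, the president, and other senior managers are often involved in ongoing risk identification and assessment, and work to take part in developing and implementing internal and external risk management controls. The establishment of risk champions (members of the university beyond its administration who can champion risk management) is also growing within universities; it reflects risk awareness, fosters better understanding of risk management programs and practices, and increases communication with relevant stakeholders.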

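Applying risk management to universities
Risk management (ERM) can be described as a strategic process that affects a university’s governance structure, operations, management activities, and faculty, and is designed to:
• Help identify risks that affect the institution.
• Determine the university’s risk tolerance within the scope of management.
• Provide assurance that the university can achieve its objectives.
As for risks that affect the university’s values, what matters most is that the culture reflects a risk management philosophy. A strong risk management framework can provide a shared understanding of risk management across the organization and strengthen the focus on interrelated risks that could most significantly affect its achievement of its strategic priorities and academic objectives. It drives the organization to bring risk into its everyday planning, budgeting process, and operations, and strengthens its ability to deal with unexpected or latent risks.

As with other organizations, a university’s risk management approach must change as its environment changes. An embedded, sustainable risk management approach allows the way the university’s risks are managed to be assessed, continuously monitored, and improved.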

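A university risk management maturity model
There are three stages of maturity that can be applied to universities. The risk management maturity model can be seen as a roadmap for evaluating an institution’s current state and defining next steps. The Baseline Practices stage usually consists of compliance management activities. Typically, no risk management roles, responsibilities, processes, or documentation have been established, and most efforts are made in “silos”. Then, as the university improves its understanding of enterprise risk management and changes its practices accordingly, it develops into an Improved Practices state. In this “alignment” phase, the organization’s risk management efforts have gone beyond mere compliance. There is a certain degree of risk ownership by the board of governors, but the roles, responsibilities, and processes have not been fully and clearly defined. Finally, in the Optimized Practices state, the university has reached the point where enterprise risk management processes and responsibilities are established and have become integrated into the organization’s strategy and day-to-day operations. In this “integration” phase, the focus is on continuously re-evaluating risk and performance and adjusting the response accordingly.

Universities without a sound risk management framework are increasingly exploring and implementing new enterprise risk management processes, making risk management an integral part of their planning and decision-making processes, while universities that have already adopted enterprise risk management are changing their practices accordingly to reach an optimal state. Current trends include raising awareness through activities such as seeking internal and external stakeholder input, improving communication about relevant risk management initiatives such as campus emergency communications, identifying risk champions to foster and develop new programs and processes, and involving university managers and the board in risk identification and assessment.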

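Who is responsible for risk management?
Risk management is everyone’s responsibility, and the roles and responsibilities of stakeholders must be clearly defined. The board of governors, senior administrators, and risk management and internal audit staff are responsible for understanding the principal risks in their areas and for making effective risk management decisions.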

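Board of governors
The board’s overall risk management mandate is to assess and make recommendations on the management of the university’s principal risks through an effective risk management and internal control system, helping the university improve its management. Board members are responsible for:
• Determining a risk-adjusted strategy.
• Promoting and encouraging a risk management culture.
• Approving risk measurements, risk appetite, and risk tolerance.
• Having the university’s senior administrators identify emerging issues and risks that could affect the university’s operations and business.
• Reviewing controls and compliance with the university’s administration and audit staff, and seeking input on best practices for university administration.
• Understanding and overseeing the quality of implementation and execution of the university’s overall risk management program.
In determining its risk oversight, the board should pay attention to where, within its internal governance, it addresses risk management matters from an enterprise-wide perspective. In most cases, the audit committee, the finance director, and the administrative vice president assume responsibility for risk oversight, including:
• Providing the necessary checks and balances so that they operate actively in an oversight capacity.
• Continuously re-evaluating risk monitoring processes.
• Reviewing and approving governance practices, policies, priorities, and procedures against best practices.
• Ensuring that audit committee members have established and carried out processes to identify and report the key strategic, reputational, operational, and financial risks the organization faces.
• Advising and consulting with deans, professors, and unit heads.
The board’s role is to focus on overall risk management rather than on administrative details. The tactical aspects of the risk strategy are the responsibility of the university’s senior administrators.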

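Senior administration
Overseeing the university’s generally accepted accounting principles, practices, and requirements, and evaluating the university’s finance and accounting practices, risk management, and internal controls, is the responsibility of senior administrators. Their other responsibilities include:
• Encouraging appropriate risks to improve business performance.
• Identifying and prioritizing key risks and adjusting university resources accordingly.
• Improving coordination among risk and control activities.
• Managing best practices and controlling key risks.
• Maintaining appropriate oversight of key controls.
• Monitoring escalating risks.
The university’s senior administrators are responsible for managing the university’s day-to-day operations, including strategic, financial, operational, and compliance activities.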

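Risk management and internal auditing
The risk management and internal audit teams play an important role in university risk management. In general, internal audit’s responsibilities include:
• Understanding the university’s challenges and key objectives, and establishing an appropriate, detailed internal audit plan.
• Helping the university’s management and board understand and assess risk through consistent communication and risk reporting.
• The associated risks keep changing, and management processes should be adjusted accordingly; work should be flexible, especially in times of change.
In general, risk management’s responsibilities include:
• Facilitating the university’s completion of a traditional risk assessment and identifying and monitoring university risks.
• Developing a risk management framework, approach, and program that sustains risk management activities and coordinates them better where appropriate.
• Ensuring sufficient transparency, and establishing, publicizing, or communicating the relevant risk management programs.
In addition to the board and senior administrators, internal auditors play a crucial role in risk management, regardless of whether the university’s risk management group reports directly to the internal audit function.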

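Improving risk management practices
Improving a university’s risk management practices can be divided into three basic phases. The core risk management group should first assess the current situation to identify and prioritize the key risks, which will help strategic objectives to be achieved. The group should then review the design and operation of the risk management and internal control framework to determine the most effective risk management. Once the necessary improvements and processes are in place, they must be monitored and modified, if necessary, to ensure that they are relevant and effective and that risks are being managed appropriately.

One of the most important factors in a successful risk management function is that it is ongoing, creating and maintaining a strong risk management culture and incorporating it into regular, everyday risk management decisions. This type of environment can be fostered through executive support for management programs, transparent communication and reporting, clearly defined roles and responsibilities, strong governance, and regular self-assessments to review risk.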

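Phase 1: defining and prioritizing the risk issues that matter for the university
In working to improve the way risk is managed, it is important to understand the institution’s key risks. Defining the risks that matter is a critical step toward understanding risk controls and decision-making processes and establishing the scope of risk. Conducted as a facilitated self-assessment, it provides insight into the significant risks faced and links them to objectives, initiatives, and business processes. The approach is carried out using standard tools, and the output must be validated and prioritized by senior management and the board. The risk assessment methodology assists with:
• Providing an insightful view of the significant risks inherent to institutions of higher education.
• Efficiently capturing insight from universities across the country using a combination of surveys and structured interviews.
• Prioritizing key risks for monitoring and testing.
• Defining improvements to internal controls and management activities.
• Developing the foundational elements of a process that can be embedded and sustained within existing processes.
The four main risks for a university are: strategic risk, operational risk, financial risk, and compliance risk. University faculty should all consider these four categories of risk. Seeking outside perspectives on university risk management is also helpful. For example, groups such as the National Association of College and University Business Officers, the Association of College and University Auditors, and other professional organizations are good resources.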

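Phase 2: evaluating the university’s capability to manage risk
The “Risk Management Performance Assessment” phase builds on the results of the assessment completed in the first phase and provides information on the university’s risk management capabilities. Its purpose is to identify opportunities for alignment across traditional organizational boundaries and to determine how well functional and business areas manage risk. In general, this phase provides an overall review of:
• Responsibilities for key risks across functional activities and business processes.
• The degree of alignment and coordination across the organization.
• The maturity of risk management foundational components such as governance, infrastructure, operations, and people.
When performing the review, the following elements should be considered:
• Risk strategy: risk tolerance and appetite, alignment of risk management with university objectives, and risk-related policies and procedures.
• Risk management and quality assurance processes: risk assessment, risk communication, and reporting (e.g., dashboards).
• Governance structure: the board of governors; risk ownership, accountability, and related roles and responsibilities; appropriate technology (e.g., the institution’s network and databases); early warning systems; and analytical and modeling tools.
This phase helps management gradually recognize how to enhance the existing infrastructure and sustain the risk management activities embedded in the normal course of operations.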

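Phase 3: overseeing the building of an enterprise approach to risk
This phase involves defining and prioritizing opportunities for improvement, developing specific plans to improve and monitor significant risks, and then enforcing adherence to the established policies and procedures. All efforts to expand risk management capabilities should be practical, be embedded within existing functions and processes where possible, support coordination and alignment of risk management and internal control, incorporate leading practices, be coordinated across the entire organization, support effective decision making, and align with industry standards and published frameworks.

Only once effective control activities have been established can they be implemented and monitored. Once the initial direction for risk management is set, it is important to confirm that everyone is complying with the processes and that changing risks are assessed consistently and modified as required.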

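Benefits of risk management for universities
The decentralized nature of universities and the increasingly fierce competition for faculty, students, and funds amplify the need to adopt an integrated risk management framework. Universities must build a risk management culture, identify internal and external forces that could limit the achievement of strategic objectives, assess risks using appropriate tools, develop an appropriate risk plan, implement the necessary controls and communications, and carry out risk management and monitoring activities.

Whatever a university’s current risk management philosophy and practices, reviewing the risk management framework and adopting an embedded approach within the risk management culture will help the university’s board and administrators make informed decisions that are consistent with its risk tolerance and strategy, remain confident of compliance with regulatory requirements, and achieve the transparency and outcomes that stakeholders expect.

Source: Carol Wilson, “University Risk Management”, Internal Auditor, vol. 67 (4), 2010: 65-68.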
