Integrating corporate compliance programs into enterprise risk programs
Insights presented by Rick Moyer, Stanford University and Baker Tilly
The increasing complexity of higher education management compels institutional leadership to formalize its approach to risk and compliance management. This first requires management to define the roles and responsibilities of all involved in managing and mitigating risks (i.e., the board and its committees, senior leadership and other key risk owners and managers). The risk management process assesses risk at strategic, operational, financial, reputational and compliance levels. Thus, the formal structure of the compliance program should be consistent with the risk management structure.
The internal audit function can play several roles in the formalization of risk management and compliance processes. It could be a designer, implementer and/or facilitator of the process. Internal audit can provide assurance to senior leadership and the board that internal controls built into the processes are aligned with compliance requirements and working effectively to support the achievement of institutional objectives. For many colleges and universities with either a small or no internal audit function, leadership often looks for a strategic partner to foster an effective and intentional approach to managing risk, compliance and the alignment of organizational strategy and operational tactics.
Key takeaways for integrating compliance with enterprise risk management:
- Understanding an ERM process and the way a compliance program fits into it
- Exploring the structure of an ERM program and comparing it to a mature compliance program
- Identifying the places where risk tolerance enter into decisions made when developing a compliance program and ways a current program could begin to mature
For more information on this topic, or to learn how Baker Tilly Higher Education specialists can help, contact us.
