About Enterprise Risk Management
Mission Statement
We promote appropriate internal controls and adherence to Upstate policies. We strive to collaborate with teams across the Hospital and University, focusing together on process improvements that lessen risk severity. Our practices are designed to promote Hospital and University priorities. This office serves as a Hospital- and University-wide resource, assisting departments in optimizing resources while maintaining and developing mutually agreed-upon procedures that contribute to an environment in which negative surprises are minimized. Risks are unavoidable and are always considered in relation to their ability to impact Upstate and its objectives.
Values
Working in an ethical manner, we will be accountable to those relying on us to be effective in every engagement we perform on behalf of Upstate. Our values align with those of Upstate, with a focus on patient care, students, integrity, and intellectual life. We will demonstrate our commitment to these values by consistently showing respect for others, honesty, and ongoing learning in our communication and actions.
Risk Management Upstate Medical University
Every employee shares a responsibility to make our working environment safe and effective. One important way we can help achieve this goal is to establish and follow appropriate Hospital and University policies and procedures.
Internal controls are methods and measures adopted by Upstate to promote the thoughtful and efficient use of state resources. Internal controls provide that complete and accurate records are kept of transactions involving patients, students, vendors, and contractors, and that Upstate equipment is properly cared for and used only for its intended purposes. In short, a well-designed system of internal controls safeguards Upstate assets and ensures accuracy and reliability in the use of those assets and in the performance of our respective jobs. All of us are responsible for adhering to the institution's applicable internal controls.
Committee of Sponsoring Organizations (COSO)
Enterprise Risk Management (ERM) is defined by the Committee of Sponsoring Organizations (COSO) as "a process, effected by an entity's directors/trustees, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."
Upstate ERM
A risk-free environment is impossible; however, it is our job as the Enterprise Risk Management office to assess risks, rank them, and make sure there is a balance between averting risk and taking on risk that may benefit the University as a whole.
We follow a specific framework when assessing these risks, which gives us a standardized process so that we can look at risks through an unbiased lens. This framework is the COSO Framework, and it considers both upside and downside risks. The four possible responses to a risk are:
- Avoidance (terminate): Benefits to be gained from the practice are not worth the risks.
- Reduction (treat): Reduce the risk's likelihood or impact by implementing internal controls such as separation of duties, account reconciliation, and other preventive and detective controls.
- Sharing (transfer): Typically insurance, which SUNY prohibits (cyber fraud coverage is an exception); otherwise the SUNY system is self-insured, and our losses are limited by the New York State Court of Claims.
- Accepting (tolerate): Risks of low likelihood or minimal impact may be tolerated. Sometimes risks are tolerated because there is no uncomplicated way to treat them.
How can you help?
One important facet of Risk Management is that we must all realize that everyone who is part of Upstate is a Risk Manager. Conceptually, as well as in practice, Risk Management would not work if everyone did not play their part: whether that is a patient, student, employee, or vendor reporting something suspicious they saw taking place, or the Risk Management Office performing an audit of a department, we all have a role to make it work.
Internal Controls
Now that we have discussed what Risk Management is, what the department does, and what role everyone plays in risk management, let us take a moment to talk about Internal Controls. Internal controls are the foundation that our Risk Management Department's assessments aim to strengthen. The internal control review analyzes procedures and policies to ensure they are functioning as intended and that they assist the unit in meeting its goals and objectives. Upon completion of the internal control review, recommendations may be made. The recommendations may require adding, deleting, or changing internal controls or procedures for the unit. If recommendations are accepted, a timetable for implementation is agreed upon.
It is important to realize that the Enterprise Risk Management team, when performing a risk assessment or audit, is there to help you and to offer an outside perspective on the way things are being done, not to target you for scrutiny.
The final component in the internal control process is follow-up. This step is performed to verify that the recommended actions have been properly implemented and that the unit continues to function as intended.
Types of Risk
Following the COSO Framework (coso.org), all risks are categorized into distinct types based on the possible effect they may have on SUNY Upstate; this does not mean that a single risk cannot span multiple categories. The risk categories that COSO defines are as follows:
- Compliance Risks
- Operations Risks
- Financial Risks
- Reputational Risks
- Reporting Risks
- Strategic Risks
Failure to identify risks and place them into categories may not only leave the risk unaddressed but also hinder the process that Risk Management follows so steadfastly.
In addition to Upstate's system of internal controls, the Governmental Accountability, Audit and Internal Control Act of 1987 formalizes New York State's commitment to efficient and effective business practices, quality services, and ethics in the operations of state government. The Internal Control Act is the basis for Upstate's Internal Control Program. It requires that all state agencies institute a formal internal control program. The six requirements of the Internal Control Act of 1987 are shown below:
- Maintain written internal control guidelines.
- Maintain an internal control system for continuous review of operations.
- Make a concise statement of policy and standards available to all employees.
- Designate an Internal Control Officer.
- Educate and train all employees on internal controls.
- Evaluate the need for an internal audit function.
Risk Assessment and Management
After the Hospital and University is segmented into assessable units, each unit's risk is assessed. Risk management is an approach to aligning strategy, process, and knowledge to curtail negative surprises and financial losses. The assessment may be done through a self-assessment survey or a one-on-one discussion between the unit manager and the risk management officer. By means of this evaluation, the Hospital and University evaluates its susceptibility to conscious or unintended abuses and to reduced operational efficiency. International Organization for Standardization (ISO) 9001 is applicable and adaptable to the work performed.
The scope of this approach to risk management is to enable all strategic, management and operational tasks of an organization throughout projects, functions, and processes to be aligned to a common set of risk management objectives.
Some of the factors examined in the risk assessment are inherent risk of the unit, management's attitude toward internal controls, physical location, frequency of review, and the rate of personnel turnover.
Upon completing a risk assessment, a rating of low, average, or high risk is assigned to the assessable unit. These ratings are considered when scheduling internal control reviews.
Internal Control Review
The internal control review analyzes procedures and policies to ensure they are functioning as intended and that they assist the unit in meeting its goals and objectives. Examples of procedures and policies that may be reviewed include planning activities, program evaluations, the budget cycle, personnel transactions, information systems, cash activities, contract management, and capital programs.
Upon completion of the internal control review, recommendations may be made. The recommendations may require adding, deleting, or changing internal controls or procedures for the department. If recommendations are accepted, a timetable for implementation is agreed upon.
Follow-Up
The final component in the internal control process is follow-up. This step is performed to verify that the recommended actions have been properly implemented and that the unit continues to function as intended.
Internal Control Standards
Internal controls must meet basic standards to ensure that adequate internal control systems are established and maintained. There are two types of internal control standards: general and specific. General internal control standards describe what we want to achieve, while specific internal control standards tell us how to achieve those objectives. Below are examples of general and specific internal control standards. Each example is followed by a brief explanation.
General Standards
- Reasonable Assurance
Internal control systems should provide reasonable assurance that the objectives of Upstate will be accomplished.
- Supportive Attitude
Managers and employees should always maintain and demonstrate a positive and supportive attitude toward internal controls.
- Competent Personnel
Managers and employees should have personal and professional integrity and maintain a level of competence that allows them to accomplish their assigned duties, as well as understand the importance of developing and implementing good internal controls.
- Control Objectives
Internal control systems should help to assure compliance with laws and that the Hospital and University meets its goals and objectives.
- Control Techniques
These are the means to accomplishing the objectives of the internal control systems (i.e., Specific Internal Control Standards).
Specific Standards
- Documentation
Adequate records of all internal control systems, transactions and events should be maintained.
- Records
All transactions and events should be recorded promptly and accurately.
- Authorization
All transactions and events should be authorized and executed by persons within the scope of their authority.
- Structure
Key duties and responsibilities in authorizing, processing, recording, and reviewing transactions should be separated.
- Supervision
Adequate supervision must be provided to ensure that internal control objectives are achieved.
- Security
Access to, and accountability for, assets and records should be limited to authorized individuals.
Responsibilities
Risk Management Officer Responsibilities:
The Risk Management Officer spearheads the Hospital and University's internal control, enterprise risk management, and compliance programs. This position is responsible for directing those programs by developing, implementing, and evaluating internal control policies and procedures to ensure a system of accountability and oversight of Upstate's operations, so that Upstate effectively and efficiently meets its goals and objectives while minimizing its exposure to risk.
Other duties of the position include:
- Monitoring and evaluating the organization's overall internal control system.
- Coordinating the development and implementation of the Hospital and University's Internal Control Program.
- Monitoring identified weaknesses and required corrective actions.
- Ensuring that employees are informed of applicable policies and receive appropriate training in internal control.
- Reporting the progress and status of the internal control program and areas of risk to senior Hospital and University management and, when appropriate, to the University Auditor.
- Completing the reporting required by Central Administration.
- Managing required certifications by outside agencies such as the Office of the State Comptroller (OSC).
- Collaborating with the University Auditor to incorporate mandated compliance directives into Upstate's existing internal control program.