ROLE OF THE GENERAL COUNSEL IN INSTITUTIONAL RISK MANAGEMENT
Marcia Isaacson, CUNY
James J. Mingle, Cornell University
Stephen D. Sencer, Emory University
Introduction
• Jim Mingle – General Counsel of Cornell
• Steve Sencer – General Counsel of Emory
Overview of this session
• Structures for Institutional Risk Management
• Process for Risk Identification
• Process for Risk Management
• Board’s Role in Risk Oversight
• Compliance vs. Risk Management
Key Questions
• How do you know if the right risks are being identified?
• How do you determine who is “in charge” of managing and mitigating the risks?
• How do you know if the “most serious risks” are being aptly assessed and institutional resources are strategically directed?
• What oversight and support structure will aid in the overall risk management effort?
Structures for Institutional Risk Management
o Committee/Council model
o Chief Risk Officer Model
o Hybrid
o Role of Risk and Insurance Department
Cornell
• Committee chaired by General Counsel – has 21 members from broad range of offices, including Finance & Administration, HR, University Relations, Research, Audit, Risk Management & Insurance, Campus Health, Student and Academic Services, EH&S, IT, Police, Facilities.
• Meets at least quarterly.
• Five Main Risk Categories: Operations, Finance, Life & Safety, Reputation, Legal.
• Guiding principles include:
  • Identify main and specific risks and ensure that specific risks have responsible managers
  • Enable an efficient system of guidance and support to individuals “in charge,” through development of appropriate policies and assistance of risk advisory committees (ad hoc and standing), and elimination of silos which may inhibit institutional risk and management efforts.
• Other Structures Considered
• Counsel’s Role in Shaping Structure
Emory’s ERM Structure
ERM Executive Committee
• President (Committee Chair)
• Provost
• EVP for Health Affairs
• EVP for F&A
• SVP and General Counsel
• SVP and Dean for Campus Life
• SVP for Development
ERM Steering Committee
• Chief Risk Officer (Co-Chair)
• Chief Audit Officer (Co-Chair)
• Chief Investment Officer
• Deputy General Counsel
• VP for Campus Services
• VP for Finance
• VP for Human Resources
• VP for IT
Finance & Investment
Campus Safety & Physical Plant
Healthcare
Information Technology
Governance & Corporate Affairs
Academic & Student Affairs
Research
Human Resources
• VP and Secretary
• VP of Communications
• President and CEO, Emory Healthcare
• VP for Research Administration
• Senior Vice Provost
• Director of Student Activities
• Director of CEPAR
CUNY
• Risk Management and Business Continuity Council (47 members: 22 from Central and 25 from campuses)
• Chaired by the Director of Environmental, Health and Safety & Risk Management.
• Deputy General Counsel and Compliance Officer are members.
• Standing Committees
  o Preparedness committee
  o Information Technology committee
  o Travel and transportation committee
  o Insurance committee
  o Infectious disease committee
  o Residence hall committee
• Ad hoc committees formed as needed
• Monthly meetings include reports from standing committees and educational risk-related presentations.
Role of Counsel Re: Structure
• Legal, compliance and risk management overlap, but are not the same function
• Counsel should advise “institution” on risk management structure
  – Management/Leadership
  – Board (typically through Audit Committee)
• Counsel should participate in committee(s)
• Counsel should participate in risk briefings
Emory’s Risk Identification Process
• Cast a big net
• Asked committees to identify EVERY risk
• Generated 555 risks
• Eliminated duplicates
• Reduced list to 140
• Assessed frequency and severity rankings
• Distilled the list to 50 “Key Risks”
Identified “Specific Risks”
MAIN RISKS: LIFE & SAFETY; REPUTATION; FINANCIAL & PROPERTY; OPERATIONS; LEGAL
SPECIFIC RISKS:
• International Programs: Security Assessment & Advice; Due Diligence; Financial Management; Intervention & Evacuation; Travel Safety
• Data Security (Paper & IT): Personnel; Payroll; Donor; Student; Patient
• Patient Care: Medical Malpractice; Compliance – Billing, etc.
• University Governance: Autonomy; Academic Freedom; Critical Partnerships; Ethical Conduct
• Employment Issues: Misfeasance & Malfeasance; Discrimination; Recruitment/Retention; Sexual Harassment; Affirmative Action; Labor Relations
• Emergencies & Crises: Prevention; Planning; Notification; Response; Recovery; Business Continuity
• Athletics: Controversies; NCAA & Title IX Compliance
• Info Tech: Security; Recovery; Licensing
• Loss of Critical Infrastructure: Buildings & Properties; Utilities; Transportation; IT
• Public Safety & Security: Campus Crime Control; Campus Code of Conduct; Faculty/Student/Staff Mental Health; Substance Abuse; Fraternal/Student Organizations
• Health & Environment: Hazards – Chemical, Biological, Radiological; Occupational Health & Safety; Fire; Construction Accidents; Campus Personal Injuries
• Financial Stewardship: Accountability & Controls; Endowment Management; Subsidiaries Management; Financial Fraud; Effort Allocation; Cost Allowability and Allocability
• Research Integrity & Assurance: Human Subjects; Conflicts of Interest, Commitment; Research Misconduct; Animal Research and Care; Stem Cell Research
• Intellectual Property: Protection & Infringement; Equity Interests & Start-ups
Risk Identification at CUNY
– Units/departments on each campus must complete annual risk management survey/report
  • Academic Affairs
  • Mental Health & Wellness
  • Budget/Finance
  • Human Resources
  • Business Services
  • Legal Affairs
  • IT
  • Environmental Health and Safety
  • Facilities
  • Public Safety
  • Student Affairs
– One person on campus designated to distribute/collect the risk surveys
Risk Identification at CUNY (cont.)
– Risk Surveys (in template form) request:
  o Risk Statement
  o Likelihood/Impact/Risk Score
  o Policy and Procedures (existing and potential)
  o Education Training and Awareness (existing and potential)
  o Operational Controls (existing and potential)
  o Oversight, Monitoring or Executive Controls (existing)
  o Audit Controls (existing and potential)
  o Other Controls
  o Responsible Person
  o Mitigation Cost
  o Scheduled Date to Revisit Plan
– Reports are returned to EHS & RM where they are put into a database for analysis by EHS & RM.
– CUNY Risk Manager visits each campus to review surveys.
Staying on the lookout for emerging and overlooked risks
o External Sources for Emerging Risks
  o Regulatory Actions (Dear Colleague Letters)
  o Agency/Inspector General/State Comptroller Audits
  o Problems facing Corporate America (Target Data Breach; FCPA)
  o Problems at other universities (overseas labor practices)
o Emerging Internal Risks
  o Legal obligations with uncertain or multiple homes (privacy of student/patient information)
  o Revenue generating initiatives
  o International Programs
o Learning from Crises
o Non-governmental reporting of information
Emory’s Risk Management Process
• Assign Ownership
  – “Risk Management Process Owner” for each risk
  – Must be sufficiently familiar with the risk and best positioned to write a comprehensive Risk Management Plan
• Review with Senior Leadership
• Repeat
Risk Management Plans

Privileged and Confidential
Attorney-Client Communication

EMORY UNIVERSITY
ENTERPRISE RISK MANAGEMENT
RISK MANAGEMENT PLAN

Date: __________________
Short Description of Risk: __________________________________
Risk Management Process Owner: ___________________________________

Describe the Risk, its Components, and Examples:
Describe the Steps Being Taken to Manage the Risk at an Acceptable Level:
Describe the Operational Response to an Adverse Occurrence:
Describe the Communication Response to an Adverse Occurrence:
Once you have all the data about risk, what does the risk committee (or others) do with it?
• Gauging most serious risks, mitigation measures, risk tolerance
• Addressing Same Risks Year after Year
• What is counsel’s role?
Counsel’s Role in Managing Non-Legal Risks
o Tending to boundaries
o Identifying emerging risks
o Avoiding operational roles
o Ensuring reasonableness of risk management process
Board’s Role in Risk Oversight
• Board’s role is to oversee the risk management process, not manage day-to-day risks
• Management must provide the right amount of information for Board to perform its role
• Janice M. Abraham, Risk Management: An Accountability Guide for University and College Boards
Compliance vs. Risk Management
Compliance
• Policies/Procedures/Controls
• Training/Education
• Monitoring
• Investigation
Risk Management
• Non-legal Risk
• Health and Safety
• Incident Response
• Disaster Recovery/Business Continuity
• Infrastructure
Identify / manage legal and regulatory risk; Work with Responsible Owners
QUESTIONS?