Board of Visitors Audit, Compliance, and Risk Committee
March 2, 2017
Audit Department Activities
PROJECT HEALTH CHECKS
Program Governance
• Executive Sponsorship & Leadership (Steering Committee)
• Program Structure & Monitoring
• Roles and Responsibilities
• Defined Goals, Objectives & Business Case
• Benefits Realization
Project Management
• Scope & Integrated Plan
• Risk & Issue Management
• Financial Management
• Resource Management
• Time/Milestone Management
Change Management
• Change Approach & Strategy
• Business Readiness
• Transition from Current to Future State
People
• Organization & Role Design
• Education/Training
Process
• Future State Design Requirements
• Business and Financial Controls
Technology
• Future State Design & Proof of Concept
• Information Security
• Interfaces
• Testing: System Integration & User Acceptance
• Data Conversion
• IT Change Management
• IT Quality Assurance
Large programs are inherently risky. A project health check is a feedback loop to sponsors and stakeholders focused on drivers of success.
Clearly defined goals and measures
Top management support and attention
Sufficient resources allocated
Competent project manager and project team
Effective communication and decision making
Risk and issue management
Assurance and Advisory Projects: In Progress as of March 2017 BOV Meeting
Subject | Areas of Audit Focus | UVA Division
Ufirst HR Transformation Project Health Check | Program governance; project management; financial management | Pan-University
Epic Phase 2 Implementation—Project Health Check | Database security; operational readiness; project management; go-live criteria | Health System
IT System Security: Privileged Access | Management of administrative access to key systems | Health System
Incident Response: Malware | Ransomware | Health System
Medical Center Procurement | Procurement processes and controls | Health System
Archive and Special Collections Library | Safeguarding of assets | Academic
IT Change Management | General computing controls | Academic
Other Audit Department Current Priorities
Topic | Key Tasks
FY 18 Audit Planning Process | • Define audit risk universe • Gather stakeholder input • Conduct risk assessment • Develop audit plan for ACR Committee approval in June 2017
Hire and on-board IT Audit Director | Job is posted; candidate pool forming
Hire and on-board Health System auditor | Job is posted; candidate pool forming
University Compliance
Enterprise Risk Management Update
ERM First Year Priorities
ERM Priorities
Reposition Program
Enhance Board Reporting
Onboard Health System
ERM Priorities Timeline
[Figure: timeline for the Academic Division and the Health System, each with four steps (Adopt ERM Charter; Create Risk Mgmt. Network; Develop Key Risk List; Develop Risk Management/Mitigation), plotted against the dates Feb. 2016, Mar. 2016, Dec. 2016, Mar. 2017, Jun. 2017.]
December 2016
ERM Key Risk Dashboard – Academic Division
ACADEMIC DIVISION KEY RISKS | EXEC. OWNER
RESOURCES - diminished, or loss of, financial resources from major funding sources. (e.g., State, Advancement, Research, Endowment) | EVP-COO
RESEARCH - research leadership, infrastructure, and funding to adequately support the accomplishment of our research objectives | EVP-Provost, EVP-Health Affairs
STATE - concern about whether public policy in the State will continue to be supportive of quality public higher education | President
FACULTY - attracting, retaining, and developing a distinguished faculty | EVP-Provost
LEADERSHIP – maintaining and renewing a highly skilled and cooperative executive team given the attractive alternatives for the best executives | President
EXECUTIVE TRANSITION – preparing for an executive leadership transition and a potential change in the University’s strategic direction | BOV, President
IT SECURITY – enhancing cybersecurity in an era of increasing threats | EVP-COO
RESOURCE ALLOCATION – developing an optimal process for allocating resources in meeting strategic objectives | EVP-COO
ADVANCEMENT – developing a campaign strategy that adequately addresses philanthropic investment, fundraising strategies, and the governance implications of the resulting distribution of resources between the University and foundations | VP for Advancement
COMPETITIVE ENVIRONMENT – assessing the University's competitive space in undergraduate, graduate, and professional programs | EVP-Provost
SAFETY – maintaining a safe environment for the University community | EVP-COO, VP for Student Affairs
INVESTMENTS - stewarding assets particularly related to investable assets | EVP-COO
March 2017
ERM Key Risk Dashboard – Health System
HEALTH SYSTEM KEY RISKS | EXEC. OWNER
HEALTH REFORM: Government payer reform (Medicare, Medicaid, and ACA) | EVP-Health Affairs
STRATEGY: Strategic direction in a changing competitive environment (flexibility around change) | EVP-Health Affairs
TALENT MANAGEMENT: Recruitment and retention of key personnel (patient care services positions, research, and leadership) | EVP-Health Affairs
ONE SYSTEM: Alignment of Health System entities towards a single system of operation | EVP-Health Affairs
QUALITY: Achieving goals for national ranking/patient experience, quality, and care | EVP-Health Affairs
RESEARCH: Research leadership, infrastructure and funding to adequately support the accomplishment of our research objectives | EVP-Health Affairs
TECHNOLOGY: Technology investment and enablement | EVP-Health Affairs
SAFETY: A major quality or safety event | EVP-Health Affairs
PARTNERSHIPS: Maximize the benefits of off-grounds partnerships | EVP-Health Affairs
FACULTY PRODUCTIVITY: Managing faculty productivity (clinical and research) | EVP-Health Affairs
Key Risk List Overlap
Academic Division
• Resources • Research • State • Faculty • Leadership • Executive Transition • IT Security • Resource Allocation • Advancement • Competitive Environment • Safety • Investments
Health System
• Reform • Strategy • Talent Management • One System • Quality • Research • Technology • Safety • Partnerships • Faculty Productivity
CLOSED SESSION
Discussion of proprietary, business related information pertaining to the operations of the Medical Center, where disclosure at this time would adversely affect the competitive position of the Medical Center; specifically confidential information and data related to the provision of patient care services, clinical documentation, and reimbursement as well as compliance with federal laws and regulations regarding the delivery and documentation of such care and related to confidentiality and privacy of protected health information, in consultation with legal counsel, as provided for in § 2.2-3711 (A)(22) of the Code of Virginia.
Audit, Compliance, and Risk Committee Agenda
Resume Open Session and Adjourn