Board of Visitors Audit, Compliance, and Risk Committee

March 2, 2017



Audit Department Activities


PROJECT HEALTH CHECKS

Program Governance
• Executive Sponsorship & Leadership (Steering Committee)
• Program Structure & Monitoring
• Roles and Responsibilities
• Defined Goals, Objectives & Business Case
• Benefits Realization

Project Management
• Scope & Integrated Plan
• Risk & Issue Management
• Financial Management
• Resource Management
• Time/Milestone Management

Change Management
• Change Approach & Strategy
• Business Readiness
• Transition from Current to Future State

People
• Organization & Role Design
• Education/Training

Process
• Future State Design Requirements
• Business and Financial Controls

Technology
• Future State Design & Proof of Concept
• Information Security
• Interfaces
• Testing: System Integration & User Acceptance
• Data Conversion
• IT Change Management
• IT Quality Assurance


Large programs are inherently risky. A project health check is a feedback loop to sponsors and stakeholders focused on drivers of success.

Clearly defined goals and measures

Top management support and attention

Sufficient resources allocated

Competent project manager and project team

Effective communication and decision making

Risk and issue management


Assurance and Advisory Projects: In Progress as of March 2017 BOV Meeting

Subject | Areas of Audit Focus | UVA Division

Ufirst HR Transformation Project Health Check | Program governance; project management; financial management | Pan-University

Epic Phase 2 Implementation—Project Health Check | Database security; operational readiness; project management; go-live criteria | Health System

IT System Security: Privileged Access | Management of administrative access to key systems | Health System

Incident Response: Malware | Ransomware | Health System

Medical Center Procurement | Procurement processes and controls | Health System

Archive and Special Collections Library | Safeguarding of assets | Academic

IT Change Management | General computing controls | Academic


Other Audit Department Current Priorities

Topic | Key Tasks

FY 18 Audit Planning Process | • Define audit risk universe • Gather stakeholder input • Conduct risk assessment • Develop audit plan for ACR Committee approval in June 2017

Hire and on-board IT Audit Director | Job is posted; candidate pool forming

Hire and on-board Health System auditor | Job is posted; candidate pool forming


University Compliance


Enterprise Risk Management Update


ERM First Year Priorities

ERM Priorities
• Reposition Program
• Enhance Board Reporting
• Onboard Health System


ERM Priorities Timeline

Timeline markers: Feb. 2016, Mar. 2016, Dec. 2016, Mar. 2017, Jun. 2017

Academic Division
• Adopt ERM Charter
• Create Risk Mgmt. Network
• Develop Key Risk List
• Develop Risk Management/Mitigation

Health System
• Adopt ERM Charter
• Create Risk Mgmt. Network
• Develop Key Risk List
• Develop Risk Management/Mitigation


December 2016

ERM Key Risk Dashboard – Academic Division

ACADEMIC DIVISION KEY RISKS | EXEC. OWNER

RESOURCES - diminished, or loss of, financial resources from major funding sources. (e.g., State, Advancement, Research, Endowment) | EVP-COO

RESEARCH - research leadership, infrastructure, and funding to adequately support the accomplishment of our research objectives | EVP-Provost, EVP-Health Affairs

STATE - concern about whether public policy in the State will continue to be supportive of quality public higher education | President

FACULTY - attracting, retaining, and developing a distinguished faculty | EVP-Provost

LEADERSHIP – maintaining and renewing a highly skilled and cooperative executive team given the attractive alternatives for the best executives | President

EXECUTIVE TRANSITION – preparing for an executive leadership transition and a potential change in the University’s strategic direction | BOV, President

IT SECURITY – enhancing cybersecurity in an era of increasing threats | EVP-COO

RESOURCE ALLOCATION – developing an optimal process for allocating resources in meeting strategic objectives | EVP-COO

ADVANCEMENT – developing a campaign strategy that adequately addresses philanthropic investment, fundraising strategies, and the governance implications of the resulting distribution of resources between the University and foundations | VP for Advancement

COMPETITIVE ENVIRONMENT – assessing the University's competitive space in undergraduate, graduate, and professional programs | EVP-Provost

SAFETY – maintaining a safe environment for the University community | EVP-COO, VP for Student Affairs

INVESTMENTS - stewarding assets particularly related to investable assets | EVP-COO


March 2017

ERM Key Risk Dashboard – Health System

HEALTH SYSTEM KEY RISKS | EXEC. OWNER

HEALTH REFORM: Government payer reform (Medicare, Medicaid, and ACA) | EVP-Health Affairs

STRATEGY: Strategic direction in a changing competitive environment (flexibility around change) | EVP-Health Affairs

TALENT MANAGEMENT: Recruitment and retention of key personnel (patient care services positions, research, and leadership) | EVP-Health Affairs

ONE SYSTEM: Alignment of Health System entities towards a single system of operation | EVP-Health Affairs

QUALITY: Achieving goals for national ranking/patient experience, quality, and care | EVP-Health Affairs

RESEARCH: Research leadership, infrastructure and funding to adequately support the accomplishment of our research objectives | EVP-Health Affairs

TECHNOLOGY: Technology investment and enablement | EVP-Health Affairs

SAFETY: A major quality or safety event | EVP-Health Affairs

PARTNERSHIPS: Maximize the benefits of off-grounds partnerships | EVP-Health Affairs

FACULTY PRODUCTIVITY: Managing faculty productivity (clinical and research) | EVP-Health Affairs


Key Risk List Overlap

Academic Division

• Resources
• Research
• State
• Faculty
• Leadership
• Executive Transition
• IT Security
• Resource Allocation
• Advancement
• Competitive Environment
• Safety
• Investments

Health System

• Reform
• Strategy
• Talent Management
• One System
• Quality
• Research
• Technology
• Safety
• Partnerships
• Faculty Productivity


CLOSED SESSION

Discussion of proprietary, business related information pertaining to the operations of the Medical Center, where disclosure at this time would adversely affect the competitive position of the Medical Center; specifically confidential information and data related to the provision of patient care services, clinical documentation, and reimbursement as well as compliance with federal laws and regulations regarding the delivery and documentation of such care and related to confidentiality and privacy of protected health information, in consultation with legal counsel, as provided for in § 2.2-3711 (A)(22) of the Code of Virginia.

Audit, Compliance, and Risk Committee Agenda


Resume Open Session and Adjourn