Board of Governors, June 24, 1999 - APPENDIX III, Annex 4


(R. I. M.) GROUP

The proposal to create a Risk Identification and Management (R.I.M.) Group, is a logical extension of a more actively strategic approach to the internal audit function. Even as the number of staff members in Internal Audit has moved from four down to one during the last five years, the definition of its role has changed. According to the former, traditional model:

Internal auditing is an independent appraisal function established within an organization to examine and evaluate its activities as a service to the organization. The objective of internal auditing is to assist members of the organization in the effective discharge of their responsibilities. To that end, internal auditing furnishes them with analyses, appraisals, recommendations, counsel and information concerning the activities reviewed. The audit objective includes promoting effective control at reasonable cost.

Contrast this with the new definition proposed recently by the Institute of Internal Auditors (IIA):

Internal auditing is an independent and objective assurance and consulting activity that is guided by a philosophy of adding value to improve the operations of the organization. It assists an organization in accomplishing its objectives by bringing a systematic and disciplined approach to evaluating and improving the effectiveness of the organization's risk management, control and governance processes.

The IIA's definition assumes a dynamic and integrated risk management approach. As The University of Western Ontario's operations grow in size and complexity, and as entrepreneurial activities move increasingly away from the centre, a move to an integrated risk management model is essential. At present, problems of risk management may be identified as existing throughout an individual unit or (more likely) across units, but there are no mechanisms designed to address these systematic problems. The University's units still function largely as independent silos where the natural impulse, to be frank, is just as likely to be to suppress systemic problems as to attempt to address them, particularly where external assistance would be required in order to do so. I see the creation of this group as strategically necessary, both psychologically and operationally, in order to overcome this entrenched silo mentality.

The need for risk management goes well beyond issues of direct financial risks. These are still relatively easy to quantify and to manage according to well-established strategies. The nature and extent of the University's business (in the broad sense), operational and technological processes, however, are changing rapidly. We have gone through a protracted period of downsizing, rationalization and process review; we now need to transform the way in which we identify, define and manage the risks that Western faces as an organization. A genuine risk management strategy will enable us to focus our resources on the most critical risks facing the University.

In several respects, this proposal parallels the creation of the PeopleSoft Resource Group as a mechanism for addressing cross-functionally the systemic issues arising out of the PeopleSoft systems implementation. Here we moved from a virtually exclusive focus on the particular challenges of implementing each individual module to a broader concern with the implications of a broadly distributed administrative computing system. A similar transition is occurring with respect to the internal audit function. The reactive, unit based, after-the-fact walk through audit work is no longer appropriate. The movement towards a more participative workplace requires us to review the adequacy of our control framework and critically evaluate the control and risk management processes we have in place. The role of Internal Audit is already changing from a passive one of "bean counting" and checking compliance to a more active one of assessing control systems and working with individual units to improve them.

Future Vision

The lines between the internal audit function and the R.I.M. Group will blur as both functions work to develop processes to provide people throughout the University with an understanding and acceptance of risk in their decision making. All activities (operational, legal, reputation and financial) of the University and all types of risks should be covered. The identification of future risks is as important as monitoring existing risks. Both internal audit and the R.I.M. Group would work to answer the question, "has the risk been managed to a level appropriate for the University?".

The work of the R.I.M. Group will be problem and project oriented rather than unit task oriented. The group will not be involved in the daily risk management tasks. Those will be left with individual unit managers. The group should address cross-functional issues and have a broad impact.

Members should bring expertise in a particular risk area to the table. The group will be coordinated by our Internal Auditor, Sharon Farnell. Additional members chosen to participate would initially be individuals representing divisions that report to the Vice-President (Administration) and General Counsel. Those people will spend part of their time pursuing R.I.M. Group objectives as a natural and strategic extension of their existing duties.

The internal audit function will shift its focus from the past to the future and to risk-based auditing. This is a significant change. Instead of looking at the business process in a system of internal control, internal audit will view the business process in an environment of risk. Instead of identifying and testing controls, risks are identified and the way management mitigates those risks are tested. The difficulty with auditing to determine if there are sufficient controls mitigating a risk, is that over time, controls over controls are recommended. The result will be that senior management and Audit Committee members should be able to answer the following questions:

1. What are the University's five most important risks?

2. What are the quantitative means of measuring them?

3. What are the agreed-upon levels of risk tolerance within which the University operates?

In particular, Audit Committee members should be looking at key risk issues of today and tomorrow rather than yesterday's details.

The responsibilities of each function may look something like:

Goal: Provide advice in the use of controls to mitigate risks to an acceptable level. Complete audits in specific areas. Goal: To ensure risk assessment and control is approached in a co-ordinated and continuous manner across the University.
1. Monitor performance indicators and report to R.I.M. Identify gaps and recommend further action. 1. Develop a framework to assess risk. Include a risk definition, types of risk and level of acceptable risk.
2. Review specific units to ensure risk has been managed to an appropriate level. 2. Monitor the environment to anticipate and prevent business risk.
3. Develop in co-operation with specific units controls to mitigate risks. 3. Recommend/develop policies and/or processes relating to risk management.
4. Review the efficiency and effectiveness of risk management and communication techniques. 4. Communicate with the university community:

to develop an understanding of interrelationships.

to develop an ability to use risk management in their decision making.

to exchange information about possible future risks.

5. Where risks cross functions, review processes and recommend changes to the risk management.


This proposal offers a new model of maximizing existing resources to ensure that the corporate University can meet its legal duty of care and exercise due diligence in furtherance of its responsibilities. In this respect, it is superior to other options for meeting our internal audit needs in the newly-emerging environment. These options, and their estimated cost, are set out below:

This proposal offers a new model of maximizing existing resources to ensure that the corporate University can meet its legal duty of care and exercise due diligence in furtherance of its responsibilities. In this respect, it is superior to other options for meeting our internal audit needs in the newly-emerging environment. These options, and their estimated cost, are set out below:

1. Ignore the R.I.M. group proposal and continue to maintain the function at one person.

Cost: Approx. $80,000.

The audit plan would continue to cover a few high risk areas. For example, system upgrades, process change reviews, information security and one to two reviews of a unit or functional process.

The disadvantages:

The advantages:

2. Increase Internal Audit resources to two people.

Cost: Approx. $145,000.

The disadvantages:

The advantages:

3. Outsource the Internal Audit function.

Cost: $100,000.+

The disadvantages:

The advantages:

The perspective underlying this proposal is a broad one. It establishes a path to the future which assures that critical risks are not avoided or merely reacted to but instead are acknowledged, controlled and monitored. The model of active and dynamic management of risk meshes with the new approach to administrative systems management being undertaken by the PeopleSoft Resource Group and with the revitalized Human Resources management model whose promotion will coincide with the appointment of a new Senior Director.

There will be several challenges to face in making this proposal work. Even with initial support from P/VP, there will need to be adjustments and changes to the vision so continuous review will be required. It must also be acknowledged that the blurring of boundaries will sometimes make it difficult to distinguish between Internal Audit and the R.I.M. Group. Furthermore, there remains a substantial body of internal audit work to be done, especially around the PeopleSoft implementation.

As this proposal has received the initial approval of the President/Vice-Presidents group (PVP), to move it forward, an initial framework will be developed and test project selected. As an appendix to this memorandum, attached is a document prepared by The Economist Intelligence Unit and the Arthur Anderson consulting firm entitled "Summary of Managing Business Risks: An Integrated Approach".

Peter Mercer
May 12, 1999

Board of Governors, June 24, 1999 - APPENDIX III, Annex 4 - Appendix


Summary of

Managing Business Risks: An Integrated Approach

The Economist Intelligence Unit and Arthur Andersen