Enterprise Risk Management and Regulatory Compliance Policy and Program
The purpose of the Enterprise Risk Management (“ERM”) and Regulatory Compliance Policy and Program is twofold. First, it is to strengthen the University’s management of risk through the proactive process of identifying, assessing, evaluating, mitigating and monitoring risk in all University operations and activities. Second, it is to ensure the University’s compliance with all applicable laws, regulations and policies through the proactive process of identifying, describing and assigning responsibility for compliance.
Risk management and regulatory compliance are fundamental responsibilities of University leadership and management. Seton Hall is committed to developing a culture that utilizes the ERM and Regulatory Compliance Program as a means of managing risk and enhancing compliance in all University operations and activities.
This policy is intended to implement the ERM and Regulatory Compliance Program approved by the Board of Regents on December 1, 2011 (BOR.Res.11.1201.01).
This policy is a University policy and applies to all administrators, faculty and staff.
- Risk refers to the probability of a negative event and potential consequences to the University if the event occurs. Risk is inherent in all academic, administrative and business activities of the University. Risk may adversely impact the attainment of the University’s strategic goals and objectives.
- Enterprise Risk Management (ERM) is the consistent, structured and process-driven tool that enables University leadership and management to identify, assess, evaluate, mitigate, monitor, prioritize and respond to risk that affects the achievement of University strategic goals and objectives. ERM enables the ongoing identification of risks and controls and monitoring of risk levels and trends over time.
- Regulatory Compliance is the process under the University’s ERM Program that assigns responsibility to Seton Hall administrators, faculty and staff for identifying and complying with applicable laws, regulations and policies.
It is the responsibility of each divisional vice president to identify, assess, evaluate, mitigate, monitor and report risks in their respective divisions utilizing the University’s ERM Program.
As part of an annual top-down risk assessment facilitated by Internal Audit, each divisional vice president defines 3-4 metrics that can be used to monitor and report on current risk levels and trends (e.g., discount rate, selectivity, or crime statistics). A tolerance is established for each risk metric – this is the maximum amount of risk the University is willing to accept in pursuit of its strategic objectives in this area. Then, on a quarterly basis, division management tracks the actual risk level for each metric against the established tolerance and reports it to the Internal Audit Department. The Internal Audit Department analyzes the metrics and identifies any risk trends from previous quarters (increase or decrease in risk levels). Finally, the Internal Audit Department presents a risk dashboard to the Audit Committee of the Board of Regents summarizing risk levels and trends for the period.
It is the responsibility of each divisional vice president to develop a Compliance Calendar listing all applicable federal, state and local laws and regulations for which his/her division is responsible. The template for the Compliance Calendar is included in the Procedures for implementing the ERM Program.
University leadership is required to create an environment where managing risk and ensuring regulatory compliance is the responsibility of each member of the Seton Hall community. The roles of administrators, faculty and staff may range from identifying and reporting risks associated with their job functions and responsibilities, to creating plans to mitigate or manage risks to taking action to comply with applicable law.
The Internal Audit Department will develop and maintain documented procedures for implementing the University’s ERM and Regulatory Compliance Program.
VI. Record Keeping and Confidentiality
The Internal Audit Department is responsible for maintaining the University’s records on risk identification, assessment and management. These records are confidential University records. The contents of records are shared on a need-to-know basis only as determined by the University or as otherwise required by law.
VII. Responsible Offices
- Office of the President
- Office of the Provost and Executive Vice President
- Divisional Vice Presidents
- Executive Cabinet
- Director of Compliance and Risk Management
- Office of Internal Audit
This policy was approved and promulgated by the President on the recommendation of the Executive Cabinet on August 7, 2013. The President is empowered to amend and update the Policy and procedures as necessary. This policy is intended to implement the ERM Program approved by the Board of Regents on December 1, 2011 (BOR.Res.11.1201.01). The University reserves the right to amend this policy at any time.
August 7, 2013