In large and complex organizations such as Penn, taking sensible risks is a key component of effective management. Whether seeking new revenue sources or implementing a new financial management system, the risks inherent in such ventures must continually be identified and assessed.

At Penn, anticipating and identifying such risks, as well as assuring that management controls and systems are in place to manage them, has assumed a prominent role in the University's strategic planning. The University's strategic plan, Agenda for Excellence, identifies managing risk and increasing accountability as one of its key strategic initiatives.

To that end, the Office of Internal Audit, under the leadership of Managing Director Rick Whitfield, has undertaken a broad-based restructuring designed to position Internal Audit as a business partner with the University and Health System management to anticipate and aggressively manage business risks, ensure strong stewardship and management accountability at all levels, and ensure the integrity of operational and financial information.

"We are shifting Internal Audit to a model of a partner in business practice with the University and Health System managers, rather than enforcers of rules and regulations," Whitfield said. "We want to take a problem solving approach to issues related to internal controls and risks. Over time, I'd like managers to view our department as a key resource for management advice at Penn."

The restructured Office of Internal Audit will develop the expertise needed to make the transition to business partner with the schools and administrative units. To achieve this, staff changes have been made, several positions have been eliminated, and the resulting resources have been reinvested in upgrading certain key positions and obtaining access to technology. In addition, new positions have been created to provide the growing audit services required in the Health System.

"We intend to provide on-going training and professional development for our staff, both current and new," Whitfield said. "We are trying to develop a core of superb people who can be positioned to transition to key management positions elsewhere within the University and the Health System."

In an environment full of risk and complexity, it is imperative that the University build a high quality internal audit capability, noted Executive Vice President John Fry. "We intend to create an internal audit function as capable as any first-class corporate model," he said. "We want to provide real value by helping Penn's managers function in today's complex world."

Whitfield identified five types of business risks which continually confront institutions. They are: strategic risks, which affect the overall direction of the organization; financial risks, which involve safeguarding assets; operational risks, which impact the processes that govern daily operations; regulatory risks, which apply to compliance with laws and regulations; and reputational risks, which affect the institution's public image.

"We are trying to get people to look at these issues , and, when making decisions, ask, 'What are the risks to us, and to the institution?'" Whitfield said. "Our role will then be to provide the tools to assess those risks, and monitor their effectiveness."

A key component of the department's plan is the deployment of new technologies designed to improve productivity and develop automated self-assessment tools which can be shared with management. The idea, Whitfield said, is to use technology that "allows us to do more with less."

This is particularly critical as Internal Audit moves forward with its mandate to integrate the Health System audit needs more fully into its area of operation. With the University moving to further decentralize some of its administrative services in order to improve response time, while the Health System is beginning to centralize certain functions that carry a high degree of risk, the challenge is to "develop highly cohesive professional teams to serve both sides," Whitfield said. Implementing technologies that integrate connectivity to comprehensive information systems will be a significant step toward realizing that goal, he added.

"As we proceed with this long-term process, we will continually focus on minimizing and controlling risk at the beginning of a venture, rather than just stepping in after a problem has been found," Whitfield said.

This heightened emphasis on managing risk is especially critical now, he said, as the University positions itself for the future by developing new educational tools, such as distance learning; deploying new and more complex information systems and technologies changing traditional business processes and internal control systems; seeking new business opportunities; and enhancing the University's compliance program.

In carrying out its new mandate, the department will be guided by an annual audit plan. A key component of the plan is to identify the "audit universe," that is, all those areas within the University and the Health System that should be served by the department. Internal Audit staff will then work with senior management to develop both short and long-term audit plans, with the goal of providing management with the expertise and tools it needs to make sound business decisions, enhance cost effectiveness and realize strategic goals.

"We want to provide managers with the tools to recognize, assess and manage risk," Whitfield said. "We want to help managers identify cost savings, and revenue enhancement opportunities. And we want to be positioned to provide management services to units who need them."

Return to Compass Features for September 10, 1996