Managing financial risk, which is an essential component of financial stewardship, is the development of strategies to appropriately mitigate risks in order to protect Stanford University's financial assets. While risk is generally defined as anything that exposes an entity to danger, harm or loss, managing financial risk focuses on the protection and appropriate use of financial assets and resources to ensure that they are used in support of the mission and comply with policies, laws, and donor intent. 

The framework for managing financial risk includes the ongoing assessment of risk, clear identification of roles and responsibilities, appropriate internal controls to mitigate risk, availability of resources such as guidelines, policies and training, and intuitive processes that support best practices.  The goal of these activities is to maximize positive outcomes and minimize negative outcomes, while striking the right balance of risk tolerance and mitigation.

Managing financial risk starts with assessing an organization’s mission and the goals it sets to achieve that mission, then determining what could keep it from achieving these objectives. Several interrelated categories of risk must be considered:

  • Financial: the risk of losing current or future resources, or the risk of increased, and potentially unexpected, costs
  • Compliance: the risk of not following laws or regulations
  • Operational: the risk of poor processes that create errors or inefficiencies 
  • Reputational: even the appearance of risk, or improper business practices,  may impact the university’s reputation with its internal and external communities

Developing a strong internal control environment requires an engaging, collaborative and continuous improvement process. There are several strategies that organizations employ to reduce risk in a strong control environment. First, leadership identifies the enterprise risks and their related sub-risks while setting the tone at the top. Risk owners, including local units, assess the likelihood of occurrence and impact of each identified sub-risk and document the activities, tools and other mechanisms to mitigate or reduce risks to a tolerable level. Leadership, risk owners and local units monitor mitigation activities for ongoing effectiveness and continuous improvement. 

Additionally, management should review risks on a regular basis, considering any internal or external changes that may indicate new threats or surface the need for past mitigation activities to be revisited. After assessment, management must then prioritize risks based on the impact, likelihood and frequency that they might occur. Then, these prioritized risks inform the creation and implementation of risk management plans and protocols, which form our system of internal controls.

Financial risk management is an ongoing and evolving process, and every individual involved in a financial process or activity has a role to play. Active engagement from each individual in the financial ecosystem increases visibility of risks and strengthens the control environment in a continued effort to safeguard the university.   

All employees, including faculty and staff, have a key role in ensuring stewardship of university resources. Expectations for sound financial stewardship include each individual doing their part to reinforce the university's commitment to upholding its ethical, professional and legal standards. 

Stanford’s high ethical standards and values are captured in the university’s Code of Conduct, which serves as a “shared statement of our commitment to upholding the ethical, professional and legal standards we use as the basis for our daily and long-term decisions and actions.” The Code of Conduct also describes components of excellence in financial stewardship: “We all must be aware of and comply with the relevant policies, standards, laws and regulations that guide our work. We are each individually accountable for our own actions and, as members of the University Community, are collectively accountable for upholding these standards of behavior and for compliance with all applicable laws, regulations and policies.”

Also set forth broadly across the university community is the responsibility to report any suspected unusual financial activity. Administrative Guide Memo 3.5.1: Financial Irregularities outlines the procedures to follow when a suspicion or discovery of financial irregularities arise. Concerns can be reported confidentially or anonymously through the Ethics & Compliance Helpline.

Organizational Roles and Responsibilities

At Stanford, a distributed management model is employed to enable schools and departments to manage their unique business requirements in support of the university’s mission. This structure includes three lines of risk management: schools and units, central financial administration and the internal audit function. This structure is referred to as the Three Lines Model.

As two important layers of university management, distributed and central functions work together to uphold the shared responsibility for financial management and stewardship. It is critical that roles and responsibilities for financial management, including managing risks, are clearly defined and understood to avoid duplication of effort or gaps in oversight. The three lines within these layers include:

  • Schools and Unit Departments work within Stanford’s business ecosystem to own and manage operating risks, mindful of budget and stewardship of university resources. They are the first line of “checks and balances” when it comes to financial stewardship.
  • Central Financial Administration, which includes Financial Management Services (FMS), establishes and evolves the financial infrastructure to effectively balance controls with operational efficiency. This layer provides oversight, expertise and monitoring of compliance, financial and operating risks.
  • The Office of the Chief Risk Officer (OCRO), which includes Internal Audit and Ethics and Compliance, provides independent and objective assurance and advice on matters related to achievement of the university’s objectives (e.g., mission, compliance, etc.). 

These three groups or ‘lines’ work together to provide assurance to senior management in mitigating risk, ensuring compliance and achieving the university’s objectives.

Delegation of Authority

Under the Founding Grant, the Board of Trustees (“Board”) is the custodian of the endowment and all the properties of Stanford University. The Board delegates broad authority to the president to operate the university and to the faculty on certain academic matters.

Financial approval authority (and financial reporting authority) is granted by units through Authority Manager. Approval authority can be granted based on a specific Project-Task, specific Project, all Projects of a specific Owner (such as a faculty member who may have several research projects or gifts) or an organization (department, school or business unit), and is granted at specific dollar amounts. There are many types of approval authority and they must be granted considering the experience of the staff in the unit, their capability, training, reliability and integrity. Learn more on the Topic Overview: Financial System and Reporting Authority.

Managing authority is a critical component of financial risk management. When an employee terminates from Stanford their authority is automatically revoked. However, other employment status changes may not automatically initiate a change to the individual’s authority. Units should periodically review authority delegations to ensure they are still valid and make updates to financial authority assignments as necessary.

Key Roles and Responsibilities

While all roles at Stanford have a shared responsibility in the stewardship of financial resources, there are specific responsibilities depending on the role the individual plays within the financial ecosystem. Below are some of those examples and expectations. 

Role Key Responsibilities in Managing Financial Risk
University senior management Under the oversight of the Board, university senior management sets the tone at the top and ensures that their units and functions have the appropriate structures, resources and policies to achieve objectives while managing the related risks. This includes dean’s offices at the university’s schools, which have oversight over the needs and operations of their areas.
Fund manager or budget officer Individuals responsible for performing financial reconciliations review accounts, comparing activity to source data (often by drilling into the details in the system), investigating any transactions that look unclear or unfamiliar, and identifying and initiating any corrections that are needed. Reconciliations of financial information should be performed with a critical mindset.
Financial approvers

Financial approvers play a critical role in the stewardship of university funds.  In addition to ensuring proper documentation of each expense, as documented in AGM 3.2.1, Responsibility for University Funds, financial approvers are responsible for verifying that expenditures charged to their PTAs are:

  • Reasonable and necessary.
  • Consistent with established university policies and practices.
  • Consistent with sponsor or donor expenditure restrictions.
Transaction preparers or purchase requisitioners Transaction preparers facilitate transactions, including purchasing and other business expense transactions. Preparers are responsible for entering transactions accurately, while collecting, submitting or maintaining backup source documents for the transactions. Before purchasing items, it’s important that the individual understands university policy and guidance.

Internal controls are the mechanisms, rules, policies, system configurations and procedures implemented to help ensure the accuracy and integrity of financial activities. Controls are implemented to provide reasonable assurance that goals and objectives are achieved; that the work of the university will continue and the mission is accomplished. An example of an internal control at Stanford is the concept of separation of duties, where no one individual is responsible for a complete financial process. 

Internal controls mitigate risk by promoting accountability, protecting data and helping to prevent fraud. Controls protect not only Stanford, but its employees. Properly functioning internal controls can protect an employee from being accused of a misdeed or prevent an error from occurring. Internal controls help to focus our attention on the critical work of the university, rather than recovery from unexpected events or errors.

Types of Internal Controls

An effective internal control environment incorporates interrelated types of controls that are designed and implemented to mitigate risks based on where and when they occur. Some of the types of controls are illustrated in the table below. 

Category Type of Control Description and Example
Fundamental types of controls  Mitigating Mitigating controls attempt to discover mistakes and permanently reduce the possibility of occurrence. This may include a review of final activity and financial reports for discrepancies between planned and actual activities or regular comparison of budget to actual during the close process.
  Compensating Compensating controls are implemented when compliance cannot be met with existing controls or to offset  the absence of a key control. Separation of duties is a compensating control that helps safeguard University resources by separating responsibility for a task. For example, separation of duties between individuals responsible for ordering processes and those responsible for account reconciliations can ensure that potential errors are detected.   
Controls based on the point in the process when the risk occurs Preventative Preventative controls stop something from happening before it occurs. The pre-approval of a purchase requisition before a purchase is made is an example of a preventive control. 
  Detective Detective controls occur after an activity has already happened so that actions can be taken to reduce the risk or correct the error within a reasonable timeframe. The verification and approval of a PCard transaction is a detective control, as is regular review of expenditures against budget.
  Corrective Corrective controls are usually implemented after a detective control discovers a problem which requires remediation. Examples include filing incident reports and developing or updating policies to address why the problem occurred.  
Controls based on manner of implementation Automated Automated controls are built into a system and are carried out exactly the same way every time. These controls may still need a person to review them and take any appropriate action.  For example, when a capital equipment requisition is entered, an ‘end route’ approver is added to apply necessary expertise to this unique and high risk type of purchasing activity. 
  Manual Manual controls are performed by an individual and must be done consistently to maintain effectiveness. For example, manual sampling of random financial transactions on a quarterly basis.
Controls based on cadence and occurrence Routine Routine controls are always in place for each financial activity. For example, the requirement for a designated PTA approver to review and approve every transaction that meets a specific threshold.
  Periodic Periodic controls are performed on a regular cadence. For example, a weekly review of activity, a monthly reconciliation of an expenditure report, or an annual comparison of budget versus actual.

There is not one type of control that mitigates all risks. The type of control or combination of controls implemented must support the specific intended risk mitigation. To avoid some risks, a preventive control may be required, whereas for others, a detective control may be more appropriate, and in some cases, a combination of controls is the best approach.

Control and Mitigation Activities

There is a range of activities that are implemented within a control environment to support ongoing financial risk management. Below are a few key activities within the university’s financial ecosystem.

Separation of Duties

Separation of duties is a specific type of control and mitigation activity where more than one person is required to complete a single task, ensuring that no one individual has sole oversight over the full transaction. Duties are separated, as a preventative control, among different individuals to reduce the risk of error or inappropriate action. Normally, responsibilities for authorizing transactions (approval), maintaining custody of assets (receiving), recording transactions (accounting) and handling the related asset are divided. 

For example, the same person should not authorize a transaction for goods, approve the request, receive the goods ordered, record the transaction (such as authorizing the invoice for payment or deciding the PTA to charge the goods) and reconcile it (ensuring cost is reasonable, appropriate and charged to the correct PTA).  

Clearly designed, assigned and documented separation of duties allows for operational management to occur with those most familiar with a business transaction, but in a controlled manner that allows for issues to be quickly identified and resolved. Separation of duties should be a key consideration when delegating financial approval authority in a unit. 

Transaction and System Controls

System controls are systematic mechanisms implemented to mitigate the risk of error, fraud, waste and abuse. System controls are built into an application, such as Oracle Financials, and carried out exactly the same way every time, leading to automation. These controls may still need a person to review them and take appropriate action. Transaction and system controls continue to evolve to ensure that knowledgeable staff can originate, approve and review a transaction within an established structure that supports compliance and financial reporting. 

Reconciliation

Reconciliation, which is another type of control activity, is the process of comparing transactions and activity to supporting documentation for validation. It ensures that two complete sets of related data match and are in agreement. Reconciliations provide an after-the-fact review; a detective control to identify anomalies when reviewing aggregated data. Having an internal structure for expenditure type usage and budget rolls-ups creates efficiencies in this review. For schools and departments that use conventions around expenditure types and budget rollups, there is the ability to capture anomalies across large budget segments. 

Reconciliations of financial information should be performed with a critical mindset, which includes asking oneself important questions such as:

  • Was the expenditure allocable to the right PTA? 
  • Do the charges from other units or service centers represent services that were requested and received?
  • Is the travel or equipment charges accurate, not duplicated and related to the project? 
  • Was the correct expenditure type used and was it reviewed to ensure accuracy?
  • Were any costs allocated to more than one PTA shared equitably, and the allocation documented per policy guidance? 
  • Are all expected costs posted and if not, have they been investigated? 
  • Are open items or variances resolved in a timely manner?

Learn more about one type of reconciliation at Stanford on the Topic Overview: Balance Sheet Account Balance Reconciliation.

Training

Training, which is another type of control activity, helps ensure that staff are able to understand and gain practice with the various types of transactions and how to understand the “why” behind them, mechanics of processes and systems and their supporting policies. This, in turn, allows them to focus on the critical components of their work, doing what they do best and escalating concerns as needed. Training may occur through courses, practical exercises and ongoing assessment and feedback cycles. Examples of training and resources related to financial risk management are available under ‘Resources and Training.’

Establishing Controls

It’s important to recognize that controls are not always perfectly effective and must be implemented alongside other measures to reduce and mitigate risk. With any control or risk management strategy comes a cost to the organization, whether through resources such as costs for training or technology, increased administration and/or business delays. Striking the balance between the right degree of controls that mitigate risk but do not overly hinder the organization’s goals is an ongoing, evolving process.

To establish internal controls, management collaborates with their team to consider the risks to the team’s goals, and sets procedures in place to reduce the risks. Management should evaluate the likelihood and frequency of the risk, the cost of the risk, the cost of the control procedure, and make decisions on the control design, including the level of risk the organization can accept and the impact the risk may have to its objectives.

There are many resources and training provided by the university that support financial risk management. Below is a sample of those offerings:

Training
Administrative Policies and Guides
Support and Assistance
  • Financial Risk Management team: This team works collaboratively with schools and unit departments to identify, assess and mitigate financial risk for the Stanford community. Services include the development of risk mitigating solutions, frameworks, policies, training and consultations.
  • Financial Support Center: This is the primary method of receiving individualized support for all types of financial tasks and transactions such as purchasing, business and travel expense policies and procedures. 
  • Ethics & Compliance Hotline: Members of the Stanford community who have concerns may report them, anonymously if desired, and knowledgeable individuals will provide a resolution. Stanford policy prohibits retaliation against an individual who in good faith reports or provides information about concerns or suspected violations.