The AGB Council of Finance Committee Chairs earlier this summer identified several topics they wished to discuss at future council meetings. One of the timelier subjects given the rapid dislocation taking place in the higher education marketspace focused on enterprise risk management (ERM) and strategic risk taking. A topic highlighted in AGB’s Top Strategic Issues for Boards 2022-2023: “Looking ahead, colleges and universities face a welter of additional serious, foreseeable risks (post-COVID-19) that leadership must and should be ready for. Boards and chief executives must also develop strategic risk mitigation and crisis response plans to proactively prepare for, respond to, and recover from many threats.” At this past October’s meeting, council members acknowledged that risk management is a board responsibility—that is, tracking, evaluating, assessing, managing institutional risk—and that ERM as a solution offers a common platform for all colleges and universities regardless of complexity or size.
Risk Management Approaches for Boards
Members further noted that higher education’s approach to risk management has evolved over the last several decades as boards and senior leadership broadened their view of enterprise risk management as higher education adopted new risk mitigation strategies. They recognized that while many of the risks colleges and universities face today are not new, the speed at which institutions are operating is accelerating and institutions need to evolve and adapt to keep pace. Council members identified several resources to help guide colleges and universities in this new environment, one being AGB’s Risk Management: An Accountability Guide for University and College Boards, which calls upon higher education institutions to reimagine their approach to risk management as a business process based on four principal tenets:
- Identifying risks across the entire enterprise;
- Assessing the impact of risks to the operations and mission;
- Developing and practicing responses or mitigation plans; and
- Monitoring and identifying risks, holding the risk owner accountable, and consistently scanning for emerging risks.
Through this reimagination, institutional risks can be recategorized to broader themes—that is., strategic, operations, finance, and compliance from the more structured business-focused areas. By redefining risks, institutions would then be able to break down the organizational silos that had historically plagued the effectiveness of higher education’s approach to risk management by encouraging management to look across the entire enterprise while paying particular attention to those risks that occur in the gaps between the silos.
During the October meeting, several council members expanded on these concepts by dividing institutional risk into two buckets. The first they described as “tactical” (or day-to-day) which includes such areas as financial, legal, regulatory, and technology,. requiring screening mechanisms to assess and process the level of risk and then evaluate an institutional response using tools such as an institutional heat map and risk matrixes. The council members observed this effort requires a significant degree of administrative “horsepower”—that is , lgal, finance, audit, etc., and was more the responsibility of the administration. The second bucket included a smaller subset of key “strategic” institutional issues—that is, health care, research, athletics (NIL), financial aid and tuition—operations that represent a potentially significant threat to the institution’s business model. Items that do not fit well into a traditional ERM framework, thus requiring boards to consider and monitor them at a more strategic level.
Risk Tolerance and Intelligence Risk
In assessing risk, council members further noted one of the underlying challenges for boards and executive leadership is that of determining the institution’s appetite for risk—that is, “risk tolerance” when organizational change or transformation is required. They highlighted that when evaluating program and/or project risk, institutional leadership must consider both the “advantages” to undertaking an activity and its embedded risk with the “disadvantages” or negative consequences (strategic, operations, finance and/or compliance), that undertaking the activity may have on the institution. A need to assess whether the proposed activity offers a true competitive advantage (“intelligent risk taking”) or if its projected impact is more than outweighed by its potential downside. Council members agreed in such circumstances leadership must seek to find the balance between encouraging innovation and supporting high performing teams by creating an environment that supports a culture of “intelligent risk taking” and innovation, while simultaneously overseeing an institutional risk approach that monitors and identifies risks, holds the risk owners accountable, and consistently scans for new and/or emerging risks.
ERM Characteristics of High-Performing Institutions
While preparing for the October council meeting, several higher education risk managers were asked to define the characteristics of a soundly crafted approach to risk management and they offered the following observations shared with the council: a shared understanding of the institution’s tolerance for risk; a clear view of the institution’s strategic direction and competitive market position; agreement on the data analytics measuring institutional progress to plan, and a common understanding of the resiliency of the institution’s ecosystem to weather economic shock; agreed upon procedures for dealing with minor variances to key business model metrics and an ability to regularly monitor the underlying business data that can forewarn significant variance from plan and signal real underlying business risk; a senior leadership team that works seamlessly to protect the long-term sustainability of the institution and one that has built an institutional Business Continuity Plan that is dynamic and interactive; and a template that offers a step-by-step process that guides institutional stakeholders in building a simple, but effective, plan to minimize long-term damage to the institution with the urgency necessary to return to “normal” operations after the risks are mitigated.
ERM as a process requires significant self-examination by boards and senior institutional leadership. In order to assist an institution in this effort a series of questions have been identified that boards and leadership may want to ask to help prioritize the risks an institution may be facing and where there may be vulnerabilities.
- What are the top tier risks you see facing your institution over the next 2-3 or 5 years?
- How has your institution balanced the need to encourage innovation and supporting high-performing teams by creating an environment that supports a culture of “intelligent risk taking” and innovation, while simultaneously overseeing an institutional “risk approach” that monitors and identifies risks, holds the risk owners accountable, and consistently scans for emerging risks?
- Does the composition of your board (and committees) include the range of expertise and experience it needs to govern the institution through future crises? How was this accomplished or what more needs to be done?
- Does your institution have a risk management system that tracks issues before they become crises? Do the appropriate board committees have line of sight to inventory of risks?
- Has your board and administration game-planned a crisis scenario? Explain what types of scenarios have been reviewed.
- How does your institution maintain institution-wide engagement in risk management? How has it incorporated the enterprise risk management process into the campus culture?
- Does your institution have a crisis management team with a recognized leader? Does the institution have a playbook for dealing with crisis? Are the emergency response plans clear, distributed to the right people, accessible when needed, and periodically tested and updated? What role, if any, does the board have in the event of a crisis?
- What has your institution done to safeguard its people, systems, and data against cyberattacks?
Steve Golding is a senior consultant for AGB Consulting.
Opinions expressed in AGB blogs are those of the authors and not necessarily those of the institutions that employ them or of AGB.