Enterprise Risk Management and Higher Education Institutions…Where is the Disconnect?
For the past few months, I have been in conversations with multiple Higher Education institutions about their enterprise risk management strategy and have been surprised by the lack of investment in resources to support the risk management function. For this week's edition of GRC after Dark, I am going to talk about what an ERM strategy should look like for a Higher Education institution (HEI), and why it is important in a post-pandemic world.
Where most HEIs stand today
Most higher education institutions I talk to facilitate what is called a traditional risk management process. Traditional risk management is defined as “the process of making and implementing decisions that will minimize the adverse effects of accidental losses on an organization” (Baranoff, Harrington, & Niehaus, 2005, p. 1.5). This approach to risk management aims to identify potential loss exposures and examine the feasibility of various strategies to limit these exposures. Strategies utilized to manage risk fall into two categories: risk control and risk finance.
Traditional risk management techniques fail to address the full range of risk exposures a Higher Education institution may face. Traditional risk management functions, which have often sat in the accounting, financial, compliance, and internal audit areas of organizations, oversimplify human behavior and thus do not accurately explain how managers perceive risk.
Where risk management is heading in higher education
ERM overcomes the limits of traditional risk management approaches that manage risk in “silos”. ERM does this by positioning risk management as a senior leadership responsibility, assessing risk from an entity-wide perspective, aligning business strategies with risk tolerance levels, and integrating accountability for managing risk across the entity.
ERM focuses on an HEI’s achievement of its objectives in the following five areas:
Business model risks
Business model risks challenge an institution's ability to generate adequate revenue and, in some cases, to even exist. The factors below impact the sustainability and relevance of college and university business models in an environment where innovative approaches to education delivery, revenue generation, and enrollment are evolving rapidly. Institutions that do not plan for these factors may find themselves outpaced by more agile competitors.
Reputation risks
In the 24/7 news cycle where negative headlines score highly, higher education institutions have frequently become the target. Schools can lose alumni and business relationships, brand favorability, etc. Institutions with reputational awareness and control over their increasingly vast presence in the media can reduce the risk of damaging a reputation they have spent years building.
Operating model risks
Operating model risks stem from inadequate processes, people, and systems that affect an institution's ability to function efficiently and effectively. Operational agility is critical to staying competitive, flexible, and relevant as strategies and business models shift. As shown below, college and university operating models involve a range of activities such as how to deliver academic programs, conduct research, make decisions, manage relationships with vendors, sustain enrollment, or maintain accreditation status.
Enrollment supply risks
In the absence of robust, consistent student enrollment, tuition-dependent institutions cannot sustain their financial health and fund operations. Gaps between estimates and actual student enrollment limit a school's ability to forecast faculty turnover, resource use, and infrastructure needs to support the student population. Current trends have pointed to declining student populations (between 2026 and 2031 the number of high school graduates is expected to drop by nine percent), as well as shifting demographics.
Compliance risks
Higher education leadership and governance bodies are expected to remain compliant with a growing array of state, local, federal, and private regulations. Failure to meet compliance standards can lead to consequences ranging from loss of funding or loss of accreditation to, in extreme cases, lawsuits and/or criminal charges against leadership.
What Components should be included in a Higher Education ERM Strategy
Objective Setting
Objective setting means that management sets goals that align with the HEI's mission and its appetite for risk. Strategy is the glue that binds the approach to the objective – and an institution’s approach should take risk into consideration.
Event Identification
Event identification requires the institution to identify activities that may impact its ability to achieve objectives. An important aspect of event identification is to distinguish risks from opportunities.
Risk Assessment and Risk Response
Risk Assessment involves analyzing the impact of identified risks; response addresses degrees of avoidance or acceptance of the risk. In general, there are four responses to risk:
Accept – When the impact and the probability are low, accept the risk.
Control – When there is a high probability of a risk but its impact would be low, ensure that appropriate controls are in place.
Share – When there is high impact but low probability, share the risk with others (e.g., insurance companies, cooperative agreements, third party outsourcing).
Mitigate and Control – When both the probability and the impact are high, design controls and processes to reduce the exposure to the risk.
Control Activities and Monitoring Activities
Control means that management requires adherence to policies and procedures that reduce risk. Monitoring, which is a follow-up activity, ensures that the policies and procedures have been carried out as intended. If proper procedures have not been followed, management should take corrective actions. Both control and monitoring activities are interlocked and extremely important to the risk management function.
Who Should be involved in the ERM process?
The Board
The board must understand and have a commitment to ERM as a multi-year initiative.
The Board also should:
1) support its case with cost/benefit analysis,
2) be prepared to invest in people and training, and
3) develop metrics to measure progress.
The President
The president must engage both the faculty and the board in a partnership that yields effective governance and motivates the institution to meet the challenges of an evolving HEI marketplace. The president should work with the board to set the high-level ERM agenda.
The Chief Risk Officer (CRO)
The CRO is a leader and the internal champion of the ERM initiative. Technology is a significant component of the CRO’s ERM vision. The CRO is always considering modern technology that will provide dashboards so that departments can focus on applicable metrics. The president should support this action and curiosity.
Why ERM is important for HEIs?
The reason ERM is important for HEIs is that ERM is the evaluation of the intersection between internal audit, risk, and compliance in relation to an institutional strategy. Evaluating the intersection of internal audit, compliance and ERM can identify opportunities to enhance value to the institution. Rather than viewing these functions as silos, or as cost centers, many institutions have begun to embrace the synergies that can be realized across these important functions and leverage them to create a new paradigm for supporting effective risk management. Some of the common intersections of these functions include:
Identifying risks
Performing risk assessments
Evaluating and prioritizing enterprise-level risks
Monitoring and communicating risk mitigation efforts
Providing training and education related to key risk areas
In conclusion
Implementation of ERM strategies is important for the continued growth and impact of HEIs in North America. The board and president must provide the resources/tools necessary for the risk management team to effectively manage the ERM process. ERM teams need to be seen as value centers in HEIs. The HEIs that embrace this idea will be extremely successful in a post-pandemic world.
If you are a risk professional with questions about ERM, GRC, Audit, Compliance, or GRC technology, please comment below or message me directly. Follow me on LinkedIn for future editions of GRC after dark.
Senior M&A Integration Lead at Davies Group | PMP, PMI-ACP, PMI-RMP, SPC 6, SA 6, PSM I, PSPO I | Special Forces Combat Veteran
(2 years ago) PHILIP C. Thank you for sharing such an informative article on the importance and necessity of maintaining a robust and purposeful ERM program. I have never explored the nuances of ERM within HEIs and found your post highly interesting.
Sales Business Development Practitioner specializing in CRM efficiency and lead generation.
(3 years ago) Philip, thanks for sharing!