AuthorDavid Anderson is President and Founder at RiskClimate. ArchivesCategories |
Back to Blog
David L. Anderson
Dr. Anne E. Lundquist “Educating students is the primary mission of a college or university, and the governing board is the primary steward of that mission” (AGB, 2018). Historically, the world of higher education has been a largely self-created, self-perpetuating, insular, isolated, and self-regulating environment. Colleges and universities perceived themselves as substantively different and separate from both for-profit and other not-for-profit entities, and the “outside world” viewed and treated them as such. In this culture, higher education institutions have generally been governed under traditional, independent “silos of power and silence” management models, with the right hand in one administrative area or unit often unaware of the left hand’s mission, objectives, programs, practices, and contributions in another. Today, all of that has changed. The proliferation of laws and regulations affecting institutions of higher education (IHEs), increased public scrutiny regarding the value and relevance of higher education itself, the rise of consumerism, and recent tragic and high profile adverse events at numerous institutions (including Virginia Tech, MIT, UVA, Michigan State and Penn State, among others), mean that higher education is under more scrutiny than ever and the stakes for not identifying and responding proactively to those risks are also high. How Poorly Handled Risk Events Destabilize Institutions of Higher Education Risk and potential crisis in higher education comes in many shapes and forms: financial, student safety and welfare, human resources, legal and contract, tenure, lawsuits regarding grades or wages, computer hacking and IT infrastructure failures, ethical breaches - the list seems endless. Colleges and universities face scrutiny from accreditation agencies, federal regulatory agencies, state legislators, and student and parent stakeholders; the media has a heightened focus on financial, governance, safety, and ethical matters at IHEs; shifting demographics, declining state support, competition from new education providers present emerging risks; and there is greater accountability for achieving institutional mission and goals. The pressure for university presidents and boards of trustees to not only respond effectively, but to anticipate the risks and their impact, is becoming an expectation, not only for the public, but also for accreditors, ratings agencies, and insurers. But anticipating and managing such a wide variety of intersecting risks is not an easy task, especially in the decentralized administrative governance structures at colleges and universities. When risk events are mishandled, the institutional and human toll can be devasting. At Michigan State, lives were ruined, careers ended, and the institution experienced unprecedented financial and reputational damage. When an identified risk event is not appropriately assessed and acted upon, the threat of multiple occurrences of similar events can quickly become a reality, resulting in excessive degradation of the original affected area, as well as a ripple effect across the institution. Recent tragedies and mishandled situations, along with positive responses to risk events, have taught us some things about what works - and what doesn't. Presidents, chancellors, and their senior administrators can learn a great deal from those instances where presidents and their administrations responded appropriately and effectively to risk and crisis scenarios and did things right, as well as the common themes present in situations when presidents, boards of trustees, and senior administrators got it wrong. The following commonalities were present when institutional leaders “got it right:”
Planning for and Responding to Risk and Crisis: The Evolution of Enterprise Risk Management At its core, ERM is integrated (spanning the entire organization and built into business practices), comprehensive (including all types of risks), and strategic (aligned with overall institutional strategy and mission). ERM is proactive in that it is objectives focused and uses predictive indicators to anticipate previously unforeseen events. ERM is an overarching process that provides a methodology, a common language, and a set of standards to identify, evaluate, prioritize, and manage risks inherent in university operations. ERM is “the commitment to managing risk as an integral component of an organization’s operations in order to maximize opportunities and minimize setbacks to the organization’s mission, strategies and objectives” (International Standards Organization 31000). Jean Chang, consultant and former associate director of ERM at Yale University, points out the important differences between traditional risk management approaches and ERM, noting that traditional risk management is reactive, responding to crises and incidents on an ad hoc basis, with departments operating in silos and no focus on risk interrelatedness. In this model, risk management is fragmented with limited alignment of risk to strategy. The two most widely adopted ERM frameworks (COSO and ISO 31000) ask organizations to think about risk management in the context of the institutional organizational structure and culture as well as across a variety and type of risks including:
Risk practitioners and researchers identify several elements as necessary for an effective ERM program, including clear communication of the objectives and risk management policies throughout the organization and the necessity of sharing a common risk language within the organization. Emory University, in their ERM program, acknowledges that risk is inherent in all worthwhile endeavors and notes that "our goal is to assume risk judiciously, mitigate it when possible, and prepare ourselves to respond effectively and efficiently when necessary." ERM also includes a focus on optimizing risk-taking opportunities to achieve institutional mission and goals, something important to mission fulfillment in the college and university setting. Emory University, in their ERM program, acknowledges that risk is inherent in all worthwhile endeavors and notes that "our goal is to assume risk judiciously, mitigate it when possible, and prepare ourselves to respond effectively and efficiently when necessary." And the University of Oregon talks about “organizational resilience” as a fundamental premise of its ERM program, naming their associate vice president for safety and security their “chief resilience officer.” Development of ERM in the Higher Education Environment While widespread in the corporate sector, primarily in response to regulatory requirements in the wake of 1980s and 1990s financial crises, higher education lags other sectors in ERM adoption and implementation. In private industry, boards and chief executives routinely consider risk in strategic planning, but a 2009 survey by the Association of Governing Boards and United Educators, The State of Enterprise Risk Management at Colleges and Universities Today, reveals that higher education is behind in this important fiduciary responsibility. While higher education does not have explicit federal regulations requiring ERM, public scrutiny of higher education continues to increase. Accreditors, ratings agencies, regulators, legislators, students, and parents demand that IHEs engage in effective decision-making and governance that takes into consideration financial, compliance, and operational risks to meeting their strategic objectives and achieving their missions. Ratings agencies, internal audit, and legal counsel seek evidence of comprehensive risk management. “Unfortunately, a comparative analysis of [2008 and 2013] survey results suggest that higher education is conflicted when it comes to ERM. In many cases, institutions are not following any formal risk assessment processes (AGB and United Educators, 2014). AGB recommends making enterprise risk management an institutional priority with leadership from senior leaders and the board (AGB & UE, 2014). Major higher education associations have endorsed and recommended the ERM approach, including AGB, the National Association of College and University Attorneys (NACUA), the University Risk Management and Insurance Association (URMIA), and the National Association of College and University Attorneys (NACUA). Presidents, boards, internal auditors, legal counsel, and financial administrators are becoming more familiar with ERM and are many are calling for implementation. Because higher education has unique characteristics that differentiate it from other organizations, particularly a shared governance structure, the adoption and implementation decisions, and resulting ERM frameworks, have aspects that make them unique to the higher education environment. Benefits of ERM in Higher Education Dr. Anne E. Lundquist conducted research regarding the unique aspects of ERM in the higher education environment, Enterprise Risk Management (ERM) at US Colleges and Universities: Administration Process Regarding the Adoption, Implementation, and Integration of ERM. Findings from Lundquist’s research further highlight the unique aspects of higher education’s adoption and implementation of ERM:
Taking an integrated approach to risk management linked to strategic planning and decision-making positions an institution to coordinate their risk responses, avoid siloed decision-making, create cross-silo responses (and anticipate previously unforeseen events), guide strategic planning, reduce costs, and achieve mission fulfillment. Most ERM processes include a process to identify risks, assess the risks, create response plans for those risks, report on the risks, and continue to monitor and review the risks. Adopting an ERM approach can help an institution:
The Important Role of Presidents and Boards and ERM Because colleges and universities face increased scrutiny from accreditation agencies, federal regulatory agencies, state legislators, and student and parent stakeholders, many presidents, boards of trustees, risk managers and other senior administrators within higher education institutions see the value and merit of approaching risk management from a systemic perspective. The ERM literature is clear that the “tone at the top” is essential for effective ERM and higher education is no different. Most maturity models place this is as a necessary first step. If the impetus for ERM starts with the board or president, then that level of risk awareness and ownership already exists; if not, then strategies to gain that support and leadership need to be built into later levels and phases of implementation. Presidents, boards, internal auditors, legal counsel, and financial administrators in higher education have all become more familiar with the concept of ERM (Abraham, 2013; Gallagher, 2009; Roach, DeSouzat, & Kaufman, 2010; Siegrist, Gutscher, & Keller, 2007; Pelletier, 2007; Schwartz & Perregrine, 2004; URMIA, 2007). Lundquist's research results revealed that IHEs adopt ERM either as a proactive initiative by the board or president or - reactively - in response to a sentinel event (or a combination). The impetus for starting an ERM program came from the top of the organization in over half of the sample (31% at the board level and 24% from the president or chancellor). The remainder of the programs were initiated by a vice president (17%), internal audit (14%) or the risk manager (10%) (Lundquist, 2016). When asked by institutions decided to implement ERM, respondents stated that their IHE adopted ERM as a proactive measure (75%) identified as a best practice (37%) that would improve decision-making (19%) and allow for enterprise-wide assessment of risk (19%) as opposed to response to a compliance or regulatory failure (6%). In addition to any other reasons cited for starting ERM, 43% that the ERM adoption decision was a board or presidential mandate. Whether to respond to external scrutiny and compliance demands, or to integrate emerging best business practices into risk management and strategic decision-making (or both), IHEs are increasingly adopting and implementing ERM models. The Association of Governing Boards of Universities and Colleges (AGB) declares that “risk management is at its core a government and management discipline, not an end but a means to the end, with the end being the accomplishment of the institution’s mission” (Abraham, 2013, p. 3). Credit rating agencies are increasingly requiring evidence of comprehensive and integrated risk management plans to ensure a positive credit rating, including demonstration that the board is aware of, and involved in, risk management as a part of its decision-making. Internal Auditors at IHEs must provide independent assurance to boards of effective risk management and are held accountable for that role by the International Standards for the Professional Practice of Internal Auditing. Trustees and board members, many of whom are chief executive officers (CEOs) of corporations where ERM is a federally mandated requirement, are introducing the ERM concept to presidents and chief financial officers (CFO) of IHEs (Abraham, 2013; Gallagher, 2009). Major higher education associations have endorsed and recommended the ERM approach, including AGB, the National Association of College and University Attorneys (NACUA), the University Risk Management and Insurance Association (URMIA), and the National Association of College and University Attorneys (NACUA). Gurevitz (2009) describes ERM as the “holistic risk management tool of the future for higher education” (para 10). The Difficulty of Managing ERM at Colleges and Universities Findings from Dr. Lundquist’s earlier cited dissertation research also revealed that administrators responsible for implementing ERM describe the process as time consuming and complex but can also articulate the benefits. Chief amongst these benefits is cross-silo awareness of and dialogue about risks and the proactive response to them, something difficult to achieve in a decentralized higher education environment. This has not necessarily translated into higher ERM maturity for IHEs, particularly in the areas of embedding the ERM process into organizational processes, routinely incorporating explicit discussion of risk into decision-making, or shifting the culture so that all within it view ERM as essential for achieving the IHEs objectives. This difficulty in fully establishing ERM has resulted in well-established institutions of higher education are missing the mark when it comes to identifying, assessing and mitigating risks? All indicators point to a collision between outdated methodologies and human indecision or, more succinctly put, a human decision to do nothing. This lack of decisiveness, or making the choice to do nothing, is a likely result of a combination of not specifically understanding of the severity of the risk and not understanding the relative effectiveness or ineffectiveness of specific responses. The problem is that the coordination of the risk management process, particularly in the nuanced complexity of the higher education environment, can be difficult to coordinate, manage, and report on. There is an underlying challenge presented by the complexity that exists related to the prioritization of risk areas at IHEs. The combination of institutional hierarchy combined with the desire to have egalitarian buy-in for a process that is as strategic as ERM can lead to lengthy and contentious institutional risk assessments resulting in siloed and disenfranchised participants. The result of this type of process is that ERM is not enthusiastically accepted and expertly practiced across the enterprise. Additionally, the heat maps that tend to result from risk identification exercises stand as outdated tools in the current information technology zeitgeist of data visualization. The Essence of the Problem In all the examples given here of mishandled risk events, the decisions makers had descriptive analytics. In other words, they knew of the risk event(s), the area the event(s) emanated from, who was involved, and the time frame the event(s) occurred in. The crucial factors missing that would have likely facilitated an effective ERM outcome, in each case, were:
Call for a New Model In the conclusion of her groundbreaking research study, Lundquist calls for a new approach, an alternative pathway to facilitate ERM at IHEs. As ERM matures in higher education, IHE decision-makers are finding ways to adopt the basic of tenants of ERM to the higher education culture, with an eye toward embedding risk management with business practices, institutional governance, and strategic planning, and including the explicit discussion of risk in institutional decision-making, to achieve institutional objectives and fulfill their missions. IHEs in the U.S. can develop a new model for ERM in higher education, one that isn’t bound up with the bureaucracy of “new managerialism,” but that integrates seamlessly with existing organizational structures and improves strategic decision-making in ways that ultimately lead to effective governance, accomplishing accountability goals with mission at the core. Questions for Boards to Consider
We are all looking forward to the full emergence of technologies that intersect in a manner that empowers the concepts put forth in this article. We should expect those technologies to be characterized by ease of use and optimization of strategic decision making. Relevancy for Presidents and Boards The most recent top strategic issues for boards as identified by the Association of Governing Boards in its 2018-2019 report on the topic are:
While the ability of any IHE to foster all of the above points will be crucial to mitigating risk, and at face value one might surmise that financial stability should be the greatest desired outcome of an effective ERM approach, perhaps the perception of relevance is even more primary than financial stability, Over half of the board members surveyed in a the AGB 2017 Trustee index agreed or strongly agreed that, over the past decade, the general public perception of US higher education has declined. Relevance and perception are reputational risks and as such can be attributed to any of the four other major risk types of strategic, operational, financial and compliance. If any of these occur on a major scale, reputational risk is sure to follow (Abraham, 2013). The implication is clear. Presidents and board must empower administrators across the institution to use emerging technologies to swiftly identify, assess, mitigate and report risk with an eye towards reputation, as that component of risk management is tethered to every major type of risk an IHE may face. At the end of the day, governing boards have the fiduciary and governance responsibility for the colleges and universities they serve. The strategic goals of IHEs are organized to ensure that they meet their mission, something that in most cases has at its core serving students. Anything that disrupts that mission – anticipated or unexpected, internal or external, large-scale or seemingly minute – can prevent the institution from fulfilling its mission and, thus, is the purview of the governing board. ERM serves as a process and a method to ensure that boards are appropriately aware of the things that stand in the way of meeting strategic objectives and mission fulfillment so that they can accurately and appropriately – and in a timely manner – respond to or guide the president and senior officers in ways that protect and preserve the institution. “The future is here. Risk management is at its core a governance and management discipline, not an end but a means to the end, with the end being the accomplishment of the institution’s mission….Effective risk management prepares an institution to weather literal and figurative storms and sets the course for accomplishing the institution’s strategic plan.” (Abraham, 2013). Further Reading and Learning for Presidents and Boards If your interest is piqued and you (and/or your colleagues) want to learn more about the role of ERM in colleges and universities, we recommend the following resources: Abraham, J. M. (2013). Risk management: An accountability guide for university and college boards. Washington, D.C.: Association of Governing Boards of Universities and Colleges. Janice Abraham video: Enterprise Risk Management for Boards: https://www.agb.org/agbu/video/video-enterprise-risk-management-in-higher-education Association of Governing Boards of Universities and Colleges and United Educators (2014). A wake-up call: Enterprise risk management at colleges and universities today. https://www.agb.org/sites/default/files/legacy/RiskSurvey2014.pdf Smith, P. (2015). Engaging risk: A guide for college leaders. United Kingdom: Rowman & Littlefield Lundquist, A.E. Enterprise risk management: Why now? Free webcast recording. Academic Impressions. https://www.academicimpressions.com/product/0415-erm-free-on-demand/. References Abraham, J. M. (2013). Risk management: An accountability guide for university and college boards. Washington, D.C.: Association of Governing Boards of Universities and Colleges. Anderson, David L. (2018). An alternative pathway for enterprise risk management in higher education, Retrieved from http://www.admissiontransit.com Association of Governing Boards of Universities and Colleges and United Educators (2009). The state of enterprise risk management at colleges and universities today. Retrieved from http //www.agb.org. Association of Governing Boards of Universities and Colleges and United Educators (2014). A wake-up call: Enterprise risk management at colleges and universities today. Association of Governing Boards of Universities and Colleges (2018). Top strategic issues for boards 2018-2019. Washington DC: AGB Press Beggan, N. & Hester, S. (2011). Enterprise risk management at colleges and universities. 155 Cherry, Baekert, & Holland, LLP. PowerPoint presentation for Clemson University. Retrieved from http://media.clemson.edu/administration/cfo/comptroller/sacubo/4- risk.pdf Committee of Sponsoring Organizations of the Treadway Commission (2011). Internal Control – Integrated Framework. Retrieved fromhttp://kontrol.bumko.gov.tr/Eklenti/6877,cosodraftinternal-control-framewor… Fraser, R. S., Simkins, B. J., & Narvaez, K. (Eds.). (2015). Implementing enterprise risk management: Case studies and best practices. Hoboken, New Jersey: John Wiley & Sons Gallagher Higher Education Practice (2009). Road to implementation: Enterprise risk management for colleges and universities. Arthur Gallagher & Co. Retrieved from http://www.nacua.org/documents/ERM_Report_GallagherSep09.pdf. Lermack, H. B. (2008). ERM in action. Risk Management, 55(5), 50-54. Retrieved from http://search.proquest.com/docview/226982904/fulltext?accountid=11782 Lundquist, A. E., "Enterprise Risk Management (ERM) at U.S. Colleges and Universities: Administration Processes Regarding the Adoption, Implementation, and Integration of ERM" (2015). Dissertations. 1181. https://scholarworks.wmich.edu/dissertations/1181 Lundquist, A. E. (2012). College and university presidents: Risk managers-in-chief. URMIA Journal (Summer 2012). Lundquist, A.E. Enterprise risk management: Why now? Free webcast recording. Academic Impressions. https://www.academicimpressions.com/product/0415-erm-free-on-demand/. Lundquist, A. E. (2013). Enterprise risk management in higher education: There’s still a lot to learn. Risk Management Today. 145 - 149. Lundquist, A. E. (2015). Lessons from the academy: ERM implementation in the university setting, In B. Simkins, J. Fraser, & K. Narvaez (Eds.), Enterprise risk management: Case studies for executives, risk practitioners, and educators. Hoboken, NJ: John Wiley & Sons. Lundqvist, S.A. (2014). An Exploratory Study of Enterprise Risk Management: Pillars of ERM. Journal of Accounting, Auditing & Finance Vol 29, Issue 3, pp. 393 - 429 https://doi.org/10.1177/0148558X14535780 Matisoff, Eric (2018). It's time to democratize data for everyone in your organization. Retrieved from https://theblog.adobe.com/time-democratize-data-everyone-marketing-organiza… National Association of College and University Business Officers and the Association of Governing Boards of Universities and Colleges (2007). Meeting the challenges of enterprise risk management in higher education. Retrieved fromhttp://www.ucop.edu/enterprise-risk-management/_files/agb_nacubo_hied.pdf Smith, P. (2015). Engaging risk: A guide for college leaders. United Kingdom: Rowman & Littlefield University of Oregon Safety and Risk Services web site: https://safety.uoregon.edu/chief-resilience-officer-0 University Risk Management and Insurance Association (2007). ERM in higher education. 178 Retrieved fromhttp://www.urmia.org/library/docs/reports/URMIA_ERM_White_Paper.pdf.
1 Comment
Read More
|