Back to Blog
By David L. Anderson, President & Founder, Admission Transit System
Enterprise Risk Management, more commonly known as ERM is the process of systematically identifying, assessing and mitigating risk across an institution. ERM can be applied in both for-profit and non-profit settings. In higher education there are two significant professional organizations that govern ERM, The Risk Management Society (RIMS) and The University Risk Management and Insurance Association (URMIA). RIMS is an industry agnostic organization, with a reach that also encompasses higher education, while URMIA exclusively serves colleges and universities. URMIA’s Risk Inventory classifies nearly 300 specific risk areas into 23 risk groupings (Florio, 2017) that are divided into five broad categories:
Risk Events in Higher Education
Of late, the most notable risk events plaguing institutions of higher education (IHE) have not been unavoidable natural disasters such as earthquakes, hurricanes, wildfires and other “acts of God,” that seem to be occurring with greater frequency and ferocity, but what we might refer to as preventable, “acts of man.” Most recently the horrific acts of Dr. Larry Nassar at Michigan State and similar incidents at University of Southern California. A couple of years prior, incidents that fall into the same category, perpetrated by Jerry Sandusky at Penn State, and a decade ago the incident at Virginia Tech that shepherded in the era of the active shooter. In addition to these high-profile cases, numerous other mishandled risk events occur on an annual basis across the higher education landscape.
How Poorly Handled Risk Events Destabilize Institutions of Higher Education
When identified risk events are mishandled the institutional and human toll can be devastating. At Michigan State, lives were ruined, careers ended, and the institution experienced unprecedented financial and reputational damage. When an identified risk event is not appropriately assessed and acted upon, the threat of multiple occurrences of similar events can quickly become a reality resulting in excessive degradation of the impacted area. The potential results are legal fees and liability costs that can far exceed institutional liability coverage, and negative PR that can linger for years, impacting enrollment management, human resources recruitment, and institutional advancement. The sum total effect is institutional instability and perhaps institutional failure. Broadly considered from this angle, the lack of effective ERM can result in the insolvency of IHEs and the destabilization of higher education.
So how is it that storied, well-established institutions of higher education are missing the mark when it comes to identifying, assessing and mitigating risks? All indicators point to a collision between outdated methodologies and human indecision or, more succinctly put, a human decision to do nothing. This lack of decisiveness, or making the choice to do nothing, is a likely result of a combination of not specifically understanding of the severity of the risk and not understanding the relative effectiveness or ineffectiveness of specific responses.
There is an underlying challenge presented by the complexity that exists related to the prioritization of risk areas at IHEs. The combination of institutional hierarchy combined with the desire to have egalitarian buy-in for a process that is as strategic as ERM can lead to lengthy and contentious institutional risk assessments resulting in siloed and disenfranchised participants. The result of this type of process is that ERM is not enthusiastically accepted and expertly practiced across the enterprise. Additionally, the heat maps that tend to result from risk identification exercises stand as outdated tools in the current information technology zeitgeist of data visualization.
In all the examples given here of mishandled risk events, the decisions makers had descriptive analytics. In other words, they knew of the risk event(s), the area the event(s) emanated from, who was involved, and the time frame the event(s) occurred in. The crucial factors missing that would have likely facilitated an effective ERM outcome, in each case, were predictive analytics – a specific projection of the financial and reputational costs, and prescriptive analytics – a projection of the most and least effective risk responses.
Call for a New Model
In the conclusion of her groundbreaking 2015 dissertation Enterprise Risk Management (ERM) at US Colleges and Universities: Administration Process Regarding the Adoption, Implementation, and Integration of ERM, Dr. Anne E. Lundquist calls for a new approach, an alternative pathway to facilitate ERM at IHEs.
As ERM matures in higher education, IHE decision-makers are finding ways to adopt the basic tenants of ERM to the higher education culture, with an eye toward embedding risk management with business practices, institutional governance, and strategic planning, and including the explicit discussion of risk in institutional decision-making, in order to achieve institutional objectives and fulfill their missions. IHEs in the U.S. have the opportunity to develop a new model for ERM in higher education, one that isn’t bound up with the bureaucracy of “new managerialism,” but that integrates seamlessly with existing organizational structures and improves strategic decision-making in ways that ultimately lead to effective governance, accomplishing accountability goals with mission at the core.
Emerging technologies now allow Dr. Lundquist’s theoretical perspective to have an immediate and lasting practical application. I believe the new model for ERM in higher education Dr. Lundquist called for lies squarely at the intersection of risk management, visual workflow management and virtual analytics powered by artificial intelligence and machine learning. This approach would utilize software that produces clear, concise, visualization of emerging risk events throughout an IHE with reports containing descriptive, predictive, and prescriptive analytics derived from regression based artificial intelligence with the analytics presented both in text and virtual format. The virtual visualization of risk associated analytics will allow decision makers to see patterns in their data leading to a better understanding of the severity of risk exposure and the effectiveness of various response options, not to mention greater ease in identifying emerging patterns in risk groupings. The end game here is more effective ERM resulting in greater institutional stability.