The State of Enterprise Risk Management at Colleges and Universities
Originally Published: July 01, 2009
The Association of Governing Boards of Universities and Colleges and United Educators conducted a survey in June 2008 regarding attitudes, practices, and policies about ERM at American colleges and universities. There were over 600 respondents from a mix of private and public schools of different sizes, with presidents and chancellors, CFOs, governing board members, chief academic officers, and risk managers comprising most of the respondents. Survey responses indicate that higher education is lagging behind private industry in considering risk at the strategic level.
Best Practices and Action Steps
There are several best practices and action steps presidents and boards can take to improve their strategic risk assessments:
• Define risk broadly, incorporating many types
• Recognize the downsides as well as the opportunities of risk
• Develop a culture of evaluating and identifying risks at multiple levels so critical risks filter up to top decision-makers
• Examine the total cost of risk, including financial and non-financial costs
• Boards and presidents should collaborate and work together
• Develop a disciplined process to consider risk in strategic discussions
• Designate an owner of the risk identification process
• Require top administrators to prioritize risks based on likelihood and impact
• Identify and monitor risks that could interfere with strategic goals
• Require annual written reports on each high-priority risk being monitored
• Reassess priority risks at the board level at least once a year as circumstances change
• Look for risks that are being omitted
• Move risk identification deeper into the institution to employees most likely to first see risks
• Repeat the process as risk management is a continuous process, not a one-time endeavor
Worksheet for Oversight of Systematic Risk Assessment
A worksheet is provided to help higher education leaders begin the systematic risk assessment process by determining which potential risk areas are the most urgent. The worksheet provides a starting point for institutions, leaving room for institutions to add any of their own unique risk areas. Four main risk areas are included: operational, financial, compliance, and board governance. Operational risk areas include facilities, academic affairs, external relations, human resources, information technology, research, and student affairs. Financial risk areas cover risks such as budget, enrollment trends, and fundraising. Compliance risk areas include risks such as animal research, copyright and "fair use", and intellectual property rights. The board governance risk area covers risks such as board member independence, CEO compensation and assessment, and governance policies.
To use the worksheet, the president and board should review the different risk areas and assign each an urgency rating from 1 (risk area needs immediate assessment) to 4 (risk area not applicable to the institution). Risk areas with high urgency ratings should be assessed, and responsibility for those risk areas should be assigned to a subject area expert on campus. Subject area experts can then assign priority rankings to the most critical risks in each area based on likelihood and severity of impact. There are many ways in which this can be done, and three sample campus expert risk assessments are provided as examples. Institutions should choose a method that works best for their needs and resources. The board and president should then review the highest priority risks identified, decide which risks pose the greatest threats to the institution's strategic goals, and develop a procedure for monitoring efforts to mitigate them.
Key Survey Findings
Regarding attitudes towards institutional or enterprise risk, fewer than half of respondents "mostly agreed" that their institution's risk tolerance is understood (46.6%) and guides decision making (43.8%), and that risk management is a priority at their institutions (40.7%). This is important because these attitudes provide the foundation for understanding and using information about risk in decision making.
Considering strategies to manage risk and protect the institution, 84.2% of respondents somewhat or mostly agreed that board members and senior administrators at their institutions actively engage in discussions regarding institutional risks. These discussions primarily occur in finance committee meetings (67.1%) and audit committee meetings (63.2%). Despite these discussions, only 39.9% of respondents identify risks to the success of their institution's mission through comprehensive strategic risk assessments. Furthermore, 50.8% reported that their board members and senior administrators only evaluate major risks identified by strategic risk assessments on an as-needed basis.
ERM policies and procedures in place also leave room for improvement, although only 11.4% of respondents reported less-than-average risk management performance by their own institution. Only 29.7% of respondents "mostly agreed" that their institutions' risk management philosophy is captured in policy statements, oral and written communications, and decision making. During board meetings, financial risks are most often discussed, followed by legal and regulatory risks and operational risks, with political and reputational risks receiving the least amount of discussion. Primary responsibility for institutional risk management most often rests with the CFO (49.7%) or president (32.1%).
Boards are not routinely monitoring institutional risk, with only 53.2% somewhat or mostly agreeing that their boards monitor institutional risk through regular, formal reports from the administrator assigned responsibility. Furthermore, boards and senior administrators are not sufficiently informed about institutional risk as only 42.6% "mostly agree" that they are provided enough information about institutional risks to meet their legal and fiduciary responsibilities. These survey findings indicate that overall there is significant room for improvement in enterprise risk management at higher education institutions.