The need for enterprise risk management (ERM) in higher ed was underscored by the chaotic nature of 2020. However, as noted in two previous blogs, many higher education institutions are unsure why and how to develop this type of plan and then administrators’ roles in operationalizing this effort. This post addresses the other major component that needs to be addressed in creating an ERM plan—the important role the institution’s board plays in the ERM.
The Board of Trustees plays a crucial role in effective enterprise risk planning management, which is a critical part of higher education’s toolkit in preparing for and mitigating disruptions and disasters. These disruptions can involve hazards/accidents (such as hurricanes, floods, wildfires, or blizzards), societal movements (the pandemic, Black Lives Matter, MeToo!), governmental policies (higher education policy changes, visas for international students), and technology (ransomware, platform malfunctions).
Trustees are responsible for the risk oversight portion of enterprise risk management, whereas the institution’s administration handles risk planning. Therefore, it may be helpful to review the board’s primary purpose.
While remaining engaged, conscientious, curious, and optimistic, board members must be strategic and tactical—while avoiding micromanaging the institution’s day-to-day activities. Trustees need to embrace due diligence when contemplating a matter to prevent rubber-stamping ill-advised recommendations. They also have fiduciary responsibilities that cannot be delegated. Fiduciaries hold a position of trust, act with the organization’s highest good in mind, and maintain a higher standard than the professional staff.
There are three core fiduciary responsibilities – duty of care, the duty of loyalty, and duty of obedience.
Duty of care means treating the university’s affairs – financial oversight, compliance with laws, and commitment to the institutional mission and rules – with the same care as they do with their own individual responsibilities.
Duty of loyalty requires a trustee to put the university’s interests first, practice personal integrity and transparency, support the Board’s decisions and adhere to the university’s conflict of interest policy.
Duty of compliance (obedience) ensures that the university is in alignment with all federal, state, and local laws as well as institutional bylaws and policies.
Higher education institution boards must realize that they are legally responsible – and courts are holding them accountable – for their fiduciary duties, i.e., the duty of care, the duty of loyalty, and the duty of obedience. For instance, the Delaware Supreme Court refused to dismiss Blue Bell Creameries board’s responsibility for failure to create a system to monitor food safety performance or compliance. Boeing’s board has come under fire after two crashes of the 737 Max, which had been the subject of safety questions by test pilots in 2016. Messages suggest that Boeing tried to hide safety concerns from the FAA and other regulators.
Similar negligence has been seen in higher education, as well. Just think about the long-simmering rumors of Jerry Sandusky at Penn State. That scandal ended up engulfing the school’s administration and board, and resulted in the board being held partially responsible in the investigation conducted by Louis Freeh, former director of the FBI. In another case, Michigan State’s board came under heavy scrutiny for its role and lack of transparency in the Nassar sexual assault case.
Trustees’ Enterprise Risk Management Roles
Boards have specific oversight roles in relation to ERM. These roles are:
- Understanding the organization’s risk profile, especially the risks that are inherent in the institutional strategy and business model.
- Defining the institution’s risk appetite and adjusting when needed.
- Ensuring that management has a program to identify, assess, mitigate, and communicate risk.
- Providing oversight through each of the board’s committees.
- Ensuring the risk management program is functioning properly and monitoring progress against the mitigation of risk.
The board and its committees must be clear about their own roles as well as management’s role when it comes to risk planning (administration) and risk oversight (board), and trustees need to share a common understanding of these roles, responsibility, and accountability with administration leaders.
Risk oversight activities also need to be clearly differentiated between the full board and committees, as well as within the committees themselves. The board needs to have the appropriate committee structure in relation to its oversight responsibilities in relation to risk. They also need to have a protocol that defines these situations and identifies the threshold for reports on risks that need to be made to the board.
There are several red flags to consider:
- No mention of risk in the board’s governance guidelines or committee charters.
- No discussion of what risks should be reported by the management to the board or board committees, as well as how and when this reporting should take place.
- The reporting is fragmented across board committees, which prevents the full board from having the full picture of the institutional risk.
The risk profile is created through an assessment that examines the inherent risks posed to an institution by various disruptors, such as governmental decisions, societal factors, technology, and hazards and accidents. After identifying these disruptors, institutions should create a heat map that compares the potential impact level with the potential likelihood. From there, institutional leaders can create policies and procedures to operationalize protecting key assets.
In working with the administration, the board needs to identify and understand the institution’s risk profile. Board committees need to work with the appropriate administrators to review potential risks and to analyze mitigation plans. This involves verifying the institution’s strategic assets and confirming that the risk profile is aligned with key value drivers and strategies. The board should verify heat maps that identify the institutional risk appetite and profile.
The board also is responsible for approving the institutional strategic plan in conjunction with both the audit and risk management plans developed in relation to critical risks. Trustees need to ensure that there is transparency in reporting so that the board has all the information required to assess the institutional risk exposure, including management’s categorization of high- and low-risk scenarios.
Transparency and Accountability
The board and administration must have a clear and active two-way flow of information that allows management to convey risk exposure changes and track risk management effectiveness. This enables the board to make informed decisions.
This also brings accountability into the picture. The board must ensure that the management has created a robust internal governance model and created a formal accountability plan that describes where risk oversight is delegated and then holds executive management accountable for implementation (think Blue Bell Ice Cream). Trustees should have access to all data to assess situations and to hold management accountable, with this being part of the incentive structure. Additionally, risk, control, and compliance functions should be created that support the institution. Lastly, an internal audit provides independent assurance on the effectiveness of risk management.
The board also needs to review the institutional risk profile annually and be made aware of changes in the risk management portfolio. For instance, if something is no longer a risk, it should be removed from the heat map. This is important because the effect of risk mitigation is often underreported, which leaves boards in the dark about the status of risks that are minimized effectively over time.
Risk Culture in Higher Ed
The board also should support an institutional culture that identifies risk. This involves paying attention to whether the university and college’s administration, faculty, and staff demonstrate consistent norms and behaviors in both taking and reducing risks. Additionally, trustees should regularly and frequently assess whether the institution’s employees know how to take the right risks while also avoiding undue risks.
Risk culture is defined as the behaviors institutional personnel has toward risks that come from strategy execution and business operations. A strong risk culture averts issues and incidents that can hinder an institution from carrying out its mission, mitigates exposure to risks, and generates operational efficiencies that result in improved operations. In comparison, a weak risk culture displays significant fragmentation in expected behaviors as well as a low level of accountability for decisions and actions.
Therefore, it’s important to create a strong risk culture that emulates, according to the firm, displays “a unified approach to risk and a high degree of accountability for it.” These types of cultures fuel engagement, inspire innovation and deter fraud and abuse.
Boards play a crucial role in creating a strong risk culture through:
- Setting an example of this culture through being transparent and openly discussing concerns and dissenting views as part of the decision-making process
- Selecting an institutional president who is committed to and has a proven track record of building and maintaining a strong risk culture.
- Requesting information to gauge the understanding of the institution’s middle levels and front lines in relation to risk.
- Regularly having candid discussions with the executive team and middle management about risks.
- Designing a compensation plan and targets that reward taking the right Whereas compensation plans are usually considered the purview of corporate America, more and more higher ed institutions are doing employment contracts with senior cabinet members (beyond that of the president). The metrics against which their performance is based can influence in a large way risk planning and culture.
Four Critical Enterprise Risk Management Questions
In today’s turbulent society, it is important for every higher education institution to undertake enterprise risk management planning. Board members and administrators need to understand their specific roles, create a transparent plan to consider the institutional assets and risk appetite, and then make this part of the accountability process.
Ultimately, boards need to work closely with the administration to answer four critical questions:
- How much risk are we willing to accept?
- What constitutes a material risk to our institution?
- What is the range of acceptable variance from our key performance and operating metrics?
- How will we define our terms to evaluate the likelihood of risk events and the impact that they might have on our institution so that we can map our potential risk events to our heat map?
This ERM planning process should be integrated with the institution’s strategic planning process to create a workable plan that protects students, faculty, and staff, as well as institutional assets. This effort also helps leaders and key staff begin to prepare for potential crises—and provides legal protection to both the board and leaders when and if a crisis does emerge.
Summary – Bringing Enterprise Risk Management Together
Enterprise Risk Management is increasingly an important part of higher education’s landscape. This effort is critical as institutions simultaneously face the implications of increasingly diverse disruptors, such as COVID-19, Black Lives Matter, the MeToo! Movement, cybersecurity issues, state and federal policy decisions, and international decisions that affect international students.
Board members and higher education administrators have specific roles to play in ERM that, when combined, create a synergy that ensures that risk management is efficient and effective, while also ensuring both the board and the institution have addressed their legal responsibilities and fiduciary duties. This effort also involves identifying potential risk and institutional assets, considering risk appetite, and developing an operational schema for when a risk emerges.
The old adage—“The best offense is a good defense”—holds here. By creating an enterprise risk management system, higher education boards and leaders are positioning their institution to successfully navigate the ensuing chaos, no matter the type of risk—governmental, technological, societal, or hazards/accidents—is faced.