Enterprise risk management is a critical part of higher education’s toolkit in preparing for and mitigating disruptions. As mentioned in Part 1 of the Enterprise Risk Management in Higher Ed series, these disruptions can be hazards/accidents (such as hurricanes, floods, wildfires, or blizzards), societal (the pandemic, Black Lives Matter, MeToo!), governmental (policy changes, visas for international students), and technology (ransomware, platform malfunctions).
There are two parts of enterprise risk management—risk planning, which is done by the institution’s administration, and risk oversight, which is done by the institution’s board of trustees. This blog will focus specifically on risk planning and a later blog will address risk oversight.
Risk Planning 101
One of the most important parts of risk planning requires leaders to understand their role in these situations. This includes developing a common understanding among the higher education administrators at both the institutional and college/department level, the board of trustees, and its committees, about their respective roles and responsibilities. In fact, it is critical to include risk planning and mitigation responsibilities in administrative job descriptions.
As a part of risk planning, higher education administrators should work together to:
- Analyze the likelihood, impact, and velocity of risks across the institution.
- Identify and disclose key risks to the board of trustees.
- Build and sustain a risk management program that is effectively embedded into the institution’s operations. Accordingly, the executive team’s roles will differ from those at the college or department level, and that of the board.
- Mitigate risks and manage risk events.
- Ensure incentives are appropriately designed to allow employees to take the right types of risks while also avoiding undue risks.
Risk Heat Maps
Because an institutional risk profile varies from institution to institution, it is important to take the time to identify and analyze the risks your college or university may be facing.
One way to do this is the create a risk heat map. This four-quadrant diagram is used to analyze risks based on their potential impact (the vertical axis) and likelihood (the horizontal axis). This map assists the institutional leaders in visualizing how risks in one part of the organization can affect other operations across the college. This type of planning adds precision to the risk assessment strategy and helps leaders identify gaps in an organization’s risk management processes.
There are multiple variations of heat maps, but most commonly use a “double-axis” layout that has the “y-axis” as impact and the “x-axis” as likelihood.
The scale is what differs with these types of charts; some have a scale of 0-10 while others may be 1-5 or 0-1.
The most common heat maps require the planning team to decide the likelihood of disruption on a 1-10 scale and then identify the potential impact should the disruption occur, again on a 1-10 scale. This analysis requires plotting the event on the X- and Y-axes.
The below chart is an example of a simple heat map.
Another variation of a heat map is the 5×5, with risk being calculated with a 1-5 or 1-10 scale. Once the impact and likelihood are agreed upon, the risk is calculated through simple multiplication ad then plotted. For example, the below depiction uses a scale of 1-5 for each axis, and once you have totaled your disruptive event, you plot it on the graph to depict the risk quantitatively.
The colors have been assigned arbitrarily, especially the middle. And, just because a total comes out at a certain number doesn’t mean that it must be put in at particular box. This is up to the discretion of those calculating the risk.
Next, leaders need to determine how much risk appetite (tolerance) the institution has. This involves defining the maximum level of risk the institution can securely assume in each area of risk. Creating a risk scorecard and then regularly (at least annually) reviewing it helps to ensure that the institution does not exceed its risk appetite.
This effort also involves working with the CFO and/or internal audit to establish and reaffirm the institution’s risk profile on an annual basis. Audit and risk mitigation plans need to be approved based on critical risks.
At this point, the critical risks are prioritized so that an in-depth review can be done to assess how these identified risks affect institutional drivers and objectives. Leaders need to make sure that the risk profile anticipates both short- and long-term disruptions based on critical enterprise risks.
In assessing the institution’s risk appetite, it’s important to consider a variety of key questions, including:
- Given the risk profile identified in our strategy, what is the appropriate level of risk appetite?
- Has the risk appetite been clearly cascaded into operational-level decision-making processes?
- How can administrators prepare this information for regular discussions with the board?
- What signal is the institution sending to the stakeholder community about its willingness to take risks?
- Are there regular discussions about risk management between administrators, the board, and board committees?
- Is the institution too cautious or too reckless in its risk appetite? If so, delve deeper into the position.
- Are the risks the institution is willing to take commensurate with the rewards that are sought?
Some key points about risk appetite:
- Administration should watch for red flags in relation to risk appetite, and administration and the board should ask questions if the institution doesn’t factor in risk appetite when making key decisions.
- The risk appetite should not remain stagnant; it should evolve and adapt based on the changing environment and institutional needs.
- All administrators should be familiar with the risk appetite; otherwise, this will hinder their ability to make informed decisions.
- Risk appetite should always be built into key performance indicators.
Working Through Risk Planning
So how does this work? Let’s say you are a president of a small college scenically located on a Southern California canyon. The campus is only accessible by a two-lane winding road that is about three miles from a major highway. So what would a risk matrix example look like?
Breaking down the axes and potential disruption:
- A hurricane hitting the campus could have a large impact; however, given the geographical location of the university, it is highly unlikely that a hurricane would hit their area. Therefore, it is in the upper left box of the heat map – high impact / low likelihood.
- A water leak could potentially happen, but the impact of a water leak would be minimal. Therefore, it is assigned a low impact / low likelihood.
- An employee getting locked out of their computer has a high likelihood of occurring, but the impact of that occurring is low. Therefore, it is assigned a low impact / high likelihood rating.
- A wildfire, on the other hand, could be a huge disruption for the university. The university is located in a canyon, with one entrance and egress point. Given the drought in California and the proclivity of wildfires, this is assigned a high impact / high likelihood.
This is an example of risk planning in relation to hazards/accidents. A similar process should to be completed for the remaining three categories—governmental risks, societal risks, and technological risks.
Protecting Institutional Assets
At this point, it’s important to begin to look at the risks and determine what institutional assets you need to protect at any cost. Obviously, students are first on the list but are there other assets that need protection, such as proprietary information, research, or priceless artifacts. For example, the University of Texas’s Harry Ransom Center has one of only 20 complete copies of the Gutenberg Bible in the world as well as some of Albert Einstein’s unpublished notes and calculations for his work on general relativity. Those are assets that should be protected at nearly all costs.
Clear accountability is needed in relation to risks. This accountability needs to be formally assigned to members of the senior executive team and then cascaded throughout the institution. This accountability also needs to include budgetary authority to devote sufficient resources to mitigate risk and implement specific controls. Individuals at the appropriate levels need to be identified who will be responsible for monitoring indicators related to the key risks. Managers should be trained to anticipate and manage risk, and appropriate incentives need to be created at all institutional levels.
Finally, a reporting structure needs to be developed that focuses on risk management excellence. Quarterly updates—including risk assumptions–are recommended.
Scenario planning also is an important part of risk planning. This planning uses the information identified in the heat maps to develop lists of knowns and unknowns in which to create potential scenarios. The administrative team both at the institutional and the college/department level then can use these scenarios to develop mitigation strategies, policies, and controls. They also need to consider the financial impact and how that would be mitigated.
The old way of scenario planning used to be 10% above and 10% below what was expected. However, given the VUCA world in which we live, this isn’t good enough anymore. Successful risk management requires looking at each potential event and coming up with best-case and worst-case scenarios. Many times this will be 10% above and 10% below, but to do successful scenario planning, a more detailed and nuanced approach must be taken
Keys to Successful Enterprise Risk Management in Higher Ed
To have a successful enterprise risk management plan, higher education leaders should incorporate three key steps:
- Integrating strategy and risk discussions. The integration of these two areas is naturally complementary in that strategies can be built after potential risks are identified. By doing so, leaders can position their institution to quickly navigate these hazards in order to return to normal.
- Involving stakeholders in the enterprise risk management planning process. This is important because top leaders often don’t know everything that is happening across the campus, which leads to blind spots. Involving stakeholders allows the ERM process to be more comprehensive by identifying everything that needs to be considered across the campus.
- Seeking stakeholder attunement through the entire ERM process. This attunement effort will help get buy-in among faculty, staff, and students across the campus—which can be critical in helping an institution navigate a crisis situation when it comes.
As noted in this blog, higher education leaders need to be aware of their specific role in enterprise risk management efforts for their institution. This involves identifying potential risks, considering the institutional risk appetite, developing relevant scenarios and appropriate responses, creating a cascading approach to risk management across campus, and identifying a reporting structure that includes the board of trustees and board committees.
In our next (final) installment of this blog series, we’ll address risk oversight, the critical role boards and board committees play in enterprise risk management.