Higher Education Risk Management


What is Enterprise Risk Management in Higher Education?

Enterprise Risk Management is the process by which higher education institutions plan for and mitigate risk to their institution that could prevent them from achieving their strategic goals and objectives.

Two components make up Enterprise Risk Management: risk planning and risk oversight.

Risk planning – which is the administration’s responsibility – is the process that institutions use to identify potential disruptions, mitigate their impact, and manage potential risks. This process naturally dovetails with scenario planning and allows institutional leaders to achieve their strategic goals and objectives when integrated into strategic planning.

Risk oversight – which is the board’s purview – requires the board to evaluate whether the higher education executives are effectively managing the organization’s risks. Additionally, this process involves examining the scenarios that the administration builds (and building new scenarios themselves) upon which strategic plans can be built.


Institutional Risk Planning

Institutional risk planning should be a holistic process, and as part of every strategic planning process The Change Leader facilitates, we ensure:

  • risk planning is conducted, including doing scenario planning and developing mitigation strategies.
  • structures are put in place to monitor potential risks and disruptions.
  • metrics are developed that provide “early warning lines” for triggering mitigation actions.


Holistic institutional planning also includes regular updating of the strategic and implementation plans and the assumptions behind them, as well as updating the potential risks to the institution.

These are the differences between strategic planning and strategic management, and between The Change Leader’s and other firms’ planning processes.

Check out our articles and podcast on risk planning for higher ed.

Benefits of Good Risk Management Practices

Good risk management practices enable higher education institutions to:

Build a sure path to achieving your institutional strategic goals and objectives

Develop risk maps and scenarios that quantify risk and predict the impact, severity, and cost of disruptions

Create a more “risk-aware” culture that prevents derailment from achieving strategic goals and objectives

Maintain the financial health of the institution and adherence to its mission

Build a culture of risk oversight on the board, which ensures appropriate guardrails for managing risk are in place

Develop plans to mitigate potential risks and enable the institution to remain faithful to its mission

Operate with the highest integrity and ensure its institutional reputation remains excellent

Remain in good standing with its accreditor and be eligible to receive Title IV funds

Signs Your Risk Management Practices Need Improvement

There are many telltale signs that an institution’s enterprise risk management practices aren’t functioning properly. Unfortunately, most institutions do little if any risk planning or management, and when “life happens,” they are ill-prepared to continue in the directions they had planned. In reality, if institutions practiced good risk management, the institution and its board would not be at risk because disruptions would have been properly planned for and mitigated.


Your last strategic plan became irrelevant because unexpected disasters, pandemics, or man-made crises struck


Your governance documents (bylaws, committee charters, administration job descriptions) fail to address risk


Your board does not conduct annual risk oversight planning or assessments at least once per year


Risk is not quantified or based on metrics, or not considered in strategic planning


Your institution's risk profile has not been updated, and/or does not take into account future risks


Your employees "fear" that the company will "shoot the messenger" when it comes to delivering bad news about risks


Board discussions with administration do not include rigorous examinations of risk or underlying assumptions


Full board meetings do not include discussions on risk and/or discussions are limited to committees


There is a lack of accountability for risk monitoring and mitigation by administration

Best Practices for Higher Education Risk Management

There are a number of higher education risk management best practices that institutions should follow to ensure they are helping their institutions be successful while overseeing and mitigating disruptions. These duties include:

Risk Management Best Practices for Higher Education Institutions Include:

Conduct risk profiling and disruption workshops at least semi-annually to review threats to the institution’s wellbeing

Build and/or update heat maps of potential disruptions, mitigation strategies, and scenarios for budget planning

Ensure the board committees have risk oversight as part of their duties in their committee charters

Brief responsible board committee(s) quarterly on new risks and their mitigation strategies, and the full board annually

Involve stakeholders in the risk management process, including risk identification and mitigation

Ensure accountability for risk management and mitigation by putting it as part of senior executives’ duties and responsibilities

Ensure responsibilities for managing risk are understood and embedded into the institution’s culture

Communicate risks to stakeholders, and get them actively involved in risk identification and mitigation

Form stakeholder committees to identify and monitor risks to the institution

Incorporate risk planning into your annual strategic planning and budgeting processes

How We Help Our Clients with Higher Ed Risk Management and Planning

The Change Leader’s risk management consulting services provide proprietary processes and methods that have helped multiple universities and colleges improve their risk management processes, including integrating strategic planning and risk planning and providing board training for risk oversight.

Some of the areas we’ve helped boards with risk management include:

    • Established standing board committees, including drafting committee charters, that increased board engagement with campus leadership and stakeholders, addressed ongoing needs and concerns, and provided for improved academic, operational, and strategic risk management and oversight.

    • Created new ways for the board to communicate with faculty, staff, and stakeholders that created better lines of communication, increased transparency, and built trust that risk is mitigated.

    • Developed and administered a proprietary board independence assessment matrix that enabled the board to self-assess its level of independence against accreditation standards, which got the institution off probation.

    • Updated the board and administration conflict of interest form to ensure members stay free of conflicts that would endanger its accreditation and risk oversight processes.

    • Established an annual board training cycle, including creating risk planning and oversight processes to ensure risk management is reviewed annually.

    • Created a board manual that became the “bible” for how the board operates and includes board guiding principles, an organization with job descriptions, committee charters and duties, election procedures, and board risk management best practices.

    • Created an annual board calendar that ensures needed governance and risk management oversight activities are conducted annually.

    • Facilitated the annual board retreat.

    • Developed an annual presidential evaluation that holds the president accountable and, through the president, the staff accountable for risk mitigation.

Risk Management Frequently Asked Questions (FAQs)

Most frequent questions and answers about risk management consulting for higher education

What are the eight steps involved in enterprise risk management for higher education?

The eight steps of enterprise risk management are:

  1. Clarifying roles of the board and management
  2. Defining and understanding the institution’s risk profile
  3. Defining the institution’s risk appetite
  4. Creating heat maps and mitigation strategies for risks
  5. Integrating strategic planning and risk planning
  6. Having detailed risk management discussions at all levels of the institution and especially with the board
  7. Ensuring accountability is assigned for risk planning and mitigation
  8. Creating a culture of risk recognition, reporting, and mitigation


What is the board's role in monitoring the institution's risk management processes?

Boards must oversee the administration and hold the president accountable for the achievement of student outcomes, the institution’s adherence to its mission, its strategic plan, risk mitigation, and other metrics. Unfortunately, this doesn’t happen as regularly as it should.

There are multiple mechanisms through which this can be done: board committees, including the executive committee; annual evaluations of the president; and the full board.

