Enterprise Risk Management In Higher Ed Part 1: An Overview of the Planning Process

Enterprise risk management (ERM) in higher education is widely ignored, but in the traditional business world, enterprise risk management has become an integral part of the business vocabulary.

In this three-part blog series, we aim to shed light on how vitally important the ERM framework is to higher education institutions and highlight the benefits you’ll receive by incorporating it into a routine part of your college or universities business model.

Part 1 — An Overview of the Planning Process

Part 2 — Risk Planning And Its Critical Role In Higher Education

Part 3 — Risk Oversight And The Board’s Role In Higher Education Risk Management

Living in a VUCA World

We currently live in a VUCA (volatile, uncertain, complex, ambiguous) environment due to a myriad of factors that cause chaos. These disruptions, some of which can be forecast while others are unforeseen, create short-term or long-term change that can be positive or negative. Just think of the implications of COVID-19, which has turned everything in the world upside down.

Most businesses, especially publicly traded companies who are required to project future earnings, have risk management down to a science. However, higher education is surprisingly slow in adopting this type of planning. In fact, 90–95% of higher education boards and leaders report that they do not incorporate risk planning into their planning efforts — and if they do, it is only done at the CFO level and is used to build budgetary assumptions.

But because of the growing climate of uncertainty (whether that is created by the COVID-19 pandemic, a forecast for an active hurricane season, or the turbulence in the international political sphere), higher education’s standard approach to enterprise risk management that involves sticking the institutional head into the sand needs to change. This means that higher education boards must work in partnership with the president and other members of the C-Suite to integrate enterprise risk management into the fabric of the university or college.

Every year, higher education institutions face the potential for numerous disruptions. When they happen, these events can generate positive or negative impacts that can prove to be temporary or create a new normal (like the pandemic). Here are some examples:

• Many students at Texas universities faced physical, emotional, and mental challenges during the February 2021 winter storm, much like the psychological impact the COVID crisis brought on when students were shuttered in. Power across the state went out and rolling blackouts became the norm. Water pipes burst and caused flooding. Toilets stopped working. Food became difficult to find, and many could not access drinkable water. According to the Texas Tribune, students who live in large residence halls had an especially difficult time because they often did not have access to extra clothing, food, or a car. Universities also struggled to provide up-to-date information to students because of unstable cell and internet service.
• Tulane University, which has proudly used its location in the colorful and historic city of New Orleans to draw a strong student enrollment, found that prime placement quickly became a liability during Hurricane Katrina in 2005. The storm slammed into the city, causing a dangerous disruption that threatened students, faculty, staff, and administrators. The university had to find ways to both protect students during the storm and its immediate aftermath. The campus was deluged by water, forcing it to close for nearly a year. The crisis recovery efforts lasted for nearly a year as university president Scott Cowen and his leadership team were forced to go into full crisis recovery mode. They literally ran Tulane from a hotel room in Houston for eight months, until the university could reopen and students could return to campus.
• Penn State faced severe repercussions after trustees and leaders long ignored the signs of misconduct by football coach Jerry Sandusky. Once the allegations surfaced, the university’s sterling reputation was dragged through the mud.

Risk Management from Disruptions to Strategic Plans

As these news-worthy incidents underscore, it is important for boards and leaders to take time to categorize the different types of risk their institution may face. The National Association of Corporate Directors (NACD) uses four broad categories to categorize risk; they are governmental, societal, technology, and hazards/accidents. Each poses different challenges for higher education, such as:

• Governmental disruptors: Radical regulatory changes (such as those with Title IX), geopolitical conflicts (which can affect branch campuses, overseas exchange programs, or student trips abroad), and protectionist programs (which can cause issues in recruiting and retaining international students).
• Societal disruptors: Demographic shifts (such as the enrollment cliff and the economic situation caused by the pandemic); discontent (Black Lives Matter, MeToo, and other social movements); acts of terrorism (UC Berkley and alt-right/Antifa riots in 2019); and lack of a skilled workforce (such as older faculty who lack the knowledge base to move to online classes or to teach AI)
• Technology disruptors: Cyber-attacks (such as those faced by Rutgers and the University of Utah involving ransomware); new technology-driven business models (such as implementing online education and AI); problems with technology implementation (such as a failed rollout of ERP/CRM systems); and false information (such as fast-spreading rumors and lies on social media).
• Hazards and accidents disruptors: Natural disasters (hurricanes, blizzards, wildfires, tornadoes); climate change (such as the risking sea’s impact on Miami as well as New York University; public health crises (such as the current pandemic); and man-made disasters (such as riots at sporting events that result in fans being crushed; and transportation accidents that involve colleges transporting athletic teams, e.g., Marshall).

Adopting Enterprise Risk Management in Higher Education

Enterprise risk management (ERM) is a term used to describe the systemic way institutions can deal with risks. There are two parts to this: risk management planning and risk oversight.

Risk management — which is the administration’s responsibility — is the process that institutions use to identify potential disruptions, mitigate their impact, and manage potential risks. This process naturally dovetails with scenario planning and strategic planning, which leaders can use to guide the institution’s efforts.

Risk oversight — which is the board’s purview — requires the board to evaluate whether the higher education executives are effectively managing the organization’s risks. Additionally, this process involves developing scenarios upon which strategic plans can be built.

We will go into more details about both processes for adopting risk management in higher ed in future blogs, but for now, it is important to note that both require a well-defined effort that includes:

• Clarifying roles, responsibilities, and accountability
• Understanding the institution’s risk profile
• Defining the institution’s risk tolerance
• Integrating strategy and risk discussion
• Committing to transparent and dynamic risk reporting
• Ensuring accountability
• Risk mitigation
• Understanding the risk culture

Risk Planning Complements Strategic Planning

Risk planning goes hand-in-hand with strategic planning. In fact, strategic planning should be the first step taken in the enterprise risk management process. The strategic planning process naturally leads into the remaining steps, which include defining and categorizing potential disruptions and risks with areas of potential impact, getting stakeholder involvement, developing a heat map, identifying mitigation strategies, planning different scenarios, and inclusion in the strategic plan with scenarios and projected budgets.

Therefore, it is important to review the institution’s strategic planning process. The Change Leader uses a strategic planning process with our higher ed consulting clients that is infused with regular stakeholder attunement to ensure buy-in and mitigate resistance to change. The process includes:

• Future environmental scanning designed to analyze socio-demographic, kompetitive, economic/environmental, political, technological, industry, and customer/supplier factors.
• Positioning and brand promise to determine an institution’s unique qualities that set it apart from the higher education marketplace among customers and future employers.
• An ideal future vision that revisits the college or university’s vision and mission.
• Setting metrics for accountability.
• Identifying the current state using a SWOT analysis.
• Selecting strategies.
• Developing an overarching three-year business plan as well as business plans for each year.
• Developing and committing to an implementation plan, which includes risk planning.
• Implementing the strategic plan.
• Regularly reviewing annual progress.

Risk management in higher ed can easily be seen as something to defer; however, recent events — whether that’s COVID-19, Black Lives Matter, economic ups and downs, a record hurricane season, or SNOVID (the Texas winter storm) show that risks are common and, in some cases, may be increasing. When considering enterprise risk management, higher education leaders should take a page from Dwight D. Eisenhower, who said he learned an important lesson while serving as Supreme Commander of the Allied Expeditionary Forces in Europe during World War II:

“Plans are worthless, but planning is everything.”

In our next blog in the Enterprise Risk Management in Higher Ed series, we will discuss the process of risk management from the administration’s perspective. In the final installment of the series, we will discuss risk oversight — the role of the board in enterprise risk management in higher ed.

Dr. Drumm McNaughton provides Risk Management consulting services to help colleges and universities mitigate risk and be prepared for any situation.