What are the biggest risks to your institution? Once you’ve made a mental list, ask yourself another question: are those the same risks other key campus leadership and decision makers would cite if asked that question? If not, you may not be effectively managing risk.
While risk management should be a priority for all institutions, it’s especially important to have a shared understanding of the particular risks that challenge education operations. Higher education institutions depend on an open and inclusive culture, strive for transparency, and provide a wealth of easy-to-access information.While these practices might help institutions better engage with prospective applicants, students, alumni, parents, and constituents, that very open culture fundamentally also increases risk – making a risk management program essential.
Consider the facts: according to Symantec's 2016 Internet Security Threat Report, education was the second most-breached sector, responsible for 5 million entities being exposed during 2015. The number of security breaches, intrusions, and phishing attempts made every day targeting education is skyrocketing. The very openness of our culture and the presence of easily accessed information and intellectual property have made every institution a potential target. And the stakes couldn’t be higher – the vast amounts of entry points for accessing information are often distributed and decentralized. The pace of attacks and institutional vulnerability to individual errors that may provide an entry point for a breach represent the ‘new normal’ environment and demand a focused response.
Risk management should be like any other process in your institution that requires oversight, structure, policies, procedures, and people to carry out a coordinated strategy with assigned responsibility for specific security tasks. Institutions should consider the following steps to ensure they’re properly and effectively managing their risk.
Identify the risk universe
Facilitate a meeting with key decision makers, including your chief financial officer, chief information technology officer, and chief marketing/institutional relations officer and collectively discuss the biggest risks for the institution. Next, look to apply lessons already learned from other industry sectors, including financial, health, and social service sectors, and consider risks that similar organizations have faced. Become fluent with the experiences of other educational institutions, how they were impacted, and what types of security vulnerabilities they are now addressing. For a higher education institution, the list will likely include things like security breaches and cyber hacks. Educause has issued a particularly useful online library resource to share with colleagues; this site includes a sobering link to reported breaches in higher education.
- Rank inherent risks
Once all possible risks have been discussed, survey your results and conduct a workshop with key decision makers to determine the top risks to your institution.
- Inventory internal controls
Once you fully understand the risks to your institution, inventory the controls you already have in place to mitigate and manage them. You may find that you’ve already made important progress toward protecting your institution from some of its biggest threats.
- Conduct a gap analysis
After identifying the controls already in place, determine what you need to supplement and sustain them. Decide what additional risk treatment you need to enhance the control environment. This is also an appropriate time to go back to your documented risk universe and assign owners to manage all the risks identified.
- Develop a risk management plan
Use the information gathered above to develop a structured process to identify and mitigate risks. Share this plan with key decision makers in your institution and commit to a regular process of testing and reporting so that you enforce it. Also note that risk profiles are always changing, and key indicators need to be continuously monitored.
Higher education continues to provide an open and free exchange of ideas and opportunities for all, and, because of its structure, will be a likely target for criminal activity. To protect your institution, you must know what your risks are and properly manage them. Developing an enterprise-wide risk management process may seem daunting, but with focus and discipline an institution can conduct research and develop an effective plan in six to 10 weeks. While that’s still an investment, it’s very little compared to the time it takes to recover from a crisis.