Enterprise risk management: Lessons for higher education
It’s no secret that the threats facing higher education institutions are rising in frequency and complexity. You likely have your own list in mind — those scenarios that keep you awake at night thinking about the potential impact on your institution. But restlessness won’t lessen those risks. Nor will it ensure that leadership has a shared understanding of and playbook for mitigating them.
A proactive risk management program will mitigate risk — that is, a comprehensive process and overarching plan that helps institutions assess, implement, and monitor to reduce risk campuswide. Instituting an enterprise risk management (ERM) program doesn’t have to be expensive. It doesn’t have to take additional headcount or a lot of time. There are many practical, achievable steps to formalize your institution’s approach and, most importantly, make a case to your leadership, stakeholders, and board members to sponsor this mission-critical work.
"A proactive risk management program will mitigate risk..."
We asked three experts in the area of higher education risk management to share their insights about creating and leading an effective enterprise-wide initiative: Jeff Wright, senior manager of Plante Moran’s Enterprise Risk Services group; Vicki VanDenBerg, partner and Higher Education Practice leader; and Donna Freddolino, consulting manager with Plante Moran’s Information Technology group.
Before we dive into the details, what is enterprise risk management, and why is it so important for institutions to have a formal ERM program?
JEFF WRIGHT
ERM guides institutions to first assess and quantify the risks that could interfere with their ability to carry out their missions and then embed that process in their strategic decision-making.
Institutions should ask themselves the following questions: Have we identified the most likely and impactful threats? Do we have a plan to manage them? Are plans assigned to risk owners, who continually monitor key risk indicators? Risk is a fact of life, but answering these questions is what’s going to allow leaders to sleep at night.
VICKI VANDENBERG
Risk management is so important because it enables institutions to potentially avert crises and lessen the impact of those that do occur. In a sense, good risk management goes unseen. There are no headlines when institutions are able to deal with issues proactively.
We had a client, a Midwestern university, which fell prey to a sophisticated email phishing scam. The institution recovered most of the money it had lost, but the incident prompted them to put new processes and heightened controls in place. Months later, the con artists were back, this time making their request by phone rather than email. Because of the new processes and increased awareness, employees quickly recognized the fraudulent request for funds, and a potentially expensive incident was averted. To me, that’s a great example of what risk management means to an institution.
“Risk management is so important because it enables institutions to potentially avert crises and lessen the impact of those that do occur.”
What are some of the risks higher education institutions face?
JEFF WRIGHT
We group risk into four main categories: financial, operational, strategic, and compliance. Within those categories, risks that impact higher education institutions run the gamut.
VICKI VANDENBERG
Agreed. The risks include anything you can imagine. Outbreaks of foodborne illness, campus violence, scandals, laboratory accidents, construction accidents or drops in interest rates. In particular, the growing cybersecurity challenge is one that hits higher education all day long.
What are the implications of not managing risk well?
JUDY WRIGHT
For one, risk events can be exorbitantly expensive. The Madoff investment scheme cost some universities tens of millions of dollars. Associated costs of risk events can include crisis communications, legal costs, remediation, process changes, even fines. Related to cybersecurity and data breaches, data from Educause and the Ponemon Institute have shown that institutions spend $4 million on average per breach.
And then, there are the reputational costs — drops in applications and enrollment, donations and grants, a hit to bond ratings, or the negative impact to brand loyalty among alumni and in the community.
Who’s responsible for managing risk?
JEFF WRIGHT
This question is a two-sided coin: on one side, no one feels directly responsible for risk management, and on the other side, everyone is responsible. It has to start with institutional governance — leadership and your board. We can’t over-emphasize this fact. The board is responsible to assign risk management to an owner, who leads the build-out of risk management infrastructure. That infrastructure includes processes for identifying, classifying, and mitigating risk and a playbook to foresee and manage particular risk events as they occur.
Having an internal audit committee or department or a compliance manager is a great start. But none of those replaces a comprehensive ERM initiative in which everyone participates.
Many higher ed leaders struggle with making a case to the board for more formalized risk management efforts. Any suggestions?
JUDY WRIGHT
To manage risk effectively, you have to be proactive instead of reactive. If the board’s tendency is the latter, make sure there’s a cycle for your board to address risk management. At least annually, there should be a risk management review or board briefing. Have a deliberate process, so that information flows to the board on a regular cycle.
Better yet, provide training so that board members are intelligent and informed reviewers of the information you provide. It’s not enough to put risk management on the agenda; you have to feed that agenda with content, especially peer experiences, and also ensure that your directors have the appropriate knowledge and context to understand the implications.
VICKI VANDENBERG
Once directors understand what risk means to the institution, are they making a conscious decision to stay in the dark? Bring issues into the light? Can’t decide what to do? Doing nothing is a decision, too. Institutions have to take the time and invest the resources to do risk management right.
Where and how do you start?
VICKI VANDENBERG
As the sponsor of a risk management initiative, the board establishes a risk management charter and designates an owner — oftentimes, the chief legal officer or the chief compliance officer — are responsible for overseeing the ERM build-out. People commonly think risk management falls to the chief financial officer because they’re thinking about risk only in financial terms. But that’s not how it should be; everyone in the organization plays a role.
The designated owner then creates a senior-level ERM committee to drive the risk management infrastructure building process, which includes:
- Identifying inherent risks by assessing the internal environment and defining your risk universe.
- Holding facilitated discussions to determine the likelihood and impact of inherent risks. This methodology provides a grading scale by which an institution can prioritize risk across functions.
- Evaluating mitigating activities and controls already in place and determining the residual risk.
- Prioritizing net residual risks, developing new strategies, and making improvements to current control activities. This becomes the playbook.
- Sharing risk rankings and mitigation strategies with the board and leadership on a routine basis.
During this process, the ERM committee assigns residual risks to risk owners, who identify specific threats within their functional areas, and signs the risk event may occur (referred to as Key Risk Indicators). For example, the campus security director might be appointed a risk owner of physical security for the institution. The security director cannot be in all places at once, so the security director enlists control owners across campus to monitor the key risk indicators. These control owners are the boots-on-the-ground, the people most familiar with day-to-day security-related risks. Control owners know the key risk indicators — the signals that herald a risk event, such as a broken window in an academic building, a suspicious vehicle, or a tampered lock at one of the dorms.
JUDY WRIGHT
Another example is third-party risk. Often institutions rely on third-party vendors or service providers to address critical business functions and the failure of that third-party could have a devastating impact on the institution. Think about potential vulnerabilities not under your direct control when your data is managed in the cloud for example. Best practice is for the third-party risk to be assigned to a risk owner who is responsible for monitoring the status (operating performance, contract compliance, financial stability, etc.) of each vendor. The risk owner will then recruit control owners across the institution (usually someone with direct contact to the vendor or supplier) to monitor provider performance and financial stability. Any detection of deterioration of the third-party relationship and the control owners must notify the risk owner immediately to kick off the mitigation strategy, or playbook, to remedy the situation.
If you had to identify a single factor of successful ERM programs, what would it be?
JEFF WRIGHT
Board sponsorship and, inextricably connected, information flow. Information must flow from the board down the pyramid to share expectations with risk and controls owners and then back up the {pyramid} so leadership learns about key risk indicators and whether risk events have occurred. In other words, accountability and policies flow downward from the board; information about risk flows upward to risk owners, ERM committee members, and ultimately to the board. There needs to be a continuous feedback loop.
“If a strategic plan calls for reducing costs, at the same time institutions need to ask what the impact will be on their risk universe.”
How should risk management relate to institutional strategic planning?
VICKI VANDENBERG
Among institutions with a more mature risk management process, we want to see the two completely woven together. At institutions with less mature and robust ERM, risk management and strategic planning tend to be disconnected, and that fact alone creates risk. The adage, “If you build it, they will come,” does not apply to ERM; you have to tie risk management directly to strategy and performance.
JEFF WRIGHT
If a strategic plan calls for reducing costs, at the same time, institutions need to ask what the impact will be on their risk universe. If the strategic plan calls for increasing enrollment, what are the impacts on infrastructure, including class size, student services, housing, and food service? If the board wants to see a 10 percent increase in admissions, it’s important to think through the consequences and incorporate the added risk into the strategic decision-making. The two processes should feed off of each other synergistically.
How does an institution’s culture impact ERM efforts?
JUDY WRIGHT
Culture has a huge impact on risk management, in both positive and negative ways. Culture can, for example, encourage a whistleblower to report a risk event or a risk indicator; culture can also subtly, or not so subtly, pressure people to look the other way and keep silent.
To put a finer point on it, no one sets out deliberately to have a poor culture or to penalize employees; it’s more that people don’t realize, and aren’t being told, what their duty is. Communicating to employees what they need to be alert to, what they need to be looking for, and what information they need to be sharing must be embedded in day-to-day operations. Mid-level management is the connector, and there needs to be emphasis on how that middle group understands its duties up and down the organizational spectrum.
JEFF WRIGHT
Yes, everyone tends to talk about the tone at the top, but I like to talk about the tone at the middle. Middle managers must embrace policies and procedures, enforce strong internal controls, follow the code of conduct, and require their staff to do the same. That’s all part of culture. If that isn’t happening — if no one is actively speaking up, or if people are penalized for speaking up — that leads to risk events.
Expected risk management norms need to be communicated so that employees embrace those processes, procedures, and controls and are clear what their responsibilities are. Some of our clients have “If you see something, say something” posters around their workplaces with toll-free hotline numbers for reporting. That’s indicative of the type of culture that can minimize institutional risk.
JUDY WRIGHT
Going back to the phishing incident and attempted follow-on attack, it’s important for managers to encourage employees to stop and think: Does this sound right? Does this make sense? Is there a verification process in place? Most employees are busy, multi-tasking, and are trying to be responsive to incoming requests, but they need to know that the duty is to take a moment and consider the broader context. The more education and training an institution gives about why this is so important, the better.
But that’s a big gap I see. For example, related to information technology, 74 percent of institutions mandate information security training for faculty or staff and only 27 percent for students, according to recent data from Educause. Higher education institutions have identified cybersecurity as a top IT issue, and addressing those risks is going to take resources — time, dollars, training — if we’re going to walk the talk.
VICKI VANDENBERG
Culture influences how you manage risk, and a formalized ERM program also helps shape culture. A good ERM system encourages information flow throughout the organization. It encourages explicit definitions of and expectations for accountability and responsibility in daily work. It provides the framework and methodology for allocating resources for managing risk in ways everyone understands.
“74 percent of institutions mandate information security training for faculty or staff and only 27 percent for students...”
What are the biggest myths you encounter about ERM?
JEFF WRIGHT
“We don’t have the resources to do this” is a common one. I like to say that you don’t have the resources not to do it. Recovering from risk events is expensive, not only financially but in other ways. Invest in proactive, preventive activities, rather than spending on recovery later.
An ERM initiative doesn’t have to require additional headcount if you shift the culture and explicitly communicate new expectations. This can be a stumbling block to execution for a lot of organizations. It takes a change in human resource objectives, and it may require changes to job descriptions, evaluation and bonus criteria and pay scales. Good communication is critical.
We’re sometimes asked if there’s an ERM “light” for institutions that don’t feel ready for a full-blown consulting implementation. Start the conversation. Build out the infrastructure. Identify the top risks in terms of impact and likelihood. Assign risk and controls owners. Report back up the chain of command. Each of those steps can be an undertaking in itself, but those are the key pieces of a successful ERM program.
VICKI VANDENBERG
A common myth I hear is, “We put the infrastructure in place, and our culture’s great so we’re done.” But as your environment changes — changes in regulations, in elected officials and institutional leaders, in the construction projects you have underway, you name it — your risk universe changes. That’s why it’s critical to continuously report on the highest priority risks to the board at least quarterly. And it’s why I tell clients, “You’re never done. Risk management doesn’t work like that.”
What resources do you suggest for readers who want to learn more?
JUDY WRIGHT
We welcome conversations about the topic, so feel free to contact us with questions.
