Running a campus community can be a risky business without an enterprise risk management (ERM) plan. Some skeptics argue that enterprise risk management is a corporate issue that bears little relevance to academic institutions. Others dismiss it as a fad created by consulting firms, with little value-adding potential.
These executives are missing the point: Risk oversight should be considered an important strategic tool for every institution, because uncertainties surround a college’s ability to maintain and enhance its mission and reputation. As campus leaders explore alternative approaches for the future, such as new delivery models, international programs, or different research areas of expertise, they must make assumptions about what lies ahead that might influence the college’s ability to achieve those objectives in the rapidly changing world of higher education.
Campus leaders must make assumptions about their ability to achieve the desired success, with no certainty that those assumptions are accurate for the long term. At the same time, hidden dangers can arise in nearly any area: finance; safety and security, especially in terms of sexual abuse or harassment; drug use or trafficking; compliance; sports; fires, tornadoes, and other disasters; even active shooters. The list of potential hazards is almost endless.
The ultimate goal of enterprise risk management is to achieve your organization’s objectives by robustly identifying and managing these—and other—potential risks. Once you become aware of the impending threats on the horizon, you and other leaders can navigate around such hazards to keep the university’s strategies on track for success.
I have worked with a number of organizations, including my own institution—North Carolina State University (NC State), Raleigh—as the university has launched a formal ERM process. Through all those efforts, we’ve learned a lot about effective approaches and techniques to facilitate widespread engagement. Following are some ideas related to identifying the institution’s most significant risks and projecting ahead of time what the potential outcomes might be if not addressed properly. (For a discussion focused on institutional reputation, read “Deflect Reputational Risk.”)
Testing 1, 2, 3
Today’s institutions face countless risk drivers. Among them: declining resources, a slowing demand for college graduates, endowment challenges, competitors with new education delivery systems, and questions involving physical security.
Take a look at Figure 1, and ask yourself the following questions:
- How would you score (on a scale of 1 to 10, with 1 being the weakest) your institution’s capabilities in managing each of these sample risks?
- How would scores from other executives or your board of trustees compare to your assessment?
- How easy would it be to articulate your institution’s process for managing risks?
- How is risk management viewed at your institution—as a compliance/loss prevention program or as a strategic tool?
- If asked to identify the top 10 most significant risks facing the institution over the next three to five years, what process would provide the basis for your answer?
- If you were to ask other executives at the institution for their list of the top 10, what would be the similarities and differences?
Depending on your answers to these questions, you may need to jump-start your enterprise risk management process. The first step: Understand the drivers of your institution’s mission and value. Only by seeing the big picture and understanding what makes your institution tick can your leaders obtain a rich strategic view of the enterprise so that they can identify and prioritize those risks most critical to the institution’s long-term strategic mission.
Figure 2 reflects what might be one of the most important strategic goals of any institution of higher learning: to protect and enhance the value of the institution’s mission and brand.
The red boxes contain hypothetical examples of current value drivers for a flagship university with extensive state funding, a world-renowned faculty, and national student applicant base. You should also be able to pinpoint specific strategic initiatives contained in the current strategic plan that are being implemented over time to enhance the value of the institution. For example, the three gray boxes contain hypothetical strategic initiatives that include efforts to promote research in emerging technologies, embrace new flexible teaching delivery models, and increase international partnerships.
Conduct a Deep Dive
To help you develop a strategic lens through which to view your risk identification process, try thinking about each of your institution’s core business drivers and new strategic initiatives along two primary themes:
What must go right for our institution to sustain the success of each of its core business drivers and new strategic initiatives? The following might help prompt answers to this question:
- What are the key inputs needed over time for the core driver or new initiative to retain its strategic value?
- What are the key processes and technologies that must be sustainable for that core driver or new strategic initiative to achieve and retain its value for the business?
- Who are the key players (including suppliers, faculty, employees, students, or funding agencies) essential to the success of the core driver or new strategic initiative?
- What must occur to ensure that the contributions and expectations of these key players are sustainable?
What assumptions are being made by management about the ability of the institution to obtain value from each current business driver and new strategic initiative over the long term?
- How are those assumptions developed?
- What ensures that the assumptions are accurate and reliable?
- Who monitors those assumptions for changes?
These questions and others can be addressed through management interviews, surveys, or workshops.
Prompt Explicit Thinking
The goal of enterprise risk management is to engage leaders in a process that helps them pinpoint the institution’s most significant risks to the core business drivers and strategies (see Figure 3).
To help populate risks to the college or university’s business model and strategy, senior managers should be asked to think about answers to these questions for each new strategic initiative:
What could damage critical elements of the institution’s core business drivers and new strategic initiatives over the next two to three years?
- What might emerge that limits or eliminates access to key inputs that will be needed for the core driver or new initiative to retain its strategic value over the next several years?
- What might emerge that restricts, eliminates, or displaces the organization’s ability to sustain key processes and technologies?
- What might influence the contributions and availability of key players to this process? For example, what might affect the abilities of suppliers, faculty, employees, students, and funding agencies to continue adding value to the institution?
What might trigger changes in factors that support management’s key assumptions about the ability to sustain its core business drivers and new strategic initiatives? Your leadership team can use a variety of techniques to encourage this kind of thinking, such as interviews of key executives, and management workshops or surveys. When NC State launched its enterprise risk management process in 2011, our leadership conducted one-on-one interviews of senior executives, deans, and leaders in athletics and security. Other organizations have used risk workshops in which executives are asked these kinds of questions and then led in facilitated discussions to work on fine-tuning the understanding of each risk.
Another helpful technique is a premortem analysis. Using this process, participants think about a negative outcome that might be realized in the future. Senior managers then analyze what might have occurred to cause that outcome.
Assessing Risk Probabilities
Once they begin thinking about potential threats on the horizon, leaders suddenly realize that their institution’s risk universe could reach hundreds or thousands of potential events. If they become overwhelmed with too much risk detail, they can lose sight of what to do next.
Because the board and senior executives can practically manage only 10 to 20major risk areas or themes, one of the objectives of the risk assessment process is to prioritize risks. To assess and prioritize risks, you can choose from several techniques. Some institutions interview executives about specific risk probabilities and impacts. Others rely on risk workshops where executives use anonymous voting technologies to score specific risks along probability and impact dimensions.
At NC State, we opted for a survey. Executives responded anonymously to an online survey that asked them to score approximately 50 risks along a number of dimensions, including probability, impact, and preparedness for managing the risk.
The key to the success of any of these approaches is providing guidance to help executives think about probability and impact. We chose the five-point scale in Figure 4 to assess the probability of each risk, and we developed other five-point scales to assess impact and preparedness.
Develop Key Risk Indicators
Another step in enterprise risk management is the development of key risk indicators (KRIs) or metrics that monitor top risk exposures. Business officers are very familiar with key performance indicators (KPIs) that measure and report their institutions’ performance on a historical basis. By design, key performance indicators usually reveal a risk event after it has occurred.
Key risk indicators are somewhat different. They provide a forward-looking picture. They are designed to help management “peek around the corner” at risks that are beginning to emerge before they influence the institution (see Figure 5). While they can be based on internal information, the most effective and relevant key risk indicators require analysis of data outside the institution.
For example, to address risk concerns about recruitment and retention of key faculty talent, an institution may want to measure demographics about the number of individuals entering and exiting Ph.D. programs across the United States or national forecasts of faculty retirements for research and critical teaching fields. Monitoring these kinds of trends helps position management to be in a proactive versus reactive posture for responding to risks.
With extensive experience in identifying, measuring, and reporting financial and operating performance data, business officers are uniquely qualified to identify and measure data that might serve as effective key risk indicators.
Seeing the Big Picture
Declining resources, new education delivery models, and questions about the value of research are just a few of the risks on the horizon that offer both opportunities and threats to higher education. As a business officer, you have a big-picture perspective of your institution and can take a leadership role in strengthening its risk oversight process to take advantage of upcoming opportunities and minimize potential threats.
MARK S. BEASLEY is Deloitte Professor of Enterprise Risk Management and director of the ERM initiative at NC State’s Poole College of Management, North Carolina State University, Raleigh (see www.erm.ncsu.edu).