The two greatest risks today for institutions involve generating sufficient resources to maintain their operations and preserving their reputations in increasingly volatile environments, insists Eric Hartman, vice president, risk management and institutional effectiveness, University of the South, Sewanee, Tenn. He believes that the pervasive nature of social media triples the possibility of both risks.
"The evolution of social media makes it very easy for a small group of adversaries to make life difficult for an institution," he says. "The news could be good in the morning and by afternoon, turn ugly. Negative rhetoric can make it difficult to recruit students and convince people that this expensive investment [in higher education] is worth it, which is why institutions have to be able to adapt and respond to issues as they arise."
Janice M. Abraham, president and chief executive officer, United Educators, Bethesda, Md., concurs. "The operating environment now is much more precarious and offers significantly more challenges than at any other time in my memory," she says. "The margin of error and the opportunity to be attacked by the news media, consumers, parents, or legislators are far greater. The adage ‘It’s better to prepare than repair’ has never been truer."
To prepare, both executives urge that leaders actively practice enterprise risk management. "ERM is really [about] looking at systems and structures to solve an issue, not just in an acute manner, but in a systemic way that has sustainability," says Hartman, whose institution adopted enterprise risk management in 2014 to deal with emerging risks, as well as potential opportunities.
"If boards are dealing with a crisis or a risk that is not well managed, it means that the senior leadership, CFO, president, and board are not dealing with strategy and the future," Abraham explains. "Every minute they spend cleaning up or trying to deal with a crisis means that they are not developing a new program to attract students."
Not Strictly Quantitative
According to Hartman, ERM is not strictly a quantitative process. "It has qualitative pieces to it and can be as much an art form as a science," he says.
Because implementation varies from institution to institution, Julie Zobel, assistant vice president, safety, emergency, and enterprise risk management at George Mason University, Fairfax, Va., offers these words of caution to those just now setting up ERM: "Do not get mired in the pursuit of a perfect process, but rather focus on risk mitigation as the priority."
An ERM process typically includes three steps:
1. Identify risks and opportunities. When he introduced ERM at the University of the South, Hartman developed a starter list from insurance applications, claims reports, and trends in the field. Now, he meets annually with more than 25 administrators from major divisions and sectors, where, together, they may identify 200 new risks that require progress.
"These are not challenges that I bring to them," he explains. "These issues emerge through this process in the spirit of shared vulnerability. Some are significant mainly to those divisions, so we only focus on about 40, and in any given year, we spend a significant amount of time on 10 or 12. What you have to worry about is what’s not on your list that should be."
On occasion, Hartman has encountered administrators who display an attitude of "Why are you messing in my business?" Most, however, appreciate the additional help that is part of the process. "We set this up so that if you have a top risk, you get added support," he emphasizes. "Our process shifts the paradigm from people feeling alone and wanting to keep things hidden to ‘If I shine some light on this, we have a system in place to get some help.’"
In fact, after ERM was first introduced, he noticed an interesting phenomenon—people were thinking independently about risks and taking actions on their own, by fixing railings on a staircase or hosting a mini retreat on risky student behaviors. "These had nothing to do with our process," Hartman says. "They were an independent outgrowth of what we wanted to see happen through training and improving manager skills in this area."
At George Mason University, risks are identified by senior leaders, the president’s cabinet, the president’s council, departments, and the ERM council—a group created in 2015 with 11 members from key risk areas, such as IT, athletics, HR, and internal audit.
"Depending on the issue, we might ask the primary risk owner to educate the council about the risk, whether positive or negative," explains Zobel, who is the chair of the ERM council. "We use that information to discuss the risk and the types of insurance coverage we might have to alleviate any of the risk, as well as any business plans that may be in place for such a risk."
Zobel believes managing enterprise risks allows institutions to be more nimble, prioritize scarce resources, identify the upside of risk, and enhance coordination and communication.
"Traditionally people view risks as negatives," she points out. "What an ERM program can do is show you not only the negative impacts, but also the positives."
For example, notes Zobel, the university is now getting more robustly involved in online education, which has its benefits and challenges. The upside: We can reach a broader audience, be more competitive, and meet the expectations of our customers because today’s millennial students expect hybrid and online programs. The challenge: To support online education, we need to invest in infrastructure, which includes technology and staff."
When compiling a list of risks and opportunities, Abraham also suggests checking with peer institutions, as well as books and reports, for existing risk registers. Institutions are very good about sharing their knowledge and best practices," she says.
Abraham cautions, however, that each institution has its own culture, history, and challenges. "Some institutions in New England or the Midwest may be under much more pressure from demographic issues. Others in Arizona—that’s not their problem. They may be trying to convince the legislature that a private institution has as much value as a public institution, and that the diversity of higher education makes us strong."
2. Assess the impact. To pinpoint priorities, senior administrators need to determine which risks are more likely to happen and which would have the greatest impact. This exercise, according to Abraham, shouldn’t be tied solely to costs, and can be as simple as designing a quadrant where one axis is high/low impact and the other is high/low frequency or probability.
"That way an institution can determine, ‘These are the ones that would be the most serious for us and the ones most likely to happen,’" she says. "For example, an active shooter on campus would be horrific, but probably unlikely. However, ‘We’re not going to make our enrollment numbers this year, because we haven’t made our numbers for the past few years—and we’re a tuition-driven institution’—would be at the top right-hand quadrant, with high impact and high likelihood. I would assign that to someone at the senior level to develop a mitigation plan."
- Don’t try to tackle everything. Abraham encourages institutions to limit their choices. "My advice is to pick five or 10 risks and start on those," she says. "It may be IT, disaster recovery, succession planning, and compliance issues. Don’t pick 20."
From talking to business officers, Abraham knows that many institutions mistakenly go straight to the disasters that could happen—the active shooter, the earthquake, and other catastrophes. "Institutions that don’t have robust ERM tend to chase the latest crisis," she explains. "Instead, what we want them to do is to use ERM as a planning tool to look a year to three years ahead and ask, ‘What risks should we take on? What should we be doing? What do we need to step back from or reinforce so that the issue doesn’t disrupt our mission and goals?’"
- Conduct a risk assessment. Members of George Mason’s ERM council perform a traditional risk assessment to subjectively assign impact scores and probability scores to the identified risks. "Each member does that individually and anonymously, and responses are highlighted on a screen," Zobel says. "If we’re all clustered in the same area, we consider it consensus and move forward. If we have outliers, we ask those voters to explain their scores because they might have information the rest of us do not. We then make a prioritized list based on the scores. The risks that rise to the top are the ones on which we focus efforts."
3. Monitor plans that mitigate risks. "It is really considered a best practice among institutions to identify the top risks, share them with boards, find owners, and do regular reporting on how they are being addressed," Abraham says.
Hartman believes that the success of ERM at Sewanee can be tied to the adoption of its role-centric strategy, which requires risk owners to develop and monitor control strategies. "Risk management works best if you can integrate the change you want to see happen into specific roles," he says.
- Inventory risks and strategies. "We keep track of the raw number of control strategies," he continues. "We identify a risk, its likely impact, and control strategies, which can be a collection of actions to prevent this risk from happening. In the same way that we have an inventory of risks, we have an inventory of control strategies. We’ve been able to pretty much triple our control strategies from last year, particularly for our top risks."
For example, when cybersecurity was identified as a risk, staff with primary responsibility for that area knew that they would have to report to the board on their progress in six months or a year. "They know they are on the hook," he says. "That level of accountability demands focus and is one of the most significant underpinnings of our progress."
- Recognize the implications for change. Hartman compares the ERM process to change management. "You are trying to get people to identify vulnerability or an opportunity—either one—and make progress on it. That requires change. What can you stop doing so that you can spend more time on this area that matters more? That change process works best when given high-level support and expectations to deliver. Reporting to the board, in the presence of the entire cabinet, is one of those built-in expectations of the process."
An added benefit, he says, is that in the process "we have built the board’s confidence in our management skills by training them on relevant and complex issues."
What Happens If You Don’t?
If asked how much it costs to develop and implement an enterprise risk management plan, Abraham has a ready answer: "The better question is ‘What happens if you don’t?’" she says. "A functioning, efficient ERM process should be part of the regular operations of the institution. It should be incorporated into the regular planning process and regular board reporting, and shouldn’t have a particular line item attached to it. Some institutions have someone responsible for enterprise risk management, but I haven’t found that necessary."
At the University of the South in Sewanee, the cost of implementation is the full-time salary paid to Hartman, as well as an annual budget of $60,000, which is used to fund top priorities, primarily to jump-start them for the first year or two. "After that, we ask division managers to identify a multiyear plan to continue funding," he explains.
George Mason University incurred no startup costs because ERM responsibility was merged into existing staff portfolios. "Mitigation strategies are usually incorporated into department-level planning and budgets," Zobel reports. "If departments raise a risk through the ERM program, they must think it is significant. Thus far, risk owners have contributed resources already under their control, to at least partially address these risks."
MARGO VANOVER PORTER, Locust Grove, Va., covers higher education business issues for Business Officer.