Op-ed: The Case for Enterprise Risk Management in Higher Education

Newswise — Poor risk management practices eventually come back to haunt those organizations that fail to take a broad and proactive view at managing risk.  Colleges and universities are not immune to major risk events. The financial meltdown of the 2008 Great Financial Crisis stands in testimony to the fate of many banking institutions that failed to embrace enterprise risk management (ERM) principles.  Even today, the collapse of Silicon Valley Bank is a reminder that ERM is critical to franchise viability.  The complexity of institutions of higher education and the diversity of risks they face requires academic administrations to not just develop ERM functions and frameworks but build an institutional culture with the right risk “DNA” to recognize the importance of this function.

My own story is a case in point.  I came to academia after a 25-year career in risk management in the financial services industry starting as a regulator during the Savings and Loan crisis of the 1980s and ending it during the 2008 crisis as the Chief Risk Officer for Citigroup’s Consumer Lending Division as well as other C-level stints at major financial services companies.  Some of those marquee name companies I worked for are no longer in business, largely because they relegated risk management to a secondary role in their organizations. 

Following the crisis, bank regulators recognized the importance of effective risk governance and ERM practices and now require the largest banks in the country to adhere to heightened expectations for risk management.  The banking sector is much further along in the maturity of their ERM programs than other private and public non-financial organizations as a result, though other organizations have ramped up their ERM capabilities in recent years.  This includes the federal government where large agencies are required to have ERM functions.  But what exactly is ERM and why does it apply to colleges and universities?

ERM is a set of principles that lays out a foundation for how organizations should identify, measure, assess and manage their risks.  It provides governance and oversight over the process touching the entire enterprise.  Risk management should be an integral part of the strategic planning process and incorporate several critical components.  These include establishing a risk appetite for the organization that articulates in qualitative and quantitative terms the tolerance for each potential risk the institution faces.  The ERM framework also includes a risk taxonomy that clearly describes each major risk type and its various subcomponents.  Depending on the firm this can include financial risks such as cash flow, credit, market and liquidity risks, non-financial risks such as operational, reputation, legal, regulatory and compliance, and nontraditional risks such as geopolitical, climate, AI, and cyber.

With these tools in hand, an organization’s risks can be assessed individually using various approaches that evaluate the likelihood of a risk event and its severity.  Some risks such as financial risk can be analytically measured while others such as operational risk typically rely on qualitative assessments of those specific risks. Scores for likelihood and severity can be developed based on specific risk outcomes and combined to demarcate risk levels.  Those risk levels can then be used to set risk appetite for the institution.

Armed with such information, organizations can determine expected and unexpected losses in developing a risk profile.  The risk profile requires organizations to determine their inherent and residual risk from each risk type.  For example, a university might find that they face operational risk from 100-year-old water supply infrastructure leading to frequent waterline breaks and damage to campus facilities.  That uncontrolled exposure is the university’s inherent risk.  Once that inherent risk is determined, a risk response is required.  The university could decide to accept that risk, avoid it altogether, reduce or share the risk.  If the university in this example decided to focus on a project to replace the water mains posing the largest risk of damage, estimates of the post-control (water main replacement) risk would be required.  This is referred to as residual risk and should be assessed against the risk appetite. Other critical components of the ERM framework include ongoing monitoring and review of risks including the development of key risk indicators (KRIs) used to determine the effectiveness of the risk management process and outcomes.  KRIs enable organizations to proactively address emerging risks before they exceed the organization's risk appetite.

Many organizations not familiar with ERM practices can easily dismiss them as administrative or audit-like in nature and over time that mindset will result in poor risk management.  Today, regulators require ERM organizations to have prominent roles in the company’s structure led by a Chief Risk Officer (CRO) that is part of the executive management team alongside other C-level executives such as the Chief Financial Officer.  The reason for this is simple, failure to manage risks effectively can be fatal to an organization’s strategy, reputation and ultimately its ability to operate.

With this backdrop then why do colleges and universities need ERM?  Such institutions face many of the same risks as banks and federal agencies.  A wide range of financial, nonfinancial and nontraditional risks exist at campuses with many institutions unable to proactively identify, assess and manage their risks until they manifest.  Injuries and deaths on campuses for various reasons, geopolitical unrest affecting campus activities, spiraling tuition and costs, and cyber threats are among the myriad risks challenging colleges and university administrations across the country.

Like other sectors, there have been a number of early adopters of ERM principles at colleges and universities.  Stanford, for example, created an Office of the Chief Risk Officer, a senior administrative entity where the CRO is a member of the university cabinet and advises the audit, compliance and risk committees of Stanford’s Board of Trustees.  While there is no best way of structuring and ERM function, Stanford’s approach is a good model, that includes separate functions for ERM, Internal Audit, Risk & Insurance, Ethics and Compliance, Privacy and Information Security. 

Good risk governance is paramount in achieving an effective ERM program.  Having a board of trustees that is supportive and aware of the importance of risk management along with the President and other senior leaders greatly facilitates a risk-oriented culture throughout the campus.  While everything we do as individuals or organizations entails some level of risk, having a well-articulated process for understanding, assessing and managing risks in a cohesive and standardized manner places those institutions that adopt ERM in the best position to prudently and proactively manage what seemingly is becoming an increasingly risky environment for higher education.

Clifford Rossi (PhD) is Director of the Smith Enterprise Risk Consortium at the University of Maryland and a Professor-of-the-Practice and Executive-in-Residence at UMD’s Robert H. Smith School of Business. Before joining academia, he spent 25-plus years in the financial sector, as both a C-level risk executive at several top financial institutions and a federal banking regulator. He is the former managing director and CRO of Citigroup’s Consumer Lending Group. Dr. Rossi may be reached at [email protected].