Enterprise Risk Management for Higher Education Boards: Best Practices

by Angelique Ofrasio, last updated on February 17, 2020

Enterprises cannot get away from risk: part of what they do carries risk, with potentially good or bad consequences. This is just as true for charities and educational establishments as it is for private businesses. It is vital to have an enterprise risk management policy and a set of procedures.

The good news is that higher education establishments are adapting to these challenges. The bad news is that too many are not adapting fast enough to standards on issues like:

  • Technological infrastructure and industry standards
  • Cybersecurity, privacy matters, and data protection
  • State, national, and international data regulation standards
  • The global economic and social climate

Such risk management has traditionally been reactive rather than proactive. Thankfully, that is changing; higher education establishments are increasing budget and resources for enterprise risk management.

This is how your educational establishment can adapt.

 

Anticipate Risk with Proactive Planning

Best practices for any enterprise risk management policy should include identifying the types of risk the enterprise might face. This should apply equally to the risk of students slipping on ice and being injured as it does to the risks of data protection or major natural disasters.

It’s important to assign each risk to the right person or team. Regularly monitoring key risk indicators is vital for effective enterprise risk management and allows the assigned person or department to foresee any issues.

For each risk, create a list of questions centred on anticipating problems and knowing what to do when they arise. Examples include “What are the most impactful threats and the most likely threats?”, “What are the warning signs associated with each risk?” and “What is the most likely outcome?”

 

Risk Classification

Not every risk, or consequence of a negative event, is equal. Risk exists in every part of your operations and needs both classification and grouping. Enterprise risk management should always look at risk types. For an educational establishment, you can expect risks to fall into any of the following categories:

  • Financial risks which introduce unanticipated costs or lead to revenue loss
  • Health and safety risks which threaten the safety, or quality of life, of students and employees. This may also include environmental issues
  • Legal risks which could lead to civil suits or criminal prosecution
  • Operational risks which affect efficiency, productivity, and profitability
  • Reputational risks which include public perception of your organisation
  • Strategic risks which are the big decisions that affect the direction of an organisation or plan
  • Technological risks, which are plentiful and include data security, malware, and OS and network issues (system integrity unrelated to malicious activity)

 

Consider Gains and Loss in a Risk Analysis

Much of the conversation surrounding enterprise risk management concerns only the potential negative outcomes: loss of money, data theft, and threats to health and safety. Potential losses from bad practice or investment can be catastrophic. However, risk also presents potential positives, and these should be considered in any risk analysis or ongoing monitoring. A financial risk often has as much chance of ending in a successful investment as in a financial loss. A new IT infrastructure system has as much chance of reducing productivity as of increasing it.

 

Use Governance Risk and Compliance Software

Also known as GRC, this is a strategy for managing three areas of operation: governance, risk, and compliance. Organisations require a framework for handling these major operational areas regardless of their size. There are software packages from well-known providers to help enterprises tackle them, enabling easier management, time and cost savings, and even automation of some processes that would take too long to execute manually. Almost any organisation can implement a GRC system, but the larger your organisation, the more likely it is to need one.

Higher education is one of those areas that has traditionally been slow to take up a GRC framework. Yet new efficiency drives, along with an understanding of the breadth and number of risks, mean this is becoming a vital aspect of operations.

 

Make ERM Institutional

Enterprise risk management impacts every area of higher education. Aim to raise awareness, at all levels, of the risk attached to every action in the enterprise and of its positive and negative consequences. Prioritising tasks, and understanding legal and corporate responsibility to students, faculty, employees, and visitors, can help mitigate the potential negative consequences of most risk factors. Ideally, invest in training so that staff understand the risks associated with their job and department, as well as general risks over which they might have limited control. Training programmes should be made available to help them understand this, with refresher courses where necessary.

ERM, however, should not stop there. Make it an ongoing process with regular checks, updates and reviews, to see how the existing system might be improved. No system is perfect; there will be problems even with a robust framework. Learn the lessons from the successes as well as the failures.
