As I look back on 30 years of service in education, the trends in risk management for this area are clearer than ever to me.
With the exception of the best-funded private K-12 schools, colleges, and universities, educational institutions are increasingly cash-strapped. Schools of different sizes, types, and geographies are feeling the strain on their business model as students and families ask tough questions about tuition and the need for traditional degrees. The disruption of the COVID-19 pandemic has forced us all to do things differently. And inflation drives up costs even more.
At the same time, the risk portfolio that institutions have to contend with is broader and more complex.
Decades ago, campus risk management was primarily responsible for obtaining insurance and perhaps campus security. But today’s top risks reported by members of United Educators (UE) in our Top Risks survey — declining enrollments, data security, pandemics, deferred child support, student (often underage) sexual misconduct, student mental health — include Not limited to a single person or department, they can affect the entire campus and require mitigation from the frontline to the boardroom.
Amidst these challenges, education leaders must ensure that the limited dollars they spend on insurance and risk management are focused on activities with the greatest impact.
Every institution has unique challenges and its own risk management maturity level. As with differentiated learning, leaders must find their own way to build a risk management program based on the institution’s mission, goals, and available resources. This endeavor begins with limiting risk to a level that is meaningful to the institution’s success.
Risk management is not just a security issue. It needs to be looked at with a broad, enterprise-wide approach. It must be intertwined with strategy and mission. It requires continuous investment over time. It is not the responsibility of a single person, but the product of an organizational mindset.
Institutions are well served when they build and build capacity to continually scan the landscape, identify priority areas of risk most likely to pull the institution off course, and develop mitigation plans that provide a broad, holistic response. Whether you are new to the concept of Enterprise Risk Management (ERM) or have already initiated an ERM process on campus, at UE we recommend three key steps to ensure program success over time.
1) Get the buy-in of the lead. ERM is particularly useful for risks that are cross-institutional, have no formal ownership, and require cross-functional coordination for effective management. As a result, an ERM program can quickly be marginalized if not prioritized at the highest echelons of an institution. The tone at the top is critical.
Long-term success depends on visible leadership support, which means that the board, president, and/or principal make clear to the community the importance of ERM and appoint a champion with significant authority to drive the program forward and provide accountability throughout request institution.
In comparison, traditional risk management tends to focus on a narrower set of risks that are managed within a function or written into the job responsibility of a single administrator or team, such as some compliance or threat risks.
2) action. ERM is less about precision and absolutes and more about relativism and action. As the saying goes, don’t let the perfect be the enemy of the good. Doing something “quickly and about right” is almost always better than doing nothing.
Many institutions overwhelm themselves organizing or identifying and assessing risks, spending 80% of their time and effort on this and 20% on treatment and implementation. At your institution, we recommend the opposite: Spend 20% of your time planning and 80% doing.
ERM is not a project with an end date; the process grows and matures over time. You don’t have to immediately dig out every brick in your facility or get bogged down in formulating a specific risk. Treat one or more risks at once and gradually expand your program. Get small wins early and learn as you go.
3) Aim for broader engagement. Institutions are rich in talent and expertise. Seeking broad input leads to better decisions about the most critical risks and the solutions put in place to address them. Key components of this process are the following:
- Define program scope on a regular basis—annual works best for most institutions—and adjust to available resources. A manageable effort increases the likelihood that steps in the ERM process—identifying risk, planning mitigation actions, assigning risk owners, and even the ultimate goals of the program—are more achievable.
- Identify and engage a key champion who can bring energy to the process. The champion could be part of a functional or operational team that inherently manages risk and could gain new visibility with your program; a key administrator who anticipates a major risk and wants help; or someone with a dynamic, popular personality who can inspire others to get involved.
- Deliver meaningful results by assembling a cross-functional team to share the work that ERM requires. The team will also bring a broader range of perspectives to the development of risk mitigation plans and solutions.
While we focus on educational institutions, these ideas also apply to other organizations looking to evolve their risk management program.
ERM can seem daunting, but with the increasing challenges of the day, it is necessary. Embracing these keys to success can help you launch or mature your endeavors, even in the face of today’s daunting challenges. &