The Case for Enterprise Risk Management in Higher Education

Companies have managed risk for years. Traditionally, each business unit evaluates and handles their own risk, then reports to the CEO. Now, conventionally, the practice is holistically evolving to “enterprise risk management” or “ERM.” The latter, says Smith’s Clifford Rossi, is a set of principles that lays out a foundation for how organizations should identify, measure, assess and manage their risks. It provides governance and oversight over the process touching the entire enterprise.

“The financial meltdown of the 2008 Great Financial Crisis stands in testimony to the fate of many banking institutions that failed to embrace enterprise risk management (ERM) principles,” he says, “Even today, the collapse of Silicon Valley Bank is a reminder that ERM is critical to franchise viability.”

Do colleges and universities need ERM?

“Yes, such institutions face many of the same risks as banks and federal agencies,” says Rossi, professor of the practice and executive-in-residence for the University of Maryland’s Robert H. Smith School of Business and director of the Smith Enterprise Risk Consortium.

“The complexity of institutions of higher education and the diversity of risks they face requires academic administrations to not just develop ERM functions and frameworks but build an institutional culture with the right risk ‘DNA’ to recognize the importance of this function,” Rossi writes in a recent piece at Newswise.

He further explains:

A wide range of financial, nonfinancial and nontraditional risks exist at campuses with many institutions unable to proactively identify, assess and manage their risks until they manifest. Injuries and deaths on campuses for various reasons, geopolitical unrest affecting campus activities, spiraling tuition and costs, and cyber threats are among the myriad risks challenging colleges and university administrations across the country.

Like other sectors, there have been a number of early adopters of ERM principles at colleges and universities. Stanford, for example, created an Office of the Chief Risk Officer, a senior administrative entity where the CRO is a member of the university cabinet and advises the audit, compliance and risk committees of Stanford’s Board of Trustees. While there is no best way of structuring an ERM function, Stanford’s approach is a good model that includes separate functions for ERM, Internal Audit, Risk and Insurance, Ethics and Compliance, Privacy and Information Security.

Good risk governance is paramount in achieving an effective ERM program. Having a board of trustees that is supportive and aware of the importance of risk management along with the President and other senior leaders greatly facilitates a risk-oriented culture throughout the campus. While everything we do as individuals or organizations entails some level of risk, having a well-articulated process for understanding, assessing and managing risks in a cohesive and standardized manner places those institutions that adopt ERM in the best position to prudently and proactively manage what seemingly is becoming an increasingly risky environment for higher education.

Read Rossi’s entire commentary: Op-ed: The Case for Enterprise Risk Management in Higher Education.