Risk Management: A Governance Brief

By AGB April 1, 2011 January 12th, 2021 Blog Post
Blog Post

  • Board members must ensure that the institution treats risk as inevitable. The key is to anticipate and respond rationally to the most serious exposures that could compromise the ability of the enterprise to function.
  • Keep in mind that financial risks are not the only type of risks to institutions.
  • Don’t overlook the link between risk and opportunity.
  • Governing boards should monitor institutional risk management through regular, formal reports by the administrator assigned responsibility.

According to a 2008 survey by AGB and United Educators, higher education is lagging behind private industry in incorporating consideration of risk into planning, management, and board oversight. Sixty percent of respondents said their institutions do not use comprehensive, strategic risk assessment to identify major risks to mission success. Only five percent of respondents said their institutions have exemplary practices for management of major risks to mission success.

While such challenges as the global financial crisis, the Virginia Tech shootings, and Hurricane Katrina could not have been foreseen, preparing for such risks—as well as more common but no less important risks—should be an integral part of the work of institutional leaders and governing boards.

DEFINING RISK MANAGEMENT

There are four types of risk that an institution might face:

  • Traditional operational risk, which could include a weather catastrophe or a fire that shuts down a building or the whole campus. Other less obvious examples include a strike or an accident at a nearby chemical or power plant.
  • Legal and regulatory risk, which includes, among other things, litigation by employees or students claiming discrimination or charges of failure to comply with safety requirements.
  • Financial risk, which includes, for example, a sudden drop in tuition revenue or enrollment, a decline in government appropriations in support of financial aid or faculty research, or a fundraising campaign that fails to meet expectations.
  • Political and reputational risk, which could include such things as loss of accreditation, the imposition of NCAA sanctions, or an adverse public response to a high-profile campus event.

Boards also need to weigh risks against potential rewards. Taking risks that are carefully considered can lead to success, as the most promising opportunities often involve heightened risk.

BOARD RESPONSIBILITY

The board’s responsibility for risk management has four components:

  • Establishing it as an institutional priority
  • Considering the institution’s tolerance for risk
  • Calling on senior administrators to establish a process for identifying, prioritizing and monitoring risk, with formal assignment of responsibility for risk assessment and management to an appropriate individual or office
  • Monitoring the plan’s implementation through regular, formal reporting to the board or an appropriate board committee by the appropriate senior administrator.

ORGANIZATIONAL STRUCTURE AND REPORTING

However an institution chooses to organize itself around risk assessment and management, the board can best monitor risk through its committees, locating the function in a single committee such as audit or finance, or charging all committees to monitor risks related to their areas of oversight. Additionally, all board members should receive an annual written risk management report from the administration, with a focus on the four or five risks of greatest significance.

KEY QUESTIONS

  • Has the board discussed its responsibility for risk management?
  • How frequently does the institution review major areas of risk exposure?
  • Does the board or an appropriate board committee regularly receive risk management reports?
  • As part of strategic planning, does the board consider major risks to the successful operation of the institution, as well as opportunities, and appropriate strategic responses?

LEARN MORE

One of AGB Consulting’s area of service is enterprise risk management.