Asking the right questions is an important part of fulfilling a board’s fiduciary responsibilities, and boards need to get in the habit of asking those questions about risk. Whether it’s establishing a relationship with a university in another country for study abroad, allowing co-ed dorm rooms, purchasing land, closing a program, or launching a new one, boards should ask whether the upsides as well as the downsides have been considered. What if we approve this action? What if we don’t?
Some colleges and universities, like Duke University, have put in place comprehensive processes to help their board and top administrators stay abreast of the institution’s exposure and anticipate areas of vulnerability. (See page 14.) Such processes can safeguard an institution and help a board weigh options strategically.
But AGB recently conducted several surveys that probed board practices regarding risk and found that the majority of governing boards and their institutions don’t engage in comprehensive risk assessment. The 2011 AGB Survey of Higher Education Governance, with support from TIAACREF Institute, found that only about one-third of all colleges and universities (33 percent of publics and 34 percent of independents) had a formal process for comprehensive risk assessment. Boards that governed institutions with larger budgets (greater than $51 million) were more likely to engage in comprehensive risk assessment, but even among those, less than half did so. (See Table 1.)
The 2011 survey also looked at board engagement in typical areas of board responsibility—such as financial oversight, board-president relations, strategic planning, and risk assessment—to see whether boards tended to be appropriately engaged, overly engaged, or under-engaged. Among public and independent institutions, risk assessment was the only responsibility ranked among the top three areas for both sectors for under-engagement of their boards. As many as 55 percent of independent boards were underengaged in risk assessment, second only to fundraising (71 percent), and 56 percent of public boards were under-engaged in risk assessment, ranking just behind student learning outcomes (61 percent) and information technology (60 percent). (See Table 2.)
In “The State of Enterprise Risk Management at Colleges and Universities Today,” AGB and United Educators (2009) developed a worksheet for oversight of systemic risk assessment and recommended that presidents and boards collaborate in developing a system for evaluating risk. The report also offered these recommendations:
- Define risk broadly. Traditionally, institutions focused on financial risks covered by insurance. Current thinking defines “risk” as any impediment to accomplishing institutional goals. In a 2000 report, the National Association of College and Business Officers (NACUBO) discussed the “new language of risk” and identified five types of risk: strategic, financial, operational, compliance, and reputational.
- Recognize both the opportunities and downsides of risk. Many institutions focus only on the downsides of risk. In addition, they should weigh risks against potential rewards. All successful organizations take risks, and the most-promising opportunities often involve heightened risk.
- Develop a culture of evaluating and identifying risk at multiple levels. Presidents and board members rarely see the first warnings of risk. Institutions need to identify and assess risks regularly at multiple levels so that the most-critical ones filter up to top decision makers.
- Look at the total cost of risk. Risk is not just about dollars and cents. Institutions must consider all the consequences of risk. For example, in a lawsuit over denial of tenure, there are not only litigation costs, but also non-monetary costs such as lost productivity, distraction from mission, and negative publicity.
- Boards and presidents should collaborate. They need to engage in candid discussions at the strategic level. By working together, presidents and boards can fulfill their shared responsibility for ensuring the success of the mission and stability of the institution.
Few boards have a standing committee on institutional risk, according to AGB’s 2011 survey; most boards assign this responsibility to the audit or finance committees. In keeping with the best practice of defining risk broadly, boards should look beyond financial and compliance risks and ask each committee to take stock of risk and contribute to a comprehensive program of institutional risk assessment.
The board should start a conversation with the chief executive about developing a comprehensive risk assessment plan. The worksheet in “The State of Enterprise Risk Management at Colleges and Universities Today” lists 116 items in 10 risk areas (operational, academic, external relations, human resources, information technology, research, student affairs, financial, compliance, and board governance) and provides a solid starting point for constructing your own. To make risk assessment a regular part of the board’s work, follow these action steps recommended in the report:
- Develop a disciplined process to consider risk in strategic discussion.
- Designate an owner of the risk-identification process.
- Require all top administrators to prioritize risk.
- Sift through the prioritized risks to decide which ones warrant attention at the highest level.
- Require annual written reports on each highpriority risk being monitored.
- Reassess priority risks at the board level at least once a year.
- Look for blind spots.
- Move risk identification deeper into the institution each year.
- Keep repeating the process.