It’s an especially challenging time to serve on a board of trustees in higher education.
Issues include declining enrollment, diminishing trust in institutions, challenges to the traditional business model, a polarized political climate, charges of misconduct, policies on academic freedom, controversy over diversity, equity, and inclusion (DEI), and the value of a college education—all under the glaring spotlight of the news media.
When a serious risk event occurs, key stakeholders, including students, parents, alumni, the community, and regulators, inevitably ask: Where were the trustees? Were they aware of these risks? Did they exercise proper oversight?
Trustees, therefore, need to better understand their role in risk governance at colleges and universities, including specific risk-management tasks as a trustee and how enterprise risk management (ERM) can support governance.
Trustees will need to carefully guide colleges and universities through a decision-making process addressing five broad emerging trends.1
These trends herald a new era for colleges and universities, signaling a need for transformation rather than marginal change at the edges. As a result of these trends, colleges and universities are subject to more stakeholder demands, with stakeholders expressing their views on strategic and operational decisions with more assertiveness and higher expectations. Rising compliance costs and complex regulations are fueling a need for greater investment in systems that enable controls, reporting, and compliance.
Colleges and universities are also experiencing the call for digitalization that has revolutionized other industries. There is also a need for greater analytical capabilities while being mindful of data and information security risks. Perhaps the most significant challenge is the push for hypertransparency. Stakeholders now expect colleges and universities to communicate with clarity and candor, and to closely monitor risks that could impact an institution’s brand and reputation.
The board of trustees is responsible for risk oversight, while the president and those who report to them are responsible for risk management. A robust risk-management program includes embedding risk awareness into the institution’s culture, including the following key functions:
When operating effectively, these functions identify, assess, and prioritize risk information and provide it in an easily digestible format within the context of the other roles trustees serve. Trustees should see that there is an ERM program established and that it is operating effectively; they should also have a solid understanding of the institution’s risks and how they are being managed. In addition, formal escalation criteria and a defined process are necessary to ensure risk information is raised at the right time. The ERM program typically will be responsible for managing operational risks, while the board oversees strategic and reputational risks, ensuring they do not interfere with the ERM program’s role in risk management.
Through the development of ERM programs, institutions can identify, assess, prioritize, and respond to the wide variety and criticality of risk. While each college and university has a unique risk profile, there are common risks that most institutions face and trustees should be familiar with, including:
In addition, emerging risks include:
Trustees often become victims of asymmetric information and may not be able to provide the level of oversight required to effectively navigate colleges and universities through the challenges they face. To combat this dynamic, effective boards employ an inform-and-decide meeting structure to help facilitate action-oriented meetings. Trustees review key information during the initial portion of the meeting and focus on decision-making for the remaining portion. Here’s an example of this structure:
Colleges and universities can apply this model to the entire board of trustees, as well as at the board committee level charged with risk oversight, such as a governance committee or a risk committee.
When briefing trustees on risk information, several key practices aid communication:
Colleges and universities must understand that the role of trustees is to provide governance and, more specifically, the structure by which risks are directed and managed across the institution. It’s also important that they outline how risk governance fits within their institution to provide oversight of the enterprise risk portfolio, make decisions, and hold risk owners accountable. Risk can be the missing link within governance, so providing a clear framework is vital for sound risk governance.
A governance framework is a fundamental tool for enabling sound governance. Each element of the overall governance framework impacts virtually all functions, operations, and processes across the institution.
We’ve devised a framework that provides an end-to-end view of organizational governance and helps to identify improvement opportunities. The framework places risk at the center because all functions, operations, and processes are subject to risk. Rather than replacing existing models, the framework aims to connect them to present an integrated picture of the institution’s governance system. It can also help define roles and responsibilities within those models.
Within each element of the framework, there are specific requirements for management and the board. That is, each component encompasses various needs as well as processes for meeting those needs. This framework illustrates that risk is the underpinning and connection point to each element of the framework and ultimately helps create broader risk awareness throughout the institution.
This framework can also complement existing risk frameworks from organizations such as the Committee of Sponsoring Organizations of the Treadway Commission (COSO)5 and the US National Institute of Standards and Technology (NIST).6 Trustees should be aware of those frameworks and how they may apply to their institutions.
Trustees may serve several roles on boards, but having a solid command over the following tasks is critical to enhancing risk governance:
These areas cover a lot of ground. So, trustees should prioritize which key tasks are essential to preserving and enhancing value. The board should avoid getting bogged down in details and establish governance mechanisms that ensure accurate reporting, clear lines of communication, and trusted relationships with management and independent sources of assurance. The sooner a board gets these mechanisms in place, the sooner it can enhance risk governance.
Risk management involves addressing functional level risks, such as financial, cyber, and health and safety. ERM applies at the enterprise level, specifically looking at risks across the organization that could hinder the institution’s ability to achieve its goals and fulfill its mission. Deloitte defines ERM as the discipline of engaging all the organization’s risks—and opportunities—and integrating risk management at the enterprise level to support strategic decision-making and mission fulfillment.
By delivering a panoramic view of risk, ERM enables colleges and universities to manage enterprise risk and also enables the board to govern them. ERM also facilitates risk-based strategic, financial, and operational decision-making. Effective ERM programs ensure that all risks (and opportunities) associated with a decision, investment, or initiative are considered, and resources (including risk management resources) are allocated according to the likelihood and impact of a risk event. The following figure illustrates the ERM life cycle and how high-quality risk information is identified, assessed, prioritized, responded to, and monitored to facilitate the ERM process.
Since the early 2000s, ERM has become widely adopted across organizations. Commercial entities, such as those within financial services, have embraced ERM, and US federal agencies have been implementing ERM programs since they were mandated by the Office of Management and Budget (OMB) in 2016.7 Colleges and universities have more recently joined them, often as late adopters. For example, a survey of 348 colleges and universities8 found that 55% of respondents said they had an ERM program in place, leaving 45% without an established program.
In addition, among those that did have an ERM program:
These responses indicate that many colleges and universities are either operating without a formal ERM program or with potentially under-resourced programs. Such shortcomings may deprive an institution’s leadership team of adequate risk information and the ability to provide trustees with risk information on the institution.
Late adoption is one reason that trustees from outside higher education may find colleges and universities’ risk management relatively immature. Trustees can and should—within their risk governance remit—play a leadership and advisory role in promulgating ERM within their institutions.
Considering the recent trends and evolving risk landscape colleges and universities currently face, now is the time for trustees to evaluate their institution’s risk management practices and the quality of risk information they are receiving. To jumpstart this initiative, formally discuss the following risk-related elements—and the extent to which the institution has them in place—with fellow trustees:
The discussion and the development of these elements should ultimately be a collaborative endeavor between management and the board, potentially conducted by a special-purpose committee and facilitated by an experienced external advisor.
Sample questions for the board to ask itself about risk governance:9
The challenges presented by recent trends and the heightened risk environment affecting colleges and universities show no signs of abating. If anything, they likely can be expected to intensify amid rapid social, political, technological, and economic change. As a result, risk governance has risen to the top of the board agenda at many colleges and universities. Yet the prospect of improving risk governance can be daunting.
Risk governance supported by a sound risk program and processes calls for high levels of collaboration within the board, with the president and their leadership team, and across the institution. Marshaling the people, processes, and technology that enable risk oversight, risk reporting systems, and any needed culture change requires time and effort.
To curb and swiftly address the potential risks, trustees should begin enhancing their institutions’ risk governance capabilities now.