Risk governance in higher education: What boards of trustees need to know

College and university boards of trustees must understand their role in risk oversight to address the unique challenges higher education institutions face.

Cynthia Vitters

United States

Jake Braunsdorf

United States

It’s an especially challenging time to serve on a board of trustees in higher education.

Issues range from declining enrollment, diminishing trust in institutions, challenges to the traditional business model, a polarized political climate, charges of misconduct, policies on academic freedom, controversy over diversity, equity, and inclusion (DEI), and the value of a college education—all under the glaring spotlight of the news media.

When a serious risk event occurs, key stakeholders, including students, parents, alumni, the community, and regulators, inevitably ask: Where were the trustees? Were they aware of these risks? Did they exercise proper oversight?

Trustees, therefore, need to better understand their role in risk governance at colleges and universities, including specific risk-management tasks as a trustee and how enterprise risk management (ERM) can support governance.

Five key challenges facing higher education boards of trustees

Trustees will need to carefully guide colleges and universities through a decision-making process addressing five broad emerging trends.1

  1. Peak college enrollment: Enrollment of traditional college students has been falling for more than a decade, and this trend is projected to continue as the number of high school graduates decreases over the next decade.
  2. Questions around the value of degrees: While the four year college degree generally provides a wage premium and career mobility, that is not true for all degrees. Therefore, certain programs need to demonstrate value or further evolve.
  3. Challenges to the business model: Colleges and universities can no longer rely solely on traditional students. They need to look beyond tuition, fees, and discounting and, through innovative marketing and more cost-effective delivery models, bring in new segments of learners, such as adult learners who have accumulated some postsecondary credits but fell short of completion or those looking to retool in the workforce.
  4. New demands from employees: In the post-COVID-19 pandemic environment, campus employees want improved work/life balance, more advancement opportunities, and options for hybrid and remote work.
  5. Diminishing trust in institutions: Public trust in institutions has plummeted,2 and colleges and universities are no exception. The percentage of survey respondents who say that colleges have a positive effect on the way things are going in the United States decreased from 65% in 2020 to 58% in 2021 to 55% in 2022.3

These trends herald a new era for colleges and universities, signaling a need for transformation rather than marginal change at the edges. As a result of these trends, colleges and universities are subject to more stakeholder demands, with stakeholders expressing their views on strategic and operational decisions with more assertiveness and higher expectations. Rising compliance costs and complex regulations are fueling a need for greater investment in systems that enable controls, reporting, and compliance.

Colleges and universities are also experiencing the call for digitalization that has revolutionized other industries. There is also a need for greater analytical capabilities while being mindful of data and information security risks. Perhaps the most significant challenge is the push for hypertransparency. Stakeholders now expect colleges and universities to communicate with clarity and candor, and to closely monitor risks that could impact an institution’s brand and reputation.

Importance of integrating risk awareness into institutional culture

The board of trustees is responsible for risk oversight, while the president and those who report to them are responsible for risk management. A robust risk-management program includes embedding risk awareness into the institution’s culture, including the following key functions:

  • Enterprise Risk Management (ERM) helps address the full spectrum of institutional risks by identifying, assessing, prioritizing, responding to, and monitoring risks. ERM should be the central conduit for providing high-quality risk information to trustees.
  • Compliance serves as the central hub to manage internal and external compliance and promotes ethical adherence to standards, policies, and regulatory requirements.
  • Internal audit monitors and makes recommendations regarding operational, financial, and risk-management controls and communicates these recommendations to leadership.
  • General counsel manages legal obligations to internal and external entities, assesses the implications of stakeholder actions, and assists in navigating statutes and legal precedents.

When operating effectively, these functions identify, assess, and prioritize risk information and provide it in an easily digestible format within the context of the other roles trustees serve. Trustees should see that there is an ERM program established and that it is operating effectively; they should also have a solid understanding of the institution’s risks and how they are being managed. In addition, formal escalation criteria and a defined process are necessary to ensure risk information is raised at the right time. The ERM program typically will be responsible for managing operational risks, while the board oversees strategic and reputational risks, ensuring they do not interfere with the ERM program’s role in risk management.

Common and emerging risks faced by colleges and universities

Through the development of ERM programs, institutions can identify, assess, prioritize, and respond to the wide variety and criticality of risk. While each college and university has a unique risk profile, there are common risks that most institutions face and trustees should be familiar with, including: 

  • Financial risk: The declining enrollment of traditional students, tuition dependency, and rising operating costs present direct financial risks to colleges and universities.
  • Operational risk: Financial pressures and stakeholder needs require efficient supply chains, facilities, assets, and business continuity management to mitigate operational risk.
  • Cybersecurity risk: Digitalization and widespread use of laptops, smartphones, and online media have increased exposure to hackers and cybercriminals intent on appropriating, corrupting, or exposing data, information, and intellectual property.
  • Environmental, social, and governance (ESG) risk: Decisions related to ESG and the potential risks stemming from implementing an ESG agenda.
  • Health and safety risk: College and universities have a duty of care for students and should prioritize their physical safety and mental health and do the same for employees.
  • Talent risk: The war for talent translates to higher competition and pressure to retain high-quality faculty, administrators, and staff. Failure to provide competitive compensation, growth opportunities, and work/life balance can put the institution at risk.
  • Legal, regulatory, and compliance risk: The greater the legal, regulatory, and compliance demands an institution faces, the greater the risk in those areas.
  • Third-party risk: A breach, failure, or disruption at a third-party supplier or partner could present financial, operational, cybersecurity, or other threats to the institution.
  • Reputational risk: Virtually any type of risk event can generate reputational risk if it were to become public, which is likely in today’s media environment. Also, student retention rates and graduates’ employment opportunities now strongly affect an institution’s reputation.

In addition, emerging risks include:

  • Generative AI and its potential impact on teaching and academic integrity, student performance, and administrative operations.
  • Affirmative action policies, particularly given the recent US Supreme Court decision, significantly limiting affirmative-action admissions programs, and the potential fallout from similar legal actions.4
  • New outcomes and accountability standards and the different measures of outcomes driving accountability for institutional performance and effectiveness.
Show more

Trustees often become victims of asymmetric information and may not be able to provide the level of oversight required to effectively navigate colleges and universities through the challenges they face. To combat this dynamic, effective boards employ an inform-and-decide meeting structure to help facilitate action-oriented meetings. Trustees review key information during the initial portion of the meeting and focus on decision-making for the remaining portion. Here’s an example of this structure:

  • Inform: Trustees are informed or briefed on current risk exposures and ongoing activities to mitigate those risks and often provide insight into strategic and reputational risks, particularly in areas where they possess expertise (cybersecurity, construction/real estate, financial services, etc.).
  • Decide: Trustees are asked to decide on topics related to the approval of risk appetite based on recommendations from the ERM program (and coordinate with the ERM program on tolerance thresholds), make decisions on major strategic or reputational risks, and approve key policies and investment decisions.

Colleges and universities can apply this model to the entire board of trustees, as well as at the board committee level charged with risk oversight, such as a governance committee or a risk committee.

When briefing risk information to trustees, there are several key practices that help in the communication with trustees:

  • Create targeted agendas that utilize the inform-and-decide meeting structure to delineate briefings from action-oriented discussions and include the appropriate amount of background and context.
  • Focus each briefing on the practical impact of the risks and options for responding to each risk.
  • When available, use comparative metrics to other institutions and include key data-driven insights to communicate why the risk is critically important.
  • To ensure the relevant details are provided and to reduce follow-up, consider inviting those closest to the risk or the risk owner to brief the trustees.

Colleges and universities must understand that the role of trustees is to provide governance and, more specifically, the structure by which risks are directed and managed across the institution. It’s also important that they outline how risk governance fits within their institution to provide oversight of the enterprise risk portfolio, make decisions, and hold risk owners accountable. Risk can be the missing link within governance, so providing a clear framework is vital for sound risk governance.

A comprehensive governance framework for effective risk management

A governance framework is a fundamental tool for enabling sound governance. Each element of the overall governance framework impacts virtually all functions, operations, and processes across the institution.

We’ve devised a framework that provides an end-to-end view of organizational governance and helps to identify improvement opportunities. The framework places risk at the center because all functions, operations, and processes are subject to risk. Rather than replacing existing models, the framework aims to connect them to present an integrated picture of the institution’s governance system. It can also help define roles and responsibilities within those models.

Within each element of the framework, there are specific requirements for management and the board. That is, each component encompasses various needs as well as processes for meeting those needs. This framework illustrates that risk is the underpinning and connection point to each element of the framework and ultimately helps create broader risk awareness throughout the institution.

This framework can also complement existing risk frameworks from organizations such as the Committee of Sponsoring Organizations of the Treadway Commission (COSO)5 and the US National Institute of Standards and Technology (NIST).6 Trustees should be aware of those frameworks and how they may apply to their institutions.

Show more

Exploring the responsibilities of trustee in risk governance

Trustees may serve several roles on boards, but having a solid command over the following tasks is critical to enhancing risk governance:

  • Distinguishing their role from management’s: Trustees do not manage risk; instead, they hold management responsible for doing so. In their governance role and as representatives of all stakeholders, the trustees—unencumbered by operating responsibilities—provide an objective perspective of the risks around strategic decisions, investments, and the effectiveness of risk management. As stewards of the institution’s values, the board ensures both long-term and short-term priorities are met and assists in maintaining trust and resilience.
  • Expanding beyond financial and compliance issues: Some boards settle for overseeing regulatory compliance and mandated financial disclosures. Some too-readily accept management’s view of risk. A board should serve as a strategic partner to management, respectfully challenging management’s methods, asking for clarification when needed, and applying its members’ intellect and experience to every aspect of governance. Even seemingly rudimentary questions can open refreshingly new avenues of discussion. In fact, senior leaders of most institutions want a board to provide candid views, clarifying questions, and true governance.
  • Accessing relevant expertise: When a board fails to sufficiently challenge management, it may be due to a lack of expertise. It is the board’s responsibility to acquire or access the knowledge it needs to fulfill its role. A need for additional or specific expertise is not a shortcoming. Indeed, that need invariably arises during rapid cultural, political, and technological change or when the institution is undertaking any major initiative that can impact its risk exposure, such as an IT implementation, capital project, or administrative restructuring.
  • Creating an optimal risk-governance infrastructure: Risk governance infrastructure refers to the roles, responsibilities, and reporting lines involved in risk governance. College and university boards of trustees should have a clear understanding of the risk-management processes and infrastructure. For example, a chief risk officer (CRO) may or may not be present, but a senior executive should be responsible for risk management and submit risk reports to the board. A senior leader independent of management, such as the CRO or chief audit executive, should report to the board and provide assurance that management has identified and adequately addressed all risks. The board should always know who is responsible and accountable for specific risks.
  • Setting risk-related priorities: When allocating risk-related resources, it is important to prioritize them by focusing on the most critical risks. Management should be responsible for allocating risk management resources, and the board should ensure that risk governance resources are properly allocated. Internal audit functions should not spend excessive resources on routine compliance and instead focus on providing assurance around managing key risks. The board can encourage the internal audit team to focus on the highest priorities and the creation of an ERM program. Risk-related topics should always be included in board or management meeting agendas.

These areas cover a lot of ground. So, trustees should prioritize which key tasks are essential to preserving and enhancing value. The board should avoid getting bogged down in details and establish governance mechanisms that ensure accurate reporting, clear lines of communication, and trusted relationships with management and independent sources of assurance. The sooner a board gets these mechanisms in place, the sooner it can enhance risk governance.

Enterprise risk management and how it supports risk governance

Risk management involves addressing functional level risks, such as financial, cyber, and health and safety. ERM applies at the enterprise level, specifically looking at risks across the organization that could hinder the institution’s ability to achieve its goals and fulfill its mission. Deloitte defines ERM as the discipline of engaging all the organization’s risks—and opportunities—and integrating risk management at the enterprise level to support strategic decision-making and mission fulfillment.

By delivering a panoramic view of risk, ERM enables colleges and universities to manage enterprise risk and also enables the board to govern them. ERM also facilitates risk-based strategic, financial, and operational decision-making. Effective ERM programs ensure that all risks (and opportunities) associated with a decision, investment, or initiative are considered, and resources (including risk management resources) are allocated according to the likelihood and impact of a risk event. The following figure illustrates the ERM life cycle and how high-quality risk information is identified, assessed, prioritized, responded to, and monitored to facilitate the ERM process.

Since the early 2000s, ERM has become widely adopted across organizations. Commercial entities, such as those within financial services, have embraced ERM, and US federal agencies have been implementing ERM programs since they were mandated by the Office of Management and Budget (OMB) in 2016.7 Colleges and universities have more recently joined them, often as late adopters. For example, a survey of 348 colleges and universities8 found that 55% of respondents said they had an ERM program in place, leaving 45% without an established program.

In addition, among those that did have an ERM program:

  • About half (49%) did not know which ERM framework they were using.
  • Roughly third (35%) of ERM programs reported to the chief financial officer rather than to the president or CRO.
  • Less than half (47%) had more than 1.5 full-time employees (FTEs) dedicated to ERM.

These responses indicate that many colleges and universities are either operating without a formal ERM program or with potentially under-resourced programs. Such shortcomings may deprive an institution’s leadership team of adequate risk information and the ability to provide trustees with risk information on the institution.

Late adoption is one reason that trustees from outside higher education may find colleges and universities’ risk management relatively immature. Trustees can and should—within their risk governance remit—play a leadership and advisory role in promulgating ERM within their institutions.

Getting started: Steps to enhance risk management practices in colleges and universities

Considering the recent trends and evolving risk landscape colleges and universities currently face, now is the time for trustees to evaluate their institution’s risk management practices and the quality of risk information they are receiving. To jumpstart this initiative, formally discuss the following risk-related elements—and the extent to which the institution has them in place—with fellow trustees:

  • A standard definition and inventory of risks that apply across the institution so that management and the board can understand and compare the likelihood of a risk event, its potential impact (in monetary terms), response to the risk, and then allocate resources accordingly.
  • An agreed-upon risk framework supported by appropriate standards and used throughout the institution to manage risks, with risk owners responsible for managing risks within their functions.
  • A risk management and governance infrastructure with clearly defined roles, responsibilities, and accountabilities in both academic and administrative functions.
  • Transparency and visibility into the institution’s risk-management processes as needed to fulfill risk governance responsibilities.
  • One individual with the primary responsibility for implementing and maintaining an effective ERM program. This person should have direct communication lines with the president, the board of trustees, or its risk committee (or equivalent).
  • A specific function, like internal audit, risk management, or compliance that monitors and reports on the effectiveness of the ERM program while also providing objective assurance.

The discussion and the development of these elements should ultimately be a collaborative endeavor between management and the board, potentially conducted by a special-purpose committee and facilitated by an experienced external advisor.

Questions to consider

Sample questions for the board to ask itself about risk governance:9

  • What is the role of the entire board and its standing committees regarding risk oversight?
  • Has the risk governance infrastructure been defined? Is there coordination and communication between all relevant stakeholders?
  • How does the board consider the relationship between the institution’s strategy and risk? What are the potential risks to the strategy and of the strategy?
  • Through what reports and other mechanisms does management, the CRO (if present), general counsel, and internal audit provide the board with information on risk exposures and risk management?
  • What are the institution’s processes for monitoring major financial, operational, cyber, health, safety, third-party, and reputational risk exposures on an institutionwide basis?
  • Is the institution’s risk management system—including people, processes, and technologies—adequate for the risks posed to the establishment? Is it sufficiently resourced?
  • Does an ongoing constructive risk dialogue occur between management and the board, including a willingness to challenge assumptions?
  • What information enables the board to consider emerging risks and the interrelatedness of risks?
  • How, and how often, does the board assess its risk governance capabilities?
  • How does the board identify the risk-related expertise it needs and how to access it?
Show more

Steer clear of risks: The time for action is now

The challenges presented by recent trends and the heightened risk environment affecting colleges and universities show no signs of abating. If anything, they likely can be expected to intensify amid rapid social, political, technological, and economic change. As a result, risk governance has risen to the top of the board agenda at many colleges and universities. Yet the prospect of improving risk governance can be daunting.

Risk governance supported by a sound risk program and processes calls for high levels of collaboration within the board, with the president and their leadership team, and across the institution. Marshaling the people, processes, and technology that enable risk oversight, risk reporting systems, and any needed culture change requires time and effort.

To curb and swiftly address the potential risks, trustees should begin enhancing their institutions’ risk governance capabilities now.

Cynthia Vitters

United States

Jake Braunsdorf

United States

Endnotes

  1. Cole Clark, Megan Culver, Jeffrey J. Salingo, Higher education’s new era, Deloitte Insights, May 17, 2023.

    View in Article
  2. Madeline Halpert, “Trust in US institutions hits record low, poll finds,” Forbes, July 5, 2022.

    View in Article
  3. Karen Fischer, “Americans’ confidence in Higher Ed drops sharply,” The Chronicle of Higher Education, July 26, 2022.

    View in Article
  4. Liam Knox, “Reading between the lines of affirmative action,” Inside Higher Ed, July 17, 2023.

    View in Article
  5. COSO.org, “Guidance on Enterprise Risk Management,” 2022.

    View in Article
  6. Computer Security Risk Center, “NIST Risk Management Framework,” accessed on September 5, 2023.

    View in Article
  7. Deloitte, “Navigating the revised OMB Circular A-123,” accessed September 7, 2023.

    View in Article
  8. University of Oregon and Deloitte, 2022 Disaster Resilient Universities (DRU) National Survey, 2022.

    View in Article
  9. Maureen Bujno, Consuelo Hitchcock, Krista Parsons, Deborah Dehaas, and Henry Phillips, “Risk oversight and the role of the board,” The Wall Street Journal, 2018.

    View in Article

Acknowledgments

The authors wish to thank the following colleagues for their contributions to this article: Cole Clark and Tiffany Fishman of Deloitte Services LP, Maureen Bujno of Deloitte & Touche LLP, and Eileen Sullivan and Chad Ahren of Deloitte Consulting LLP.​

Cover image by: Sofia Sergi