Institutions of higher education are home to large populations of students, faculty and staff, ranging from many hundreds to thousands and even tens of thousands of people. Colleges operate utilities (electricity, steam, water, sewers, phone and internet), provide police protection, maintain housing ranging from faculty houses to high-rise student dormitories and apartments, care for miles of streets and walkways, offer media communications, and run dining facilities—all in addition to their core mission of educating the next generation. In fact, while negotiating my university’s insurance coverage, an underwriter once observed that the university had “all the risks of a city.”
But institutions of higher education (IHE) have significant differences from cities, especially when it comes to operations outside the United States. IHEs have student study abroad programs on every continent. They also run campuses and international research facilities in other countries. Activities are not just land-based; research may also take place on and under the oceans and in the atmosphere or outer space. Individual or small-group international education or research activities add to the complexity of an IHE’s risk profile.
Assessing the Risks Facing Higher Education
The risks that IHEs face are at once similar and different. While the kinds of adverse events that could happen at two institutions are basically similar, the magnitude could be quite different at a rural liberal arts college in Iowa compared to a major research university in the center of New York City. Likewise, the liability for accidents can be much less at a public university with sovereign immunity than at a private college with no legal protection at all.
Certainly the scale of activities also creates big differences. Think of the differences in risk for a university in NCAA Division I whose team plays football at a stadium with tens of thousands of fans compared to that of a Division III team playing the same sport in front of a few hundred fans in the bleachers. Some institutions support unique facilities and unusual activities, such as hospitals, primary and secondary schools, farms, museums, retail stores, flight schools and rodeos.
IHEs share a mission to educate men and women to be critical, educated thinkers in their fields so that they succeed out in the world. Because of this important role, colleges and universities find themselves at the center of important issues in the United States, which creates strategic, political and reputational risks for the organization.
For example, should college education be accessible to all students—even if they are unprepared to learn at that level—if it means reducing the disparity certain ethnic groups endure in the United States? How can IHEs address the challenges women face in the economy from unequal treatment and in society from sexual assault? Depending on how policymakers act on these issues, IHEs will need to respond.
With the range of threats IHEs face, risk assessment in higher education is challenging, and the approaches to identifying risks are varied. According to a recent survey by the University Risk Management and Insurance Association (URMIA), more than half of respondents operate using enterprise risk management (ERM) processes. While about a third follow a model for ERM, such as COSO or ISO 31000, the rest create frameworks that meet the needs and culture of their specific institution.
Virtually all IHE risk managers have responsibilities in risk assessment, but they are almost never solely responsible for it. About 40% of respondents to another URMIA survey have a risk committee overseeing the risk assessment process. Other institutions expect additional functions, such as internal audit or legal, to work collaboratively with risk management.
Creating a Higher Education Risk Inventory
To improve the quality of their institution’s risk assessment, IHE risk managers can exploit higher education’s willingness to collaborate on academic and administrative issues. Unlike a corporate environment where protecting information to keep a competitive edge is tied to the bottom line, IHEs tend to share what they know if it will help a colleague. In serving its mission to advance the discipline of risk management in higher education, URMIA facilitates the sharing of risk information.
To this end, URMIA maintains an inventory of risks that are common among colleges and universities to assist institutions in their risk identification process. For purposes of the URMIA Risk Inventory, risk is defined as any issue that impacts a college or university’s ability to meet its objectives.
The URMIA Risk Inventory categorizes areas of risk into 23 groups. Each category has specific risk areas that reflect circumstances that give rise to risk. The risk inventory lists 290 such risk areas. For each risk area, the inventory then lists “risk factors” that may make the circumstance more or less risky depending on the institution. Below is an alphabetical list of the risk categories and a sample of the associated risk areas.
- Affiliated entities: independent academic organizations, student and alumni organizations, commercial partners
- Athletics: conferences, facilities, academic issues, graduation rates, injuries and resulting medical care, NCAA compliance, spectator control, terrorism, trademarks and licensing, weather
- Brand and reputation: academic excellence, academic freedom, alumni relations, constitutional challenges, free speech and expression, relationship with key supporters
- Business continuity and emergency planning: breadth and currency, emergency response, international activity, National Incident Management System (NIMS) compliance, coordination with public agencies
- Community: economic development, use of institutional facilities by community members and organizations, service
- Competition: diverse education providers, college rankings
- Conflict of interest or commitment: faculty, especially in research
- Demographics: declining number of college-age students, increasing enrollment by international students
- Enterprise risk management: effective program design, assessment and mitigation plans
- Financial: budgeting, capital sufficiency, construction management, contracts, deferred maintenance, economic conditions, energy availability and cost, food crisis, fundraising, grant procurement and compliance, infrastructure, investment management, liquidity, tuition
- Gender-related issues: equality, sexual harassment and assault, LGBTQ issues
- Governance and institutional management: access and affordability, authorized activities, competency-based education, institutional culture, decentralized authority, educational technology, leadership and strategic planning, shared governance and academic freedom
- Government support of higher education: financial aid, government financial support, sponsored research
- Human resources: code of conduct, diversity, employee productivity, employee benefit management and ERISA, employment, workplace safety and injury, unionization, volunteers, wage and hour compliance
- Intellectual property: legal compliance and defense, lost opportunity
- International: asset protection, competition, compliance, emergency response, ethical violations, global trends, locality risk, U.S. policy
- Local, state and federal regulation: compliance, environmental, facilities, Higher Education Act, research, tax
- Operations: auxiliary business such as bookstore and publishing, library and art collections, distance learning (especially online), outsourcing, premises, transportation, travel, student health services
- Property: physical damage, depreciation and obsolescence, inadequate design, naming
- Public safety: active shooter and terrorism, building access and security, crime, Clery Act requirements (stipulates that all schools that participate in financial aid programs must disclose information on campus crime), minors on campus
- Safety: fire and life safety, laboratory safety, pandemic, research, training, vehicles
- Students: academic standards and graduation rates, Americans with Disabilities Act requirements, admission and enrollment, alcohol/substance abuse, at-risk students, code of conduct, diversity, experiential learning, financial aid, healthcare, Family Educational Rights and Privacy Act (FERPA) requirements, sexual assault
- Technology: access, business continuity, changing technology, governance, mobile devices, performance capacity, security and cyber liability, system design
The URMIA Risk Inventory also classifies each risk area into one or more of the following types of risk:
- Strategic: High-level goals, aligned with and supporting the mission
- Operational: Effective and efficient use of the institution’s resources
- Reporting: Reliability of the institution’s external and internal reporting
- Compliance: The institution’s compliance with applicable laws and regulations
- Reputational: Damage caused by any of the above that spills over to how the university is valued or perceived
URMIA continually updates its risk inventory based on member suggestions and by monitoring events and issues in education. Because IHEs are diverse and have different risk profiles, this is not an exhaustive list, so risk managers still must identify risks specific to their institutions.
Next Steps to Management and Mitigation
How, then, can IHE risk managers put the URMIA Risk Inventory to use? According to a recent survey, most members use the Risk Inventory for background information. While IHE risk managers are often not solely responsible for risk assessment, they do have a major role in the effort. Informing risk managers about possible risks to their institutions informs the risk assessment process.
IHE risk managers can also use the URMIA Risk Inventory as a benchmark to identify possible gaps in their institution’s assessment of risk. Senior management frequently asks, “Are we missing anything?” With about 300 potential risks, the URMIA Risk Inventory provides some comfort that the essential risks have been considered.
The survey also showed that risk managers have shared the URMIA Risk Inventory to stimulate conversation about risks. Many colleges and universities do not yet have an ERM process, but management still must consider all the risks facing a college or university. The risk inventory allows risk managers to provide a panoramic view of the issues facing their institutions.
In addition to ensuring that an institution’s risk assessment is comprehensive, use of the URMIA Risk Inventory also provides actual value in reducing risk. For example, a member reported that after using the URMIA Risk Inventory, the institution recognized a gap and identified a need to actively coordinate and conduct exercises with local law enforcement agencies to effectively respond to campus emergencies. With shootings posing a real threat to campus communities, fixing this oversight in advance was a significant contribution to this institution’s safety program.
The sheer number of risks facing colleges and universities can be daunting. But by using a guide like URMIA’s risk inventory, IHE risk managers should be able to conduct a thorough risk assessment of their facility and develop plans that will benefit faculty, staff and students alike, allowing them to focus on their number one priority—education.