Is Risk Management Part of Your Executive Strategy?

Written By Tracey Swift

Risk does not have to be all about doom and gloom. The time has come where risk management can no longer be seen as hampering innovation but rather as a tool to foster accountability, transparency and support, not hinder organizational objectives.

Between the current legal and regulatory environment and lessons learned during COVID, risk management discussions must be elevated not only the to the C-suite but also boards and other fiduciaries. Without an understanding and accounting of the strategic, financial, compliance and operational risks at the executive level, organizations will remain vulnerable to risks such as regulatory non-compliance, ineffective crisis management, financial overexposure, and risk to brand.

According to a Deloitte article, “The board of trustees is responsible for risk oversight, while the president and those who report to them are responsible for risk management.” (1)

Despite the intent of the maker-checker structure, we still see a number of risk management failures at the executive level.

From campus scandals and financial woes to regulatory non-compliance, we have seen the news; the question is why and what actions can boards and leadership take to avoid making the next headline.

Why is this happening?

In my opinion, there are two challenges.

First, there appears to be a disconnect between the risk appetite of the organization and the actions of employees and appropriate board oversight.

Defining an organization's risk appetite is one of the most important steps of a risk strategy but, it tends to be put on the back burner. The fear of regulatory scrutiny, time and resource constraints, and data quantification challenges; institutions hesitate to incorporate “risk-appetite” into risk assessments. Neglecting to define or discuss risk appetite can lead to risk methodologies being misaligned with organizational goals. This, in turn, may result in information gaps, adding additional risk to the organization.

Boards also have responsibility, and they must hold leadership accountable for managing risk within certain limits. Per COSO, an enterprise risk framework, a key component for boards is “Be apprised of the most significant risks and whether management is responding appropriately.” (2) Which leads to the question: how can boards decipher what is an appropriate response without understanding the risk appetite?

The second reason is that executives and boards may not be asking the right questions to their teams, committee members, and advisors.  By asking good questions, leadership will not only become more risk-aware but the answers can help define a risk appetite and the requisite risk mitigation strategies.

What questions should I ask?

  • How do the risks align with the organization's strategic objectives and mission?

  • What methodology will be used to identify and prioritize risks?

  • What is the likelihood and impact of each risk?

  • What are current and pending regulatory requirements and the penalties for non-compliance?

  • Are there interdependencies between identified risks?

  • How frequently are risks reviewed and reported to the board?

  • What metrics are used to monitor risks to demonstrate risk mitigations are effective?

Why is this important?

With increasing governmental regulations combined with student, faculty, donor, alumni, and tax payer activism, the current environment demands it. Passively addressing risk, assuming that “this will not happen,” and putting things off for another day is not a viable or a responsible approach.

Colleges and universities are facing increased pressure and scrutiny to address a broad range of concerns, from safety, cost of tuition, mental health, financial viability of new ventures, and data protection and privacy. Stakeholders expect more from executives and boards, both in terms of understanding the risk landscape and the oversight required to mitigate these risks.

Further, without an informed executive team, there could be potential failures in the bedrock of your organization’s risk management program resulting in financial losses and impacts to reputation.

What mitigation strategies can be implemented?

  • Bridge the "communication gap" between the board, central administration, faculty, and students by championing transparency from the top down.

  • Conduct an inventory of your stakeholders and determine if key voices are missing.

  • Don’t over-emphasize metrics that you lose sight of the bigger picture. Not all risks are quantifiable but can they can still impact your organization.

  • Focus on the long-term health of your organization versus short-term gains.

  • Increase board diversity to understand the impacts of your organization's goals on the communities they serve.

  • Invest in training and education for executives and board members that include a risk management focus.

  • Recruit the right board members. Make sure the candidates have relevant experience in higher education as well as strong business acumen.

By elevating and incorporating risk management principles into strategic decision-making at the executive and board level, institutions of higher education can proactively manage risks, potentially reduce costs, and increase transparency.

What strategies will you implement to make your organization more risk aware and resilient?

If you want to dig deeper into this topic. Risk governance in higher education- What boards and trustees need to know

Supporting research:

Tracey Swift
Previous

What does the contract say?
Next

How transparent is your institution?