Creating a Risk-Conscious Climate
Risk, both physical and financial, is part of the planning fabric as never before.
By Rick Whitfield
To effectively manage business risks, college and university leaders must be cognizant of these drivers, but especially of the risks accompanying them. The question is: Are our campus leaders prepared to address this transformed environment? I've spent the past three years researching academia's response to change, and I studied for-profit sector models for enterprise risk management, assessing how these models might transfer to the not-for-profit sector. Although I concluded in that study (Managing Institutional Risks—A Framework, published last May) that "higher education leaders do not typically recognize the changes external market forces are having on the industry," the emergence of institution-wide risk management infrastructures is beginning.
Learning From the Other Side
After many businesses in the late 1980s failed soon after receiving unqualified audits of their financial statements, and change was exploding all around them, a group of business leaders evolved a common framework and language in conjunction with the Committee of Sponsoring Organizations' (COSO) Integrated Internal Control Framework. (An updated report is due out later this year.) The elements of that framework comprise a paradigm shift from a strict focus on financial controls to a focus on assessing business risks.
It was a time and response not unlike today. There is a difference, however. The accounting industry has been turned upside down, and the Sarbanes-Oxley legislation is setting the tone for corporate governance, providing increased federal government regulation of independent accountants. While Sarbanes-Oxley compliance is required at for-profit companies, numerous college and university boards are adopting components of Sarbanes-Oxley as best practices. (NACUBO's Accounting Principles Council released guidance in November's Advisory Report 2003-3, which can be accessed at www.nacubo.org.) Colleges and universities can use this common language to assess their business risks. Transparency is necessary across all industries, and this flexibility can be modified to fit any institutional culture. Senior management in the business sector has identified some basic success factors: support at the top, accountability at all staff levels, a clear framework, and a "risk officer" to champion the initiative. While these success factors may not seem groundbreaking, they are significant because they reflect lessons learned directly by those actually implementing an enterprise-wide risk management model in a business setting.
Looks From the Inside
One chief financial officer commented to me that aligning new initiatives with for-profit sector practices often toll the death knell in a campus setting. But the drivers challenging higher education are perilously close to those facing the for-profit sector. In many ways, the business world is better positioned to respond quickly to the changing marketplace. But several recent business scandals have shaken the cornerstones of higher education institutions as well. Seton Hall University received a substantial gift from Tyco's former CEO, L. Dennis Kozlowski, reported by the Wall Street Journal to be at $5 million, and built a prominent academic building bearing his name. (Another carries the name of another Tyco board member, Frank Walsh, Jr.) In addition, The New York Times reported in November that Tyco shareholders are laying claim to a $4 million donation to Cambridge University. "The money was used to create the Robert A. G. Monks chair in corporate governance, a program that promotes research into corporate accountability, and is named after an American shareholder activist who had often praised Mr. Kozlowski and served on the Tyco board from 1985 to 1994." Cambridge claims that neither Tyco International nor Kozlowski had any influence on the first chair appointment. Cambridge is reported to have no intentions of returning the funds. At press time, Kozlowski had been on trial since September on criminal charges for fraud and misuse of corporate funds, and investigations into the source of the donated funds continue.
Different Worlds, Equal Risks
The higher education community is not unlike the business world regarding the risks it faces. This table illustrates the different types of risks, how they are handled, and how they affect each entity.
It's only one example, but it's clear that the trials and tribulations of corporate America have direct implications and risks for higher education.
|Business World||Education Community|
|STRATEGIC RISKS: GOALS OF THE ORGANIZATION||In the business world, strategic plans provide the roadmap for new product development, competitive positioning, and increased market share. Accompanying each strategic initiative are risks that present opportunity, uncertainty, and hazard. These risks are taken into consideration when determining "go" or "no go" strategies.||Colleges and universities are engaged in developing extensive strategic plans to guide their achievement of strategic goals. What is not evident is whether consideration is given to the risks accompanying these strategies.|
|OPERATIONAL RISKS: PROCESSES THAT ACHIEVE GOALS||Day-to-day operations within businesses determine the success or failure of achieving incremental progress toward defined goals. Accompanying each operation are risks that could deter progress toward goals. The ability to anticipate and manage risks is critical to maintaining ongoing operations.||Colleges and universities likewise are dependent on day-to-day operations for their success and are subject to operational risks.|
|FINANCIAL RISKS: SAFEGUARDING ASSETS||The potential loss of physical assets or financial resources represents areas traditionally subjected to more focused risk management. Businesses generally acquire insurance to protect against potential or unanticipated asset and/or financial losses.||Colleges and universities, like businesses, pay particular attention to financial risk management.|
|COMPLIANCE RISKS: LAWS AND REGULATIONS||Like colleges and universities, businesses in the for-profit sector are subjected to many external rules and regulations.||Noncompliance can be costly to colleges and universities. Some of the most significant penalties have come from ineffective management of compliance risks. An increasing focus on managing compliance risks is evolving given significant events that have proven costly and embarrassing to both businesses and colleges and universities.|
|REPUTATIONAL RISKS: PUBLIC IMAGE||For businesses and colleges and universities, their reputations may be their most important asset and the one least protected. An organization's image and reputation rest in the hands of the people who comprise the organization and are guarded only by the decisions made and actions they take each day to ensure the organization's success. Many organizations' images have been damaged and reputations tarnished by failure to effectively manage reputational risks.|
Preparing for Risk: Inside/Out Views
The question for leaders is not should but how can higher education institutions adopt a common framework and language for managing institution-wide risks. The range of stakeholders—trustees, presidents, provosts, deans, vice presidents—hold a variety of perspectives on risk management.
Trustees lead the way; industry leaders know that this varied group brings diverse interests, enthusiasm, and resources to the campus boardroom, and a wealth of opinions. It may be an understatement that their view of the outside world contrasts with many administrators who, many trustees feel, lag in the adoption of good corporate business practices. Trustees often make suggestions to improve the efficiency and effectiveness of resource utilization; some even go as far as setting expectations for the implementation of business practices. This is particularly true for trustees serving on independent college and university boards. Public institutions, on the other hand, are often governed by bureaucratic processes, which lead to even less flexibility for significant change in government-controlled practices.
One trustee I spoke with from an independent university is a partner in a global professional services firm serving both for-profit and not-for-profit clients. He agrees that effectively managing risk is a critical component to successful leadership of any organization. At his institution, risk management is not a component of the strategic leadership model. Instead, it's a limited but important annual task undertaken by the general counsel and other senior managers. He stresses that "risk management is not sexy and visible; no university or college president's legacy will read 'effective risk-management leader.'" He doesn't believe it will rise to a strategic focus until it can be demonstrated that risk management provides a distinct competitive marketplace advantage. One thing holding his institution back is the traditional skill set of the internal audit staff, which is not positioned in the organizational structure to lead a holistic initiative.
He cites the following as the factors for success at his university:
- engaged trustees and presidents;
- willingness to embrace corporate best practices;
- diminished status quo thinking;
- openness to embrace change; and
- governance structures that require accountability for effectively managing institution-wide risks.
Top Down Perspectives
College and university presidents have a distinct role to play in risk management. Two presidents whom I interviewed lead distinctly different institutions; both institutions fall within the Carnegie Doctoral/Research Universities–Extensive classification, but they are in different geographic locations, and vary in size, complexity, and market segments served. However, they have a common mission: research, teaching, and service. Both presidents have originated risk management initiatives and have established a risk-conscious tone at the top of their respective institutions. For the first president—a former department chair, dean, and provost—managing institutional risks was embedded in her institution's strategic plan developed in 1996; the board of trustees, especially those on the audit committee, was bent on improving control and risk management mechanisms. This president, who serves on corporate boards and audit committees, wanted qualified professionals to implement this plan, drawing on actual experience in higher education and best practices from the for-profit sector. A proven business leader as well as a scholar, this president is viewed by many inside and outside the institution as a true CEO, albeit at a university. She emphasizes that prior to the September 11 terrorist attacks, discussion of risks would have been difficult to get on any university or college president's agenda. Introduced to the needs of institutional management by her board, she directed the executive vice president and chief internal audit executive to champion the initiative, to keep the conversation alive. The second president I interviewed, a world-renowned scientist and corporate board member, stresses holistic risk management in colleges and universities as critical. She acknowledges that her career experience in the corporate sector, federal government, and as chair of a for-profit corporate audit committee provides her with a more in-depth understanding and drives her commitment to risk management. She cites several key elements for any risk management initiative:
- It is everyone's responsibility to manage risk.
- The senior management team should focus on the topic.
- An internal audit function is best positioned to champion such institution-wide initiatives, if staffed with knowledgeable personnel.
Both presidents emphasized the following steps:
- Include knowledgeable leaders on senior management team to drive goals to reality. A focus on risk should be embedded as a component of the strategic plan.
- Just do it—a big bang launch isn't necessary.
- Develop metrics in operational plans to measure progress toward risk mitigation.
- Employ effective communications and training.
- Identify and empower a "champion" within the management ranks.
- Exercise presidential intervention when necessary.
The Academic Standpoint: Provosts and Deans
A provost sees risk management through a different lens, but often comes up with the same conclusions. One provost from a large research-intensive university relates that his university is currently conducting a limited risk assessment. Its focus is primarily on research laboratories. The objective is to determine what, if any, environmental, health, and/or safety risks exist on the campus and develop action plans to mitigate them. While this is the only holistic risk management initiative undertaken by this university, the provost notes that risks are routinely considered when making decisions that are either entrepreneurial in nature, have the potential to drop the university's national ranking, or increase reputational risks. His key points:
- Institution-wide risk management makes good business sense, particularly for entrepreneurial and venturesome institutions.
- Risk discussions surround major decisions, particularly reputational risk impacts; that is, anticipate what could go wrong.
- Adapt the business risk framework to each institution's respective culture.
- Risk management is critical, since few key initiatives concern the university at large.
He stresses that the president must communicate to the faculty and must show connectedness of risk management initiatives to academic mission. In addition, resource commitments must be aligned and support the academic mission.
Deans are looking from another vantage point, but risk still lurks in the landscape. A dean of the College of Arts and Sciences at a large research-intensive university, which includes a medical school, multiple hospitals, and physician practices, notes that his university has long had a risk management initiative, which is still evolving.
He agrees that risk management must be articulated as a strategic priority, and adds these points:
- A framework and common language, such as the defined business risks, are beneficial to generate dialogue about managing risk.
- The trustees, president, provost, deans, and vice presidents must sponsor and support the initiative and designated champion.
- Managing reputational risk is critically important, and all these other type risks—strategic, financial, operational, and compliance—reference reputational risk in one form or another.
- A chief risk officer position is not necessary, but someone to champion this initiative is crucial. It must be someone knowledgeable about higher education and the specific institution.
Setting the Tone
Most higher education leaders are finally engaged in thinking broadly about institutional risks. But what is obvious from the research is that risk management does not currently attract a wide audience within the higher education industry, particularly at the presidential and senior management level—just where significant impact could be gained. Too many agree with the trustee who said that risk management is not sexy. But a champion is just what this management framework requires—all those I interviewed stated it as one of the key success factors. Chief business officers should consider taking the lead by championing the institution-wide risk discussion within the framework of strategic, financial, operational, compliance, and reputational risks (see chart, "Defining Business Risks of Transformational Change"). The three legs of what I characterize as the "institutional will" are: recognizing that change is constant, setting a risk-conscious tone at the top, and engaging the trustees to actively champion the initiative. These critical actions represent the cornerstones for constructing and successfully implementing a risk management framework and common risk language. The framework should begin with the institution's strategic plan. A commitment to managing risks should be stated and supported by the president as a key institutional objective (which, in concert, supports the achievement of other institutional goals and objectives).
Discussing risks and the importance of being an astutely risk-oriented environment is difficult. But early adopters in higher education have realized numerous benefits and anticipate even greater gains from risk discussions. A cultural transformation is occurring at these institutions, even without a big launch of a new central administrative initiative. The transformation can be seen in the evolving common language around risk, which stands out in dialogues among faculty, academic administrators, central administration, and senior management. Now, initiatives to address risk are strategically aligned with institutional goals—previously, they were a reactive response to the latest event. The gains are many: minimizing surprises and decreasing the cost of crisis management, at the very least. And, while risk will never be reduced to zero, the potential impact (financial, compliance, reputational) of risks associated with strategic goals and institutional priorities will be addressed before they hit. Think of it as an early warning system for potential high-risk events.
The lack of proven metrics that capture the impact of institution-wide risk management is damaging to all. Once metrics are developed, and institutions can demonstrate a strategic competitive advantage over non-adopters, the industry will step up and take notice.
Taking Stock of the Future
The more I looked into this subject, the more obvious it became that numerous areas warrant deeper research. First, enterprise risk management models both outside and inside the industry are in their infant stages. Enron's model was heralded as a corporate best practice in research studies—of course, that was prior to Enron's failure. Clearly, there are lessons to be learned from Enron's fall, and the fate of Enron's executives, including its chief risk officer. Second, how well can governance structures (especially faculty governance), which vary, even within similar institutions, effectively implement risk management frameworks? Third, how are those "early adopter" frameworks, those already in place, working? As noted by one senior administrator, the first steps in a long journey have been made. Is the sustainability of these early models solely dependent on the personalities of the existing leadership (i.e., trustees, president, senior management)? Will the journey continue if key sponsors and/or implementers change or leave the institution? Will existing organizational structures be modified and policies implemented to create a sense of permanency? It will be important to track these early adopters and determine if the industry follows.
Several colleges and universities have suffered global media scrutiny over tragedy and scandal in recent years. The bonfire catastrophe at Texas A&M; academic and basketball scandals at the University of Minnesota; and presidential misconduct at University of Tennessee are just a few examples. More recently, presidential failures and governance structures, including foundations, have tarnished the reputations of many institutions. Assessing the strategic, financial, operational, compliance, and reputational impact on these institutions' business and operational practices may provide metrics for measuring the cost of ineffectively considering risks. Looking at the return on investments that represent measurable risk avoidance will be extremely valuable. And, of course, September 11, 2001, changed the world and significantly impacted the leadership and management of higher education institutions. The Department of Homeland Security, Federal Bureau of Investigation, and Central Intelligence Agency have publicly identified colleges and universities as "soft targets" (easy to access and inflict terror). As college and university leaders give further heightened consideration to the risk of terrorist attacks on their campuses, broader thinking will be needed. Risk is a part of the world as it has never been. Campus leaders can't afford not to develop a framework to manage risk to keep their institutions safe in an uncertain future.
Hear the Author at HEAF
Hear Rick Whitfield expand on his ideas at NACUBO's Higher Education Accounting Forum (HEAF), April 25–27, at the InterContinental Chicago. His session, Application of an Enterprise Risk Management Framework in Higher Education, offers a perspective on integrating financial risk management beyond traditional boundaries to consider the new world of governance and accountability inspired by legislation and current events.The new framework provides a foundation to understand past challenges and modern improvements,and addresses the concerns of trustees, presidents, provosts, business officers, accounting and finance professionals, senior management, and academic administrators.
Whitfield's session is one of 12 concurrent sessions addressing the latest issues in higher education financial and managerial accounting. Early-bird registration rates are in effect until March 26 for HEAF, which sold out in 2003. For detailed program and registration information, visit www.nacubo.org or call 202.861.2520.
Author Bio Rick Whitfield is vice president for audit and compliance at the University of Pennsylvania. He earned a degree from Penn's Executive Doctorate Program in Higher Education Management.
- ED Proposes Substantial Expansion of Financial Responsibility Indicators
- Supreme Court Hands Down Two Decisions with Higher Education Implications
- NACUBO Objects to Annual SFA Audits
- 2016 CAO and CBO Collaborations
August 1-2, 2016
- 2016 Planning and Budgeting Forum
September 19-20, 2016
- 2016 Managerial Analysis and Decision Support
November 17-18, 2016
- WEBCAST: The CBO's Role in Diversity and Inclusion on Campus
Thursday, June 30, 2016 1:00 PM ET
- ON-DEMAND: The Clery Act: Strategic Planning to Mitigate Institutional Risk
- ON-DEMAND: Title IX: Key Issues Surrounding Institutional Compliance
- ON-DEMAND: NACUBO Live! Higher Education Accounting Forum
- ON-DEMAND: Responsibility Center Management: Two Different Perspectives