World Class Faculty & Research / December 17, 2024

Risk Matters

The Case for Enterprise Risk Management in Higher Education

By Clifford Rossi, PhD

Higher education is not immune to the same kinds of risks that affect industry and, as we’ve seen in 2024, continues to be buffeted by a wide range of risks, including political, reputation, financial and operational, among others. The practice of enterprise risk management (ERM) in higher education is uneven across institutions and trails behind more evolved ERM programs in private-sector industries such as banking and pharma. Elevating ERM within the organization to a prominent leadership role is guaranteed to pay dividends over time and avoid debilitating risk events that detract from the business of education.

Poor risk management practices eventually come back to haunt those organizations that fail to take a broad and proactive view of managing risk. Colleges and universities are not immune to major risk events. The financial meltdown of the 2008 Great Financial Crisis stands in testimony to the fate of many banking institutions that failed to embrace enterprise risk management (ERM) principles. Even today, the collapse of Silicon Valley Bank is a reminder that ERM is critical to franchise viability. The complexity of institutions of higher education and the diversity of risks they face require academic administrations not just to develop ERM functions and frameworks but to build an institutional culture with the right risk “DNA” to recognize the importance of this function.

My own story is a case in point. I came to academia after a 25-year career in risk management in the financial services industry, starting as a regulator during the Savings and Loan crisis of the 1980s and ending it during the 2008 crisis as the Chief Risk Officer for Citigroup’s Consumer Lending Division as well as other C-level stints at major financial services companies. Some of those marquee-name companies I worked for are no longer in business, largely because they relegated risk management to a secondary role in their organizations.

Following the crisis, bank regulators recognized the importance of effective risk governance and ERM practices and now require the largest banks in the country to adhere to heightened expectations for risk management. As a result, the banking sector is much further along in the maturity of its ERM programs than other private and public nonfinancial organizations, though other organizations have ramped up their ERM capabilities in recent years. This includes the federal government, where large agencies are required to have ERM functions. But what exactly is ERM and why does it apply to colleges and universities?

ERM is a set of principles that lays out a foundation for how organizations should identify, measure, assess and manage their risks. It provides governance and oversight over the process touching the entire enterprise. Risk management should be an integral part of the strategic planning process and incorporate several critical components. These include establishing a risk appetite for the organization that articulates in qualitative and quantitative terms the tolerance for each potential risk the institution faces. The ERM framework also includes a risk taxonomy that clearly describes each major risk type and its various subcomponents. Depending on the firm, this can include financial risks such as cash flow, credit, market and liquidity risks; nonfinancial risks such as operational, reputation, legal, regulatory and compliance; and nontraditional risks such as geopolitical, climate, AI, and cyber.

With this backdrop, why do colleges and universities need ERM? Such institutions face many of the same risks as banks and federal agencies. A wide range of financial, nonfinancial and nontraditional risks exist at campuses, with many institutions unable to proactively identify, assess and manage their risks until they manifest. Injuries and deaths on campuses for various reasons, geopolitical unrest affecting campus activities, spiraling tuition and costs, and cyber threats are among the myriad risks challenging college and university administrations across the country.

As in other sectors, there have been a number of early adopters of ERM principles at colleges and universities. Stanford, for example, created an Office of the Chief Risk Officer, a senior administrative entity where the CRO is a member of the university cabinet and advises the audit, compliance and risk committees of Stanford’s Board of Trustees. While there is no best way of structuring an ERM function, Stanford’s approach is a good model that includes separate functions for ERM, Internal Audit, Risk & Insurance, Ethics and Compliance, Privacy and Information Security.

Good risk governance is paramount in achieving an effective ERM program. Having a board of trustees that is supportive and aware of the importance of risk management, along with the President and other senior leaders, greatly facilitates a risk-oriented culture throughout the campus. While everything we do as individuals or organizations entails some level of risk, having a well-articulated process for understanding, assessing and managing risks in a cohesive and standardized manner places those institutions that adopt ERM in the best position to prudently and proactively manage what seemingly is becoming an increasingly risky environment for higher education.

Clifford Rossi (PhD) is the Academic Director of the Smith Enterprise Risk Consortium at the University of Maryland (UMD) and a professor of the practice and executive-in-residence at UMD’s Robert H. Smith School of Business. Before joining academia, he spent 25-plus years in the financial sector, as both a C-level risk executive at several top financial institutions and a federal banking regulator. He is the former managing director and CRO of Citigroup’s Consumer Lending Group.
