The Board of Trustees Role in Risk Governance

By Cynthia Vitters posted 08-27-2024 10:09 AM

Learn what and how to share specific risk information with different leadership levels effectively

Empowering Risk Managers in Risk Governance Conversations

The role of the board of trustees in risk management is becoming increasingly important as the headwinds facing higher education continue to strengthen. Historically, those who manage risk at colleges and universities have not always had a “seat at the table” with other institutional leaders when major decisions were being made. However, in response to the COVID-19 pandemic, risk leaders became the key leaders responsible for institution-wide coordination and response, and that prominent role elevated their positions within the college/university setting beyond where they had previously been. As a result, the maturing of higher ed’s risk practices has produced higher-quality risk information and allowed for more productive conversations with trustees on managing risk.

As a result of this shifting dynamic, Deloitte examined the board’s traditional role in risk governance and how higher education institutions can better communicate risk information and manage risk in a four-part webinar series on risk governance in higher education. As an accompanying resource, this article seeks to capture the key insights from the series as we explore boards of trustees’ role in risk governance and empower risk managers to engage in conversations around risk at their institution.

Organizational Alignment on Risk - Leveraging Your ERM Program to Produce High-Quality Risk Information

Having a strong command of how to curate high-quality risk information and establish a proper governance structure is the foundation of a strong risk program. Governance provides the structure by which institutions are directed and managed. Risk governance specifically influences how risk management objectives are set and achieved, how risks are monitored, and how organizational components work together. A well-structured risk governance approach ensures that enterprise risks are regularly and proactively identified, assessed, prioritized, escalated, and addressed per mission and strategic objectives.

Here are a few key tenets to consider; together they typically represent a well-designed system that breaks down silos and encourages buy-in for the ERM program:

  • Executive leadership/board members who make strategy, policy, and budget decisions based on enterprise risk committee (ERC) recommendations;
  • An ERC composed of key leaders who assess and prioritize enterprise risk;
  • ERM working groups which may include subcommittees to address risks to a specific portfolio, account, or area;
  • Risk champions who serve as representatives between staff and ERM working groups; and
  • Staff and employees across the institution who identify risks.

A University Example

Carnegie Mellon University (CMU) has successfully implemented an ERM program that provides the governance, framework, and guidance to assist and support campus leadership and stakeholders in identifying events that have the potential to impact the CMU community. CMU uses “three lines of defense” in its risk governance structure. The first line features risk management working groups and department leadership. The second line includes enterprise risk and compliance management. Finally, internal audit serves as the third line of defense. Each of these lines plays an important role in managing risk, complemented by external audits and regulatory requirements. At Carnegie Mellon, all members of the community are risk managers who have a responsibility to speak out if they see a risk arise. Risk custodians take those risks and determine how best to manage them, while the risk owners (executive and VP leadership) are accountable for oversight and for making effective policy decisions that shape the risk culture.

Understanding the Role of the Board in Risk Governance

Institutional governance within higher education typically consists of a governing board (board of regents, trustees, visitors) elected or appointed to oversee the decisions about institutional strategic plans, programs, budget, policies, risk management, and appointment of senior officials. The board plays a fundamental role in higher education governance and ensures the institution achieves its mission, typically sitting at the top level of the institution’s risk governance framework and serving in a fiduciary role for its institution.

Boards may vary in the roles they play, particularly when considering the differences between public and private college/university boards, but they typically share six core functions:

  • Strategy: Set strategy in collaboration with institutional leadership and monitor its execution.
  • Governance: Establish and review key policies that govern the institution's operations and conduct.
  • Financial: Oversee the institution’s financial management, including review and approval of operating budgets.
  • Performance: Establish performance standards and provide oversight of the institution’s performance on key success factors.
  • Risk: Develop enterprise-wide risk mitigation strategies, communicate risk tolerance, and proactively monitor risks.
  • External Relations: Promote and guide the institution’s partnerships and external engagement strategy.

Through those six core functions, board members operate differently day-to-day than their management counterparts. The institution needs to segregate these duties to avoid duplicate work and create clear lines of reporting. For example, the board is responsible for establishing strategic priorities, providing expertise, and approving management decision-making, while institution management (college/university presidents, chancellors, etc.) is responsible for executing board and committee decisions and making strategic recommendations for board review/approval.

Having a board that is supportive and aware of the importance of risk oversight, combined with the right governance model, is paramount to fostering a risk-oriented culture throughout the institution. There are several models, but direct and bi-directional lines of communication are required for any governance model to operate effectively. While colleges and universities employ many models, Figure 1 presents a sample risk governance structure.

Figure 1: Illustrative Risk Governance Model

Approaches and Techniques for Communicating Risk Information with the Board

Risk conversations can be confusing or daunting, but with the right approach, they can be incredibly productive. Here are a few key tenets that allow for more productive discussions:

  • Ongoing dialogue that stresses how ERM improves business value
  • Clear avenues between leadership, faculty, staff, and students for honest communication and feedback
  • ERM trainings throughout the institution to signal the importance of a risk-aware culture

There are various models, but a proven and effective model to communicate risk information is the “inform vs. decide” model. It can help avoid asymmetric information and provide the board with a proper level of oversight. This model creates a structure wherein the board is informed about certain risk information and prompted to decide on other risk information. For example, the board may be briefed on current risk exposures and asked to decide on topics related to the approval of risk appetite based on the recommendations of the ERM program.

The risk manager should also understand how to communicate to the entire board versus the various committees that comprise the board. For example, the board should engage in discussion on overarching, institution-wide risks with significant strategic implications and the overall effectiveness of risk management frameworks and practices. The board’s committees will discuss specific issues, trends, or incidents relevant to the committee’s focus, as well as institutional risks that are not yet critical. Committees often engage in more frequent and detailed risk discussions, while the board’s discussions are less frequent but broader in scope.

Communicating Risk Information at Western Governors University (WGU)

WGU formalized its ERM governance structure, including lines of communication. Its program includes the board of trustees, which communicates with the enterprise risk committee using a standard reporting format. In addition, its ERM program uses the same reporting standards to communicate with the chief financial officer and chief risk officer. The standard “ERM 2-Pager” creates cohesive communication across the governance structure. WGU also has a tactical risk escalation (TRE) form for risks that are developing rapidly and need a more immediate response.

Communicating Risk Information at Southern Methodist University (SMU)

SMU uses a bi-annual strategic risk assessment survey to identify and promote an understanding of the most critical risks facing SMU. It is sent to the board of trustees chair, audit committee chair, president, president’s cabinet, AVPs, deans, and associate deans. It includes open-ended questions about risks, covering details, impact, likelihood, and controls. These risks are then included in SMU’s risk report.

New Frontiers for Engaging the Board of Trustees

Trustees and institutional leaders tend to view the risk landscape through different lenses. Trustees typically weigh risks that could impact the five- to ten-year timeline more heavily than risks in the immediate term. In contrast, college and university leaders often weigh immediate risks more heavily than long-term risks. This difference can lead to delays in decision-making, unclear strategy articulation, a decline in morale caused by lengthy debates, or inefficient resource allocation. While an institution’s current interaction model may be sufficient to facilitate board and institutional alignment, there is an opportunity for further engagement and alignment through proactive integration of board perspectives into the ERM lifecycle.

Examples of Possible Solutions

During the risk assessment process, institutions rate the risks identified, using defined criteria, to evaluate overall risk exposure. Traditionally, the enterprise risk assessment was limited to risk ratings provided by various institutional stakeholders and administrators. The board can provide valuable insights, including a unique perspective on likelihood and consequence scoring, a greater attunement to market conditions for velocity predictions, and a detailed understanding of the institution’s risk appetite. The board can also enhance the ERM program during the risk response phase. During risk response, institutions develop responses to accept, avoid, reduce, transfer, or exploit risks in order to reduce risk exposure. Risk response plans are typically developed by risk owners and approved by senior leadership. If engaged further, the board could share best practices and lessons learned from outside industries that would benefit the institution. This engagement could also promote more efficient resource allocation for mitigating the highest-priority risks.

Call to Action

Given the increased scrutiny of higher education institutions, the role of trustees in risk management is going to be increasingly important. How trustees engage with institutional leaders will be paramount in how institutions respond when risks manifest. In response, risk managers are going to play a larger role in the institution’s leadership teams. Their ability to engage and communicate with the board will dictate, in many cases, how well a college or university can navigate the issues facing higher education.

To learn more about each of these sections of risk governance, review the webinars offered in each area in the URMIA Library (member login required):

Special acknowledgments to the following who participated in presenting the webinars: Cole Clark, Deloitte Services LP; John Fees, GradGuard; Stacy Janiak, Deloitte Global; Melanie Lucht, Carnegie Mellon University; , Southern Methodist University; and Alan Smith, Western Governors University.

By Cynthia Vitters, Managing Director, Deloitte & Touche LLP
By Jake Braunsdorf, Senior Manager, Deloitte & Touche LLP
By Jake Lord, Cyber and Strategic Risk - Manager, Deloitte & Touche LLP