University Risk Managers Share Concerns
Higher education risk managers converged on Louisville, Ky., this fall for the annual conference of the University Risk Management and Insurance Association, where several themes emerged as key areas of focus.
“ERM seemed to be the biggest theme, but there was a enough variety in the sessions to cover all the basics,” said Mark Logel, director, administrative services & risk management at the University of Evansville and a first-time conference attendee.
More than six in 10 (61 percent) survey respondents said they have not conducted an enterprise risk management process at their institution in the past two years, or don’t know if such work was done, according to data shown during one session, “Managing Risk Intelligently: A New Normal.”
And yet, nearly three-fourths (73 percent) said they are more focused on institutional risk now than five years ago, and 63 percent reported having more full board discussions about institutional risk.
Paradoxically, only 39 percent of respondents said they were getting enough information about their exposures, down from 43 percent in 2008.
However, according to Gary Langsdale, university risk officer at Pennsylvania State University (PSU) and a session speaker, these statistics are not as negative as they appear. Such conflicting opinions may demonstrate that institutions are growing more aware of the complex web of risks they face and therefore asking for more information, not necessarily receiving less.
“There’s an impetus for thinking more holistically about risk,” said Andre LeDuc, executive director, enterprise risk services at the University of Oregon. “It’s a continual struggle to promote a risk-aware culture.”
Such a culture needs to be built from the top down, with buy-in from board members and more communication between academic and student affairs offices. The publicity surrounding the Sandusky scandal at PSU revealed a need for greater board involvement, Langsdale said.
But, he noted, there is a limit.
“Board members should have their noses in but fingers out,” he said, meaning the board’s role is to be informed but not overly involved in risk management.
Langsdale identified ways risk managers can help set the culture for a true ERM effort:
• Look for leadership opportunities.
• Break down organizational silos.
• Understand the analytical tools and methodologies available.
• Elicit views from across the organization.
“Establishing ERM is an evolution,” LeDuc said. “Check back in two or three years to see what works and what doesn’t. Every institution is unique. … We have to take lessons learned back to our home institutions and help the thematic thread spread.”
Changing demographics and enrollment challenges, lack of funding and regulatory compliance are three major strategic risks faced by universities.
According to Christine Eick, executive director, risk management and safety at Auburn University, some schools saw hundreds of millions of dollars’ worth of cuts in government funding during the recession.
That is compounded, Langsdale said, by a lack of funding on students’ end as well. As costs rise, fewer students and their families are able to contribute much from their own pockets.
“We have to make choices about which programs to support,” he said.
Many attendees acknowledged that funding for sports programs, while ultimately accounting for a very small percentage of a school’s overall budget, should be the first to take cuts because of their high visibility.
Enrollment has also fallen as demographics shift. There are simply fewer 18-year-olds in the prospective student pool now than there were a decade or more ago, which increases competition among schools vying to keep classrooms full.
“One help has been recruiting returning military members,” Eick said, “who often come with the support of government funding” and have incentives to obtain a degree as they re-enter the mainstream workforce.
Compliance has also risen as a priority, especially with adherence to Title IX and the handling of sexual assault cases coming under tighter scrutiny.
Along with the increased risk, however, comes the benefit of putting “risk managers at the right tables,” said LeDuc, as universities need to discuss such risks among different offices and with board members.
Like any other organization that collects personally identifiable information, higher education institutions are more concerned with cyber threats.
“Data, data, data. Are we fully aware of our exposures?” LeDuc asked, picking out cyber security as a risk to watch related to students’ personal and financial records, as well as the potential for theft of intellectual property, especially at research institutions.
“Cyber is an increasing threat,” Eick agreed. “There has to be a shift in culture that mandates security training for all faculty to be completed by a certain date. Schools should be employing more privacy officers and CIOs to handle those challenges.”
Universities may have a higher exposure for data breach, Langsdale said, because networks are “designed to be open” to allow access for prospective and current students, alumni, faculty, and researchers from other facilities.
“You need to be on top of your cloud providers and know where your servers are located,” he said. “There should be no deemed export of information.”
Along with the increase in study abroad programs comes the increased need for colleges and universities to do more to ensure the safety of students in such programs, including keeping track of their whereabouts and the conditions of the countries they visit.
Until recently, schools have had limited ways to track and communicate with students abroad, and have kept limited records of incidents. Both nonprofit organizations and businesses offer resources to help risk managers expand their efforts.
One way to conduct due diligence is through site visits, which “are not terribly expensive,” according to Eick, but which usually are only done by larger, better-funded schools.
In addition to scoping out the conditions of hosting school and the surrounding communities, site visits allow risk managers an opportunity to analyze local coverage and ensure that the right policies are in place. Language barriers can result in improper coverage.