Our latest study breaks down the monolithic challenge of risk management, providing clear plans for rapid-response situations and implementation guidance for foundational enterprise risk capabilities.
Higher ed institutions seeking to manage risk holistically too frequently stumble when moving from vision to execution, whether distracted by one-off incident response obligations or overwhelmed by the sheer magnitude of the effort.
A top expectation for chief business officers
College and university stakeholders—trustees, funders, students, parents, community members, legislators, alumni—are holding their institutions to high standards, even as their complex enterprises experience more and more risks. Enterprise Risk Management, or ERM, is an intentional approach to managing an organization’s remediation of risks, although higher education’s distributed governance can render the risk identification process burdensome. Campus leaders also struggle to capture stakeholders’ focus because of repeated incident response episodes that distract from holistic risk management.
- The Risk Terrain in Higher Education
- Hurdles in the Way of ERM Implementation
- Quick Start Guide to Risk Management
CBOs and cabinet colleagues seek to manage risks at various levels, with particular hot spots emerging in the areas of information security and student activism.
Best practices to phase in a multi-tiered risk management approach
1. Enterprise Risk Management
Finance and administrative executives seeking to professionalize their campuses’ approach to risk management attain critical stakeholder support by clarifying governance roles, preventing scope sprawl, and accelerating progress. By assigning oversight that includes a comprehensive set of viewpoints, defining the scope of oversight and what is included (and excluded) from the formal risk management process, risk managers can increase the odds of broad campus support for focused treatment of key risks.
- Tactic 1: Targeted Risk Governance
- Tactic 2: Disciplined Risk Altitudes
- Tactic 3: Peer-Sourced Risk Register
- Tactic 4: Risk Accelerator
Associated resource: Risk Register Straw Man
2. Information Risk
Chief information officers (CIOs) and Chief information security officers (CISOs) emphasize security awareness among campus members through proactive, relevant, targeted, and sustained communication. By changing the nature of security-related interactions to providing useful information that targets audiences’ interest areas, CISOs can tap into personal motivations, thereby engaging the broader campus in the mission to keep information safe.
- Tactic 1: Board Education Memos
- Tactic 2: Unit-Level Risk Profiles
- Tactic 3: Data-Informed Vulnerability Consultations
- Tactic 4: Security Scorecards
3. Student Activism
Campus leaders embrace activism as a vital ingredient of students’ engagement with the institution by building communication bridges and anticipating incidents. Seeking to professionalize their campuses’ approach to activism, student affairs offices prepare response plans, engage with potential activists, and ultimately leverage the energy and enthusiasm of activists to work together and drive change on campus.