Ulrich Hommel and Benjamin Stévenin
It’s time for universities to get used to the fact that financial distress or even bankruptcy are real risks for many. The reasons are many, ranging from institutions getting pushed to the wall by competitors to reputation crises, such as a loss of accreditation and ranking downgrades which put a drain on financial resources.
The ultimate consequence is a squeeze on budgets that often leads to cost-cutting programmes and further revenue declines as the market re-evaluates the quality of the service offer. In this environment, managing an institution’s risk factor is vital and oversight bodies are prescribing the use of so-called risk registers as ‘weapons of choice’.
But how do institutions use risk registers correctly and are minimum standards necessary?
In their most basic form, risk registers can be viewed as simple ledgers of the risks facing a higher education institution at any given point in time.
Risks are classified according to general categories such as: operational risks (for instance, the 2019 ransomware attack on Maastricht University), event risks (for example, the Thammasat University campus flooding in 2011), reputational and legal risks (such as the sexual assault cases brought against several US universities in recent years) and financial risks (for instance, the income risks faced by private Argentinian universities due to accelerating hyperinflation in 2018-9).
Each risk factor is then evaluated on the basis of likelihood and impact using an ordinal Likert metric. Registers also list the risk owner and risk manager, include information with how the risk is to be managed and contain an assessment of the extent to which management objectives have been achieved and whether action is urgently needed.
Assuming that the likelihood and impact of the risk are rated on a scale from 1 (‘very low’) to 5 (‘very high’), they can then be mapped into two-dimensional risk heat maps with 5×5 risk quadrants. The severity of each risk is flagged using a traffic light system with a ‘very high’ rating for both leading to a code red, implying danger for the institution if not managed carefully.
The attractiveness of risk registers as described above comes from their intuitive simplicity. They have the touch and feel of beefed-up to-do lists. But nobody would seriously suggest that to-do lists qualify as a management tool, right? For one, risk registers require additional risk descriptors to become meaningful. These, for example, include:
- Degree of vulnerability: This shows how harmful a particular risk may be for an organisation. An individual faculty member conducting research unethically is, for instance, a small-scale issue compared to intra-school research cartels with honorary authorships sold for money.
- Speed of onset: This indicates how quickly a risk gone wrong ends up on the institution’s doorstep. When the 2011 Christchurch earthquake disabled the campus infrastructure days before the beginning of the semester, the effect was immediate, requiring the entire institution to switch into crisis mode in an instant.
In order to prevent risk registers being (mis)used as a tool of ad hoc reasoning, the Likert-scaled risk identifiers should always be underpinned by additional metrics. Likelihood of risk will ideally be linked to a probability measure, possibly combined with a definition of acceptable frequency over a defined time period. The impact can be expressed in monetary terms (for instance, loss) or in operational terms (for instance, enrolments or research scores).
The same logic applies to the other dimensions. In other words, the ordinal ranking of risks should really be defined quantitatively as a range of variables that may represent a composite score of relevant proxies describing the risk.
Using key risk indicators
Risk managers believe in two principles: (1) uncertainty is a positive function of time, and (2) uncertainty resolves itself over time.
The first implies that managing risk exposure too far in advance is generally not very sensible because the range of possible outcomes tends to be huge. The second implies that more information can be acquired over time to better evaluate a particular risk.
Specifying so-called key risk indicators (KRIs) can be helpful in this context. They are used to define trigger points for action when the achievement of risk management objectives is under threat. Each risk should be linked to one or several KRIs that create thresholds for triggering action.
A serious shortcoming of risk registers is the cultivation of silo thinking. The overall risk position is broken down into individual risks which are then assigned to owners or managers. One needs to keep in mind in this context that crises are typically the result of several things going wrong at the same time. While formal correlations may be difficult to specify in many instances, what is the alternative?
The frequently observed practice of ignoring any correlations completely means it is assumed there are none. Practically, correlations can be accounted for using scenario planning and subsequent stress testing.
Governing risk management activities
A university-wide approach to risk management requires the establishment of a risk committee (or assigning management responsibility to an existing committee) that implements institutional risk policies, monitors risks and controls the effectiveness of countermeasures.
We would like to point out four issues that explain why governance plays a key role in using risk registers effectively:
- Risk registers are not ‘get out of jail’ cards. Risks must be actively managed, not just listed as items to be monitored. If, for example, heavy dependence on China or India for student recruitment is identified as an issue, then concrete actions must follow to diversify the sourcing of tuition fees.
- When it comes to producing as ‘complete’ a list of risks as possible, university executives must account for the diminishing returns of adding more complexity. The more fragmented the risk portfolio appears, the more likely it is that key risks are not receiving sufficient attention. Applying the 80/20 rule can lead to sensible outcomes in this context.
- Many higher education institutions review risks periodically, such as on a quarterly or annual basis, and this often aligns with their financial reporting cycle. Every risk, however, has its own lifecycle, requiring the use of a less aligned approach. Proxies used to predict future enrolments should probably be monitored on a monthly basis first and then in much finer detail as the application deadline approaches. By contrast, faculty turnover can be managed more informally for most of the year and less often than student enrolments.
- Risk committees can also help to cultivate risk awareness in faculties and schools. If one faculty is producing an unplanned budget shortfall, it may impact on the current and future contribution margins of other units which may cover the losses. Flagging up these effects can help to avoid faculties and schools simply viewing the university as the lender or subsidiser of last resort.
In order to establish an effective risk control structure, managing the interaction between risk committee, risk owners and risk managers is key – on all levels of the institution from university to faculty or school and department or institute.
If the objective is to foster institutional resilience (the compilation of risk registers at the University of Warwick is, for instance, managed by the ‘Institutional Resilience Team’), then the empowerment of actors following the ‘team of teams’ philosophy appears key. Information should be shared widely, trust in the competencies and abilities of risk owners or managers should be formalised, decisions should be taken transparently and follow-up controls should be conducted in the spirit of quality improvement.
Beyond risk registers
Risk registers are ideally suited to manage known risks where there is a history and good supporting data available, but the main challenges universities face nowadays are so-called ‘grey rhino’ risks. These are visible from afar but are difficult to interpret in terms of how they will impact on the university and when is the right time to act.
We may, for instance, think that stackable credentialing will ultimately have an impact on market acceptance of university degrees, but how quickly should we move to a modularised structure that may cannibalise fee income and weaken the management of students’ intellectual progression? When will the ‘grey rhino’ charge at us and when will it be too late to act?
University risk managers must become experts in reading weak signals of what may be in store around the corner. These tend to be fuzzy and qualitative, meaning it is difficult to capture them using the risk register methodology.
Ulrich Hommel is professor of finance at EBS Business School and specialises in risk management as well as restructuring in higher education. He has published extensively on these topics. Benjamin Stévenin is CEO of RimaOne, a company that offers software solutions for the finance and higher education sectors.