

In the corporate sector, interest in the integrated and more strategic concept of enterprise risk management (ERM) has grown significantly in the past 15 years (Arena, Arnaboldi, and Azzone 2010). Certain external factors affected the adoption and implementation of ERM practices in corporations, including significant business failures in the late 1980s that occurred as a result of high-risk financing strategies (URMIA 2007). Governments in several European countries took actions and imposed regulatory requirements regarding risk management earlier than was done in the United States, issuing new codes of practice and regulations such as the Cadbury Code (1992), the Hampel Report (1998), and the Turnbull Report (1999). In 2002, the Public Company Accounting Reform and Investor Protection Act (otherwise known as Sarbanes-Oxley, or SOX) was enacted in the United States. In 2007, the Securities and Exchange Commission (SEC) issued guidance placing greater emphasis on risk assessment and began to develop requirements for enterprisewide evaluation of risk. In February 2010, the SEC imposed regulations requiring for-profit corporations to report in depth on how their organizations identify risk, set risk tolerances, and manage risk/reward trade-offs throughout the enterprise.

While widespread in the corporate sector, in large part due to regulatory compliance, ERM is fairly new in higher education. Gurevitz (2009) observes that educational institutions "have been slower to look at ERM as an integrated business tool, as a way to help all the stakeholders – trustees, presidents, provosts, CFOs, department heads, and frontline supervisors – identify early warning signs of something that could jeopardize a school's operations or reputation." In 2000, the Higher Education Funding Council of England enacted legislation requiring all universities in England to implement risk management as a governance tool (Huber 2009). In Australia, the Tertiary Education Quality Standards Agency (TEQSA 2013) evaluates the performance of higher education providers against a set of threshold standards and makes decisions in relation to their performance in line with three regulatory principles, including understanding an institution's level of risk.

Exhibit 9.2 Risks Affecting Higher Education

Institutional Area: Types of Risk

Boards of Trustees and Regents, President, Senior Administrators
  • Board performance assessment
  • CEO assessment and compensation
  • Conflict of interest
  • Executive succession plan
  • Fiduciary responsibilities
  • IRS and state law requirements
  • Risk management role and responsibility

Business and Financial Affairs
  • Articulation agreements
  • Business ventures
  • Cash management
  • Capital campaign
  • Contracting and purchasing
  • Credit rating
  • Debt load/ratio
  • Federal financial aid
  • Gift/naming policies
  • Transportation and travel
  • Recruitment and admissions model

Compliance with Federal, State, and Local Laws, Statutes, Regulations, and Ordinances
  • Americans with Disabilities Act (ADA)/Section 504
  • Copyright and fair use
  • Drug-Free Schools and Communities Act
  • Family Educational Rights and Privacy Act (FERPA)
  • Health Insurance Portability and Accountability Act of 1996 (HIPAA)
  • Higher Education Opportunity Act
  • IRS regulations
  • Integrated Postsecondary Education Data System (IPEDS)
  • Jeanne Clery Disclosure of Campus Security Policy and Campus Crime Statistics Act (Clery Act)
  • National Collegiate Athletic Association (NCAA)/National Association of Intercollegiate Athletics (NAIA) regulations
  • Record retention and disposal
  • Tax codes
  • Whistle-blower policies

Campus Safety and Security
  • Emergency alert systems for natural disaster or other threat
  • Emergency planning and procedures
  • Incident response
  • Infectious diseases
  • Interaction with local, state, and federal authorities
  • Minors on campus
  • Violence on campus
  • Weapons on campus

Information Technology
  • Business continuity
  • Cyber liability
  • Electronic records
  • Information security
  • Network integrity
  • New technologies
  • System capacity
  • Web page accuracy

Academic Affairs
  • Academic freedom
  • Competition for faculty
  • Faculty governance issues
  • Grade tampering
  • Human subject, animal, and clinical research
  • Intellectual property
  • Internship programs
  • Joint programs/partnerships
  • Laboratory safety
  • Online learning
  • Quality of academic programs
  • Student records
  • Study abroad

Student Affairs
  • Alcohol and drug use
  • Clubs and organizations
  • Conduct and disciplinary system
  • Dismissal procedures
  • Diversity issues
  • Fraternities and sororities
  • Hate crimes
  • International student issues
  • Psychological disabilities issues
  • Sexual assault
  • Student death
  • Student protest

Employment/Human Resources
  • Affirmative action
  • Background checks
  • Discrimination lawsuits
  • Employment contracts
  • Labor laws
  • Performance evaluation
  • Personnel matters
  • Sexual harassment
  • Termination procedures
  • Workplace safety

Physical Plant
  • Building and renovation
  • Infrastructure damage
  • Off-site programs
  • Public-private partnerships
  • Residence hall and apartment safety

  • External relations
  • Increased competition for students, faculty, and staff
  • Increased external scrutiny from the public, government, and media
  • Medical schools, law schools

In the United States, engaging in risk management efforts and programs for IHEs is not specifically required by accrediting agencies or the federal government. Perhaps because it is not required, ERM has not been a top focus for boards and senior administrators at IHEs. Tufano (2011) points out that risk management in the nonprofit realm, including higher education, is significantly less developed than in much of the corporate world and often still has a focus on avoidance of loss rather than setting strategic direction. Mitroff, Diamond, and Alpaslan's (2006) survey assessing the state of crisis management in higher education revealed that colleges and universities were generally well prepared for certain crises, particularly fires, lawsuits, and crimes, in part because certain regulations impose requirements. They were also well prepared for infrequently experienced but high-profile situations such as athletics scandals, perhaps based on their recent prominence in the media. However, they were least prepared for certain types of crises that were frequently experienced such as reputation and ethics issues, as well as other nonphysical crises such as data loss and sabotage.[1] A survey conducted by the Association of Governing Boards of Universities and Colleges and United Educators (2009) found that, of 600 institutions completing the survey, less than half of the respondents "mostly agreed" that risk management was a priority at their institution. Sixty percent stated that their institutions did not use a comprehensive, strategic risk assessment to identify major risks to mission success. Recent high-profile examples may be beginning to change that. The Freeh Report regarding Penn State determined that "the university's lack of a robust risk-management system contributed to systemic failures in identifying threats to individuals and the university and created an environment where key administrators could 'actively conceal' troubling allegations from the board" (Stripling 2012).

  • [1] Mitroff, Diamond, and Alpaslan (2006) note that "colleges and universities are in the very early stages of establishing their crisis management programs, and much remains to be done. The recent experience in New Orleans and elsewhere suggests that developing and maintaining a well-functioning crisis management program is an operational imperative for college and university leaders" (p. 67).