Lessons Learned in Updating Risk Management: An Accountability Guide for University and College Boards

Host: Hello and welcome to Prevention and Protection, the United Educators Risk Management podcast. Today’s guests are Justin Kollinger and Liza Kabanova, Risk Management Consultants at United Educators. They will discuss lessons learned while contributing to the second edition of An Accountability Guide for University and College Boards, a book published by the Association of Governing Boards in April 2020, that discusses the risk landscape in education today. Hosting the discussion is UE colleague and fellow Risk Management Consultant, Sam Swartout.

Before we begin, a quick reminder that you can find other episodes of Prevention and Protection, as well as additional risk management resources, on our website, This and all other episodes of Prevention and Protection are also available on iTunes. Now here’s Sam.

Sam Swartout: Justin and Liza, thanks for joining me today about what we’ve learned in the process of researching and writing the second edition of this book about enterprise risk management (ERM) in higher education. I know you spent last year interviewing leaders in education about ERM and work closely with the Association of Governing Boards to update the book on ERM. In addition, you also work closely with leaders at K-12 schools, colleges, and universities to facilitate on-campus ERM workshops that assist leaders with starting or refreshing an ERM program.

You know, I hear the term enterprise risk management and ERM a lot. But could you share a brief summary of what exactly it is?

Justin Kollinger: Enterprise risk management is a holistic process that helps institutions identify, prioritize, manage, and report on risks at an institutional level. ERM committees typically comprise a cross-functional group of senior administrators who then work together to identify risks and select which ones the institution will tackle that year.

To give you an example, deferred maintenance is one that requires ERM to really effectively manage. If you think about it, deferred maintenance cuts across the institution. Any single input or focus on deferred maintenance is probably too limited to have a strategic approach to dealing with that risk. For example, a safety-only approach doesn’t prioritize student recruitment or the impact of facilities on student learning. And deferred maintenance might include equipment, as well as physical plants, and there can also be IT implications.

So you can see how there’s a lot of potentially cross-cutting risks. And by bringing everybody into the room together, that helps everyone have a say in how deferred maintenance decisions can be prioritized in a way that minimizes the most urgent risks the institution faces and allows you to allocate resources accordingly. This is really what ERM does well.

Swartout: What’s changed in the risk landscape that caused us to rethink ERM since the first edition of this book came out in 2013?

Liza Kabanova: It does feel like so much has happened in just under a decade, Sam. We’ve seen big changes in employment practices and global competition for education. Education has been in the news about admissions practices, sexual abuse and misconduct, diversity and inclusion, and protests on campus since then. Another example is a global health crisis we’ve all experienced this year. We’ve seen this pandemic impact admissions and enrollment, mental health, finances, and even reputation.

Kollinger: Yeah. There’s been lots of expansion of previously existing risks. These are things that we thought were manageable in the past and now all of these risks seem like they have a chance of just blowing up on us. For example, if we look back to 2013, we were starting to understand what enrollment was going to look like over the course of the next decade. But by 2020, we now have pretty increased certainty that a demographic cliff is upon us, both in K-12 and in higher ed.

Meanwhile, public skepticism of education has grown – issues around diversity, equity, and inclusion. Again, these aren’t new, but they’re expanding, as we’ve seen more protests, increased public interest, more discussion about diversity, equity, and inclusion in politics, and perhaps most importantly, increasing engagement in these issues by the Gen-Z students we serve. And I think a lot of these risks, they can sound abstract when we talk about them in these terms, but they can have a real impact, both on your finances and your ability to achieve your institution’s mission.

I can think of how a lot of these risks can impact whether students choose to attend a different institution or [whether] they drop out or transfer from yours. I can see impacts on philanthropic giving or even if we’re looking at the liability side, things like social inflation, which is an increase in the value of settlements due to higher expectations from our institutions, ultimately creating greater losses from claims.

Swartout: As somebody who is personally addicted to Twitter, I know social media has been a major change in how campuses respond to these types of events. The new edition includes a new chapter on reputational risk and social media. Can you tell me more?

Kabanova: That’s right, Sam. Through our research and in talking with leaders, we learned that risk management is just as important if not more so today than it was 10 years ago. In fact, risks tend to be bigger and more overwhelming, particularly given the rise of social media and political polarization around higher education. Risks that used to fly under the radar now have the potential of tainting the college or university’s reputation minutes after they occur. Something we want all leaders to think about is that reputational risk is a second-order risk.

Swartout: What do you mean by second-order risk?

Kabanova: What I mean is that any risk event happening, whether it’s big or small can have an impact on your institution’s reputation. Whether there’s a protest on campus or a new diversity and inclusion initiative that’s really getting great press, any of these events will have some kind of impact on your reputation. So when you’re thinking about the why behind your risk management efforts, reputation always plays into it.

Something else that we encourage all leaders to think about is being proactive about managing reputation. We talked with a couple of communications firms who mentioned the idea of building goodwill with your communities before something bad happens. Reputation is all about trust and establishing positive relationships with your community. So that’s why it’s so important to include your communications team in your ERM process. They’ll want to know about risks you’re talking about and they may even be able to help you think outside the box in managing risks.

Swartout: That makes sense. Now, another new chapter I noticed in the book talks about ERM maturity and helping leaders grow their ERM programs. Can you tell me some more about this?

Kollinger: As a researcher and as a consultant, I think this was one of the most fun things that we got to do. Some of the ERM programs that were just starting in 2013 had really matured by the time we were doing the research in 2020. And so we were able to see how some ERM programs grew into highly effective ones and what caused other ones to not grow into highly effective or mature ERM programs.

One really interesting takeaway that I had was that highly sophisticated tech systems actually didn’t seem to indicate a strong ERM program. Some ERM programs had really good tech but they weren’t necessarily good programs, while others had great programs but relatively elementary tech backbone to them.

Ultimately, what we found was that mature ERM programs, they lead to action and accountability. So in that chapter, we set forth an ERM maturity model specifically for educational institutions. Mature ERM programs in educational institutions tend to have a clear purpose and scope, a centralized process with influence across all aspects of the institution, a repeatable ERM process, and these ERM programs promote a risk-aware culture. This means that all employees are adopting their roles as managers of risk, of uncertainty, and of ambiguity.

Swartout: I’m glad you mentioned the ERM maturity model in the book. I know the risk maturity chapter was modeled after an ERM maturity tool that you developed for UE members. Could this tool be used as a map for campuses that don’t have an ERM program yet?

Kollinger: That’s a great point, Sam, and I’m glad you mentioned it. That tool is available to UE members on And we wrote it to show what a sophisticated ERM program can look like. If you’re a listener looking to start a new ERM program or to grow a relatively new one, this tool is a really great way to identify ways to develop your program over time.

Following a self-assessment, I recommend picking one or two elements that I listed earlier to work on this year such as developing a clear scope for your ERM program. Just like with any other kind of planning too, it’s important to set goals for your ERM program every year. And this tool is just one way to help you plan that development of your ERM process.

Swartout: Has anyone used this tool to grow their ERM program?

Kabanova: Absolutely, Sam. That was really our hope when we created this interactive tool. One senior leader at a research university reached out about ideas to convince the cabinet and board to link ERM to the annual budget. In pointing to the ERM maturity tool section on tying budget and strategy to the ERM process, as an element of a mature ERM program, she provided a compelling argument and was able to get traction to do just that. So we do recommend that leaders use the tool to set goals for their ERM program so that it grows over time. And just like this leader, to get buy-in when suggesting an internal change.

Swartout: Let’s end on a pragmatic note. What’s one practical tip for administrators and boards?

Kabanova: Well, if you’re an administrator, I suggest you take a look at chapter two, which is the guide for administrators. There you’ll see some practical information about your role in the process and what the steps of ERM can look like for your campus.

I know as consultants at United Educators, Sam and Justin, I think you’ll probably agree with me that one of the most frequent questions that we get is, “What are other campuses doing? What are my peers seeing?”

Swartout: Very true.

Kollinger: Very true. Yep.

Kabanova: And so when it comes to helping senior leaders and administrators, we included new risk registers from real ERM programs today. While what risks you prioritize will still be very unique to your people and programs, what I think these risk registers in chapter two do is they help you see how other institutions are thinking about risks to the entire institution, down to the names of the risks you’ll see. You’ll see some campuses focus on risks like IT infrastructure and academic space, while others focus on risks to innovation. And I hope that these de-identified samples can help leaders see that there isn’t just one answer or a single lens for thinking about risk management on your campus.

Swartout: I would be remiss if I did not ask about boards since the title of the book refers to them. How can individuals engage their boards in risk management?

Kollinger: The role of the board is one thing that has not changed since the first edition. We continue to advocate a noses in, fingers out approach. As a listener, when it comes to the board or when it comes to your senior leadership, you can always be educating upward about how ERM works and how, specifically, ERM works at educational institutions.

And so if you’re a department manager, talk to your supervisors about how executive teams and cabinets can play a role in risk management. And if you’re a listener who’s on the cabinet or on the executive team, discuss how ERM applies to education with the board or with your president or with your head of school. Help your board use their broader experiences to question the assumptions of your administrative leaders and hold them accountable for managing risk.

Kabanova: And also remember to educate your board members on risk management. One leader we interviewed mentioned that she shares a copy of this book with every board member to help orient them on risk management in education.

Swartout: Sounds like there’s something in this book for everyone. I can’t wait to get a copy of this book for myself from AGB’s website. Thanks for talking with me today, Justin and Liza.

Host: From United Educators Insurance, this is the Prevention and Protection podcast. For additional United Educators resources, please visit our website,
