Transcript

Host: Hello and welcome to Prevention and Protection, the United Educators Risk Management Podcast. Today, Hoda Hussein, Beth Kidwell, Jojo Dunlap, and Natalie Babaniyi, UE’s risk management consulting team, are forecasting risks impacting educational institutions for 2026.

A reminder to listeners that you can find other UE podcasts, as well as UE risk management resources, on our website, www.ue.org. Our podcasts are also available on Apple Podcasts and Spotify. Now, here’s Hoda.

Hoda Hussein: Hello and welcome to the United Educators Risk Management Podcast. I’m Hoda Hussein, a senior Risk Management Consultant here at United Educators. I’m joined in today’s discussion by three of my risk management consulting colleagues here at UE: Beth, Jojo and Natalie. The four of us are going to spend the next 15 to 20 minutes talking through five risks that we’re seeing more often as we head into 2026 and what they mean for institutions day to day.

Team, let’s have you each introduce yourselves and give us your opening thoughts.

Beth Kidwell: Thanks, Hoda. I’m Beth Kidwell, Risk Management Consultant, and looking forward to our conversation today. For me, the risks that we’ll talk about today are not hypothetical risks. They’re showing up in claims, they’re being discussed in campus conversations, and I think each of us could agree that we’ve answered one or two questions from our members about these risks. In many cases, the risks are changing much faster than institutions expect, which is part of what’s making them so complex and challenging to navigate.

Jojo Dunlap: Hello, I’m Jojo Dunlap, an Associate Risk Management Consultant here at UE. As we go through each risk, we’ll talk about what it actually looks like on campus, where liability tends to show up, and a few practical things institutions can do now to stay ahead of each risk.

Natalie Babaniyi: And I’m Natalie Babaniyi, also a Risk Management Consultant here at UE. And as we have this conversation, I think it’s important to note that every campus is different, so use this as a framework and not a checklist. We aim to give you topics to consider as you think about risk prevention in 2026, and if any questions come up while you are listening, reach out to us at risk@ue.org.

Hussein: Yes, so let’s get started. The five risks we’re forecasting for 2026, in no particular order, include deferred maintenance, with an emphasis on extreme weather; name, image, and likeness, usually referred to as NIL; artificial intelligence, cybersecurity; and civil unrest. These aren’t ranked and any one of these could be a full episode on its own, but today we’re keeping it high level and focused on what matters most from a risk perspective. We’re going to kick things off with deferred maintenance and extreme weather. Much of the Southern and Eastern US just recently experienced a significant snow and ice event. For many campuses in these regions, this isn’t weather they’re historically designed for. Systems that rarely get stress tests for prolonged freezing temperatures — so that’s your roofs, pipes, HVAC, drainage, even staffing and response plans — are suddenly being pushed to their limits, and that’s where deferred maintenance quickly turns from a facilities issue into a safety and liability issue.

Kidwell: Yeah. This risk has been on my mind quite a bit recently, Hoda, so I’m going to jump in here and get us started. Deferred maintenance has always been a part of the conversation, especially in higher ed, but it becomes much riskier when you layer in extreme weather events. So as you mentioned, older roofs, HVAC systems, the drainage infrastructure, all of those are under increased strain from heavier storms, longer heat waves and the more frequent freeze/thaw cycles. Things that might’ve been manageable in the past, we’re seeing them fail much more quickly now, and those failures can have real contractual consequences as well.

When facilities aren’t usable, institutions could face disputes over things like canceled events, disruptionss to their housing, and interrupted services. So deferred maintenance can expose gaps in contracts that never contemplated frequent weather driven shutdowns and didn’t clearly assign responsibility for them. At the same time, we’re seeing a key shift, where acts of God are no longer the shield they once were. Courts and regulators increasingly expect institutions to anticipate foreseeable weather risks and take reasonable steps to prepare for them. So when extreme weather is no longer rare, the questions become: What did you know? What did your contracts address? And bottom line, what did you do to mitigate it?

Hussein: That’s right, Beth, especially in regions where snow and ice aren’t routine, the expectation to plan and respond is still there regardless of how unusual the event feels locally.

Dunlap: Yeah. Bouncing back to Beth’s comments, I think it’s important to note that when we see claims tied to these events, the weather usually isn’t the real issue. The focus tends to be on what the institution knew beforehand and what was done or not done about it. If there were known issues or prior complaints, those details matter a lot after something goes wrong.

Babaniyi: Exactly, and let’s not forget, the risks often extend well beyond just the building. We see injuries, mold claims, disrupted classes, lost research, emergency response challenges. From a risk perspective, having a clear picture of known issues, prioritizing repairs tied to safety, documenting decisions really does matter. Deferred maintenance is no longer just a budget problem; it’s a liability one.

Hussein: That’s exactly right, Natalie. We just held a focus group on facilities maintenance and the recurring barrier that we heard about from attendees was funding — essentially, deciding what gets funded now versus later, and how to justify those decisions to leadership and boards. These claims can cost millions of dollars, but the preventative maintenance is often much more affordable, and it goes beyond just the money. There is a safety and reputation cost to these claims. If people are critically injured due to facilities issues, that’s not likely to play well in the media.

Several schools emphasize the importance of framing issues in terms of health, safety, liability, and reputational impact — including social media and enrollment, not just facilities condition — to unlock resources. Colleges don’t solve the funding problem, but they make progress by being sharper about why a project matters, who is at risk and what happens if nothing is done. The schools that move the needle are the ones that turn maintenance into a defensible risk decision, not a wish list. So while deferred maintenance and extreme weather expose a very physical risk on campus, the next area we’re seeing grow just as quickly, and often with far less clarity, is NIL.

So Jojo, what should schools be thinking about here?

Dunlap: Yeah. Thanks, Hoda. Name, image, and likeness, NIL, has changed the athletics landscape in a big way. Student athletes are entering into sponsorships, appearances, and business relationships that simply just didn’t exist a few years ago. Even when schools aren’t directly involved, they’re often connected through facilities, events, or expectations around oversight.

Kidwell: That’s right, Jojo. And that connection is where risk can creep in. We’re seeing issues around NIL-related events or appearances where it’s not clear who’s responsible for the safety, insurance or supervision. Institutions may see themselves as hands-off, but that’s not always how others are going to see it after the incident. Natalie, I think you have some takeaways from our focus groups on this topic that you wanted to share during our conversation.

Babaniyi: Absolutely. We have held several focus groups on NIL, and what stood out is that risk managers do not feel connected to the NIL decision. However, the risk is absolutely showing up in their work. NIL is not being considered an enterprise risk, and most decisions are being handled by an institution’s athletic department. Additionally, NIL exposure is not limited to Division 1 or varsity sports. Institutions are seeing a ripple effect in club and recreational sports where participation is growing, but staffing, medical coverage, and oversight have not kept pace. We are also hearing about more serious injuries, growing mental health needs among student athletes, and ongoing shortages in athletic trainers and sports medicine staff. The combination can significantly increase liability, especially in club sports where resources are thinner, but expectations are rising. And there is also still a lot of uncertainty around the rules. Revenue sharing, Title IX implications, fair market value, and long-term athlete care. In the absence of clear guidance, institutions are making high-stakes decisions that could have compliance and reputational consequences. Clear policies around approval, insurance, and education are critical as NIL continues to evolve.

Hussein: Thanks, team. With NIL we talked a lot about unclear responsibility and evolving expectations. Those same issues come up maybe even more so when we turn to artificial intelligence and the emerging liability that comes with it, which is our next risk. So what are some thoughts here?

Dunlap: I’m going to jump right in here. We know that AI is already being used across campuses in all kinds of ways, from admissions and advising, to chatbots, procurement tools, and safety systems. The challenge is that adoption is often happening faster than governance can keep up. And institutions are realizing that the bigger risks may not be using AI at all, but using it without clear guardrails. Some of the risks we’re watching include bias, lack of transparency, inaccurate outputs, and over-reliance on automated decisions. When AI plays a role in high-impact decisions, institutions may be asked to explain how those tools were used, what data they relied on, and where human judgment came into play. Relying on a vendor doesn’t remove that responsibility.

Babaniyi: Yes, Jojo. That is why we are seeing so many institutions lean towards guidelines rather than rigid policies. They’re relying on existing frameworks, like academic integrity, discrimination, and data privacy, to manage AI risks. The flexibility helps campuses to adapt as the technology changes, and it also makes coordination critical. Another pressure point we are hearing about is procurement. AI is now embedded in so many everyday tools that evaluating data use, third-party involvement, and contractual risk has become much more complex. Without the right expertise and oversight, those decisions can introduce risk long before they realize it.

Hussein: They certainly can; great points raised. Of course, all of this increased reliance on technology raises a bigger question. How secure are the systems and data that power it? That takes us straight into cybersecurity. What should schools be thinking about here? Beth, I’ll turn to you on this risk first.

Kidwell: Thanks, Hoda. Cybersecurity remains one of the most significant and persistent risks facing education institutions, particularly when it comes to ransomware. And unfortunately, I know from firsthand experience that a ransomware attack is a very challenging event to navigate. Educational institutions are attractive targets, not only because of the volume of sensitive data they hold, but also because of how dependent they are on uninterrupted access to systems. When you see operations come to a screeching halt across your campus, the pressure to restore them quickly and get back to normal can really drive high-stakes decisions in a very short window.

Babaniyi: I’ll add that the impact of cyber incidents is rarely confined to IT. We see ripple effects across payroll, housing, instruction, research, patient care, and athletics. Even after the system comes back online, institutions may still be navigating regulatory notification, forensic investigations, insurance coordination, and potential litigation. Those downstream consequences are often where the real cost and complexities show up.

Hussein: So, what I’m hearing is, this really reinforces that cyber preparedness is an institutional responsibility, not just a technical one. Regular training, realistic tabletop exercises, clear decision-making authority, and a solid understanding of cyber insurance coverage all matter. Cyber risk isn’t hypothetical anymore. It’s something institutions should assume they’ll face and plan for it accordingly. So when you layer in heightened tensions on campus, misinformation, and the speed at which events can escalate online, we arrive at our final risk, civil unrest. What do you all see coming up most often in your conversations with members on this one?

Dunlap: Civil unrest, particularly protests or demonstrations that escalate quickly, is an area we’re watching closely. What’s super interesting, for me, is that this risk has typically been focused within higher educational institutions, but we’ve noticed a newer trend in K-12 schools, where students have been walking out during the day to protest against ICE. Having minors involved, of course, heightens and complicates liability exposure. Institutions are often trying to balance maintaining normal operations with increased safety — and all under intense public scrutiny, where decisions are being made in real time and then they’re later reviewed with the benefit of hindsight.

Beth Kidwell: Exactly right, Jojo. And when claims arise, the focus is rarely on the event itself. It’s usually on whether warning signs were missed, whether policies were applied consistently, and whether the institution can demonstrate that expectations were clear. So, training, documentation and consistent decision-making really do matter when actions are later scrutinized.

Babaniyi: I want to point something out here: One of the biggest challenges we see is information living in silos. Different offices may each have different areas of concern about visitors, social media activity, prior incidents, or logistics, and therefore no one connects them early enough. Also, as Beth said, scrutiny often centers around whether warning signs are missed or if the policies were applied consistently or if expectations were clearly communicated — and if information lives in silos, institutions cannot demonstrate that they acted reasonably or proactively. Campuses that use cross-functional coordination, strong reporting channels, and threat assessments or incident response teams are much better positioned to deescalate situations before they spiral, and also respond in an unfortunate situation where an incident does occur.

Hussein: I also want to mention, what we heard clearly from members is that successful institutions don’t rely on enforcement alone. Early engagement with organizers, clear expectations set in advance, and coordination across risk, legal, student affairs, communications, and public safety all reduce the chances of escalation. We also heard that the most unpredictable element often isn’t students, it’s outside actors and misinformation. Planning for third-party involvement, explaining the purpose of safety measures, and focusing on keeping people safe and pathways open can make a meaningful difference.

In many cases, liability ultimately turns on whether institutions followed their own processes and could show they acted thoughtfully and consistently. So as we look ahead to 2026, the risks we talked about today were deferred maintenance with an emphasis on extreme weather, NIL, artificial intelligence, cybersecurity, and civil unrest. While these may seem very different on the surface, what stood out to me is often how the same underlying challenges show up across all five. Before we wrap up, what are your closing thoughts? Beth, I’m picking on you first.

Kidwell: OK. Thanks, Hoda. Whether it’s a storm, a protest, a cyber incident, or an NIL related issue, we saw the questions tend to be the same. Who knew what or when? Who is responsible for acting, and were decisions made consistently and documented along the way? Strong governance, clear roles, and good communication are what help institutions answer those questions with confidence.

Dunlap: That’s right, Beth. We also heard repeatedly that risk isn’t just about reacting when something goes wrong, it’s about the work that happened beforehand. Early engagement, realistic planning, training, and coordination across departments can significantly reduce both harm and disruption when challenges arise. OK, Natalie, what am I missing?

Babaniyi: Thanks, Jojo. Remember, risks do not exist in isolation. They overlap and often compound each other, which is why breaking down silos, sharing information across campus, matters so much. Institutions that invest in preparedness, address risk management across function and departments, and follow their own processes are far better positioned when decisions are later reviewed and questioned.

Hussein: Those are all excellent closing thoughts. We encourage members to think ahead about how your institution would respond to an incident involving any one of these risks. One place to start is our Crisis Response Tabletop Exercises library, which includes downloadable scenarios on each of the risks that you can use with your crisis response team to test assumptions and assess preparedness. You can also find collection pages on each of these five risks on UE.org. And if you’re thinking about how these risks show up on your campus or where it might make sense to focus next, we’re always happy to be a resource, and you can reach out to our team at risk@ue.org.

Host: For United Educators Insurance, this is the Prevention and Protection Podcast. For additional episodes and other risk management resources, please visit our website at www.ue.org.