Identify Institutional Risks With Confidence
Begin Step 1 of the enterprise risk management (ERM) process at your K-12 school, college, or university by developing a risk register – a list of institutional risks. Your ERM committee can use this resource to correctly identify risks and complete the first step of the ERM process with confidence.
What Is an Institutional Risk?
Institutional risks are inherently different from what leaders typically have in mind when discussing risk management. These complex risks:
- Affect your entire institution or its mission, rather than affecting a single department or function
- Require a coordinated, cross-functional approach
- May combine multiple risks seen across different areas of your institution
- May not have a clear risk owner
Student mental health, enrollment, diversity and inclusion, and data security are examples of institutional risks.
Keys to Identifying Institutional Risks
Address Trends by Looking at Break-Fix Issues
A common risk identification misstep involves including issues that aren’t risks at all. Avoid identifying break-fix issues (problems or concerns that may be solved without a coordinated response). Instead, look for trends in these types of concerns across departments; doing so will help you identify an institutional risk and keep the focus on your institution’s risk management strategy.
For example, instead of identifying break-fix issues like a cracked sidewalk or a broken medication refrigerator, combine similar concerns across all institutional facilities into the institutional risk of deferred maintenance. As a result, leaders may develop an institutional process to report and track maintenance requests across all departments. Your institution can then prioritize maintenance projects by scope and implications and even allocate a budget line to address the highest concerns each year.
Elevate Multiple Departmental Risks
Another pitfall we see is including risks that affect only one department or functional area. While leaders at the department level may consider risk management daily, they often focus on those risks from their department’s perspective rather than combining those risks to consider how they affect the whole institution.
For example, Residence Life staff may note overcrowding in student housing, Athletics coaches may seek additional space for sports training, and employees may need more parking. After discussions with all these departments, the ERM committee can combine these departmental risks into a single institutional risk of lacking space on campus. As a result, the institution can coordinate its response across all departments and create efficiencies and a cohesive response. Together, leaders can identify innovative solutions and demonstrate a greater impact on the institution – and thus receive attention and financial support from senior leadership.
Examine Complex Risks Without Clear Risk Ownership
One tip for identifying risks is to ask whether any risks affecting your institution or its mission are so complex that it may not be immediately clear who would oversee the risk’s treatment strategy. Institutions can address these risks effectively only when leaders coordinate efforts across many areas.
For instance, student mental health has implications for all areas of an institution. The risk may involve managing student and parent expectations at the time of admission; addressing safety concerns through the public safety office; and considering the impact of stress on academics, extracurricular activities, and physical health. After conversations with leaders across the institution, the ERM committee may include this risk on the risk register. The committee may task Counseling Services with overseeing this risk and coordinating a proactive, collaborative response.
Additional risks without a clear owner include:
- Business continuity planning
- Campus culture
- Employee wellness and mental health
- Sexual abuse and misconduct
More to Consider When Identifying Risks
- Don’t include terms on risk registers that aren’t risks. While United Educators (UE) has seen leaders identify “reputation” and “claims” as institutional risks on their risk registers, remember that these are outcomes of risks rather than risks in and of themselves. For instance, employment and student risks all have reputational and liability implications that could involve claims. Instead of incorrectly identifying these terms as risks on your risk register, consider your institution’s reputation and liability as part of assessing all risks and in your risk treatment strategies.
- Don’t be tempted to skip to assessing risks quite yet. Leaders often rush to prioritize risks at the same time as they identify them, or ask whether there are sufficient resources to manage one risk before identifying all other risks. Instead, in Step 1 your institution should consider all potential risks without removing risks that later may be deemed a low priority. This will help you avoid missing something crucial. There’s no need to prioritize or remove risks at this time.
- Note that risk identification isn’t a one-time activity. Since new and emerging risks may surface throughout the year, the ERM committee should always monitor risks and may include an additional risk even after Step 1 is completed. That said, ERM committees should start each year with a formal risk identification activity to ensure all new and emerging risks are considered along with risks previously identified on your risk register.
After completing Step 1, continue on to UE’s blog Assess and Select Which Risks You Will Tackle This Year or use UE’s ERM Process Tracker to input risks into your risk register.
About the Author
Liza Kabanova, Esq.
Risk Management Consultant
Liza serves K-12 schools, colleges, and universities by discussing campus-specific risk management questions. Her areas of focus are enterprise risk management (ERM), COVID-19 response, change management, and training facilitation. She creates practical resources, leads education-specific ERM workshops, and co-authored Risk Management: An Accountability Guide for University and College Boards. Prior to joining UE, Liza served as Assistant Director for Safety and Learning at Pepperdine University. There, she worked to centralize campus safety programs, implement the first employee learning management system (LMS) platform, and serve on the university’s threat assessment team and its workers’ compensation and hazardous waste committees.