Higher education increasingly is taking an “enterprise” approach to risk management that allows colleges and universities to be proactive about mitigating a variety of circumstances over which they have no control. Instead of managing different risks in silos, reports show these institutions now know their entire risk portfolio is innately connected.
According to Deloitte, colleges and universities have found they need their infrastructure – governance, data, processes and culture – to be prepared for the threats and opportunities that will determine whether they can survive or thrive. These threats include hazing-related deaths, sexual misconduct, cybercrime, athletic program violations and the potential for reputational damage from alleged racism. If addressed properly, these schools have the opportunity to differentiate themselves in a crowded and competitive market.
Many of these institutions are turning to experienced external partners to find risk management solutions to protect them, said John Lynch, education industry consultant with Truist.
Truist, a top 10 U.S. commercial bank by assets, was formed from the 2019 merger of BB&T Corp. and SunTrust Banks, Inc. McGriff Insurance Services, Inc. is a subsidiary of Truist Insurance Holdings and provides enterprise risk management solutions for private schools and colleges and universities, including cyber and privacy liability, crisis management and response, and educators’ legal liability.
Lynch and Brad Clark, an insurance broker at McGriff spoke with The Business Journals about recent risk management trends in both higher education and K-12 private schools.
What did the education sector grapple with during the pandemic?
Lynch: The private K-12 sector has fared really well, especially urban schools in destination places like the Southeast. These regions have been impacted by people moving out of dense urban areas in places like California and New York in favor of smaller urban areas. Many of those schools now have longer waiting lists.
In terms of the financial impact, many hunkered down and looked for cost savings. Some took Paycheck Protection Program loans. We’re starting to see personal protective equipment costs flatten out. Those costs weren’t just gowns and masks. That spending also was for the installation of things like temperature checks, portable units and creating more space in classrooms. Schools stayed in session, usually with some form of hybrid education model with social distancing and masks.
Colleges that entered the pandemic with financial challenges have continued to struggle. If they were somewhat strong, they generally fared well. It was easier for smaller schools to get in sync with faculty and administration. Just like small businesses, they were able to make adjustments quickly. One challenge was not having the online infrastructure, but many schools were able to quickly procure that. A lot of schools also had the expense of renting hotels to have quarantine space for students. It almost became like a concierge service once they figured it out.
From a brand perspective, what should schools know about enterprise risk management?
Clark: A brand is how a school shows itself off to the world. Institutions have a greater chance of protecting their brand and reputation if they look at risk in a holistic way rather than just focusing on traditional concerns like property hazards or slips and falls. There are four quadrants of risk – strategic, operational, financial and traditional hazard risk. It’s important to have thoughtful strategies around those quadrants and be proactive, not reactive.
What’s the continuing impact of international students not being able to travel?
Lynch: This is definitely a challenge for schools that are reliant on these students. Undergraduate international enrollment is reported to be down 14%. Those students are important to many small private universities that have a niche in that space. A lot of those students pay full tuition. Schools have to find ways to make up that lost revenue and that includes attracting more domestic students.
What risks and protections do schools need to think about moving forward?
Lynch: Schools looked under every rock for every little cost savings. It’s that old adage of trying to do more with less, however at some point, you have to invest to stay competitive. There’s been an arms race over the past decade or so to build out curb appeal. If a student and his or her family visit a school today and there’s no curb appeal, the odds are good they will not choose it. That wasn’t the case 20 years ago. Campus and brand reach have expanded.
Schools should consider enterprise risk management to ensure a focus on the top-level risks.
Clark: A broker can differentiate themselves by helping the client look at strategic risks – business perpetuation, leadership development and Title IX policies and procedures – and put programs in place to remain in compliance. The operational side focuses on supply chain and regulatory compliance. The financial piece is having a capital structure and credit solutions in place that provide the school flexibility. Hazard risks is most associated with traditional insurance, such as damage to property, business interruption, and third-party liability claims.
Lynch: The aspect of strategic risk that typically doesn’t get enough airtime is change management/leadership development. There’s a lot of leadership-suite change right now. In recent years college presidents and other senior executives have left their positions at a record pace, causing a lot of leadership turnover in those positions. For decades, these schools have relied on that consistent leadership. It’s been difficult for some institutions to find the right person for the role. Schools are spending a considerable amount with search firms to hire next-generation leaders. Hiring the wrong candidate could delay execution on a strategic plan by several years.
We recommend having a discussion around the four risk quadrants, including change management as it may set the school back for years.
Finally, colleges expect their financial partners have a specialty focus on their sector. The stakes for success are high and they want a partner that has deep expertise in their particular area. Financial and risk management partners who can come to the table armed with knowledge and other client experiences quickly add value to the discussion and the outcome.
Clark: The whole purpose of enterprise risk management is to help the client become better at understanding and managing risk, including the cost of the risk and potential benefits and pitfalls of it.
How does the changing landscape of sports figure into all of this?
Clark: A great example is the increased focus on traumatic brain injuries and how that affects athletic programs. Schools should understand the risks, and how to manage those, including having the right concussion testing protocols. This will help them take all of the appropriate steps in order to effectively manage with processes and procedures as well as help mitigate the risk appropriate insurance partner.
Lynch: Schools also are entering a new realm of risk that probably touches all four of those quadrants. The NCAA has begun the process of allowing student-athletes to make money off their name, image and likeness. That could have an impact on recruiting. Some students may choose schools where they can make the most money for their personal brand. How do schools help manage that and the associated risks. The school and personal brands will be interlinked going forward. What are the potential benefits and pitfalls of that?
Why should educational institutions bring in an objective partner to do risk assessments and make recommendations?
Lynch: Another risk that comes to mind is the ever-increasing cyber threat, especially ransomware. The recent Colonial Pipeline ransomware attack caused the company to pay $4.4 million. Companies are not the only ones at risk. Increasingly, schools have become targets of cyber-attacks. Outside experts may have additional expertise and experience to help protect against the threats from these attackers.
Clark: Schools should have a holistic approach to help prevent these attacks, including internal controls. Schools are particularly vulnerable because student computers access their network. Virtual learning has increased these concerns, but even when students are on campus, they are plugging in to access the university network and they may not have current malware or antivirus protection.
Many schools haven’t invested as heavily as needed in new technology to prevent these attacks and some are still running on old legacy systems. As schools work with third parties to upgrade and enhance the security of their systems, they should make sure the third parties they work with are also doing the same level of due diligence with their security protocols.
What are best practices schools should consider moving forward?
Clark: I ask potential clients about their current approach to risk management. Do they have a risk manager focused on risk or does that fall to the CFO? Are they outsourcing risk management, or do they have an in-house team? How are they looking at compliance and making sure all interested parties are protected?
I also suggest that schools reach out to the University Risk Management & Insurance Association. The first strategic goal of the association this year is to connect members to each other, so they don’t feel like they have to go it alone.
Lynch: For a lot of schools the question comes down to, “What is the right number of students to have before you need your own director of risk?” Many schools grapple with that question. It can be expensive, but it’s often a cost they can’t afford to avoid. Most CFOs and other administrators are focused on the primary duties of their job, so it’s not realistic to expect them to be an expert on risk and have the time to focus on all of the serious issues and contingencies that could affect the brand, reputation and ultimately the ongoing success of the institution. That’s why it’s a good idea to partner with an outside expert that understands the whole risk landscape.