The Quaestor - Volume 9, Issue 3

Risk Management in Higher Education

Contributed by: Gregg S. Despard, Senior IT Internal Auditor, Institute Audit, Compliance & Advisement

Over  the  years,  many  risk  management  standards  with  their  own  definitions, methods, and goals have been created by such diverse entities as the Project Management Institute (PMI), the National Institute of Standards and Technology (NIST), and International Organization for Standardization
(ISO).    However,  they  all  share  the  basic  concept  that  risk  management consists of the identification, assessment, and prioritization of risks in conjunction with efforts to minimize, monitor, and control the probability and/or impact of risk events.  While countless books, articles, and other publications exist that explain the concept of risk management and its application, few are focused on risk management within Higher Education.

Like other industries, Higher Education operates in an inherently risky environment. Common risk categories include financial, operating, strategic, regulatory, environmental, and reputational risks. But unlike other industries, there are also risks unique to Higher Education such as FERPA, Title IX, and the Clery Act (Campus Safety).

Also unique to Higher Education is the often decentralized structure of the risk environment. The complexity of the Higher Education risk environment - made up of individual colleges, schools, departments, functional areas, and administrative departments - makes risk collection and prioritization a challenge from an enterprise risk management perspective. Below (fig. A) is a simple risk model illustrating risk ranking examples within a decentralized Higher Education risk environment as it relates to probability and impact.

Higher education risk matrix

Once risks have been identified, assessed, and prioritized within a risk inventory or portfolio, a strategy based on risk appetite is then implemented by management to minimize, monitor, and control the probability and/or impact of risk events. Strategies to manage risks typically include implementing measures to avoid the risk, transferring the risk to another party, reducing the negative effect or probability of the risk, or even accepting some or all of the potential or actual consequences of a particular risk. By effectively managing these risks, we can reduce the chance of loss, create greater stability, and protect resources to meet the expectations and needs of the faculty, staff and students.

To efficiently manage finite auditing resources, Institute Audit, Compliance & Advisement (IACA) has historically implemented a risk management based strategy to build our annual audit plan. On an annual basis IACA performs an internal risk assessment. The risk assessment process includes meeting with key stakeholders around campus to identify and assess risks. The identified risks are then used to populate a heat map of prioritized risks within the risk environment. Based on this heat map, the annual audit plan is created.

Committee of Sponsoring Organizations of the Treadway Commission (COSO) Corner

Contributed by: Nancy A. Nasca, Manager, Institute Audit, Compliance & Advisement,

As explained in previous editions of the Quaestor Quarterly, the COSO Framework (an internationally recognized standard with which the adequacy and effectiveness of an organization’s internal controls are evaluated) was updated in May 2013 to further define the principles underlying the five components of internal control (Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring). According to the Framework, these principles are fundamental concepts that must be present and functioning in order to achieve an effective system of internal control.

In addition, the Framework includes points of focus or characteristics that are examples of behaviors or  processes that  would be  expected to  be in  place to demonstrate that the related principle is in fact present and functioning.  This edition of the COSO Corner will summarize the third  principle relating to the Control Environment component of the COSO Framework, as well as the related points of focus.

Principle 3 –   Management establishes—with board oversight—structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.

Points of Focus:

  • Senior management and the board of directors establish the organizational structure and  reporting  lines  necessary  to  plan,  execute,  control,  and  monitor  operations.  Key factors to consider when establishing organization structure include the nature and  size  of  college  and  departmental  operations;  risks  related  to  the  Institute’s objectives  and  business  processes;  an  appropriate  segregation  of  duties  to  avoid conflicts  of  interest;  and  a  structure  which  provides  for  clear  accountability  and information flows.
  • The BOT and senior management delegate authority and define and assign responsibility  to  enable  personnel  to  make  decisions  according  to  management’s directives  toward  the  achievement  of  the  university’s  objectives. Delegating authority increases responsiveness but also increases the complexity of the risks to be managed.
  • Senior management defines the limits of authority so that delegation occurs only to the extent required to achieve the university’s objectives and inappropriate risks are not accepted.

Committee of Sponsoring Organizations of the Treadway Commission (May 2013). “Internal Control – Integrated Framework – Framework and Appendices”

Additional Information by IACA

Watch IACA’s Monday Minute video series here!

Our video series focuses on opportunities for improving internal controls and increasing awareness of various university processes, policies, and protocols. If you have questions, feel free to contact anyone in the IACA office using information on our webpage.

Just to name a few, past topics include: Travel Policy changes, FERPA Regulations, RIT’s Ethics & Compliance Hotline, Records Management Policy, Risk Assessment, and many others.

What about ethics in the workplace?
Learn about the RIT Ethics and Compliance Hotline

Learn more about your IACA team.