|Download the PDF|
Introduction and aim
This briefing note looks at risk management. It introduces the concepts of risk and uncertainty, sources of risk, risk appetite and assessing risk; it considers the role of the governing body and risk, and what can go wrong.
The future is unclear
The operation of any organisation, including higher education institutions, involves uncertainty and risk. Because the future operating environment cannot be fully known, the outcomes of an institution’s actions are unable to be forecast with certainty. For example, future policy changes by governments can lead to significant discontinuities and how competitors subsequently react can magnify their impact on individual institutions.
As a general observation the external environment for higher education institutions has become less stable. This means the assessment and mitigation of risk and uncertainty is more difficult, but equally more important.
Although often used interchangeably, it is possible to distinguish between risk and uncertainty. Risk refers to known events, against which it is possible to attach an assessment of the likely resulting loss or gain should the risk materialise. In passing it is important to note that although risks are generally discussed in terms of negative outcomes, risks (unforeseen events or unanticipated degrees of change) may result in opportunities. For example, the freehold of a building in a strategically important location to the institution suddenly and unexpectedly is offered for sale. A related question is then whether the institution is in a position to take advantage of the unforeseen opportunity?
Uncertainty has most recently been associated with ‘black swan’ events: highly improbable and unpredicted events. Illustrated by the financial crisis of 2007/08 such events have been described as tail risks (ie at the end of the distribution of an event curve) and very rare. True uncertainty by its very nature cannot be assessed.
Looking to the future
While some events can be foreseen, there are equally others that are very difficult or impossible to predict, let alone assess their likely impact. For instance, there may be genuine uncertainty about future government policy suggesting that beyond the immediate time horizon a key aspect of the operating environment cannot be reliably foreseen. As a result institutions may need to take a contingency approach and prepare for a number of different outcomes.
Risk management is a process by which risks are identified and managed. It starts by seeking to identify and understand the risks associated with a given action, looks at the likely impact should the risk materialise and then considers how the risks can be reduced through proactive management.
Sources of risk
There are different sources of risk that institutions need to be aware of, and seek to manage. Further, one event may lead to a single risk or a set-off to a chain of multiple risks. Risks once they materialise can be very difficult to manage. Potential sources of risk include:
The term risk appetite describes the extent to which a governing body is prepared to tolerate risk. If the governing body’s risk appetite is low, it has a low tolerance of risk; whereas if the risk appetite is high their tolerance of risk is much greater.
The appetite to take risks does not necessarily remain fixed, and may change with the operating context and the extent to which future income streams are judged more or less certain. The institution’s executive team should have give careful consideration to the likely risk appetite of the governing body, before placing before the governing body specific proposals for which it is seeking approval.
A meaningful assessment of risk is not easy. Approaches commonly categorise risk by using a matrix which allows a hierarchy of risk to be identified and the greatest attention given to those risks deemed to have the largest potential impact and deemed most likely to occur.
Typically, the process involves identifying and assessing risks based on their potential impact as high, medium, or low. A high risk being one has the potential to have a widespread and significant impact on the institution.
Alongside impact, the likelihood of the risk occurring is also commonly assessed; again using the classification of high, medium, or low. Those risks most likely to occur are rated as having a high likelihood.
Mitigation of risks
Risks judged to have a high impact and a high likelihood of occurrence should receive management particular attention, and actions identified that can mitigate (reduce) the risk (ie proactive actions that reduce the impact/ likelihood of the event).
In assessing the extent to which action can be taken to mitigate a high impact/likelihood risk, there is a need to distinguish between what lies within the institution’s control and what lies outside. For example, an individual institution is unlikely to be able to change national policy, but may well be able to take internally focused actions which reduce the impact of a policy change should it occur.
Governing bodies and risk
Governing bodies need to assure themselves of the following:
Once the process for assessing risk has been agreed it is important that the key risks are regularly reviewed to ensure that the risk list (register) remains current. It is important that the governing body satisfies itself that the agreed actions to mitigate the key risks are being implemented and they do actually reduce the identified risk.
More than compliance
Risk management is not always viewed as the most engaging, or interesting topic. As a result there is a danger that although an assessment of risk is carried out it is largely about compliance and essentially a box-ticking exercise.
While such an approach may technically comply with the requirements placed on the institution, it is unlikely to mean risks are well understood and their management embedded within the behaviours and culture of the organisation. Without such engagement, it’s unlikely that the institution’s approach to risk management will be sufficient to ensure that effective actions to manage the risk have been taken.
What can go wrong
There are a number of areas - not necessarily mutually exclusive - where problems can arise:
Questions to consider
End notes and further reading
Associate Director, Governance
Aaron Porter was appointed as Associate Director, Governance at the Leadership Foundation (LF) in January 2014. He is also a higher education consultant and a freelance journalist, having previously been president of the National Union of Students (NUS) in 2010 – 2011. He is also an associate for the LF and the Higher Education Academy (HEA), on the advisory network for the Office for Fair Access (OFFA) and CFE research and consultancy alongside a number of other portfolio roles.
During his high profile term at NUS, he was the first NUS President to be invited as an observer to the board of the Higher Education Funding Council for England (Hefce) and to address the annual Universities UK Conference in September 2010. In addition he served as a non-executive director on the boards of UCAS, the HEA and Endsleigh Insurance. He also co-chaired the Beer/Porter Student Charter group which reported to Higher Education Minister David Willetts in January 2011, and was a member of the Hefce Online Learning Taskforce and the review of External Examiners chaired by Dame Janet Finch both conducted in 2010/11.
Previous to his term as NUS President, Aaron served two successful terms as NUS Vice-President (Higher Education), helping to build NUS’ reputation with the sector. He also served as a non-executive board member for the Office of the Independent Adjudicator (OIA) and on the board of the European Students’ Union (ESU). He was also a member of the Burgess Implementation Steering Group and the National Student Survey Steering Group. In 2009, he was part of the UK delegation to the European higher education ministerial summit in Leuven, Belgium.
Aaron studied BA English at the University of Leicester and graduated in 2006. He then spent two years as a sabbatical and trustee of the students’ union, he was also the founding chair of Unions94 (the students’ unions of the 1994 Group). As a student he was editor of the student newspaper, ‘The Ripple’.
Governance Web Editor
David Williams is Governance Editor for the LF website. He has over 25 years experience of working in higher education, as both as an academic and senior manager. During this time he has worked closely with governing bodies, contributing to, and supporting their work
in a variety of ways.
As Governance Editor, David works with the wider LF community and its members to ensure the governance website offers a repository of information and signposts recent developments in the field on governance.