Risk Management for Institutions of Higher Education

Institutions of higher education face a number of risks, and they often go beyond those inherent in financial reporting and federal compliance. In today’s environment—with an increased demand for information and the constantly expanding use of technology in nearly everything organizations do—the risks, and the need for vigilance, are heightened.

Precautions of various types can help mitigate many of these risks, and some are as basic as ensuring appropriate segregation of duties or careful review of information for public consumption. Others might entail after-the-fact inspection or monitoring by internal audit. Still other areas may require use of specialists with skills in areas such as information systems security. Let’s look at some of the major areas institutions of higher education will want to address in a comprehensive enterprise risk management (ERM) strategy.

Nonfinancial Reporting

A small sample of the information colleges and universities often supply to outsiders through nonfinancial reports includes:

  • Data for the US Department of Education
  • Data for the US News & World Report survey
  • Data for the National Association of College and University Business Officers endowment study
  • Title IX reporting
  • Information about international students to the Student and Exchange Visitor Information System for the US Department of Homeland Security
  • Reporting in accordance with the Jeanne Clery Disclosure of Campus Security Policy and Campus Crime Statistics Act (the Clery Act)

We’ve observed a number of situations in which information is compiled by one or very few individuals with little oversight and limited or no review of their work. Sometimes this information has a broad audience and is scrutinized closely by members of the public who rely on it. A number of institutions have faced highly publicized criticism for erroneous reporting. One university’s reporting practices, for example, created reputational risk and ultimately embarrassment when the institution reported inaccurate student SAT scores. When the problem was discovered and disclosed, news media focused considerable attention on the institution.

Aside from reputational risk, there are even more serious implications for institutions that don’t publish accurate information pertaining to campus safety or that don’t provide accurate information to federal agencies concerning foreign students. Institutions can reduce their risks in these reporting situations by ensuring that source data is correct, that the report is compiled by more than one individual, and that it’s reviewed for accuracy by someone other than the preparer before it is released.

Infrequent or Decentralized Activities

Other areas that present risks to institutions include situations that involve large dollar amounts and occur infrequently, or in which there are decentralized operations that aren’t subject to routine institutional controls. Few institutions possess internally all the skills needed to oversee the particular needs associated with these unique situations.

Take as an example of the first scenario—the high-dollar, infrequently occurring one—a sizeable construction project at a campus that only rarely engages in building projects. The door is open for inappropriate billings, unauthorized change orders, or other improprieties that could go unnoticed. These pose a risk of financial loss and possibly reputational risk among donors who perceive the situation as an indication of poor stewardship. To mitigate the risk, the institution could employ its internal audit resources or have external experts provide training to those charged with project oversight. The institution may also want to perform a project audit after the fact.

In the case of decentralized, foreign operations, there’s the risk of financial loss. But there’s often significant risk related to compliance with foreign laws and regulations as well. One risk mitigation option might be to employ resources in the foreign jurisdiction who can provide the oversight necessary to offset the limited-control environment as well as provide knowledge of local laws and regulations.

Information Technology

With regard to use of specialists, IT security is one of the most critical areas for careful oversight and monitoring. Universities are the custodians of significant amounts of personally identifiable information—belonging to students, staff, parents, donors, and others. This data often includes Social Security numbers, bank account and credit card information, medical information, academic information, and more, and much of it is subject to data security regulations such as the Federal Trade Commission’s Red Flags Rule, the Family Educational Rights and Privacy Act, the Health Insurance Portability and Accountability Act, and the Payment Card Industry Data Security Standard. Given that breaches are common and frequently go undetected for long periods—many organizations learn of one only when an outside party tells them—it’s imperative that, as a preemptive measure, systems are reviewed and assessed periodically by experts to identify vulnerabilities and risk areas within the IT environment and the institution’s operations. Such periodic assessments complement, rather than replace, the institution’s own logging and monitoring, which is what makes detection possible between assessments.

Steps to Consider

Assessing the aforementioned risks and determining appropriate responses can seem a formidable task. However, thinking in terms of these few steps can make the undertaking much more manageable:

1. Develop a listing of all nonfinancial reporting made outside the university, noting the users of the information.

After developing the list, determine the source of each piece of information and whether the controls over it are adequate to ensure its accuracy. Consider the audience and the type of risk posed by the reporting, then weigh the expected cost of the risk against the cost of mitigating it. Finally, implement the appropriate response.

2. Determine high-dollar or higher risk activities that occur infrequently.

Assess your activities to determine your risk profile and evaluate whether your controls are adequate and appropriate for your institution. Consider using specialists or performing an internal audit to reduce the risks inherent in these activities.

3. Conduct an assessment of your IT systems and data.

Review, analyze, and assess the cybersecurity posture of your institution, including the people, processes, policies, and technologies you have in place to help ensure the confidentiality, integrity, and availability of critical business data. Consider conducting a penetration test (“ethical hacking”) of selected systems and networks to find vulnerabilities that may be subject to hacker attack, unauthorized access, data theft, or data leakage. A penetration test is only as useful as its scope and rules of engagement: agree in writing which systems are in scope, what testing is permitted, and who receives the findings, and treat the result as a point-in-time check that complements routine vulnerability management rather than replacing it.
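One concrete piece of the data assessment in step 3 is finding out where regulated identifiers actually live, since the Social Security numbers and card numbers mentioned above tend to accumulate in departmental exports and shared drives nobody inventoried. The following is an added example written for this page, not Moss Adams code and not a description of any particular institution’s tooling; it scans text for SSN-shaped and payment-card-shaped values, filters out numbers that cannot be genuine (never-issued SSN ranges, card numbers failing the Luhn check), and reports counts per file without echoing the values, so the scan report does not itself become a new copy of the sensitive data. The file names and contents in SAMPLE_FILES are constructed for the example, and the patterns are deliberately limited to hyphenated SSNs and 13- to 16-digit card numbers.

```python
"""Inventory where regulated identifiers (SSNs, payment card numbers) sit in
files, reporting counts per file but never echoing the matched values."""
import re
from pathlib import Path
from typing import Dict

# Constructed sample corpus for a stand-alone run; not real institutional data.
# The paths are hypothetical.
SAMPLE_FILES: Dict[str, str] = {
    "registrar/export_2019.csv": (
        "name,ssn,notes\n"
        "A. Student,123-45-6789,\n"
        "B. Student,000-12-3456,area 000 is never issued\n"
    ),
    "advancement/donors.txt": (
        "Gift received via card 4111 1111 1111 1111 on 03/04\n"
        "Order id 1234567812345678 is a reference number, not a card\n"
    ),
    "it/README.md": "Server moved to rack 12. No sensitive data here.\n",
}

# Hyphenated SSN: area-group-serial.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13-16 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject ranges the SSA never issues: area 000, 666 or 900-999,
    group 00, serial 0000. This removes many phone/ID-number false positives."""
    if area in ("000", "666") or area >= "900":
        return False
    return group != "00" and serial != "0000"


def scan_text(text: str) -> Dict[str, int]:
    """Count plausible SSNs and Luhn-valid card numbers in one string.
    Only counts are returned; the matched values are never stored or printed."""
    counts: Dict[str, int] = {}
    ssns = sum(1 for m in SSN_RE.findall(text) if ssn_plausible(*m))
    cards = 0
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            cards += 1
    if ssns:
        counts["ssn"] = ssns
    if cards:
        counts["card"] = cards
    return counts


def scan_files(files: Dict[str, str]) -> Dict[str, Dict[str, int]]:
    """Scan an in-memory {path: contents} map; return only files with findings."""
    report: Dict[str, Dict[str, int]] = {}
    for path, text in files.items():
        found = scan_text(text)
        if found:
            report[path] = found
    return report


def scan_directory(root: Path) -> Dict[str, Dict[str, int]]:
    """Entry point for a real share or export directory, read as text."""
    files = {}
    for p in root.rglob("*"):
        if p.is_file():
            files[str(p)] = p.read_text(errors="replace")
    return scan_files(files)


if __name__ == "__main__":
    for path, found in scan_files(SAMPLE_FILES).items():
        print(f"{path}: {found}")
```

Run against the constructed sample, the registrar export is reported with one genuine SSN (the 000-area value is discarded), the donor file with one card number (the 16-digit order reference fails Luhn), and the README does not appear at all. In practice the report of file paths and counts is what feeds the cost-versus-mitigation discussion in step 1, and binary formats (spreadsheets, PDFs) need a text-extraction step before scanning.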

We're Here to Help

Each organization will need to approach its enterprise risk management strategy by first understanding its unique risk profile. Moss Adams can help your organization analyze the factors that weigh into your institution’s risk profile, prioritize findings, and develop sound internal controls to mitigate the risks that pose the greatest threat to your organization. For more information on managing risk at your institution, contact your Moss Adams professional.