Risk Management is a term borrowed from finance but has broad applicability in many settings, including Institutions of Higher Education (IHEs). In settings where Risk Management goes well beyond financial risk, the term Enterprise Risk Management is used. At IHEs, Enterprise Risk Management refers to management of risks that can interfere with an institution’s core missions: education of students and research.
In a 2000 report, the National Association of College and Business Officers (NACUBO) identified five types of risk at IHEs:
- Compliance Risk: Risk created by failing to follow federal, state or local law, regulation or IHE policy or procedure that safeguards the IHE from legal exposure
- Financial Risk: Risk that may result in loss of physical assets or financial resources
- Operational Risk: Risk that affects ongoing day-to-day management processes
- Strategic Risk: Risk that affects the IHE’s ability to achieve its objectives
- Reputational Risk: Risk that affects the perception that others have of the IHE
Departments across all Lehman College divisions engage in Risk Management to varying degrees, putting Risk Management processes in action daily in the form of procedures and policies. Risk Management tasks often bring together different departments within divisions, as well from CUNY. The campus Risk Management Committee is composed of members of the Lehman College community from each division. The CUNY Risk Management and Business Continuity Council meets monthly and is composed of representatives who have Risk Management and Business Continuity leadership roles at their own Colleges.
Risk Management is a process that most of us perform as part of our work (and daily lives) that seems almost automatic. When asked to describe the process, however, we might falter. The Risk Management process, however, lends itself to systematically separating into discrete steps. When these steps are articulated and defined, the seemingly overwhelming task of Risk Management is broken down into manageable steps, facilitating more complete treatment of Risk Management. The four steps of the Risk Management process are:
- Step 1: Risk Identification
- Step 2: Risk Assessment
- Step 3: Risk Mitigation
- Step 4: Risk Communication & Monitoring
The written product of the Risk Management process is the Annual Risk Mitigation Plan (available on Lehman Connect), which includes summaries of all Campus Risks (Risk Identification), Impact and Likelihood (Risk Assessment), Existing and Potential Mitigation Controls and tools/procedures for Risk Communication & Monitoring.
Risk Management Links
- CUNY Environmental, Health, Safety and Risk Management
- National Association of College and University Business Officers (NACUBO) Enterprise Risk Management
- The State of Enterprise Risk Management of Colleges and Universities Today 2009, Association of Governing Boards of Universities and Colleges, United Educators)
- Enterprise Risk Management Initiative, North Carolina State University, Poole College of Management