Staff strike? Pandemic? Zombies? How smart risk management can prepare your university for anything.

By Julie Mercer (Nous Group) and Charmaine Leech (RCG Consultants)

In April staff at the University of Kent voted in favour of strike action after the university decided to phase out six subjects, resulting in job losses.

This situation is not unique. Many UK universities have cut or are in the process of cutting courses and modules in response to growing financial instability. The impacts of these decisions are widespread, including on student expectations and experience, university culture and staff.

This is just the latest example of a university having to respond rapidly to difficult and/or seemingly unexpected events.

As COVID-19 demonstrated, most universities are not fully prepared to handle large-scale shock events. This is a cause for concern, given UK universities operate in increasingly risky environments; consider the cost-of-living crisis, changes to the dependant visa regime, war in Ukraine and the Middle East, and rising tensions between China and the West.

Universities also face education-specific challenges requiring them to operate differently: the cap on domestic tuition fees, the changing use of facilities and occupation rates post-pandemic, and the impact of student expectations.

In this environment, it is vital that universities take a sophisticated approach to managing risk.

In this article, we are pleased to share Nous Group’s and RCG Consultants’ insights into why effective and comprehensive risk management is so important for a university, and how risk maturity can be achieved.

Nous has worked closely with universities in the UK, Canada, and Australia to tackle many of these challenges. Our experience spans risk management through to its impact on strategy, organisational design, culture and financial sustainability. RCG provides insights from other sectors’ risk-based solvency regimes, and adapted tools and techniques to fast-track the implementation of effective risk-based solvency regimes within the higher education sector.

Many universities lack a consistent approach to risk, with risk management varying by departments, schools and even year. The typical university risk register includes generic explanations of high-level risks but lacks the granular data and appropriate processes to effectively manage, monitor and mitigate risk. Insights are rarely brought together to provide a single institutional view.

A small investment now will better futureproof a university and enhance institution-wide understanding of strategy and operations. The benefits of planning are well-established. Thinking early about risk saves significant time and money, protects reputation, and safeguards student experience into the future.

Heavily regulated sectors, such as financial and pharmaceutical services, have already set this precedent, with robust risk and compliance management practices to protect their reputation and sustainability. For example, Solvency II (new EU regulatory requirements for insurers) enhanced risk management practices in the insurance industry with the stated aim of strengthening the financial balance sheet. Sustainability of the higher education sector requires a similar transformation of risk management practices.

Nous has developed a risk maturity framework to give organisations a structured means to assess and progress their risk management approach. It brings people onto the same page and helps them identify how to collectively enhance risk management processes, governance, and structures.

The maturity levels build on the knowledge and best practice of the preceding levels. To be Risk Mature, an organisation needs a clear, integrated risk lifecycle. It begins with setting objectives and scanning the horizon to identify threats and opportunities, and then assessing, monitoring, controlling and responding to each risk. It results in a clear reporting structure that feeds directly into strategic and operational decision making.

It is important for universities to be at Stage 3 of this framework. From our experience, there are four key hallmarks of a risk mature university:

1. Your university is more financially sustainable. Risk management feeds directly into financial planning. The university routinely forecasts for worst, best and expected scenarios. Strategies are built on balance sheets and financial plans. Risk management optimises decision making, ensuring efficient and effective resource allocation. Strategy and planning activities consider risk as a core input.
   
2. Your university has more effective governance. Clear definitions allow for a consistent view of risk across the institution, highlighting priorities, dependencies and opportunities. The executive or board sets the ambition across the organisation, delegates responsibility for managing the associated downside risk, and regularly monitors the organisation’s approach to both ambition and risk management.
3. Your institution has clear oversight of risk. Every risk has an assigned owner and clear mitigations. Teams understand and manage risk within their agreed risk appetites. Mitigations are monitored, with early-warning systems in place. Transparency and accountability reduce the potential for surprises and the university is more resilient to big shocks when they occur.
4. Your university has a risk intelligent culture. Risk is not one person’s responsibility. Leaders act as role models for desired behaviour and set an example regarding appropriate risk-based behaviours. Treating risk as business as usual encourages a risk maturity among staff. There will be a clear and meaningful organisational purpose that guides people’s risk-related decision making.

To begin the journey to risk maturity, there are several steps universities should take. For each one, we have learnt from our work supporting clients:

1. Undergo rapid catch-up work. An arts university engaged Nous to rapidly investigate its biggest and most time-sensitive risks while more permanent processes were being developed. Through conversations with stakeholders, we created an interim risk register (with consistent definitions of risk impact, likelihood and appetite) and updated risk management policies. While not a long-term solution, it ensured senior leaders had oversight of immediate concerns, and demonstrated how starting a dialogue between departments and schools is a vital step to increasing institution-wide risk maturity.
   
2. Establish effective structures and governance. A defining feature of a risk-mature organisation is an integrated risk lifecycle, which relies on clear structures and governance. Nous was embedded in a London-based university to establish clear risk infrastructure. We set up a schedule of regular discussions and risk reviews that integrated into existing governance structures and developed a standard template for departmental risk registers with clear escalation steps. Follow-on work included ongoing ‘deep dives’ into external risks (from AI in education to Chinese student recruitment) and discussions around staff training needs. This work illustrated the need for consistency when establishing institutional oversight, from templates to an agreed narrative for risk management.
3. Conduct risk assessments for projects and strategies. Effective risk management does not end with formal structures and governance but should be built into all strategic planning. We know that universities often do not anticipate the full scale or range of risk. Nous previously worked with a Russell Group university to identify key risks to its new strategic plan. The team drew on senior leaders’ expertise to develop a full risk register and test effective responses to scenarios with subject-matter experts at the university. This work gave the university a comprehensive view of its strategic risks, and mitigation plans.
4. Conduct scenario planning exercises. Universities should not be complacent about risk. It is important to regularly review the changing operating environment and consciously train staff to respond. Scenario exercises are one way to do this. Nous conducted scenario workshops with a post-92 university. In sessions, cross-cutting university representatives planned and tested their response to a high-risk scenario, considering communication, response owners, and current and missing mitigation processes. Bringing a range of stakeholders into the conversation helped permeate risk awareness and accountability across the institution and enhanced different teams’ understanding of how to safeguard the university.

The more transparent a university’s approach to risk, the more its people will buy into it.

Clear structures and processes will empower individuals in the organisation to find the ‘elephants in the room’ and talk about them. This is supported by ongoing training, ensuring individuals understand the significance of proper escalation and monitoring. This ensures that risks can be monitored and mitigated, as well as used proactively in planning. It reduces the potential for unpleasant surprises and under-used opportunities.

Without this, a university is at huge risk of a potentially catastrophic event such as another pandemic, political unrest, or even a zombie apocalypse! You need to act now to ensure your university is in the strongest possible position to adapt to the sector’s changing environment.

Get in touch to discuss how we can help your organisation manage risks.

Julie Mercer is a Principal and UK office leader at Nous Group. Charmaine Leech is Senior Director in Risk, Compliance & Governance Advisory Services at RCG Consultants. Nous Group and RCG Consultants are working together to support UK universities to improve their approach to risk.

Connect with Julie Mercer and Charmaine Leech on LinkedIn.

Prepared with significant contributions from Lucy Hubbard.