See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/321746840

Risk Management in Universities

Conference Paper · December 2017

CITATIONS READS
0 6,543

2 authors, including:

Rabihah Md.Sum
USIM | Universiti Sains Islam Malaysia
21 PUBLICATIONS   6 CITATIONS   

SEE PROFILE

All content following this page was uploaded by Rabihah Md.Sum on 12 December 2017.

The user has requested enhancement of the downloaded file.

 3rd International Conference on Qalb-Guided Leadership in Higher Education Institutions 2017
(iQALB 2017)

RISK MANAGEMENT IN UNIVERSITIES

Rabihah Md.Sum & Zurina Md. Saad

Universiti Sains Islam Malaysia (USIM)

ABSTRACT

The aim of this study is to provide detail explanation and discussion on the importance of risk management to the
academic world. Risk management has been applied to many aspects of modern life such as banking, finance, health,
life, business ventures and project management. It is attracting a lot of attention in universities in terms of academic
researches, courses and degrees offered. The University Transformation Program Green Book highlighted risk and
risk management as one of the duty and roles of universities board of directors. Risk management, however, is missing
from most aspects of the management of universities. The study explained and discussed risks in university
environment, factors driving the emergence of risks and benefits gained if the risks are managed. It also explained
risk management process or frameworks for risk management in university setting. The study contributed to enhancing
understanding and knowledge on risk management - risk management is not another layer of bureaucracy, rather, it
is an effective management tool to assist universities to achieve their strategic objectives. The future direction of this
study is to investigate how to embed risk management processes into the basic management cycles of a university and
develop a risk management framework that can suit a university setting.

Keywords: risk, risk management, university, higher education, Malaysia

INTRODUCTION

University Good Governance Index (UGGI) introduced in 2011 requires Malaysian public universities to
implement an organized risk management. The purposed was for the universities to be given an autonomy
status. Five public universities, Universiti Teknologi Malaysia, Universiti Kebangsaan Malaysia, Universiti
Sains Malaysia, Universiti Malaya and Universiti Putra Malaysia were granted the autonomy status since
2012 (Ariff et al., 2014). Ariff et al. (2014) further stated being awarded the autonomous status; the
universities will be competing intensely in higher education market, resulting in greater exposure to multi-
dimensional risks. The risks involved uncertainty about future government funding, increasing number of
post-graduate students, pursuing high ranking in the world university ranking, increasing competition in
getting quality of international students, and competing globally in terms of research, teaching and learning.
In addition, Ahmad et al. (2016) stated public universities cannot avoid in managing risks. The increasing
demand for autonomous governance especially in financial and resource decision-making have made it
clear that they must be made accountable for the freedom given to them. Therefore as stated by Ariff et al.
(2014), a comprehensive risk management frame work has been made as one of the requirement in the
award of autonomous status for public universities.

According to Ahmad et al. (2016), since the launch of the Malaysian Education Blueprint Higher Education
2013-2025 in 2013, six public universities have been awarded the autonomous status. The revised
Malaysian Education Blueprint Higher Education 2015-2025 (MEBHE), has proposed for greater
autonomy for the public universities. Since evidence of a comprehensive risk management framework is a
requirement in the awarding process, Ahmad et al. (2016) investigated existence of a formal risk

128
 3rd International Conference on Qalb-Guided Leadership in Higher Education Institutions 2017
(iQALB 2017)

management structure or framework in Malaysian public universities. According to the study, it is difficult
to determine whether universities really implement risk management based on publicly accessible
information such as universities' website. Universities rarely published such information. The study
acknowledged that using publicly available platform such as a university's website to determine whether
they are implementing risk management does not indicate whether risk management is actually being
implemented in the organisations. Nevertheless, as preliminary investigation, the study investigated
whether public universities are communicating to the public that they implemented risk management to
assure the public that their funds are best managed.

*Table 1: Universities in Malaysia with Autonomy Status, Risk Policy, Risk Management Framework, Risk
Manager or Risk Committee as of 22 April 2015
University Autonomy Status Risk Policy Risk Management Framework Risk Manager Risk Committee

UTM Yes Yes ISO31000:2009 Yes Yes

UKM Yes Yes ISO31000:2009 Yes No
UUM Yes No ISO31000:2009 No Yes
USIM Yes No No Yes No
USM Yes No No Yes No
UTEM Yes No No Yes No
UiTM Yes No No Yes No
UMT Yes No No Yes No
UPM Yes No No Yes No
UIA Yes No No Yes No
UM Yes No No No No
UNIMAS Yes No No No No
UMP Yes No No No No
UPNM No No No Yes No
UPSI No No No No No
UNIMAP No No No No No
UTHM No No No No No
UMS No No No No No
UMK No No No No No
UNISZA No No No No No
*Reproduced from Ahmad et al. (2016).

Ahmad et al. (2016) used the following proxies as evidences of risk management implementation: existence
of risk policy or risk management framework and existence of formal structure to manage risks such as a
risk management committee or risk manager. The study scrutinized the universities' website to find
evidence of either proxy. The findings of the study are presented in Table 1. From the findings as observed
on 22 April 2015, out of total of 20 public universities in Malaysia, 10 percent (2 universities) published
their risk policy on their website. The other 90 percent (18 universities) did not publish any information on
risk policy or framework on their website. Fifteen percent (3 universities) stated that their risk management
framework is based on ISO31000:2009. The other 85 percent (17 universities) did not indicate the type of
risk management framework anywhere in their website. Eleven universities have risk managers or a formal
structure to manage the risks. Ten of the universities have appointed a risk manager to oversee the risk
management activities and one university appointed a risk management committee.

129
 3rd International Conference on Qalb-Guided Leadership in Higher Education Institutions 2017
(iQALB 2017)

This study is motivated by Ariff et al. (2014) and Ahmad et al. (2016). The purpose of this study is to bring
risk management to the academic world. It aim to enhance knowledge and understanding on risks and risk
management in higher education context. The study also aims to correct people perceptions on risk
management. Risk management is not another layer of bureaucracy. Rather, it is an effective management
tool to assist universities to achieve their strategic objectives. Universities have been teaching risk
management to students, therefore they need to practice what they teach. The next section discussed the
University Transformation Program Green Book and duties and roles of universities Board of Directors in
terms of risks and risk management. The third section discussed common risks faced by universities. The
fourth section discussed factors driving the emergence of risks in universities and the fifth section discussed
the benefits of implementing risk management to mitigate the risks. The sixth section discussed successful
implementations of risk management in universities and the benefits gained from the implementation. The
seventh section presented risk management framework or process that can be used to conduct risk
management in university setting. The final section concluded the study and presented future direction of
the study.

UNIVERSITY TRANSFORMATION PROGRAM GREEN BOOK ENHANCING

UNIVERSITY BOARD GOVERNANCE AND RISK MANAGEMENT IN UNIVERSITIES

This section discussed the universities Board of Directors (The Board) duties and roles in terms of risks and
risk management. The purpose is to highlight the need to implement risk management in university. Figure
1 presented The Board duties and roles in terms of risks and risk management as outlined in the University
Transformation Program Green Book Enhancing University Board Governance and Effectiveness.

According to Chang-Da Wan (2015), the MEBHE required balancing between autonomy and
accountability. The two components then further embedded into universities governance. In September
2015, to aid in the implementation of MEBHE, Ministry of Higher Education Malaysia launched University
Transformation Program (UTP) Green Book: Enhancing University Board Governance and Effectiveness
(MOHE, 2015). The UTP Green Book detailed the enhancement of The Board duty and roles in public
universities. In page 27 of The UTP Green Book explained The Board second role. The second role is
oversee university finances including fundraising. Their duty is to ensure resource allocation is aligned with
the university’s strategy, and to seek and secure funds from external sources.

Apart from budgeting and income generating, The Board is required to exercise risk and control. The Board
need to establish a risk management policy for all university activities to ensure the likelihood and
consequences of risks are controlled within pre-determined limits. Developed risk criteria so that different
type of risk can be commonly understood and compared. For example, between financial and reputation
risks. The Board need to request a detailed risk analysis for all major or strategic decisions, ensure that a
risk mitigation plan exists, and endorse a procedure to assess costs and benefits of mitigation. The Board
need to ensure that proper financial controls are in place to uphold principles of accountability and
transparency, and that there are sufficient resources to support this function.

The Board also need to establish various standing and ad hoc committees with clear purpose, jurisdiction,
and powers. One of the committee is risk and audit. On the risk side, the purpose of committee is ensure

130
 3rd International Conference on Qalb-Guided Leadership in Higher Education Institutions 2017
(iQALB 2017)

the likelihood and consequences of risks are controlled within pre-determined limits. Provide detailed risk
analysis and mitigation plan for all major decisions. On the audit side is to ensure that the university
complies with all relevant regulations and requirements, and that there is sound financial reporting. Exhibit
12 page 56 of The UPT Green Book outlined the boundaries of risk management role between universities
management committees and The Board. The roles of the management committees are to analyse and
quantify the university’s risks, manage all risks within boundaries set by The Board and instil risk
management culture. The Board roles are to set the university’s risk parameters, understands major risk
exposures and ensures appropriate risk mitigation approach is in place and considers the risk factors in all
major decisions.

Exhibit 8 page 41 of The UTP Green Book provided case study examples as guidance for The Board to
engage in risk management. The case study pointed out two components need to be established for risk
management: define roles and establish a risk management process. The define roles component outlined
the following: define the responsibilities of The Board and its committee against universities management
with regards to risk management, consider different risk categories; determine if a dedicated risk
management committee adds value or is required and established clear decision-making processes. The risk
management process component outlined the following: universities need to manage risks within the
boundaries set by The Board; establish a process to identify potential risks (top-down versus bottom-up
process); define how risks identified are analysed and measured; ensure appropriate mitigation levers are
in place and establish periodic Board reporting structures.

RISK IN UNIVERSITY ENVIRONMENT

This section presented risks faced by universities. The purpose is to show universities like any other for-
profit corporations are exposed to risks.

The concept of risks and universities seems irrelevant. Risk is normally associated with extreme sports,
risky behaviour, business and financial world. Universities is viewed as ivory towers, isolated and separated
from the corporate world. A university is viewed as a place for deep thinking and discussing matters of
philosophy, theories and ideas. It is a place to teach and develop young minds of future's leaders and
managers. Therefore, the concept of risks seems irrelevant in such a place. The reality is, however, risk is
part of everyday life and universities like any other people and business are exposed to risks. Mitroff et al.
(2006) argued, despite their core education mission, universities are more like cities in terms of numbers
and variety of services they provided. For example, University of Southern California operates up to twenty
different businesses including food preparation, health care and sporting events. According to former
Enterprise Risk Management Director at Yale University, institutions of higher education are complicated
businesses with millions of dollars at stake. Yet, the do not like to think of themselves as enterprises
(Lundquist, 2015). A university in its Ivory Tower has been blinded to many of the aspects of the world
outside that tower and risks being one of them (Raanan, 2009). Raanan (2009) further argued, universities
behaved as if the traditional way of work were guaranteed forever. The reality, however, is that university
could not be more in error in their perspective regarding risks. The following discussed and explained risks
faced by universities. The purpose is to show that the risks are real.

131
 3rd International Conference on Qalb-Guided Leadership in Higher Education Institutions 2017
(iQALB 2017)

The Higher Education Funding Council for England (HEFCE) defined risk as the threat that an action or
event will adversely affect an organisation's ability to achieve its objectives (HEFCE, 2001). The definition
made a direct linkage between risks and objectives. HEFCE stated, the objectives of risk management are
to ensure institutional objectives are more likely to be achieved, damaging things will not happen or are
less likely to happen and beneficial things will be or are more likely to be achieved. The National
Association of College and University Business Officers (NACUBO) defined risk as any issue that impacts
an organization's ability to meet its objectives (Cassidy et al., 2001).

According to a leading global provider of risk management services AON in their 2011 Global Risk
Management Survey AON (2013), the top three risks for higher education were regulatory and legislative
changes, economic slowdown and damage to brand or reputation.

Cassidy et al. (2001) documented five types of risk faced by universities. The types of risk are:

i. Strategic Risk. Risk that affects an organisation's ability to achieve its goals. For example, tuition-
dependent university's strategy is to expand its student-enrolment into new markets and effectively
managing its financial aid budget. How the university can assesses and manage its risk? How well
does the university understand its competitive environment so that it can effectively attain its
strategic goals?

ii. Financial Risk. Risk that may result in a loss of assets. For example, a university with a historically
conservative endowment and investment philosophy decides to invest more heavily in foreign
investments and private equity funds with multiple investment managers, while entering into new
hedging arrangements. How does the university manage the potential market and credit risk that
may negatively impact the university's investments? Will the market perform as expected?

iii. Operational Risk. Risk that affects an ongoing management process. For example, a university has
recently implemented new administrative systems such as general ledger, payroll and human
resources or student systems. The systems implementation involved changes to business processes
with respect to transaction processing by decentralized department administrators and staffs. How
does the university manage the risk that its staffs are not effectively processing and monitoring
transactions in the new environment? How can it put the new system into operation most
effectively?

iv. Compliance Risk. Risk that affects compliance with externally imposed laws and regulations, as
well as with internally imposed policies and procedures concerning safety or conflict of interest.
For example, an Academic Medical Center (AMC) with significant research and clinical activities
is responsible for complying with an ever-changing body of federal rules and regulations and their
interpretation. How does the AMC ensure that its principal investigators, physicians, and staffs are
aware of and complying with rules and regulations?

v. Reputation Risk. Risk that affects an organisations' reputation, brand or both. The risk may result
from failure to effectively manage any or all of the other risk types. Reputation risk involves
perception. For example, a university is establishing several satellite campuses in Europe. The

132
 3rd International Conference on Qalb-Guided Leadership in Higher Education Institutions 2017
(iQALB 2017)

campuses will be financed with donor funds as well as with funds received from the local country.
The university's faculty will be teaching on the campuses. How does the university manage the risk
that ineffective management of its new global venture might tarnish its prestigious brand?

URMIA (2007) documented the following risk areas that universities leaders need to address as they map
new strategies for their institutions. Leaders need to understand the risks, and establish a risk conscious
tone at the top for their organizations. The risk areas include:

i. Strategic Risks- Goals of the Organization. In developing strategic plans, universities should
consider the risks associated with each strategy. Institutions of higher learning must market their
unique advantages, strive to be competitive and be a vital presence in the communities they serve.
An appropriate risk management framework can support the upside of risk and protect against the
downside of risks in all the endeavours.

ii. Operational Risks - Processes that Achieve Goals. Universities are dependent upon day-to-day
operations for their success and, as such, must assess operational risks.

iii. Financial Risks - Safeguarding Assets. Finance divisions, including risk management departments,
focused on managing the risks of potential loss of physical assets and financial resources.

iv. Compliance Risks - Laws and Regulations. This area includes internal and external reporting and
may involve financial and non-financial information. Non-compliance with external laws,
regulations and rules can be costly. Some of the most significant penalties have come from
ineffective management of compliance risks.

v. Reputational Risks - Public Image. Many organizations images have been damaged and reputations
tarnished by failure to effectively manage reputation risks. Emphasis on employee and educational
integrity and a clear statement of the ethics and moral values emanating from the top is an important
component of this risk.

133
 3rd International Conference on Qalb-Guided Leadership in Higher Education Institutions 2017
(iQALB 2017)

Figure 1: The Board of Directors Second Role and Duty In Terms Of Risks and Risk Management as Outlined in the University
Transformation Program Green Book: Enhancing University Board Governance and Effectiveness.

The Board of Directors Second Role and

Duty
Role: Oversee university finances
Risk Management Roles Boundaries
including fundraising
Duty: To ensure that resource allocation is The Board of Directors University Management
aligned with the university’s strategy, as • To set the • To analyse and
well as to seek and secure funds from university’s risk quantify the
external sources parameters. university’s risks.
Risk and Controls • Understands major • Manage all risks within
• Establish a risk management policy for all risk exposures and boundaries set by The
university activities. ensures appropriate Board.
risk mitigation • Instil risk management
• Developed risk criteria.
approach is in place culture.
• A detailed risk analysis for all major or
and
strategic decisions,
• Considers risk factors
• Ensure that proper financial controls are
in all major decisions.
in place.

Risk and Audit Committee

Risk Audit
• Ensure the • To ensure that
likelihood and the university
consequences of complies with
risks are controlled all relevant
within pre- regulations and
determined limits. requirements,
• Provide detailed and that there is
risk analysis and sound financial
mitigation plan for reporting.
all major decisions.

Risk Management
Roles
• Define the responsibilities of The Board and its
committee against universities management with
regards to risk management.
• Consider different risk categories;
• Determine if a dedicated risk management
committee adds value or is required.
• Established clear decision-making processes.
Process
• Universities need to manage risks within the
boundaries set by The Board.
• Establish a process to identify potential risks
(top-down versus bottom-up process).
• Define how risks identified are analysed and
measured.
• Ensure appropriate mitigation levers are in place.
• Establish periodic Board reporting structures

134
 3rd International Conference on Qalb-Guided Leadership in Higher Education Institutions 2017
(iQALB 2017)

According to Brewer and Walker (2011), a university context strategic management are distinguished from
typical commercial organisations by having a high visibility within the community at large, by a plurality
of objectives as reflected in their strategic plans, and by a relatively high diffusion of accountability among
those concerned with strategy implementation. Therefore, a university's risks arise from its position in the
broader community, its response to the change drivers and its own internal governance activities, and can
be conceived as strategic or operational. Risks faced by universities are as the followings

i. Strategic Risks. Strategic risks are university-wide risks that relate to the broad university risk
context in terms of outcomes of university activities, threats arising from the external environment
in which the university operates, and risks associated with the internal governance of the university.
Strategic-level risks are usually associated with longer-term consequences and may necessitate
treatment processes involving policy changes.

ii. Operational Risks. Operational risks are those risks associated with activities carried out by
faculties and/or administrative units to implement university strategies, conduct the core university
activities of learning, teaching and research, and manage the operations and resources of the
university. The risks may be common to several faculties or units, or may be specific to an
individual faculty or unit.

Lundquist (2015) presented risks faced by universities in every facet of its existence. The risks are grouped
into ten institutional areas. Each area has its types of risk. The followings presented the areas and their type
of risks:

Boards of Trustees and Regents, President, Senior Administrators: accreditation, board performance
assessment, CEO assessment and compensation, conflict of interest, executive succession plan, fiduciary
responsibilities, IRS and state law requirements and risk management role and responsibility;

Business and Financial Affairs: articulation agreements, bonds, budgets, business

ventures, cash management, capital campaign, contracting and purchasing, credit rating, debt load/ratio,
endowment, federal financial aid, fraud, gift/naming policies, insurance, investments, loans, outsourcing,
transportation and travel, recruitment and admissions model.

Compliance with Federal, State, and Local Laws, Statutes, Regulations, and Ordinances: Americans with
Disabilities Act (ADA)/Section 504, copyright and fair use, Drug-Free Schools and Communities Act,
Family Educational Rights and Privacy Act (FERPA), Health Insurance Portability and Accountability Act
of 1996 (HIPAA), Higher Education Opportunity Act IRS regulations, Integrated Postsecondary Education
Data System (IPEDS), Jeanne Clery Disclosure of Campus Security Policy and Campus Crime Statistics
Act (Clery Act), National Collegiate Athletic Association (NCAA)/National Association of Intercollegiate
Athletics (NAIA) regulations, record retention and disposal, tax codes and whistle-blower policies;

Campus Safety and Security: emergency alert systems for natural disaster or other threat, emergency
planning and procedures, incident response, infectious diseases, interaction with local, state, and federal
authorities, minors on campus, terrorism, theft, violence on campus, weapons on campus and weather;

135
 3rd International Conference on Qalb-Guided Leadership in Higher Education Institutions 2017
(iQALB 2017)

Information Technology Business Continuity: cyber liability, electronic records, information security,
network integrity, new technologies, privacy, system capacity and web page accuracy;

Academic Affairs: academic freedom, competition for faculty, faculty governance issues, grade tampering,
grants, human subject, animal, and clinical research, intellectual property, internship programs, joint
programs/partnerships, laboratory safety, online learning, plagiarism, quality of academic programs,
student records, study abroad and tenure;

Student Affairs: admission/retention, alcohol and drug use, clubs and organizations, conduct and
disciplinary system, dismissal procedures, diversity issues, fraternities and sororities, hate crimes, hazing,
international student issues, psychological disabilities issues, sexual assault, student death, student protest
and suicide;

Employment/Human Resources: affirmative action, background checks, discrimination lawsuits,

employment contracts, grievances, labour laws, performance evaluation, personnel matters, sexual
harassment, termination procedures, unions and workplace safety;

Physical Plant: building and renovation, fire, infrastructure damage, off-site programs, public-private
partnerships, residence hall and apartment safety, and theft;

Other: alumni, athletics, external relations, increased competition for students, faculty and staffs, increased
external scrutiny from the public, government, and media, medical schools, law schools and vendors.

RISK DRIVERS IN UNIVERSITY

Bubka and Smith (2015) stated from a risk management perspective, a university is often compared to a
small city. University risk managers face the daunting challenge of identifying and managing the complex
risks across their campuses. The good news is that universities have lower loss rates than the industrial
sector. However, the cost of claims to higher education institutions both financially and from a public image
stand point can be significant. Universities need to protect students, faculty, administration, support
workers, contracted workers, the public, and their schools reputation. If a catastrophic loss occurs, the media
coverage may affect the universities reputation, posing a threat to future admissions, endowments, and
financial strength.

Ruzic-Dimitrijevic and Dakic (2014) argued the emergence of academic risks in English universities is
because of:

Provision of academic excellence - universities did not recruit adequate staffs and students, deficient
infrastructures for research or poor ranking.

Overall quality of the higher education sector. For example poor leadership, insufficient unambiguous
objectives, or inadequate evidence of the performance of higher education institution.

136
 3rd International Conference on Qalb-Guided Leadership in Higher Education Institutions 2017
(iQALB 2017)

Performance of higher education for society in general and the economy in particular. For example
inadequate demand structure, insufficient representation of socio economic groups, or unsuitable demands
on the national capacity.

Brewer and Walker (2011) argued the higher education context in which universities operate comprises a
complex network of education providers in a competitive global environment. In this environment there are
several significant change drivers that impinge on a university's s activities and give rise to risks. The drivers
are:

Increased responsiveness and accountability: universities are increasingly expected to take account of the
needs of employers and the wider community in both the design and delivery of courses and in the focus of
research work undertaken.

Broader student expectations: in terms of the range of learning paradigms available: These relate to the
importance of the image presented by a university and its reputation, both of which enable the attraction of
high-quality students and faculty.

Competition: There is increased competition for students and faculty in what has become a global
marketplace for tertiary education. Competition for faculty is exacerbated by the demographic shift towards
higher age groups and consequent problems in succession planning.

Increased external scrutiny: universities' activities are now subject to an increasing level of examination
and review. Monitoring compliance with regulatory and stakeholder requirements.

Entrepreneurialism: Engagement with the commercial world is an increasing feature of most universities'
activities and often such engagement is proactively driven by university researchers seeking partnering
arrangements with commercial organisations whereby research work can be funded and the commercial
value of research outputs can be realised and shared.

The impact of information technology: Advances in information technology have affected tertiary education
in two major areas: first, with the advent of electronic or e-learning giving rise to significant changes in
traditional learning and teaching patterns, resulting in increased flexibility in exchange for reduced direct
tutorial contact; secondly, automation of student support services such as admissions and enrolments, and
provision of a common platform that enables consolidation of financial and other administrative functions.

URMIA (2007) argued higher education institutions need to implement risk management. The risk drivers
are increasing pressure to transform higher education and requiring them to manage risks effectively.
Specifically the drivers are: fierce competition for faculty, students, staffs, and financial resources, pressure
for increase productivity, responsiveness, and accountability while reducing costs; increased external
scrutiny from government, the public, governing boards, journalists, and taxpayers-rights groups; powerful
new technologies that require significant investment of both financial and human capital resources; rapidly
increasing entrepreneurial ventures beyond the traditional educational venues that create stresses and strains
on traditional administrative and financial infrastructures; increased competition in the marketplace; and

137
 3rd International Conference on Qalb-Guided Leadership in Higher Education Institutions 2017
(iQALB 2017)

increased levels of litigation in general and internally, with ever-increasing levels of financial
consequences.

PricewaterhouseCoopers (2005) stated universities recognised that the higher education sector is
undergoing a period of change, driven by the need to maintain and enhance excellence, and that this
impacted on their risk management processes. Current factors driving risk and presenting opportunities at
a strategic level include: variable tuition fees, increased competition for students and changing student
expectations; increased exposure and reliance on overseas markets, global competition and alliances;
restructuring, investment in infrastructure, institutional expansion and large capital projects;
commercialisation opportunities, and new and emerging technologies and involvement in partnerships and
associates. Universities saw risk management as helping to address these factors in an increasingly
competitive environment.

RISK MANAGEMENT BENEFITS FOR UNIVERSITY

According to Brewer and Walker (2011), although higher education institutions increasingly recognise that
the effective management of risk is important to them, their focus has been on preventing a risk from
eventuating and the management of risks after the event. Very few have implemented risk within an
integrated approach to their quality assurance regime or strategic planning framework. Risk Management
links institutional governance, risk management, and the strategic goals of a university. Simply put, it is a
way to more effectively manage all of the risks that exist on a university campus. The financial benefit of
risk management for a university includes (Brewer and Walker, 2011): cost-effective management of all its
resources; greater efficiencies in use of constrained resources, maintaining competitive advantages,
resulting in enhanced use of existing applications; eliminating paying fines for regulatory non-compliance;
enhanced capital and reduced loss of assets; reduced cost of turnover by avoiding employment liability
exposures; reduced legal expenses, enhanced communications across department, the self-contained
management of risk with-out reference to the overall goals and strategy of the organization; and reduced
claims or operational losses by enhanced loss prevention.

Abraham (2013) pointed out that many higher education institutions are recognizing that an effective risk
management program, with the full support of the governing board will increase a university likelihood of
achieving its plans, increase transparency, and allow better allocation of scarce resources. Good risk
management is good governance Abraham (2013, p.5). In overall risk management helps a university to
sustain its competitive advantage, solidify its integrity and reputation, respond effectively when a
significant event occurs, avoid financial surprises and effectively manage all of its resources.

RISK MANAGEMENT IMPLEMENTED IN UNIVERSITIES

The followings presented risk management implemented in universities and benefits gained from risk
management (PricewaterhouseCoopers, 2000, Cassidy et al., 2001, Edwards, 2012, Clyde-Smith, 2014)
Auburn University, Alabama USA. For Auburn, risk management is part of the university culture and is
incorporated into the strategic planning process and goals of every department. Individual departments and
divisions at the university will know what their risks are, will take responsibility for managing those risks,

138
 3rd International Conference on Qalb-Guided Leadership in Higher Education Institutions 2017
(iQALB 2017)

and will measure their performance in managing their risks. With risk management, the departments are
taking the responsibility for managing their risks through their strategic planning process and are holding
themselves accountable for their risk management performance.

Pennsylvania State University, USA. Penn State is a multi-campus, public land-grant university that
improves the lives of the people of Pennsylvania, the nation, and the world through integrated, high-quality
programs in teaching, research, and service. The university mission includes undergraduate, graduate, and
continuing and distance education informed by scholarship and research. Its research, scholarship, and
creative activities promote human and economic development through the expansion of knowledge and its
applications in the natural and applied sciences, social sciences, arts, humanities, and the professions. The
goal of Penn State University's risk management program is to provide tools for its leaders and managers
to make better risk-adjusted decisions. Those who own the risks need to better understand how they can
seamlessly incorporate risk management into their decision-making process so that they can keep risks
within the University's tolerance and gain a competitive advantage.

The Maricopa Community Colleges, Arizona USA. Maricopa comprise ten public colleges, two skill centres
and numerous education centres dedicated to educational excellence, meeting the needs of businesses and
the citizens of Maricopa County. Each college is individually accredited, yet part of a larger system of the
Maricopa County Community College District. The District is one of the largest higher education systems
in the world and the largest provider of health care workers and job training in Arizona a major resource
for business and industry and for individuals seeking education and job training. Risk management
increased overall effectiveness and accountability, sound business processes, greater assurance of business
continuity, clear demonstrated compliance with applicable laws and regulations, enhanced employee
empowerment and pride, reinforcement of the strong Maricopa cultural identity and enhanced competitive
advantage.

Edge Hill University, UK. The Higher Education Funding Council for England (HEFCE) funded Edge Hill
University to undertake a project to adapt, develop and apply the techniques described in HEFCE guidance
on risk management to the area of academic quality and standards (Edwards, 2012). The project examined
risk management's role in promoting a quality culture. Its findings included that as a result of the
employment of a risk management, over time that such a system became more predictive and integrated
with other institutional management processes, including financial and strategic planning. The risk
management approach was also found to enable the processes of the institution to become more selective
and focused on quality enhancement and that the institution's data became more rigorous and focused on
informing decision-making to enable the achievement of the strategic objectives (Raban and Turner, 2006).
The followings are the benefits of the risk-based approach: evidence-based judgements, closer scrutiny and
support of high risk provision, appraisal and treatment of institutional and environmental risks, and
supporting quality enhancement.

Research Institute, Queensland Australia. Clyde-Smith (2014) stated risk management is being utilised
with varying degrees of success across many universities in Australia. Risk management strategies were
used to develop a regulatory and operational framework for a new multi-partner Research Institute that will
house up to 900 staffs from four different institutions in Queensland, Australia. The Institute will operate
in a business environment while functioning as a research resource for the higher education sector. Risk

139
 3rd International Conference on Qalb-Guided Leadership in Higher Education Institutions 2017
(iQALB 2017)

management strategies were used to develop a regulatory and operational framework to support the Institute
in achieving its vision, maximising opportunities. Utilising enterprise risk management enabled the
development of a governance and operations framework for the emerging Institute.

RISK MANAGEMENT PROCESS OR FRAMEWORK FOR UNIVERSITY SETTING

According to Tufano (2011), risk management for university leaders begins with fundamental questions:
what is our mission?, what is our strategy to achieve it? And what risks might derail us? Tufano (2011)
proposed to focus first on risks highly likely to occur that have severe mission-derailing consequences.
University leaders need to ask: how is our institution set up to deal with such risks? and how are we
managing the risks? According to Tufano (2011), top university leaders are not inclined to work through a
detailed step-by-step risk management process. They rather take a top-level approach based on
straightforward fundamental questions. Therefore, risk management process framed in the context of
university leaders consist of the following questions: what is the university mission?, what is its strategy to
achieve it?, (iii) what risks might derail the university from achieving its mission? how is the university set
up to manage or live with the risks? and where are the university being too timid regarding risks?.

The basic idea of risk management is to identify important risks and to plan actions to mitigate the risks. A
detailed step-by-step risk management is a five-step process (Chapman, 2006, Moeller, 2007). The steps
are: business analysis, risk identification, risk assessment, risk response and risk monitor. Each step is
detailed below (Sum, 2015).

Step 1- Analyse the Business. Identify and understand the objectives of specific unit, department, or process
requiring risk management. A university needs to identify the focus of risk management before proceeding
with risk identification. For example the university's goals or objectives of strategic plans, a faculty or
department strategic objectives or plan.
Step 2 - Risk Identification. A process of identifying events, situations or incidents preventing a university,
faculty or department from achieving its objectives or strategic plan. Risk identification identifies, lists and
categorises risks, and it records them in a risk register.
Step 3-Risk Assessment. A process for evaluating and assessing the likelihood of risks occurring and the
magnitude if they occur. The purpose is to rank the risks. This enables universities to focus on managing
significant risks. Risk ranking is also used to inform decisions on the appropriate risk response. Universities
can use the output of risk assessments to plan their risk responses or strategic risk management actions.
Step 4 - Risk Response Planning. Appropriate actions to manage significant risks. How a university
responds to risks depends on its risk appetite and risk tolerance. The risk response options are to avoid,
retain, reduce or transfer the risk. Risk avoidance involves eliminating the risk from the university. The risk
is retained if no other risk mitigation alternatives exist, or if it is more economical compared to other
options. Risk reduction involves reducing the frequency or severity of the risk. An example of a risk
reduction technique is diversification. Risk transfer involves transferring the risk to an economically
capable third party with a premium, such as an insurance company.
Step 5 - Risk Monitor. Risk monitoring is the final risk management step. It involves constant monitoring
of performance and suitability of the risk response. The risk environment constantly evolves; new risks
emerge and some risks never materialise. Risk responses change as new methods for managing risks are

140
 3rd International Conference on Qalb-Guided Leadership in Higher Education Institutions 2017
(iQALB 2017)

developed or old methods are improved. The purpose of risk monitoring is to continuously update and
improve risk management.

CONCLUSION AND FUTURE DIRECTION

Risk management is attracting a lot of attention in universities in terms of academic researches, courses and
degrees offered. It is, however, missing from most aspects of the management of universities. This study
brings forward the argument that risk is not limited to large corporations or banks. Non-profits government
agencies and higher education institutions face a host of risks as well. Yet, in Malaysia risk management
practices in the non-profit institutions, including universities and higher education, is less developed than
in much of the corporate world.

However, challenged by rising costs and uncertainty about future government financial aid and funding of
research, universities face increasing risks. To sustain, risk management activities need to be considered
essential and supported by top-level leaders at the universities. Risk management should be mission-
centred, strategic, and broad enough to capture issues that are of fundamental importance to the ongoing
success and mission of the universities.

The future direction of this study is to investigate how to embed risk management processes into the basic
management cycles of a university and develop a risk management framework that can suit a university
setting. The challenges lies ahead are to develop risk management process, framework or methodology,
that are cost-effective and sensitive to the university governance; and to develop best practice in the
implementation of risk management within universities.

REFERENCES

Abraham, J. M. (2013). Risk Management: An Accountability Guide for University and College Boards. Association
of Governing Boards of Universities and Colleges and United Educators, Washington DC.
Ahmad, S. N., Isa, M. Y., and Tapa, A. (2016). Web disclosure of risk management practices in Malaysian public
universities. International Journal of Academic Research in Business and Social Sciences, 6(11):404-410.
AON (2013). Higher education risk management. http://www.aon.com/industry-expertise/higher-education-risk-
management.jsp.
Ariff, M. S. M., Zakuan, N., Tajudin, M. N. M., Ahmad, A., Ishak, N., and Ismail, K. (2014). A framework for risk
management practices and organizational performance in higher education. Review of Integrative Business and
Economic Research, Society of Interdisciplinary Business Research, 3(3):422-432.
Brewer, A. and Walker, I. (2011). Risk management in a university environment. Journal of Business Continuity and
Emergency Planning, 5(2):161-172.
Bubka, M. A. and Smith, H. (2015). Best practices in risk management for higher education: addressing the what if
scenarios. Technical report, PMA Companies.
Cassidy, D., Goldstein, L., Johnson, S. L., Mattie, J. A., and James E. Morley, J. (2001). Developing a strategy to
manage enterprise wide risk in higher education. Technical report, National Association of College and
University Business Officers (NACUBO) and PricewaterhouseCoopers.
Chapman, R. J. (2006). Simple Tools and Techniques for Enterprise Risk Management. John Wiley & Sons, West
Sussex England.
Chang-Da Wan (2015). The History of University Autonomy in Malaysia. Policy Idea No.40. Institute for Democracy
and Economic Affairs (IDEAS), Kuala Lumpur.

141
 3rd International Conference on Qalb-Guided Leadership in Higher Education Institutions 2017
(iQALB 2017)

Clyde-Smith, J. (2014). Utilising enterprise risk management strategies to develop a governance and operations
framework for a new research complex: A case study. Journal of Higher Education Policy and Management,
36(3):327-337.
Edwards, F. (2012). The evidence for a risk-based approach to Australian higher education regulation and quality
assurance. Journal of Higher Education Policy and Management, 34(3):295-307.
HEFCE (2001). Risk management: A guide to good practice for higher education institutions. Technical report, Higher
Education Funding Council for England (HEFCE).
Lundquist, A. E. (2015). Lessons from the Academy: ERM Implementation in University Settings, chapter 9, pages
143-178. John Wiley & Son, Inc., Hoboken New Jersey.
Mitro, I. I., Diamond, M. A., and Alpaslan, C. M. (2006). How prepared are American colleges and universities for
major crises? Assessing the state of crisis management. Change: The Magazine of Higher Learning, 38:61-67.
Moeller, R. R. (2007). COSO Enterprise Risk Management: Understanding the New Integrated ERM Framework.
John Wiley & Sons, New Jersey.
MOHE (2015). University Transformation Program Green Book: Enhancing University Board Governance and
Effectiveness, Ministry of Higher Education Malaysia.
PricewaterhouseCoopers. (2000). Achieving goals, protecting reputation: Enterprise Risk Management for
educational institutions. PricewaterhouseCoopers.
PricewaterhouseCoopers (2005). Risk management in higher education: A guide to good practice. Higher Education
Funding Council for England (HEFCE).
Raanan, Y. (2009). Risk management in higher education - do we need it? Sinergie Journal, 78:43-56.
http://www.sinergiejournal.it/rivista/index.php/sinergie/article/download/490/383
Raban, C. and Turner, L. (2006). Quality risk management. Modernising the architecture of quality assurance.
Perspectives: Policy and Practice in Higher Education, 10(2):39-44.
Ruzic-Dimitrijevic, L. and Dakic, J. (2014). The risk management in higher education institutions. Online Journal of
Applied Knowledge Management, International Institute for Applied Knowledge Management, 2:137-152.
Sum, R. M. (2015). Risk Prioritisation (RP): A Decision Making Tool for Risk Management. PhD thesis.
Tufano, P. (2011). Managing risk in higher education. Forum for the Future of Higher Education, 54-58.
URMIA (2007). ERM in higher education. University Risk Management and Insurance Association (URMIA).

142

View publication stats