10 Principles of Effective Risk Management
Business schools are paying more attention to risk than ever before, especially now that Standard 1.2 in the 2020 AACSB Business Accreditation Standards asks schools to “conduct formal risk analysis and … mitigate identified major risks.” The COVID-19 pandemic made it clear that such analysis is essential to an institution’s long-term survival. Nevertheless, many schools are only beginning to design state-of-the-art risk management systems that measure up to those used by business organizations.
What are the different pieces of the puzzle that, together, provide a tool academic leaders can use to better predict risks and prepare for crises? Here, I outline 10 principles of good risk management—and point out common fallacies that can limit the effectiveness of risk management programs.
Principle 1: Think broadly about risk.
Corporate risk managers interpret risk with a probabilistic approach, using statistical indicators such as standard deviation, skewness, and others that characterize the likelihood of extreme, undesirable outcomes. Unfortunately, most business schools not only lack the data required to carry out such detailed calculations, but they too often restrict their attention to financial impacts, which are relatively easy to measure (or so they believe).
But other less tangible risks can be just as devastating. Think of what happens to an institution’s reputation when its staff members exhibit criminal sexual behavior against students or when its faculty are accused of adopting fraudulent research practices.
And then there are the risks linked to opaque “sources of randomness”—these are crises that are difficult for leaders to understand given their current knowledge, tool sets, and professional experiences. We saw such a crisis in the COVID-19 pandemic, which was a sudden, singular disturbance that affected every aspect of business school operations.
It is not advisable to delay mitigation of these random uncertainties until they have materialized. By then, it is often too late. It is far better to prepare for a broad range of risks before they manifest as substantial problems, losses, or missed opportunities.
Principle 2: Understand your risk landscape.
Crises can result from several things going wrong simultaneously, but leaders too often ignore such co-movement. Compartmentalizing risks into separate silos might help leaders avoid ad hoc reasoning, but also can lead them to assume, incorrectly, that every unfavorable risk will occur in isolation, unaffected by other influences.
Once again, take COVID as an example. Before the pandemic, higher education already had been exposed to a multitude of “gray rhino” risks, a term coined by strategist Michelle Wucker to describe “highly probable, high-impact yet neglected threats.” Such risks include climate change, demographic shifts, technological change, evolving educational preferences, and geopolitical developments.
When everyone on campus is asked to share responsibility for risk management, it’s likely that no one will take responsibility.
Decision makers tend to ignore gray rhino events for too long for many reasons, from the prevalence of herd behavior to the slow speed of crisis onset. But when COVID-19 interacted with gray rhino risks, it sent their slow development into “hyper-speed.” For example, the pandemic accelerated innovations in online education in ways that could offer fundamental challenges to traditional face-to-face instruction.
COVID-19 has compelled many business schools to invest substantially in technology upgrades, program redesign, and faculty training. But schools that already had adapted to the slow-moving changes they saw in the market prior to 2020 were able to transition to online education during the pandemic far more easily.
Principle 3: Avoid the compliance trap.
Parent universities often oversee risk management for all academic units, an approach that appears logical at first. After all, total exposure is the aggregate of risk exposures across an institution’s subunits. But while a compliance model encourages business school leaders to record, report, and discuss potential risks, it often does not force them to manage or mitigate those risks. When everyone on campus is asked to share responsibility for risk management, it’s likely that no one will take responsibility (see Principle 4).
Consider the extent to which some business schools relied on only a few markets, such as India and China, for student recruitment. While many of these institutions expressed the importance of mitigating their risk by diversifying their student recruitment, few took concrete action. As a result, institutions with the most exposure to these markets saw the biggest enrollment drops due to COVID. This was true for Australia’s regional universities, where enrollments dropped by a staggering 40 percent in the first half of 2021.
Principle 4: Establish robust governance.
Responsibilities for risk management need to be clearly defined and assigned. Take, for instance, a school’s flagship program. Who should manage the risks for this program? The associate dean of teaching and learning, the academic director, the head of admissions, the chief marketing officer, or if all else fails, the dean? When the delegation of responsibility is fragmented, it only invites inaction. Consequently, everybody may merely “watch the ball” as it drops to the ground.
Corporate practice teaches us that school administrators should appoint a person holding the remit for a specific risk (the “risk owner”) and a person responsible for monitoring and mitigating that risk (the “risk manager”). In practice, both roles are often combined. In this way, organizations make clear who is responsible to act when a particular crisis occurs and ensure that someone is there to catch the ball before it drops.
Principle 5: Use tools—and data—smartly.
Today’s state-of-the-art “weapon of choice” for risk management is the risk register, where administrators record information such as potential risks, their likelihood, institutional vulnerability, potential impact, speed of onset, mitigation actions, risk owner, and risk manager. In its simplest and most used form, a risk register is set up as an Excel spreadsheet that senior management can use to facilitate risk-related discussions.
In many cases, these documents can be transformed into “heat maps” rating the likelihood and potential impact of certain risks. These ratings can be based on a Likert scale (for example, 1 = “very low” to 5 = “very high”) or a traffic light system to flag dangerous “red” zones.
There are three main problems with risk registers. First, academic leaders might rely too heavily on Likert-scale ratings, which can be influenced by subjective perception biases. Consider, for example, the term “almost certain.” When people describe a risk as “almost certain,” they might ascribe a subjective probability of anywhere from 80 percent to 100 percent.
If business schools had had the right systems in place, they possibly could have detected a trail of weak signals that foreshadowed the pandemic in late 2019, months before the entire sector was abruptly forced into crisis mode.
Second, risk registers can suffer from aggregation biases, in which leaders fail to link top-level thinking with intraschool operational realities. For that reason, it is valuable for the executive team to create not only a schoolwide risk map, but also risk maps for each subunit within the school, so that they can better identify potential sources of trouble.
Third, risk registers often are not supported by automatic data feeds. But data is crucial to effective risk assessment. With student recruitment, for instance, an executive committee can consider data such as the number of signed student contracts and web clicks on degree pages. In addition, when used in combination with artificial intelligence, such data-based assessment can help schools track ranking performance data and predict forthcoming positioning changes.
An Excel spreadsheet with ordinal scoring is not enough to support effective risk management. Schools also must employ data-driven approaches to create reliable reference points and manage their operational risk.
Principle 6: Learn to detect weak signals.
Business schools started to take COVID seriously in late February to early March 2020. But if they had had the right systems in place, they possibly could have detected a trail of weak signals that foreshadowed the coming crisis in late 2019, months before the entire sector was abruptly forced into crisis mode. These signals included the unusual way governmental bodies in China were handling the earliest stages of the crisis, as well as social media communication surrounding the emerging pandemic. Instead of reacting to these signals, most schools assumed that China would bring this outbreak under control as it had in previous instances.
Too often, schools measure risk using key performance indicators (KPIs) such as tuition income and student enrollments. Unfortunately, these lagging indicators measure past rewards and outcomes. Instead, schools should employ forward-looking measures such as the faculty’s engagement with pedagogical innovation or the perceptions key stakeholders (such as prospective students) have of the school’s quality. Such measures that act as leading indicators of future performance are far more useful at revealing signals of a coming crisis.
Principle 7: Appreciate the benefits of trial and error.
Here, we can be inspired by the well-known marshmallow challenge, in which small teams of people are asked to build free-standing towers using raw spaghetti, tape, and string, before placing a marshmallow on top. Kindergarteners, who let their creativity reign and are always ready to start over, tend to perform much better in this challenge than business school graduates, who are driven more by strategy and KPIs.
The marshmallow challenge has a key takeaway: Complex design problems are better tackled through trial and error than through the application of predetermined practices. When one approach doesn’t work, we must exhibit ambidexterity, agility, and resilience, and we must be willing to change and start afresh.
Principle 8: Become a wayfinding leader.
Wayfinding describes a leader’s ability to navigate the future with little information to go by. Think, for example, of the impact of AI on faculty’s work. Some faculty perceive AI as an opportunity, while others view it as a threat. The best academic leaders will provide narratives surrounding emerging trends such as the adoption of AI to support better sensemaking among faculty and staff. In this way, they can encourage them to embrace new technology and manage risks associated with it more effectively.
Principle 9: Make risk management a team sport.
In auto racing, the current Formula 1 record for changing a set of tires during a pit stop stands at an amazing 1.82 seconds. To perform at this level, teams must practice hundreds of times every season. The same logic applies to business school teams when dealing with risk.
Schools should not only have clear risk management processes in place, but also make sure people know their specific roles as thoroughly as Formula 1 pit crew members know theirs. Otherwise, when a crisis is imminent, faculty and staff will behave like sideline coaches. Everyone will observe, no one will act.
When organizations emerge from crisis stronger than they were before, that outcome does not reflect superior crisis management—it reflects effective risk management.
Principle 10: If not now, when?
Many leaders subscribe to the theory that “a crisis is not the appropriate time to improve ‘back office’ capabilities.” But this sentiment contains two errors in thinking. First, it fails to recognize that people throughout the organization are responsible for risk management, not just “back-office” staff. Second, it diverts attention away from managing risk during a crisis—exactly when risk management is required most. We need only look to the financial markets, where the greatest long-term outperformance occurs during market downturns, not market upswings.
It is always a good time for business schools to enhance their risk management capabilities. For example, those that have worked to improve their market positioning during the pandemic will emerge stronger than they were before. This outcome does not reflect superior crisis management—it reflects effective risk management.
Developing a School’s Risk Culture
For organizations, the biggest challenges of risk management are related not to adopting risk governance strategies or using analytics, but to developing an organization’s risk culture and appetite for risk. By putting these 10 principles into practice, business schools can create cultures where all employees understand the importance of managing exposure to risks and can establish their capacity for risk (benchmarked, for example, against their financial slack) across all cash flow streams, actors, and subunits.
When managing risks, senior management teams at business schools tend to hold their cards close to their vests, sharing little of their planning outside their circle. This is the exact opposite of what they should do. Instead, leaders should make sure everyone is informed of potential risks, invited to contribute his or her knowledge, and included in the risk mitigation process. Only then can leaders ensure that their institutions are truly prepared for future crises, no matter how unexpected.