Ok, so we’ve been through all the prestige/reputational risk stuff (here and here), and tomorrow we will deal with financial risk. But today, there’s the issue of straight-up operational risk: that is, the possibility that an institution (or part thereof) might not be able to open tomorrow.
The obvious risks here relate to disaster planning: fire, earthquakes, environmental protection, etc. This is the stuff the insurance companies really care about and with justification: these can really affect property values. But with modern construction techniques, a lot of these risks are diminishing or disappearing, though at older campuses legacy issues still persist and can occasionally be quite serious. For instance, there was that one Canadian college last year that suddenly found out that its campus contained a basement housing a 30-year-old hazardous waste dump that nobody knew about, requiring hazmat teams flown in from Texas to clean up.
That story underlines something central about risk. Risk is supposed to be calculable. It’s about the odds and how to reduce them. But you can’t play the odds properly if you don’t know all the facts, and you can’t know all the facts if things were not properly documented to begin with. There are a lot of Canadian institutions – mostly colleges but a number of smaller universities as well – where records going back to the 70s and 80s just aren’t very good. And it’s in precisely those situations where the random toxic waste dumps (or their equivalents) are hiding. That’s why many institutions, as part of their risk-management strategies, almost need a group with a function resembling an auditor-general: a unit that noses around the institution just to make sure there are no skeletons in the closet – financial, operational, or otherwise.
Another big source of risk these days is IT systems. To keep faculty and students happy, institutions are – at the cost of millions of dollars – installing Wi-Fi pretty much everywhere on campuses. This not only costs money for installation, but it also massively increases the cost of network safeguarding. It’s not just a matter of safeguarding personal information on the network, and making sure the institution’s servers don’t get hijacked for Denial of Service attacks; given how central internet and data servers are to modern universities, any interruption in service can be very costly to institutions. This makes them vulnerable to ransomware attacks, as was the case two years ago at the University of Calgary (U of C got off lightly at $20,000, I thought – given the scale of the chaos, I think most universities would be prepared to pay a lot more than that to avoid something similar). This is an incredibly difficult area for institutions: threats are continually evolving, institutions are necessarily dependent on a lot of off-the-shelf third-party software of varying quality and degrees of inter-operability, and the potential for cost expansion is nearly endless.
But the two biggest risks to keeping an institution running safely these days are human. The first, and larger of the two, is strikes. Canadian post-secondary education is relatively strike-prone. It’s rare that a year goes by without a strike somewhere; this year saw the entire Ontario college sector shut down for five weeks. The main form of risk mitigation here is to not let strikes happen in the first place. This is as much an issue of communication and management style as it is about money (the basic rule is: if money’s an issue, talk about it all the time, not just once every three years once you get to the bargaining table). But if a strike does happen, then a very different type of risk management has to go into action to ensure safety at the picket lines.
The second threat is more short-term in nature but contains much deeper threats to reputation; namely, on-campus protests. Though we almost never see events which involve several months of ongoing in-class protests like those at Reed College, and campus occupations like those in France are pretty rare nowadays, we are seeing a bit of an uptick in protests around particular events, usually from speeches. Event security can get extremely pricey for these and they tend to draw a lot of potentially negative media as well. Risk management is tricky in this area because the discussion about campus speakers is – not unreasonably – tied up with notions of academic freedom, and faculty tend to think of that as their purview rather than as being an administrative risk management challenge. But I think it’s fair to say that it is both good academic policy and good risk management for institutions to have well thought-out policies both for invited speakers (who gets to invite a speaker? On what grounds might a speaker be disqualified?) and rules for protest and security at those events. Often the really bad stuff happens when institutions make up policy on the fly.
You will probably have noted in this post and in the two previous that a lot of these potential risk mitigation strategies are a lot easier to implement if you have a lot of money. Well, that’s true. But money doesn’t appear magically: institutions have to work to obtain it. And therein lies another set of risks. More on that tomorrow.
On the IT front, I am not sure I understand your issue with wifi. Wifi can be segmented and controlled. The issue is more likely the devices that connect to the wifi – more so than the private sector, and even most parts of the public sector, HigherEd lives in a BYOD world with few controls.
I was surprised that you did not mention the risk of not replacing/repairing infrastructure on a timely basis. It constitutes a huge risk which could have a variety of consequences if this is ignored. This type of risk is actually quantifiable using the insurance industry’s basic risk assessment tools. However, assessing infrastructure risk is only the first step. Boards must approve a continuing funding strategy to mitigate this ongoing risk.