It’s Thursday August 23rd and our latest edition of the Feagin Company Weekly Risk Report: What you need to know to stay current in risk management. Visit our website at feaginllc.com.
Feedback – Thank you!
We are receiving excellent feedback on the Weekly Risk Report! Readers are telling us they love the content and are finding it useful and applicable to their roles and responsibilities. We’ve been asked to shorten the report and we hear you! Starting this week, we will make it shorter. Keep the feedback coming; thank you!
Higher Education – A BIG FAT “F” for Risk Management
When is a risk no longer a risk? I ask this question many times when looking at risk profiles for any organization/industry. My view? When a risk is impacting the organization and being realized, it’s a problem, not a risk and it requires special and focused attention. Usually one of several things happens: 1) it is not addressed adequately or at all, 2) controls are not effective, 3) leadership has their heads buried somewhere, or 4) the pain isn’t severe enough to care about it. Many parents today will tell you that when they send their precious kids, especially girls, off to college, they worry about them being sexually assaulted or abused (see the “takedown” below). Why is this? For over 7 years I have been analyzing this issue among others that are prevalent within higher education institutions. Here is what I have experienced:
- The organizational structure of most higher educational institutions consist of the Chancellor, the Provost, and the Board of Trustees or some form of (yes, I purposefully ended with a preposition – gasp). These parties each have similar and dissimilar goals and objectives; yet, they each wield tremendous power across the institution. Effective risk management requires alignment of priorities and interests regarding risks as well as risk management policies, actions, and commitment. In the majority of higher ed cases I have worked, I have been appalled at the conflicting leadership and misalignment of risk management. I’m leaving it right there. Hospitals and healthcare in general have the same issue (Administrator versus Chief Medical Officer).
- Managing certain risks is almost a joke. Let’s look at sexual harassment, rape, and abuse in general where the victim is often ignored, forgotten, or mishandled. Why? For the sake of brand? Or is is something more sinister like that of an increasingly perverse and ideological culture run amuck with no accountability? I float the idea at least, right or wrong. Yes, campus crimes must be reported now. Wondering why? Look up Jeanne Clery who was 19 when she was raped and murdered in her campus hall residence at Lehigh University. Sad…that it took this incident and a grieving mother and father who were relentless in their pursuit of justice to finally require campus crime reporting. By the way, look up the number of institutions that are in violation of reporting their crime statistics…disgusting.
- Don’t question those in authority or those who are icons at the school…the “money makers,” “the powerful,” “the influential,” or “the famous”…Jerry Sandusky was convicted on 45 counts of rape and child sex abuse. The sad part, retired Director of the FBI, Louis Freeh’s report accused Penn State of covering up the attacks and said leadership had “total and consistent disregard” for the child sex abuse victims. Risk management will never work for any industry where ethics, transparency, and doing the right thing are not valued. Accountability is critical.
- Reporting a risk is a “black eye.” Can you believe that someone would actually think that documenting a risk is a bad thing? Been there, seen that…”oh, we can’t document that! It might get out to the public.” When I look at risk profiles for higher ed, I am more interested in what’s not there than what is there. Curious, how does a higher ed risk manager who’s sole focus is on insurance mitigation deal with rape and sexual abuse? Money doesn’t fix the lifelong psychological trauma faced by these victims.
The Good – Making progress
Ever since the 1999 Texas A&M Aggie Bonfire collapse, many higher ed institutions started placing increased focus on risk management. Though it’s a sensitive and tragic topic, they managed it well. Kudos to the Aggies for being one of the few institutions that actually discloses details about their Enterprise Risk Management policy, process, and controls. Let’s hope their crime stats can soon return to 2014 numbers or be even better.
Predictability: Many companies are pouring $-millions into artificial intelligence as a means to generate predictive analytics for managing risks in the supply web. Don’t forget that A.I. and analytics in general have a diminishing return at some point. Continue to use caution as you develop these capabilities.
Cyber Risks: Vendors and suppliers that are not required or held to stringent cyber controls can be a serious vulnerability to your organization. If your vendor produces electronics or software for you, read about “trusted hardware” and “trusted software.” A rogue supplier or supplier with a rogue employee could easily place nefarious code or hardware into sub-assemblies that feed your products. It’s happening…and why I don’t use smartphones by ZTE or Huawei. I don’t trust their hardware or software.
Risk Management Capabilities: Organizations, especially large ones, need to consider promoting risk management practices within key functions like Vendor Management, IT, and Operations with outputs reporting into the enterprise risk process. I’ll continue to expand on this in future releases…but this is how you institutionalize and integrate risk management up, down, and across the organization. Forget “risk culture” as a focused project…you naturally create a risk aware culture when you empower the functional areas and lead from the top. Don’t waste your money on a “risk culture” gig from some consultancy…you’ll get more out of an all-hands decked out party complete with a headlining band.
- In 2014, ESPN reported that only 1 in 27 potential concussions were reported in collegiate football…hmmm.
- 20% – 25% of college women and 15% of college men are victims of forced sex during their time in college (b)
- A 2002 study revealed that 63.3% of men at one university who self-reported acts qualifying as rape or attempted rape admitted to committing repeat rapes (h)
- More than 90% of sexual assault victims on college campuses do not report the assault (b)
- 27% of college women have experienced some form of unwanted sexual contact (e)
- Nearly two thirds of college students experience sexual harassment (p)
- How about legislation that creates accountability in higher education institutions similar to existing and forthcoming corporate controls?
- Where is board independence and executive accountability? It is being demanded by institutional investors and regulators in the corporate world…how about higher ed?
- Dealing with blow back and “hurt feelings reports” from this week
- Activism Risk
- Geo Politics