The risks worrying Uni directors

Thinking of joining a university or college board? Phillip Cenere reports on a recent symposium in Sydney where the key lessons on risk management in the tertiary education sector were discussed.

Australian universities are akin to small towns or cities, some with more than 50,000 students, 3,000 employees and annual revenues approaching $2 billion. They can house museums, theatres, libraries, shops, restaurants, cafés, gymnasiums, sporting facilities, churches, parks, lakes, childcare centres, car parks and we haven’t even got to the teaching spaces – vast mazes of lecture halls, laboratories and seminar rooms.

The boards and management of these institutions are responsible for developing and overseeing staff and students, infrastructure and buildings in multiple sites (domestic and abroad) while ensuring campuses remain open spaces, accessible to students and any member of the public seeking knowledge, scholarships or just a warm place of refuge.

Universities operate in an ever-changing regulatory, economic, social and technological environment.

It is therefore not surprising they face the full facet of risks (reputational, strategic, operational, financial, compliance) encountered by large companies or government departments.

Late last year, in an effort to learn about best practice in dealing with these risks, senior staff and academics from across Australia’s tertiary education sector took part in a one-day symposium on risk management in Sydney, presented by the Australian Institute of Company Directors and the Association for Tertiary Education Management.

The discussions focused on the role of executives and boards in risk management; incorporating risk management in strategic planning and budgeting; setting the risk appetite for institutions; and managing the risk managers. Speakers came from across the commercial, government and tertiary education sectors.

If you are thinking of joining a university or college board, here are the top lessons they have learned about risk management for the tertiary education sector.

Professor Ann Brewer FAICD, Deputy Vice Chancellor (Strategic Management) of the University of Sydney and CEO of the Centre for Continuing Education, told the symposium that higher education providers (HEPs) were facing unprecedented challenges.

“We have increased scrutiny at every level, in every sense, on every aspect of the university, from various agencies, federal and state. We are completely open and need to be so. This increased scrutiny provides a dense risk profile for all HEPs today.”

She said the tertiary education sector was experiencing several key change drivers and risks, including:

• Fierce competition for faculties, students, professional staff and resources (especially capital).
• Greater need for better performance outcomes, responsiveness and accountability, while reducing costs.
• More external scrutiny from governments, boards, the community, parents, students, philanthropists and the public.
• Increasing entrepreneurialism.
• Rapidly changing e-platforms and technology.
• Changing values and demographics leading to cultural transformation.
• Environmental concerns and mounting regulation and costs.
• Uncertainty about political decision-making.
• Keeping up with the latest risk-management ideas, practices and knowledge.
  

Brewer observed: “Because of these change drivers and the things we’re dealing with daily – many of us are running universities the size of regional towns with as much control and freedom as any city council – we need to continue to survey our risks and understand our potential vulnerabilities.”

She said HEPs needed to understand the wider and organisational context in which they operated.

For example, the University of Sydney had developed an executive dashboard that had been very useful in helping its committees and key people understand the multi-layered risks.

“It’s important that you have measures for all your operational activities and processes so that managers understand how they work, what the key performance indicators are and can anticipate the outcomes. The board and strategic committees need to get that informative feedback regularly. Nobody should be sitting on a committee and not understand this level of detail. All members need to be across this level of detail and to understand the data to support it.”
Brewer said HEPs shouldn’t shy away from taking risks.

“If we want universities to remain competitive and provide a rich environment for researchers and students, we have to have an appetite for risk. Risk is inevitable. No organisation is successful without a healthy risk appetite.”   

She added that risk management was not about risk management per se, but about achieving strategic objectives.

Kevin McCann FAICD, chairman of Macquarie Group and a Fellow of the Senate of the University of Sydney, observed: “Obviously, financial institutions and universities are very different – the core business of universities is teaching and research; the core business of financial institutions is to make money.”

However, he believed universities could learn much from Australian financial institutions which, following the global financial crisis, had become heavily regulated and, as such, had developed high-level risk-management frameworks.

Today, they were sophisticated managers of risk and very good at determining their risk appetites, creating risk cultures, identifying risks in their businesses and developing frameworks for risk management and policies and processes to manage risk.

They also provided resources for risk management and ensured the risk appetite and risk profile were understood by the staff.

“At Macquarie, we undertake risk that is consistent with our goals and values, what we stand for, how we do things. Risks also need to be aligned with strategic intent and have to be acceptable. You have to put in risk limits and policies. For instance, it’s our policy to be compliant with regulation. That’s one area where there is zero tolerance for deviation. Another is occupational health and safety.” 

McCann stressed this was vital for HEPs where staff and students may be working in the field in sometimes dangerous and unpredictable environments.

He added that changes introduced by the Australian Prudential Regulation Authority (APRA) had seen the boards of financial institutions take on a more hands-on role in risk management and this had become best practice across sectors.

“APRA has now said the board is going to be responsible for risk management and it’s the board that’s going to set the appropriate behaviours. It was very keen on this concept of the ‘tone at the top.’  We’re expected to be influential through management. That’s quite a sea-change for directors because we’ve been used to delegating that task to management... The board is ultimately responsible for risk.”

McCann believed HEPs should consider appointing chief risk officers (CROs) who had a direct line to the board.

“In the case of financial institutions, the CRO is a well-established role. That person is a member of the executive committee. He or she reports not only to the CEO but to the chairman of the risk committee and directly to the board. It’s a role that’s taken very seriously.”

However, McCann noted that outside the finance sector it was a different story, with the position usually parked under the CFO and not the executive committee. The qualities he looked for in members of risk committees included:

• A good understanding of the institution, its strategy, operations and categories of risks it faced.
• An understanding of the vision, mission, funding and what the organisation wanted to do.
• A background in finance (many issues concern money) or law (the ability to think things through).
  

McCann said many organisations wrote down their risk culture formally. “Formalising a risk appetite and risk culture has been a very good discipline. You must maintain external stakeholder confidence. They’ve got to have confidence that risk is being properly managed.”

Peter Achterstraat FAICD,  a principal of Evans & Peck in Sydney, noted that HEPs faced many of the same risks as other organisations in other sectors.

Some of these included financial issues, superannuation liabilities, overseas student revenue, long-service leave obligations, capital works, maintenance backlogs and massive open online courses.
 
He said risk had become much more important, sometimes because of a crisis, sometimes because of leadership. “If you’re going through change, risk management is more important than if you’re in the status quo. When I went to university, revenue from overseas students was seen as a bit of cream for the universities – a bit of extra money. Gradually, it’s become part of the funding base where it really is necessary, and so managing overseas students has become a very important issue.”

Achterstraat recalled the bashings of Indian students in Victoria in 2008 and 2009 and subsequent protests.

“That had ramifications across the tertiary education sector. Universities said: ‘We’ve got to do something.’ Many sent delegations to India to say: ‘It’s safe here. Please come.’ They sent deans, vice chancellors and other very important people. Wollongong University sent Adam Gilchrist, an alumni and a famous cricketer. The result was its overseas enrolments marginally increased. That showed how a risk can sometimes become an opportunity.”

So how do you inculcate risk management into an organisation’s culture? While you could do it “carrot and stick”, Achterstraat said the best approach was to manage risks before they become a crisis. “What I’m enjoying about my new role [is that] in the past as [Auditor General of New South Wales], you’d come in when the project has gone bad and sometimes bayoneted the wounded; the beauty at Evans & Peck [where you are dealing with infrastructure and building] is that you go in before anything happens and ask: ‘Is it a good business case?’”