Enterprise Risk Management for Independent Schools
Serving as a trustee or administrator of an independent school is a bit like being the owner of an old home. In both situations, there are countless risks to monitor and address. Some are obvious and demand your immediate attention like leaky pipes or declining enrollment figures. Others may not be so readily apparent, like mold growing behind the old wood paneling or a trustee with a potential conflict of interest. Still other issues may or may not ever emerge, yet require preparedness – such as trees that hang over the roof, or the risk of misconduct by a major donor (and the accompanying bad publicity).
The trustees and administrators of an independent school are the current custodians of their school’s campus and mission. They not only must keep the school fully operational, habitable, and nurturing for its present occupants, but also ideally will seek to leave it in a better condition than they found it for the next custodians. In order to do that job successfully, it is important that they understand and closely monitor the key risks and challenges facing their school.
An ideal way to do that is for the Board and school administrators to conduct an enterprise risk management process, a kind of “home inspection” for the school.
Enterprise Risk Management (“ERM”) is a tool for strategic decision-making, from identifying and assessing key risks, to managing and monitoring those risks consistent with the school’s strategic goals, risk tolerance, and available resources. ERM involves a commitment by school leadership to identify, prioritize, own, and address the various risks faced by the institution.
ERM, a concept from the for-profit business sector, has been adapted in the independent school context to help schools support and safeguard their educational mission and goals. Done correctly, ERM can help to minimize financial, legal, and public relations-related exposure.
Understanding and Committing to ERM
The first step in implementing ERM is for school trustees and the administration to agree on the importance of the risk management process and commit to that process.
Though a school may have the requisite in-house expertise to explain ERM to key decision-makers, the school might consider bringing in an outside expert to present an overview of ERM, answer any questions that school leaders may have, and offer guidance on how to tailor the process to fit the school’s goals and resources.
There are countless different ways to conduct an ERM process, and each school should consider how best to tailor the process. For example, in some schools, the Board is closely involved, while in other schools, the administration owns the process entirely. Some schools use a formal process with heat maps and checklists; other schools might take a seemingly less formal approach that focuses on a few more obvious top priorities each year.
School leadership should understand that ERM involves not only an initial commitment to auditing the school’s risk profile but also an ongoing commitment to reassessing and addressing new and ongoing risks going forward.
Once a school has committed to an approach to risk management, the next step is to conduct a risk audit. A common practice is to create an ad hoc ERM Committee, which may include Board members, administrators, and others, in order to develop a comprehensive understanding of possible risks to the school.
The ERM Committee, perhaps with the help of outside experts, will generally create an ERM audit checklist that will help guide the process. As an example, this audit checklist might include: academic program, student health and well-being, athletics, employment issues, the school’s reputation in the community, data security, field trips, admissions, contracts and advancement, among many other topics.
The process of identifying areas of risk can be extensive, often involving the input of many individuals, each of whom has an understanding of different specific risks facing the school. Having legal counsel participate may also protect the discussion with the attorney-client privilege.
After conducting the ERM audit, the next step is generally to evaluate each risk based on a number of factors. Some issues to consider are: (1) how likely is it that a negative consequence might flow from a particular risk; (2) how severe might that consequence be; and (3) what might the anticipated cost (again, think time, talent, and treasure) be to eliminate or mitigate the risk.
Because every institution has finite resources, it is not possible to address every risk. But an ERM process will help the school decide which risks must (or can) be addressed immediately, which should be addressed over time, and which can be tolerated comfortably. (Note: These priorities will also likely evolve over time, as circumstances change. Thus it is important that the school maintain its commitment to ERM.)
The ERM process may reveal certain serious risks that can be addressed using only a small commitment of resources. These low-cost, high-impact issues might be the first that the School chooses to address. For example, through ERM, the school might discover that it does not have a plan for responding to allegations of some headline-grabbing misconduct at the school.
Therefore, the school might decide to develop a crisis response plan, which may not cost the school a lot, but may prevent the school from making critical missteps that could cause future harm to the school.
Owning and Addressing Risk
Because ERM addresses varied aspects of a school’s operations – from academics to zoning – many hands are needed to assess risk, and even more hands are required to address and manage risk. Though the Board or administration may initiate the ERM process, most of the actual risk management work will typically be undertaken by school administrators, who in turn may delegate as appropriate to school employees and/or vendors.
The role of the Board in ERM is typically (and properly) limited to issues involving long-term strategic implications. The Board may develop and approve a risk management policy, and should stay informed of the ERM process, receiving updates from the Head of School and others. The Board will typically work with the administration to analyze and prioritize risk, and is likely to focus on risks related to Board governance, long-range planning, and the financial viability of the school.
The Head of School and other key administrators will generally bear responsibility for day-to-day oversight and implementation of the risk management process. It is important that the Head of School fully commit to this process by participating in the initial discussions regarding ERM, thus having a key role in developing the ERM philosophy and in analyzing and prioritizing risk.
The Head and other senior administrators will then be in the best position to oversee most of the changes being made, such as (for example) changes to the school’s academic program and hiring practices. The Head will typically delegate ownership of certain risks. For example, the Health Office might ensure that all student health information is properly stored, and the Business Manager may oversee the process of running background checks on employees and volunteers. Ultimately, the Head will generally report back to the Board with an annual ERM review.
Enterprise Risk Management is a unified and systematic approach to understanding the active and latent threats to your school’s continued success, and channeling the school’s resources in a way that most effectively combats those threats. For school leaders, like homeowners, there will always be issues that demand immediate attention. ERM is a way to take a step back, to conduct a thorough “inspection” of the entire enterprise and be better prepared for the challenges that await.
* * *
Please feel free to contact one of Schwartz Hannum’s experienced independent school law attorneys if you would like to discuss the ERM process, arrange for customized ERM training for your school’s leadership, or seek our help in preparing an ERM audit checklist.