Taking risks with risks in universities
Anyone working in a corporate environment will know that, after 2001, everything changed. It was around that time that the Enron Corporation went bankrupt. Some of the key features of the bankruptcy and of the resulting fall-out were the role of directors, and the effectiveness of a company’s risk management. This had already been anticipated in Britain in 1999 in the Turnbull report (Internal Control: Guidance for Directors on the Combined Code), which had set out the importance of internal corporate control and risk management. Anyway, after Enron all this quickly had an effect on the higher education world, as university governors became more directly aware of their personal responsibilities and (potentially) liabilities; and as governing bodies therefore became much more focused on the identification and management of risk.
It is easy to argue that this has all been a good thing. Indeed more recent revelations about incompetence and doubtful business practices in the banking world have probably helped to reinforce the post-Enron trend. Indeed reckless behaviour in business is not a good model for higher education. And yet, universities – already places in which strategic caution and complex decision-making are part of the traditional routine – may not always have been helped by the new culture. It is now increasingly common to assess academic strategy in terms of risk. But academic innovation is, or should be, about pushing ideas beyond the consensus and testing them in the unknown. Those who manage risk registers may feel that their efforts produce sounder policies, as indeed they possibly do. But they also breed an atmosphere of strategic timidity in which the unknown is regarded with suspicion.
A good illustration of how risk management is being pushed in the universities is the English funding council’s (HEFCE) ‘risk prompt list‘ for higher education institutions, which contains ’51 examples of potentially significant risk elements’ and which is now used as a template for risk management by many universities. If you read this, and if you imagine yourself assessing a university’s strategy by applying its various alarmist warnings, you could easily imagine a mindset emerging in which there is something like planning paralysis. If you keep asking yourself, constantly, about all the things that may go wrong, you become mesmerised by risk and you fail to address opportunity. Risk is suddenly seen everywhere. For example, one major world-leading university now has a Risk Steering Committee, a Risk Management Policy and a Risk Management Strategy; a whole risk industry. Other universities have whole bureaucracies dedicated entirely to risk management.
Clearly no sensible person would want to call for reckless planning. Understanding risks and seeking to contain them is as good a practice in universities as it is everywhere else. But risk management is not everything. It is merely a reality check. If you audit a university’s strategy, or that of a department, and do so solely by assessing the risks and how they are being handled, you cannot form any real sense of how well the institution is planning its future. It is time to create a better sense of balance between risk and innovation, and to understand that caution-driven consolidation is, in a fast changing world, also a major risk.