Q&A: Understanding risk


Has your college created a “risk-aware” culture? Are you ready for what the future may bring? We talked with Anthony Pugliese, president and CEO of the Institute of Internal Auditors, about preparing for and managing risk in higher education.

As technology continues to evolve rapidly and impact nearly every aspect of our lives, it’s not surprising that internal auditors regularly name cybersecurity as the top risk across all sectors and industries, including higher education. According to our latest Risk in Focus report — which is designed to help internal auditors and their stakeholders understand today’s risk environment — 85% of audit leaders cited cybersecurity as one of the top five risks.

This article comes from the current issue of the Community College Journal, the bimonthly magazine of the American Association of Community Colleges.

Higher education is a data-rich environment where students trust that their personal, academic and financial information will be kept private. Therefore, ensuring that there are effective controls in place to confirm that data-privacy laws are being followed and that threats in that area are proactively identified and managed is a priority for internal audit as well.

Looking ahead, I believe organizations of all sizes need to be acutely aware of the risks that stem from the rapid adoption of artificial intelligence (AI). Ensuring that there is proper governance over the use of AI, as well as organization-wide awareness of the various ways in which bad actors are employing AI, can help mitigate these growing risks.

In addition, audit leaders anticipate that risks related to climate change will increase in the coming years. Higher education institutions should be abreast of the potential environmental risks that their campuses presently face and how those may evolve in the future.

Having a well-resourced, independent internal audit function is an essential first step in assessing risk for the vast majority of mature organizations of a certain size and complexity.

When it comes to assessing risk, it’s essential to take a holistic approach and gather inputs from all areas of an organization to fully understand the environment. While some risks may become more relevant as an organization grows and evolves, a best practice across all industries, including higher education, is to proactively tie assessments of risk to all strategic plans.

Approaching risk from this foundational standpoint allows an organization to develop and implement risk mitigation strategies before an issue arises. This can be accomplished by taking a step back to think strategically and collecting the necessary information to determine the scope of the issue at hand and how it fits into the broader risk management process.

The risk landscape has undergone a significant shift since the Covid-19 pandemic, largely driven by the acceleration of remote work and learning, including virtual meetings and online courses.

While technology has long been a key driver of risk — and an important tool in risk mitigation — prior to the pandemic, the explosion of virtual interactions has expanded the risks associated with IT and increased the focus on networks that are out of the central control of IT, such as home offices or student homes. As it relates to higher education, there’s an opportunity to embrace innovation and proactively incorporate new technologies into an institution’s overall risk-management strategy from the outset, to ensure that being an early adopter of the technologies that increase student and faculty flexibility doesn’t increase the threat level.

The pandemic served as a reminder of our ability to adapt as a society, but it also highlighted how addressing one problem — particularly in real time — has the potential to create new, unforeseen risks. And while an organization might not be expected or able to anticipate all risks, a properly resilient organization should be equipped to identify and react to emerging risks as they manifest.

Many organizations modeled that well during the pandemic and should incorporate the lessons learned into their ongoing risk assessment and planning process.

Creating a risk-aware culture cannot be done in a vacuum. Organizations that seek to broadly engage their staff in risk planning and mitigation should first seek to foster and promote an open, inclusive and transparent culture where people are empowered to raise issues without fear of repercussion. This approach makes it more likely that implementing specific organization-wide efforts to keep risk top of mind and at the forefront of the conversation will be successful.

When it comes to formal risk planning, I encourage organizations to bring as many functions as possible to the table from the beginning, to ensure that each party has a voice and can provide proactive input on plan development and mitigation efforts. When risk planning is holistically incorporated across the entirety of an organization from the beginning, a risk-aware culture is the organization’s default.

More specifically, periodic organization-wide surveys are an extremely effective tactic for gathering feedback and uncovering issues before they arise, as well as to keep staff vigilant about the risks they encounter and the proper channels to elevate them.

Looking ahead to future risks is an essential part of the internal audit function’s role.

I have always advocated for the use of scenario planning, especially around known and pervasive risks, such as cybersecurity and data privacy, to understand an organization’s capacity to mitigate knowable risks.

By the same token, it is equally important to build resilience for unanticipated risks. Good risk assessment and management will ensure the proper roles and responsibilities are delegated and communicated so that when a risk manifests itself, whether anticipated or not, there is clarity about how to react. Having a plan in place ensures that all parties understand their roles and responsibilities and the severity of the threat is understood by all.

About the Author

Daily Staff
CCDaily is published by the American Association of Community Colleges.