Five Reasons to Audit your Risk Management Function
At Sage Consultancy we are advocates of the importance of Enterprise risk management within the school setting. This is a holistic process that helps institutions identify, prioritize, manage, and report on risks in an institutional setting.
For those schools that have not yet adopted ERM, that may sound like a lot, but essentially leaders use ERM to think more proactively about new and emerging risks. The focus is on risks that can affect the entire campus and how leaders can collaborate using a cross-functional approach. Often, a committee of senior administrators work together to identify common risks and select specific risks that the campus will tackle that year. The ERM committee is responsible for seeing risk management efforts through and reporting to senior administrators and the board.
The real value of ERM is that it requires cross-functional efforts and is particularly valuable for managing complex risks that cannot be solved by just one leader or department. For example student mental health is a risk that institutions cannot manage in silos. It’s a risk that affects student life on campus, their classroom performance and academics, their relationships with other students, and really any aspect of a student’s time on campus. Student counseling should not be alone helping students manage stress or succeed academically, in fact, schools that coordinate efforts are in a much better position to help students and really get to the root cause.
In this article Joe Underwood, CPCU, ARM-E from Albert Risk emphasizes some reasons why schools should review their current approach to risk management, irrelevant as to what level of sophistication it may have.
As political, economic, social, technological, legal, and environmental risks continue to emerge and shift, risk management is a core business function that affects performance and possibly even the continued existence of an organization. Whether your risk management function is focused on enterprise-wide risk management or traditional insurance risks, an audit of the function should be among the first priorities.
In the corporate world, the internal audit function is critically important to bring additional expertise and resources to the process of identifying and evaluating risks and ensuring appropriate risk treatments are in place. Internal auditors also understand the importance of objectivity and bringing in subject matter expertise where needed. For small to mid-size educational institutions, these functions typically reside with the financial officer and/or business manager, the persons who are responsible for insurance and risk management. With this in mind, here are five ways educational institutions can benefit from an audit of risk management.
1. Financial officers and business managers may learn about risks that guide future audit plans - When developing top-down, risk-based audit plans, there is usually no better place to start than by looking at what risk management has identified as key risks, especially if your school has an enterprise risk management (ERM) program. Such programs usually involve periodic risk assessments that identify and assess emerging or critical risk issues. The board or senior leadership establishes risk appetite and tolerance while a risk committee prioritizes the key risks and risk owners are engaged in discussion about how risks are managed and monitored.
The dialog from these ERM processes can surface many areas where controls are weak or non-existent. It is helpful for finance and business managers to participate in the risk assessment process, or at a minimum, review key deliverables. These can be instructive in developing more detailed audit projects where warranted.
2. The stakes are high - Most risk management functions deal with events that could seriously threaten the institution if not handled properly. Insurable risks include natural catastrophes, transportation and sports accidents, health crises, acts of maliciousness or violence, data breaches, multi-party casualty events, employment practices liability, management liability including unethical practices, educators legal liability, kidnap and ransom risks, and many others. Uninsurable risks include reputational damage, competition, regulatory issues, economic conditions, etc.
Many events are high-impact and low-likelihood. In other words, while the stakes are high, the odds are high that most will never happen. This is a good thing, but it creates a greater need for objective assurance. There are no test runs. Risks can be neglected for long periods of time and no one will know. If protection against a catastrophic risk is not in place the first time around, there may be no next time.
3. Objective assurance - Due to time constraints and short-term financial pressures, mid-level administrators often discount the need to manage certain risks because they have never experienced one. However, a single career is a small statistical sample. It is important to look more broadly at the risk issue.
By way of analogy, a property in a 100-year flood zone is determined to have a 1% chance of loss in any given year. Yet multiple lifetimes could pass without that property experiencing a flood. Or, multiple floods could occur within a short period. Risk is uncertainty, and if the consequences of an event are not tolerable, one must stay protected at all times.
Financial officers and business managers understand the dilemma of working with limited data and are versed in how to obtain objective input from outside resources. Modern boards count on those parties to provide objective assurance, not only on financial risk issues but also on the soundness of the overall risk management process.
4. A fresh look to keep pace with institutional change - Institutions often grow, expand their geographic reach, introduce new programs and services, add leading edge educational concepts, or introduce new technologies. It is important for those managing risk and insurance programs to occasionally take a step back and examine why things are the way they are, and whether they are still optimal. Sometimes the best way to encourage that level of critical thinking is to prompt it through a risk management audit.
Seasoned risk management professionals understand the importance of obtaining independent perspectives on their work. They recognize that they can become entrenched in the day-to-day and that everyone is subject to human error. An audit can promote fresh thinking and can bring about significant improvement or address previous blind spots. An audit may also highlight that the function is under-resourced and add support to a risk manager’s request for additional resources.
5. Verification that insurance policies actually provide the coverage expected
In most business negotiations the terms of the agreement are fully documented when the deal is made. Not so in the insurance industry. With few exceptions, many months pass before the buyer sees the insurance policy that they purchased. Renewal proposals are often delivered days before the renewal effective date, leaving little time for meaningful review. Unless requested, specimen policy language is often not provided during the negotiation process. Seemingly innocuous policy exclusions could be listed on the quote, but the language might encompass a broader array of matters than the endorsement titles suggest.
It is common for insurance buyers to assume that they can transfer responsibility to a broker to secure appropriate insurance to protect their businesses and verify that policies are issued in accordance with negotiations. However, unless special circumstances are created, the broker only has the obligation to place the coverages directly requested. Some broker agreements even require that clients review their policies and inform the broker of any errors within a set time frame.
Put your risk management on your audit plan!
If you have not already audited your organization's risk management function, add it to your plans for 2022. You may find a new project idea, prompt meaningful improvement in how key risks are managed, and find opportunities to improve insurance coverages. Educational institutions can only stand to benefit when their risk management team proposes solutions focusing on key risks.
Sage Consultancy offers support to international schools in different aspects of finance and operations, this includes the establishment, audit and support of your risk management systems.