By Dr. Vlad Krotov and Dr. Jacob Chacko
The 2020 Business Accreditation Standards by AACSB require a business school to “maintain an ongoing risk analysis, identifying potential risks that could significantly impair its ability to fulfill the school’s mission, as well as a contingency plan for mitigating these risks.” With the recent events surrounding the COVID-19 pandemic and its impact on educational institutions around the globe, there is a growing realization among business schools and their leaders of the importance and usefulness of Risk Management in their organizations. In this article, we briefly discuss the Risk Management Process and offer simple, practical guidelines on how to identify, analyze, and mitigate risks with the help of a formal Risk Management Plan that is aligned with a broader Strategic Management Plan devised by a business school.
Simplifying Assumptions
In this article, we make a number of assumptions in relation to Risk Management (see Figure 1). We believe that these assumptions will simplify the Risk Management Process and make it more effective in mitigating the identified future risk events.
Figure 1. Risk Management Assumptions
First, we believe that Risk Management is not a “bulletproof shield” for protecting a business school against all possible risks. It is rather a tool or a method that, if used effectively, can reduce the negative impact of risk on the organization. Risk Management can also be misused and turn into a vain exercise. This usually happens when the Risk Management process is (a) based on flawed analysis that does not properly identify and analyze important risks, (b) too complex and, thus, impractical, or (c) not backed by adequate resources required for risk mitigation.
Second, we also believe that Risk Management is subjective. Risk Management is much closer to art than to science; it is based on subjective reasoning and viewpoints, requires imagination for proper risk identification, and is heavily impacted by the “unknowns.” Because of that, we are strongly against a naïve, overly quantitative approach to Risk Management. We do support a formal, structured approach to risk analysis that makes use of appropriate quantitative and qualitative factors.
Third, we believe that simplicity is the most effective response to the inherent complexity and serendipity of the environment that many business schools are operating in. We believe that overly complex, highly structured plans are inherently “fragile” in the face of the uncertain, highly complex, and turbulent environment that many business schools are increasingly finding themselves in. Simple, agile plans and structures are more robust and effective during times of turbulence and uncertainty.
Risk Management Process
Risk Management can be defined as a continuous process comprised of the following steps or phases: analysis of strategic priorities and relevant internal and external factors, identification and definition of risk-bearing events, analysis of risks based on the likelihood and severity of their impact, mitigation of risks by devising response strategies and actions and assigning people responsible for these actions, and monitoring of risks and periodic reporting in relation to these risks to key stakeholders (see Figure 2). Each of these steps is discussed in more detail in the sections below.
Analyzing Strategic Priorities and Relevant Internal and External Factors
Risk Management starts with the analysis of the current strategic priorities. As explained in Standard 1 of the 2020 Business Accreditation Standards published by AACSB, risk management is a part of a broader strategic management process and should be carried out in a way that supports a business school in attaining its strategic goals and objectives. Many of the internal and external risks can be identified by analyzing an organization’s internal strengths and weaknesses together with external opportunities and threats (the so-called SWOT analysis).
Identifying and Defining Risks
After this analysis, the organization should be able to identify and clearly describe important risk-bearing events it is facing in relation to its internal and external environments. Examples of external risks include:
- Growing competition for students among existing educational institutions
- Drops in enrollment due to demographic changes
- Deficit of resources due to worsening economic conditions
Examples of internal risks include:
- Decreases in funding due to budgeting changes at the university level
- Inadequate staffing
- Turnover in leadership
A table with clear descriptions of identified risks should be the main deliverable of the risk identification and definition phase.
Analyzing Risks Based on Likelihood and Impact
While all kinds of risks can and should be identified as a part of the Risk Management process, not all risks have the same estimated likelihood and potential impact. Thus, each risk should be carefully analyzed to determine (1) the likelihood of an event occurring and (2) the severity of its impact (see Figure 3).
This categorization of risks allows one to prioritize attention and resources in relation to possible future events. Events that are very likely to occur and which can possibly have a great impact on an organization should be treated as critical events. These events require special attention and resources to prevent their negative impact on the organization. Possible future events with moderate likelihood and moderate-to-high impact should be treated as important risk events. While being treated with adequate attention and resources, as a rule, these events should require less attention and resources than critical events with high likelihood and high impact. Low likelihood events with moderate-to-high impact should require a moderate level of attention and resources. Events with moderate-to-high likelihood and low impact should be acknowledged and dealt with, but with a minimum level of resources. Finally, events with low likelihood and low impact should be discussed but probably excluded from a formal risk management plan to keep it simple.
Mitigating Risks by Devising Mitigation Actions and Assigning Responsibilities
After analyzing each possible risk event in terms of its likelihood and impact on the organization, possible actions for mitigating these risks should be devised. It is important to assign to each risk event a “risk owner”—a person responsible for taking a lead on these risk mitigation actions. More thought and extra planning should be put into critical and important events. Important organizational leaders should not be “overextended”; they should be assigned as “leads” only to critical and important risk events.
Monitoring Risks and Establishing Periodic Reporting to Key Stakeholders
People in charge of the specific risks should be given the formal task of monitoring the internal and external environment of a business school. They should proactively carry out mitigation actions designed to protect the organization from the possible negative impact of an event, or carry out emergency actions designed to minimize the impact of an event that has already occurred. Without a person responsible for monitoring and mitigating a potential risk event, the organization may find itself in a situation where the event is not identified or dealt with in a timely fashion. Periodic updates by people assigned to risk events should be sent to the dean. The dean can compile all of these reports in a formal Risk Management Plan update that is sent to all the key stakeholders quarterly, biannually, or annually, depending on the complexity and uncertainty of the environment that the school is operating in.
Risk Management Plan
The most important deliverable of the Risk Management process is in the form of a formal risk management plan that is updated periodically, depending on the Strategic Planning cycle length of a business school. The main elements of an effective Risk Management Plan are summarized in Table 1 below.
Strategic Goal 1 – Emphasize Faculty & Staff Development
Risk Description | Importance | Risk Owner | Mitigation Actions | Reporting Timeline | Status Updates |
Inferior instructional quality in online courses | Critical | Dept. Chairs, Faculty | Comprehensive faculty training, audit of online classes | On-going | All online courses have been reviewed using a standard quality rubric |
Failure to attract and retain qualified faculty | Important | Dean, Dept. Chairs | Faculty development opportunities, faculty satisfaction survey | Annual | A formal business faculty development program was established in collaboration with the Faculty Development Center |
Failure to maintain appropriate portfolio of qualified faculty | Important | Dept. Chairs, Assoc. Dean | Develop and maintain a faculty resource plan | Annual | A faculty resource plan has been designed in accordance with AACSB definitions |
Failure to maintain AACSB accreditation | Moderate | Dean, Assoc. Dean | Ensure adherence to AACSB standards, focus on continuous improvement | On-going | Faculty sufficiency issue has been communicated to the university’s senior leaders |
Note that the plan contains all the outcomes or deliverables of the steps or phases of the Risk Management Process discussed above. Periodic status updates reported by the people in charge of the risk events are appended to each of the identified risks. Another important characteristic of this Risk Management Plan summary is that it is explicitly linked to Strategic Goal 1 found in the Strategic Plan of the business school.