Community college leaders and board members have several audit and risk management frameworks at their fingertips to help them focus, evaluate and manage their strategy and related risks, one being enterprise risk management (ERM). As previously stated, the risk of not being fiscally viable into the future is a key concern of senior leaders and board members. Therefore, these decision-makers are wise to consider how a regular, consistent approach to assessing all top risks, can allow them to oversee risks and make key mitigation and management-related decisions in a timely and strategically aligned manner.
In the ERM relationship, leadership’s primary responsibility is to establish and implement ERM at the institution, including identifying risks and risk owners, and to oversee risk areas and mitigation plans. The board serves to provide oversight, approve the ERM process and provide feedback to leadership on risk mitigation and its alignment to strategy.
An effective and successful ERM program can be implemented successfully at the community college level by following the steps below:
- Set the strategy and risk management tone: ERM aims to identify risks that could impede the success of an institution’s strategic objectives. When leadership and the board demonstrate their commitment to managing risks that could get in the way of achieving strategic outcomes, that tone flows down through the organization and encourages buy-in across the institution
- Identify risks: Once the strategic objectives of the organization have been established, leadership can begin to identify risks that may pose potential roadblocks or challenges. By aligning strategy with risk identification, risks can be readily tied back to support the institutional objective of realizing their goals
- Prioritize risks: The higher education risk universe is vast. The risk identification process can detect many more risks than an institution can thoughtfully manage. Therefore, the prioritization of risk focus is key
- Develop a risk response/mitigation plan: Once leadership has identified and prioritized their key risks, they need to evaluate whether risk response and/or mitigation plans are in place to prevent or respond to the risk, should and adverse event occur
- Monitor risks and plans and communicate: The last step in the initial ERM process includes monitoring risks and communicating back to leadership and the board on the status of mitigation plans, adverse events, KPIs and other trends that indicate impact to the institution. Many institutions regularly report on ERM to the audit and finance committees of the board of trustees
To address fiscal resiliency as a top strategic risk, the ERM framework can help ensure that there are risk management activities and ongoing assessment and discussion among all leaders about specific actions, threats and opportunities to manage that specific risk in place. In practice, this could look like regular discussions of fiscal or operational risks (e.g., enrollment decline, changes in net tuition, increases in variable expenses due to pandemic requirements, loss of academic program accreditation) and involve a review of dashboards with defined KPIs as indicators of the need for risk mitigation action or evidence of successful performance. It also might involve the board directing changes in budget allocation or debt management policies to better align fiscal management behaviors with accepted level of risk tolerance. Additionally, the framework should establish regular accountability points for both the board and leadership through regular reporting, periodic auditing and cross-function (management and board committee) discussion of enterprise-wide impacts. The benefit is not the ERM framework itself, but the strategic discussions and decisions that come. For example, a shift in recommended action relative to a capital project, third-party partnership or new academic program initiative may result based on the comprehensive, consistent and collaborative conversations driven by risk management frameworks.
Internal audit as a fiscal resiliency tool
The board and management can also leverage the internal audit (IA) function as a key fiscal resiliency tool and to manage risk, assessing the processes and controls in place to mitigate risks that could impede the success of strategy. IA, while designed to be an independent and objective function within the institution, can serve as a trusted ally and strategic advisory partner by supporting the risk monitoring effort of the ERM program.
IA can work with risk managers and owners to evaluate the effectiveness of risk mitigation plans around risks impacting community college fiscal resiliency, including declining enrollment, student retention and persistence, holistic student support and frameworks for course delivery. IA can assess the effectiveness of internal controls, identify gaps that could lead to control breakdowns, adverse events or the institution’s inability to effectively respond to risks and make recommendations to address identified gaps.
For example, internal audit may include the following audits or advisory reviews in its annual audit plan specific to fiscal resiliency. IA’s work in the following areas can help ensure that risk owners, leadership and the board are on the same page in driving successful change:
Fiscal and institutional performance audit
- Determine the presence of a consistent and effective method of reporting fiscal position to the board (e.g., reports, dashboard, etc.)
- Assess and confirm that KPIs align with key drivers of desired outcomes (e.g., if retention rates are a KPI, student support spending trends and initiative results [both quantitative and qualitative] should be part of the information audited)
- Perform testing procedures to verify accuracy of data governance, figures reported and sources of fiscal position information
- Evaluate the level of effort to prepare report or dashboard
Strategic budgeting/fiscal resiliency audit
- Assess whether the institution has an effective fiscal resiliency oversight framework
- Review the clarity of and adherence to financial planning/budgeting and resource allocation policies and procedures
- Assess budget development and monitoring practices for foundational components of strategic design and execution adherence
- Evaluate for effective, consistent and accurate method of reporting fiscal position and performance in comparison to budget to the board (e.g., reports, dashboard, etc.)
- Review and assess fiscal decision-making and budgetary approval frameworks and governance structure
- Perform testing procedures to verify the accuracy of data governance, figures reported and sources of fiscal position information
As an independent function, IA reports directly to the board of the institution, typically to a designated audit committee. Boards, in their capacity as strategic and fiduciary overseers, are responsible for ensuring that institutions have effective internal controls to manage institutional resources. IA and the board are well-positioned to work together to assess and oversee fiscal resiliency risk and hold management accountable for addressing identified gaps and implementing the processes and controls the institution needs to manage those risks.
Given the increasingly challenging higher education environment – and the significant complexities involved in operating a student-focused and fiscally viable institution – strategically aligned board and management leadership with proactive risk management is essential for community college resiliency. All board members should be asking if the institution has clarity and alignment regarding the risks faced, and more importantly, has the required governance framework (including a robust internal audit program) to regularly assess and address issues that could get in the way of student or institutional success.
For more information or to learn how Baker Tilly’s higher education specialists can help your institution manage risk and achieve fiscal resiliency, contact our team.