Amid shifting student expectations, political polarization, financial pressures, and rapid technological change, higher education institutions must adapt to survive.
In this environment, enterprise risk management (ERM) is no longer a compliance exercise — it is a strategic capability that determines whether an institution can remain resilient and mission aligned.
To help institutions navigate these challenges, Baker Tilly and NC State University’s ERM Initiative host the annual Navigating Risks in Higher Education Workshop for risk management leaders from colleges and universities across the nation. Join the conversation at this year’s workshop Oct. 15-26, 2026, in Raleigh, North Carolina.
The key takeaways from the 2025 workshop identify top risks and provide a compass for higher education to anticipate change, increase resilience, and create a sustainable road map for success.
Four risk management takeaways for higher education
1. Share institutional risk perspectives to identify and assess higher education’s most critical risks
Collaborating with the risk leaders from other colleges and universities can help your institution better understand risks and learn from the practices at other institutions.
At the workshop, participants used the Baker Tilly proprietary RiskSynergy™ tool to identify the top risks facing their institutions, then assessed each risk using impact, likelihood, and mitigation effectiveness. The results of the activity included a prioritized listing of the top five cross-institutional risks: talent management, political environment, student welfare, campus safety, and the enrollment cliff. Risk leaders participated in focused discussions on each critical risk, identifying root causes and impacts and sharing practices on current and potential risk mitigation strategies.
Risk management lessons learned
- Design a scalable, practical ERM framework that evolves as your efforts mature
- Don’t over-engineer ERM in the early stages
- Embed ERM in existing governance structures, where possible
- Use risk appetite statements to guide decision-making
- Communicate ERM wins to demonstrate value and sustain momentum
2. Develop a risk-aware culture by encouraging campus-wide support and participation
Strong ERM leadership alone can’t create a resilient organization; it takes campus-wide support and participation. A strong risk culture relies on collaboration, cross-campus relationships, and visible champions who reinforce risk-informed thinking.
It’s important to establish clear protocols to manage the flow of information, determine how and when communication will occur, and define who needs to know what.
ERM support and education start at employee onboarding and continue through ongoing training programs to build a risk-aware culture. This is supported by storytelling that helps embed ERM principles into everyday decision-making.
Establish your risk reporting tiers
- Develop a framework that defines ERM roles and responsibilities, including who’s responsible or accountable, who needs to be consulted, and who should be informed as it relates to ERM activities (i.e., a Responsible, Accountable, Consulted, and Informed (RACI) matrix).
- Identify and document interconnected risks.
- Determine how information will be funneled to appropriate stakeholders, both up and down the communication chains.
- Understand how to meet the stakeholders’ reporting needs and preferences with tools such as charts, heat maps, dashboards, annual risk write-ups, FAQ, and updates.
3. Prepare for emerging risks and black swan events
Not all risks can be anticipated. A black swan event can have a major impact. Preparation can strengthen your overall risk management program and turn your response to the unexpected into a competitive advantage.
Workshop participants explored potential events including loss of accreditation, shifts in athletics revenue, lack of clean drinking water, legislation of alternative education models, labor strikes, and natural disasters.
Questions for evaluating potential black swan events
- What are our emergency strategies? Are we confident in them? Do they allow flexibility?
- How do we communicate and build awareness of tools, plans, and protocols to support risk mitigation activities or emergency planning strategies?
- What scenarios could derail our strategies, tools, plans, and protocols?
- Have we recently identified and discussed emerging risks? Have we considered and communicated risk interdependencies?
- Can we do scenario planning or incorporate stress testing for black swan events, such as using multivariable scenarios to explore risk interdependencies, link scenarios to strategic objectives, and create contingency plans?
Three strategies to turn disruption into advantage
- Develop early warning indicators and horizon scanning for emerging risks.
- Establish a periodic emerging risk forum, such as holding a quarterly cross-functional discussion.
- Foster adaptive capacity to give yourself the ability to pivot quickly during disruptions.
4. Integrate enterprise risk management (ERM) with internal audit
While it’s important to involve stakeholders from across the campus, it’s also important to understand that risk management asks may come on top of time already required for compliance and internal audit tasks throughout the year.
To avoid this issue, start by aligning ERM reporting with existing internal audit and compliance cycles to reduce duplicate efforts and increase the likelihood of participation from the key stakeholders you need.
Set expectations appropriately by developing a shared calendar of risk-related activities, defining a unified risk taxonomy and language for all stakeholders, and formalizing ERM responsibilities.
Promote effective communication and integration between ERM, internal audit, and compliance by defining escalation protocols and embedding cross-functional coordination.
Define escalation protocols
- Assign clear ownership for each risk category and define decision rights for risk acceptance, mitigation, or escalation.
- Set predefined thresholds for key risk indicators and risk appetite breaches that automatically trigger escalation to senior leadership or the board.
- Develop structured escalation levels to ensure proportional response based on impact and likelihood.
- Maintain a formal escalation matrix and communicate it across the organization to ensure consistency and speed during risk events.
Embed cross-functional coordination
Align escalation protocols with internal audit and compliance frameworks to ensure risk events trigger timely assurance activities and regulatory checks. This integration strengthens the interconnected nature of ERM by enabling coordinated responses, consistent reporting, and reinforcing governance across all three lines of defense.
Next steps to mature your ERM program
Enhance ERM maturity by using real-time dashboards, establishing dynamic feedback mechanisms to capture risk changes, and leveraging the predictive capabilities of automation and AI-driven analytics.
Accelerate adoption of advanced risk governance frameworks by drawing from corporate ERM practices and leveraging board members’ expertise in areas such as risk appetite, risk governance, and cybersecurity resilience.
Design a scalable, practical ERM framework that can evolve and mature along with your stakeholders, but right-size it for your current institutional maturity.
Design your ERM framework
- Assess your ERM programs' current maturity levels and consider defining your desired state.
- Begin aligning risks to strategic goals. This doesn’t need to be a formal process, but it will help establish connections to strategy and performance.
- Formalize the integration of ERM into budgeting and strategic planning processes.
- Use risk insights to prioritize resource allocation and inform decision-making.
- Develop risk-adjusted KPIs to measure strategic success.
We’re here to help
For more information, or help assessing risks and developing your ERM program, contact your Baker Tilly advisor.
Navigating Risks in Higher Education Workshop
The tenth annual ERM in Higher Education Workshop brought together risk management leaders from colleges and universities across the nation. Each year, the workshop features real-time illustrations of university ERM implementations along with discussion sessions about risk management challenges and successful best practices. Co-convened by Baker Tilly and NC State University, the workshop offers an intimate and interactive environment that promotes interactions between attendees and speakers and allows a greater sharing of experiences with colleagues.
ERM Initiative at NC State
The ERM Initiative in the Poole College of Management at NC State provides thought leadership about ERM practices and their integration with strategy and corporate governance through its executive workshops and educational training sessions, research and thought papers.



