Like all global sectors, higher education is facing significant challenges because of COVID-19. To properly assess and manage short- and long-term risks, risk professionals need to shift their priorities and work habits to deal with this “new normal.”
Every industry is experiencing profound change and ongoing challenges during the COVID-19 pandemic, but few have experienced quite as much business disruption as the higher education sector.
Starting in mid-March, colleges and universities around the world closed campuses, sent students home, and moved teaching online. Most don’t expect to resume normal life this spring semester. Some are already planning to continue with an online-only model next fall; others are expecting campuses to stay closed until 2021.
Consider the shockwaves a move like that brings: operational models changed overnight, risk profiles turned upside-down, oversight structures that are no longer effective. Sure, higher education has been moving toward distance learning for years—but COVID-19 has turned that leisurely stroll into a stampede.
That provides a fascinating look at how risk assurance teams need to consider new risks and remediation measures as their organizations weather the COVID-19 crisis. There are lessons here for us all.
Re-assessing the higher education risk landscape
Firstly, universities and colleges need to appreciate what the challenge actually is. The fundamental objectives of higher education remain the same: serving students, preserving academic integrity, complying with state and federal regulations, and achieving budgetary and financial goals.
What’s changed for most institutions is the operating model—from mostly in-class instruction to large-scale distance learning. So higher education’s risk assessment looks radically different. Some examples:
- Security. Students and staff now spend all their time communicating online. That increases risks around privacy (protecting personally identifiable information) and data security (transmitting confidential intellectual property around the internet). It also potentially puts academic IT infrastructure at greater risk of cybersecurity vulnerabilities and attacks as VPNs and off-campus systems access become the new norm. (Students have also recently been targeted by COVID-19 cybersecurity scams, with hackers sending fake emails from campus administration accounts.)
- Liquidity. Closed campuses save money in some ways (lower utility bills, no spending on sporting events) but cost money in others (losing international students and sporting/event revenue). Time-tested budget projections are now obsolete, but the need for fiscal responsibility is ever larger.
- Academic integrity. How do you assure an enrolled student is the actual person who completes assignments or takes online tests? Access controls—and even the nature of assignments and tests—are now much more critical considerations.
- Student life. Sexual harassment, bullying, and mental health were high priorities in the traditional campus setting, with regulatory compliance and litigation risks for institutions that failed to take them seriously. Those problems still exist in the online world, so higher education institutions and representative bodies now need to find new ways to address those issues.
“The reality is that by the time an organization implements new risk management strategies and procedures in response to COVID-19, your risk profile may well have changed again.”
COVID-19 means new strategic risks
Many colleges and universities could also face emerging strategic risks. For example, older institutions founded in the 19th or 20th centuries that have relied on traditional modes of on-campus teaching for generations might not be as adept at online delivery as newer competitors. Other parts of society are examining the shift to virtual learning resulting from COVID-19, and what the long-term effect of that might be on the higher education sector—questioning whether traditional on-campus classrooms and lectures are necessary, as evidenced in this recent article from Harvard Business Review.
Speaking of competitors: if students can now attend class from their own homes, does that mean universities can recruit more students from new regions? What if larger institutions try to scoop up more students, leaving other schools with too few? (This isn’t a hypothetical; UK regulators are considering caps on student enrollment precisely so a few large players won’t steal away students from other schools.)
How higher education audit teams can manage the “new normal”
Higher education encapsulates just about all the risk issues that COVID-19 can bring on an industry. So how do audit teams cope with so much turmoil? We can identify a few basic steps.
1. Risk assessment triage
We could spin out new or changed risks in higher education all day; so could any audit executive for their respective industry—which is exactly the point. COVID-19 has changed organizations’ risk profiles so much that risk professionals can barely keep up. Audit teams must prioritize which broad categories of risk will need reassessment first, and which ones can wait.
2. Remember your enemy & understand your allies
As your organization rolls out new policies, procedures, and controls, employees and other colleagues throughout the organization are going to grumble. Inevitably, some will feel like these new steps are intrusive and unnecessary because they would never trigger whatever risk you’re worried about.
Audit teams must always remember that the virus is the enemy. The business functions are your allies, and they can’t be alienated. To implement remediation plans and compensating controls successfully, audit teams will need deft interpersonal skills, clear communication and collaboration, and an appreciation for the objectives those allies are trying to achieve.
3. Monitor & repeat
The other reality is that by the time an organization implements new risk management strategies and procedures in response to COVID-19, your risk profile may well have changed again. For example, governments may have changed closure dates for local businesses, or approved emergency funding. The circumstances of COVID-19 risk will change constantly. So, it’s necessary to monitor the state of risks, analyze data, and reassess everything all over again, as required.
Use technology more effectively
Technology that empowers people to work remotely while working as a team is essential. So all the usual points about technology capabilities still apply:
- A single, trusted source of data. This is especially true given the vast number of employees who will be working apart from each other. The risks of version control issues or data incompleteness and inaccuracy are higher, so the need for a single, trusted source of data in one platform is greater also.
- Communication and collaboration tools. COVID-19 keeps people apart, across time zones and offices, without easy means to work together spontaneously. So functional, collaborative, easy-to-use communication tools are needed to recover those lost interpersonal experiences.
- Processes to monitor remediation work and flag steps that aren’t happening. Along similar lines, there is much more risk of tasks “falling through the cracks” when workforces are remote. The ability to track tasks—including automated notifications and workflow remediation functionality—is essential.
- Strong documentation and testing mechanisms. And with so many new risks, improvised procedures, and emergency controls—testing and documenting all those things will become paramount.
COVID-19 taxes our ability to work together because we literally must stay away from each other to avoid infection. At the same time, however, the virus also poses a blizzard of new risk challenges—either entirely new risks, or previously familiar risks that manifest in new ways. Higher education is one example of that, but every other sector is experiencing the same sorts of challenges.
Audit teams will need to push their talents and capabilities far in this new world, on everything from risk assessments, to remediation plans, to testing and documentation. Better use of technology is instrumental to that success. And so is collaboration, ingenuity, and lots of perseverance.
Operational resilience is an organization’s ability to keep providing services to customers, despite a sudden disruption. Find out:
- What boards and regulators want to know about operational resilience.
- Who should own operational resilience—and the roles risk assurance and management functions play.
- How to assess and test operational resilience.