Forbes: Risk management: the often underappreciated work that drives mission

Posted on by nmunson
Forbes: Risk management: the often underappreciated work that drives mission

Image courtesy of Getty.

Irma Becerra is president of Marymount University, a comprehensive doctoral-granting university known for its innovative curriculum.

When people hear “risk management,” they often picture insurance policies, legal memos or a compliance office saying “no.” As the president of a university that is a Hispanic-Serving Institution, I see it differently. Risk management is the discipline of protecting what matters most—our students’ opportunity, our employees’ ability to do great work and our institution’s capacity to keep its promises to the community.

Risk is often framed as probability multiplied by impact. But in reality, estimating probability is rarely precise. Bias, incomplete data and overconfidence can distort our judgment. That is why disciplined systems matter more than intuition.

In plain terms, risk management is a consistent method of identifying what could go wrong, understanding how severe it would be and putting practical controls in place so risks remain within an acceptable range. The goal is not to eliminate risk, which is often impossible. It is to intentionally assume risk when appropriate while avoiding preventable harm.

Why It Matters

Universities, like many businesses, are open by design. That openness to ideas, people and the community is a strength. But it also expands the surface area for risk.

For institutions like ours, the stakes are immediate. Many of our students are first-generation, working, parenting or supporting family members. A cyber outage, burst pipe or delayed financial aid disbursement may be an inconvenience elsewhere—but for our students, it could disrupt their academic trajectory and lead to dropouts.

Done well, risk management is equity work because it makes outcomes less dependent on luck.

What Good Risk Management Looks Like

Effective risk management is not a binder on a shelf. It shows up in practice through budgeting, hiring, IT, facilities, academics and communications. In my experience, five elements matter most:

  1. Determining Your Nonnegotiables

Name the outcomes you will not accept. For us, that includes serious safety incidents, exposure of sensitive data or a liquidity crisis that interrupts instruction. Clear red lines make decisions faster and less political.

  1. Prioritizing With Discipline

Not all risks deserve equal attention. A practical risk register scored by impact and likelihood helps leadership focus on what truly threatens mission and stability.

  1. Building Proportional, Owned Controls

Controls may be preventive (training, maintenance), detective (monitoring, audits) or corrective (incident response, backups). In my experience, the best controls have a clear owner, a defined cadence and measurable indicators.

  1. Preparing For Inevitability

Business continuity and crisis communications are easy to neglect—until the first real incident. Tabletop exercises, clear decision rights and “day one” playbooks can reduce chaos and reputational damage.

  1. Rewarding Early Reporting

Many failures begin as small issues that people hesitate to recognize. Leaders must promote a culture that rewards early reporting, learns from near misses and treats transparency as professionalism instead of blame.

It’s important to remember that risk management is a bigger concept than insurance. Insurance can absorb financial shocks, but it cannot restore lost business, rebuild trust after a data breach or undo harm to those you serve. I’ve found the strongest programs reduce the likelihood and impact of incidents in the first place and accelerate recovery when something does occur.

How Leaders Can Set The Tone

Risk management is ultimately a leadership discipline, and as such, it cannot be fully delegated. Leaders determine whether it becomes just a checkbox or an operating system for their organization.

Three actions matter:

  1. Put risk on the regular agenda. We review top risks alongside core business metrics such as enrollment, retention and financial performance.
  2. Fund the fundamentals. Cyber hygiene, preventive maintenance, staff training, separation of duties and adequate reserves rarely make headlines, but they prevent crises.
  3. Make tradeoffs explicit. Every new initiative—a program, vendor, partnership or delivery model—carries risk. What risks are you accepting? What mitigations are you funding? What early indicators will tell you if you are off track?

A Practical Starting Point

Even with limited staff, organizations can build momentum:

  1. Identify your top mission-threatening risks from operational, financial, personnel and reputational perspectives.
  2. Assign owners and establish regular reviews.
  3. Define early warning indicators, such as phishing click rates, deferred maintenance backlogs, days of cash on hand or time-to-fill for critical roles.
  4. Conduct at least two tabletop exercises per year (i.e., ransomware, extreme weather, financial system failure, etc.).
  5. After incidents, close the loop. What happened? What changed? How did you verify the change held?

Risk Management As Mission Protection

A university exists to expand human potential, and that mission depends on trust. Risk management is the quiet, often underappreciated work that protects that trust. In uncertain times, it ensures our students, institutions and communities can keep moving forward with confidence.

For any organization, disciplined risk management is what allows mission, strategy and growth to endure when disruption inevitably occurs.

Marymount University