Built Environment & Infrastructure Risk Management
-
SearchLogin
Leaders at higher education institutions face the daunting challenge of protecting their colleges and universities amid an increasingly complex "polycrisis" risk environment. An wide array of dynamic risks come to mind, such as sophisticated cyber threats targeting the sector, nation-state espionage, on-campus active shooter events, changing security risks to students and faculty traveling abroad and climate-driven natural disasters.
Even if post-secondary organizations take reasonable steps to minimize the chances of a crisis occurring, it is unrealistic to think that all crises can be avoided, particularly in this “‘polycrisis”’ world. With that in mind, colleges and universities must take concrete steps to enable effective crisis response and reduce the impact of future disruptive events. First and foremost, support from leadership is crucial. In addition, empowered governance and defined roles and responsibilities, effective teams with thoughtfully selected members, robust incident and crisis response planning, and informative training and exercising are equally critical. In addition, a truly integrated and therefore effective response is only feasible if based on a better alignment and shared understanding of previously complementary yet disparate capabilities around crisis management, business continuity, cyber, disaster recovery and emergency response.
One cannot overstate the value of crisis exercising. Leading-edge colleges and universities conduct exercises of increasing complexity using diverse scenarios and provide teams the opportunity to practice responding to crises in a “safe” environment. Post- secondary institutions seeking to ensure that their programs are forward-looking increasingly build their exercise scenarios around key emerging and complex risks, with the goal of “poking holes” in their readiness for such events. This has become increasingly popular as leaders look to be more proactive to avoid finding themselves on their backfoot as many did during recent large-scale crises (e.g., COVID). These exercises often pull in diverse teams from across the institutions and test the organization’s ability to respond both tactically and strategically. In addition, organizations are increasingly using technologies (e.g., tools for mass notification/accounting for personnel) in exercises and asking key response providers such as their legal counsels and crisis responders to participate. This helps intensify realism and identify gaps that illustrate a more realistic picture of how the organization will respond in an actual crisis.
Control Risks has been supporting organizations, including post-secondary institutions, in responding to and recovering from acute crises since 1975. In that time, we have seen some of the best responses to crises; we have also seen organizations make critical and impactful errors. Throughout our history, there remains some enduring orthodoxy. Organizations can emerge stronger regardless of the type of crisis, if they:
That said, colleges and universities are being pushed ever harder to evolve the way they approach crisis and incident response itself. Successful crisis management that focuses on impact reduction and rapid recovery in today’s polycrisis world includes looking outside the walls of one’s institution and recognizing the need for external assistance. This includes the use of external counsel, crisis PR firms and breach coaches, among others. We are also seeing a rise in organizations partnering with crisis response providers that have localized on-the-ground expertise and can provide in-the-moment support during any crisis, including in far-flung geographic areas where faculty or students might be.
So how do organizations truly embrace continuous improvement and reap its benefits for greater resilience? The good news is that if you are already embracing the first two principles discussed above (i.e., focusing on likelihood and impact reduction), you are halfway there. For instance, exercises are a fantastic way to continually improve response skills and readiness for whatever a university or college may face.
Organizations should not only improve capabilities before a crisis hits, but also continuously improve their capabilities to extend beyond the crisis response and into the recovery phase. Whether it be through a lessons-learned analysis or post-incident review, we recommend institutions formalize mechanisms that allow them to review their performance during a crisis and dig into how well prepared they were and how they responded.
In order to fully embrace continuous improvement, these reviews must result in action. Colleges and universities should not only share these results with leadership for both awareness and support, but also formally assign responsibility for resolving identified gaps as well as monitoring progress. Where possible, it is helpful to share these risks and issues across the organization as many of these discoveries point to campus-wide issues and could be connected to other risks already being addressed (e.g., enterprise risk management). Ongoing risk monitoring adds further rigor to such activities. If one of the goals in recovery is the avoidance of similar crises in the future, there are fewer more effective tools than proactive risk monitoring.
Control Risks has a long history of advising colleges and universities across a variety of disciplines. Examples include the following:
For more information on how Control Risks can help your organization, please Contact us.