This guest blog has been written for us by Professor Roger King, who is the former Vice-Chancellor at the University of Lincoln and currently a Visiting Professor at the School of Management at the University of Bath.
The arrival of the Office for Students (OfS) as a data-driven, risk-based, predominantly market regulator places the emphasis on institutions to devise robust internal systems of control that enable ‘co-regulation’ to be effective. To a great extent, the OfS will operate as a ‘meta-regulator’, monitoring the internal regulatory systems of institutions and assessing whether these produce effective governance or not. It will be the regulation of regulation. But what are the implications for institutional leaders?
- As a risk-based, consumer-championing, market regulator, the OfS regards processes of risk mitigation holistically; that is, risks to standards, for example, will be assessed within wider financial, reputational, recruitment and other contexts. As the primary custodians of risk governance, no domain, such as academic affairs or quality risks, will be exempt from scrutiny. This has implications for the role of governors, for the academic community, and for institutions’ executives, as previously many governors felt such concerns lay outside their purview or expertise. ‘Risk management’ (not least of reputation) will be a key governing driver and no longer adequately fulfilled by audit committees of governors.
- Although risk regulation is a relatively new phenomenon in English higher education, it has a much longer history in other sectors, such as financial services. Yet even here, governors’ regulatory expertise can often be outrun by fast-changing sector developments. The global financial crisis that commenced in 2008 had a particular immediate cause – inadequacies by company directors in risk oversight. Many boards and senior executives did not understand the complexities and importance of new financial products and the aggregate exposure of their companies. Academic ‘products’ may also generate complex quality risks, especially when delivered abroad, and may escape competent self-governance.
- Although ‘risk committees’ of governors and senior institutional managers may begin to address governance lacunae formally, unlike audit committees, the expertise requirements and supports are less likely to be available. There is no risk equivalent of the internal audit function, while defined expertise, such as in accounting, backed up by internal and external auditors, is lacking.
- Institutional leaders, managers, and governors will require an effective modus operandi where governors are exercising wider accountability objectives and are not there predominantly as supports for executives. The non-executive governors are by definition outsiders and part-timers facing significant information asymmetries in relation to the executives, yet with increasing regulatory responsibility. A related tension is the balancing or tightrope task between supporting institutional managers as colleagues in the same enterprise and exercising distance or even independence in line with monitoring and scrutiny responsibilities.
- Data collection and analysis within institutions will assume greater importance (such as for the Teaching Excellence Framework [TEF] or OfS ‘leading indicators’) and will require greater scrutiny of the university or college by governors before their compliance ‘sign off’.
- A key governing concern will be a temptation within institutions to ‘sanitise’ or ‘parse’ information or data on risk as it passes up the institutional hierarchy – including more overt ‘playing the game’ on statistics to improve institutional performance in the TEF and in other rankings. Executives and governors will be expected by the OfS (and by fiduciary obligations) not to collude in such approaches.
- There will be increased need for key institutional players to understand what is meant by ‘risk’. Representations of risk (risk maps, registers, checklists, and so on) have both performativity and auditability purposes. There may be dangers that data collection seeks to provide audit trails rather than focus on mitigating risk, including in line with the perceptions of risk by those employees actually ‘on the front-line’.
- Governors and executives will need to be aware of the ‘reactive’ consequences of the TEF and other rankings, based on actors seeking to conform to the assumptions on ‘excellence’ in such schemes, and ask whether these are in line with the institution’s agreed strategic purpose. The key question to ask is: how far do institutional leaders wish to have strategic objectives derived from the need for regulatory compliance?
- There still needs to be regular personal communications with regulators rather than simply letting data ‘speak for themselves’. Again, how will this be accomplished?
- In moving towards learning and teaching data collection and analytics (digital classroom), senior leaders need to ensure that data is commensurate with the pedagogic aims of teachers.
- The increased role of data for regulatory and risk purposes will necessitate a clear institutionalization of ‘data governance’ – who collects the data, for what purposes, with what authorization, and how is data redundancy to be avoided?
Really interesting and pertinent commentary. As a former Director of Learning at the ACCA I am very familiar with complying with financial and educational regulation globally. The key split between exec and non-exec is really important in this regulatory environment and as we become more and more data driven we need to ensure we maximise the use of data to improve the student experience rather than see the metrics as an end in themselves.
As a risk management practitioner and academic, who has also worked in financial regulation, I fully agree with what you are saying here. You might also be interested in the following report:
The report is published by the ACCA, and uses research conducted by myself and colleagues from other UK universities. Boards are not always risk ready, though there is some excellent practice out there which can be learned from. Data is certainly important, but it has to be forward looking and inform both risk control activities and the exploitation of opportunities. Also key is the risk intelligence of the board, which requires a diverse range of skills, education, experience and knowledge.