Sign In

Communications of the ACM


Three Risks Facing Higher Education

View as: Print Mobile App Share:

With the spread of the COVID-19 pandemic, the higher education sector found itself facing significant risks that, prior to the pandemic, had been identified as risks with a serious potential impact but a low likelihood of occurrence. For example, in the first phase of the COVID-19 crisis, quick decisions were made regarding the transition to hybrid and online learning and teaching, exposing higher education institutions to major cyber threats and to the financial consequences of partial or complete shutdown of campuses. Furthermore, the potential damage to the reputation of higher education institutions was also high and largely depended on their ability to provide a proper response to the rising levels of stress and anxiety related to job reduction and cost of education. All these factors caused a decline in public sentiment toward higher education and to questions relating to the value of higher education. It became clear that the range of risks warranting attention is wide (Delloite, 2021).

In this blog post, we analyze three such risks facing higher education institutions. Basing our analysis on a risk management process that we previously adjusted for STEM (science, technology, engineering, and mathematics) education systems (Even-Zahav & Hazzan, 2017), we show how the manageability levels of risks have changed, and conclude by proposing that higher education institutions should change their attitude towards risk management.

Risk Management

A risk is an internal or external event that has the potential to affect the implementation of the organizational strategy and the achievement of the objectives it sets for the future. The risk realization (that is, the occurrence of an event that is a manifestation of the risk) may deflect the organization from achieving its desired orientation, either positively by enabling the organization to exhaust an opportunity, or negatively, by posing a threat to the achievement of the desired results. For example, the shutdown of all higher education institutions due to the COVID-19 pandemic and the overnight transition to distance learning may be conceived both as an opportunity and as a threat. Specifically, on the one hand, it opened up an opportunity to adopt distance learning as a routine practice and to realize a goal that was set years earlier by higher education institutions, and on the other hand, cyberattacks that followed this transition and the need to adopt additional private security tools posed a threat for those same higher education institutions.

Mikes and Kaplan (2014) classified risks into three levels according to the difficulties involved in their elimination:

  • Level 1 includes operational risks related to internal organizational issues and processes that are often created by mistake or accidentally. These risks are preventable, and therefore are perceived as easy to eliminate.
  • Level 2 includes strategic risks, which are associated with the achievement of the organization's goals, as their mere existence may produce profit or deficit for the organization.
  • Level 3 includes external risks, which are caused by unpredictable events over which the organization has no control and so the organization must accept their existence. In general, external risks are characterized by high uncertainty and are treated as risks that are difficult to eliminate. Although these risks are excluded from the control of the organization, the organization should be prepared for their appearance.

The COVID-19 pandemic is an excellent example of an external risk: it was an unpredictable event and completely uncontrolled by higher education organizations, that academic institutions had made no preparations for its appearance. At the same time, it significantly disrupted academic life worldwide.

Risk management process in higher education pre- and post-pandemic

Prior to the pandemic, higher education institutions mainly addressed operational risks. The focus was placed largely on the development and operation of new study programs in accordance with future forecasts and the institutions' respective goals. The pandemic exposed and highlighted the need to deal also with strategic and external risks that role holders in higher education institutions (both academic and administrative) were not sufficiently attentive to on a daily basis prior to the pandemic and, accordingly, the higher education organizations had made no preparations for them.

We review three risks, as managed by higher education institutions, that were classified prior to COVID-19 as either strategic or external risks and which turned out to be operational risks after being managed, during the pandemic, on a daily basis as part of the institutions' routine management activities. As operational risks, they are now considered to be more favorable for mitigation (see Table 1).

Table 1: Changes in risks' level from prior to the pandemic (dashed) to after the pandemic

(green indicates an opportunity; red indicates a threat

Risk 1 - Online & hybrid learning: The realization of this risk is positive as it opens up new opportunities for higher education institutions. While prior to the pandemic, the increased prevalence of distance learning was considered a strategic risk (Level 2), this risk turned into an operational risk in the post-COVID-19 era, as higher education institutions gained a lot of experience and practice handling it.

Specifically, prior to the spread of the pandemic, higher education institutions treated distance learning as a strategic risk, referring to the achievement of organizational goals such as the opportunity to expand their influence beyond their local area. Accordingly, higher education institutions developed MOOCs and allocated resources to the development of online learning. However, when COVID-19 appeared, most academic intuitions were not prepared for an immediate transition to distance learning of the entire campus and faced tough challenges in online delivery. Today, in the post-COVID-19 era, it is reasonable to assume that online and hybrid learning spaces will be part of the norm of any campus life.

Furthermore, the realization of this risk will likely foster additional trends that will shape the future of higher education. These trends include replacing lectures with active learning (Mor, Gil, Dimitriadis, and Köppe, 2022), teaching skills that remain relevant in a world that keeps changing, and formative assessment instead of high-stake exams (El-Azar, 2022). The increase in the prevalence of distance learning in higher education in the post-COVID-19 era will also affect the physical-structural aspects of higher education institutions (in terms of required buildings, etc.) (Guàrdia, Clougher, Anderson, & Maina, 2021).

Risk 2 - Pandemics, diseases, and viruses. The realization of this risk is clearly negative. While prior to the pandemic it was considered an external risk (Level 3), in the post-COVID-19 era this risk turned into an operational risk (Level 1). As an operational risk, it leads to recommended strategies for campus safety, which include the ability to manage processes like mandating vaccines and upgrading and investing in sophisticated air filtration systems (Delloite, 2021). Today, as it is widely acknowledged that new viruses are to be part of the new routine and most probably will continue to develop, each institution should create a health unit that will function similarly to other operational units of the university, and will handle and manage all instructions related to future diseases as part of the university's routine (de Wit & Altbach, 2021).

Risk 3 - Cyber security and privacy. The realization of this risk is clearly negative as well. While prior to the pandemic it was classified as an external risk (Level 3), in the post-COVID-19 era, it became an operational risk (Level 1). This change is a result of hybrid learning, which requires on-going attention to privacy, safety, and identity in hybrid spaces (Mor, Gil, Dimitriadis, Köppe, 2022).

Specifically, higher education institutions hold and store substantial amounts of personal identifiable information (such as payment information and medical records) that is considered a target for hackers. Although prior to the outbreak of COVID-19, cyberattacks were perceived as an external risk, during the pandemic, as private information became more distributed and cloud-based, higher education institution administrators faced new challenges and had to change their thinking about cybersecurity (Delloite, 2021). This risk turned into an operational risk, which universities mitigate by increasing students' awareness to phishing attacks, as well as by fostering response capabilities and resilience towards cyber threats.


In this post, we present the realization of three risks that higher education faced during the pandemic, and their transition between the levels of mitigation difficulty. It is now clear that new risks will continue to emerge, often with little warning, threatening the success of higher education institutions.

Since the realization of strategic and external risks during the pandemic found university administrators unprepared, higher education institutions need to rethink the way they manage risks in order to thrive. Specifically, they must move from a reactive and risk-averse risk management culture, which focuses mainly on operational risks, towards a proactive, adaptive, agile, diverse, and innovative risk management culture that considers also strategic and external risks.


De Wit, H., and Altbach, P. G. (2021). Internationalization in higher education: global trends and recommendations for its future. Policy Reviews in Higher Education5(1), 28-46.

Deloitte. (2021). Significant risks facing higher education Volume 2: The COVID-19 "New Reality" and the call for an enterprise approach to risk management. PowerPoint Presentation (

El-Azar, D. (2022). 4 trends that will shape the future of higher education, World Economic Forum, 4 trends that will shape the future of higher education | World Economic Forum (

Even-Zahav, A. and Hazzan, O. (2017). Risk Management of Education Systems: The Case of STEM Education in Israel. SpringerBriefs in Education. 109 pages. DOI: 10.1007/978-3-319-51984-5. Link to full text.

Guàrdia, L., Clougher, D., Anderson, T., and Maina, M. (2021). IDEAS for transforming higher education: an overview of ongoing trends and challenges. International Review of Research in Open and Distributed Learning22(2), 166-184.

Mikes, A., and Kaplan, R. S. (2014). Towards a contingency theory of enterprise risk management. Harvard Business School.

Mor, Y., Gil, E., Dimitriadis, Y., and Köppe, C. (2022). Forward Looking: Predictions for the Future of Hybrid Learning Spaces. In: Gil, E., Mor, Y., Dimitriadis, Y., Köppe, C. (eds) Hybrid Learning Spaces. Understanding Teaching-Learning Practice. Springer, Cham.


Anat Even-Zahav holds a Ph.D. in science education. She is a lecturer at the AL-Qasemi Academic College of Education, Israel, where her research focuses on STEM education policy and management. Orit Hazzan is a professor at the Technion's Department of Education in Science and Technology. Her research focuses on computer science, software engineering, and data science education. For additional details, see


No entries found