Significant risks facing higher education in 2026: A more data-informed approach to risk management

Maturing risk assessment methods

Many higher education ERM programs rely on familiar “basic” risk assessment methods.¹ While these types of assessment methods prove useful in the early stages of ERM program maturity, as the program advances and evolves, there is value in exploring more advanced methods (figure 1).

Statistical methods for advancing risk assessment maturity

For institutions seeking a more nuanced approach to risk assessment, quantitative approaches can be incorporated into existing ERM programs (figure 2). These methods can build on existing data-gathering practices or be combined to amplify their effect. All three can be created and deployed in a spreadsheet, reducing implementation costs. More mature programs may invest in governance, risk, and compliance tools to automate ERM processes.

1. Loss curves: Loss curves (also known as loss distributions) depict the relationship between the probability of an event and the magnitude of potential financial losses. They help visualize how often losses of varying sizes might occur, supporting more informed decisions about risk tolerance and mitigation strategies.
2. Monte Carlo simulations: Monte Carlo simulations use random sampling and statistical modeling to estimate the probability of different outcomes in complex systems. By running multiple scenarios, they help quantify the likelihood and impact of uncertain events.
3. Bayesian statistics: Bayesian statistics is a framework for updating the probability of a hypothesis as new information becomes available. This approach can improve the accuracy of risk assessments through more refined probability and impact estimates.

Significant risks and risk drivers facing higher education institutions

This section highlights significant risks—and drivers of those risks—facing US colleges and universities over the next one to three years. It is not an exhaustive list of every possible risk and risk driver; rather, it focuses on those that institutions should consider or address with time, attention, and resources.

Part 1. Significant risks to higher education institutions

Federal policy and regulatory change

Recent federal regulatory changes present higher education institutions with heightened uncertainty. Over the last 18 months, US government agencies have enacted and proposed significant policy shifts affecting student enrollments and funding models for both students and institutions.

Decline in visa acceptances

International applicants to higher education institutions are experiencing changing visa regulations, including increased fees, heightened vetting, and changes to status requirements. These changes may lead to fewer enrollments. In fall 2025, the number of new international students dropped by 17% from the prior year.²

New legislation is increasing financial pressure on institutions

The One Big Beautiful Bill Act (H.R. 1), signed into law in July 2025, introduces changes to higher education funding and regulatory frameworks.³ The legislation caps federal graduate student loans at US$20,500 annually (US$100,000 lifetime for most borrowers) and US$50,000 annually (US$200,000 lifetime) for professional degrees, and modifies Pell Grant eligibility while expanding it to job-training programs. These changes could drive greater reliance on private loans or alternative funding sources.

The Act also increases taxation on endowments—up to 8% for institutions with US$2 million or more in assets per student, and 4% for those with US$750,000 to US$2 million per student.⁴ While this increase will not affect many institutions, those impacted may face challenging decisions as they navigate additional financial pressures.

Understanding the impacts of the increased tax burden will be important, as these endowments fund scholarships, support operations, and help institutions respond to financial shocks. Some institutions have responded by pausing hiring, reducing salary increases, and delaying capital projects.

Uncertainty in federal grants

Reductions and uncertainty in federal grants pose risks to research funding.

Grant cancellations or delays can strain the institutional research model and may lead institutions to scale back labs, defer equipment and facility investments, reduce staffing, and take on fewer multiyear research commitments.⁵ Reports estimate that about US$2.3 billion in unspent federal funds across nearly 2,500 medical research grants have been frozen or terminated, and that more than 1,300 science research grants—representing about US$700 million in unspent federal funding—have been cut.⁶

Taken together, sponsored research and student financial aid have historically been primary sources of revenue for institutions. As those traditional sources of funding are reduced or eliminated, institutions will need to seek alternative sources that may come with a different risk profile.

Targeted cybersecurity attacks or breaches

Colleges and universities are often targets of cybersecurity attacks due to the breadth of their operations. Institutional activities often extend beyond education into other sectors, creating a vast pool of data that may be used for malicious activity.⁷

The data that institutions collect, including personally identifiable information, intellectual property, and payment information, is often sensitive and, if exposed, can harm the institution, its students, faculty, and business relationships. At the same time, institutional cybersecurity measures may lag in creating a secure environment, which attackers may exploit or untrained users may expose.

Missed targets for enrollment, retention, and net tuition revenue

Missed targets for enrollment, retention, and net tuition revenue are becoming a compounding enterprise risk. Even modest shortfalls can lead to margin compression as pricing power weakens and aid requirements rise.

While overall enrollment has rebounded, growth has been concentrated in community colleges, vocational programs, and certificate programs. Institutions reliant on traditional residential undergraduate models may still face declining headcount and revenue targets.⁸ Institutions that miss retention targets face stop-outs that erode net tuition revenue, rising recruiting costs, and potentially unfavorable cohort mix shifts.

At the same time, private nonprofit institutions are experiencing record tuition discounting amid declining net tuition revenue, increasing the likelihood that growth-based budget assumptions will not materialize.⁹ At public institutions, inflation-adjusted net tuition and fee revenue per full-time equivalent student fell by 3.7% in 2024 and 8.1% over five years, underscoring that enrollment gains do not always translate into net tuition revenue growth.¹⁰

Institutions that do not recalibrate enrollment strategy, discounting discipline, and retention interventions may face increased budget volatility.

Campus safety events or protests

Campus protests and safety-related incidents increased in 2024 and 2025 compared with previous years. These protests can create operational disruption, strain relationships with students, faculty, and the local community, leading to reputational risk.

Institutions must be prepared to respond faster and communicate more effectively with those involved and the surrounding community. Real-time amplification across traditional and social media can further compress response windows and expand reputational exposure, particularly when localized incidents are framed as institutional positions or as acceptable activities.

Even when demonstrations appear to be largely peaceful, prolonged encampments, counterprotests, and off-campus spillovers can have the potential to heighten safety and property risks, disrupt academic operations, and challenge institutional response efforts.

Presidential and other executive leadership turnover

Institutional presidential and executive leadership turnover poses a risk to continuity and timely strategy execution. Sector indicators suggest this risk is structural: The American Council on Education found that 55% of presidents expect to step down within five years, while average presidential tenure declined to 5.9 years in 2022 (down from 6.5 years in 2016 and 8.5 years in 2006), implying sustained churn.¹¹

A Willis Towers Watson survey of large private R1 (research-intensive) institutions similarly reported elevated turnover, with presidential turnover affecting approximately 25% of universities between 2023 and 2024 and remaining high at about 20% in 2025, alongside a rise in interim presidencies.¹² This turnover often has a cascading effect. A president’s departure can trigger additional exits among other executive leaders.

Turnover is often driven by financial pressures, declining public confidence, campus unrest, increased political scrutiny, and the demanding 24/7 nature of the role. Leadership volatility can disrupt execution, weaken stakeholder confidence, and make it harder to sustain long-term transformation.

Part 2. Significant risk drivers in higher education institutions

Understanding risk drivers enables institutions to identify factors contributing to risk exposure, better understand the interrelatedness of risks, and strategically allocate resources to manage them.

Similar to Part 1, this section is not intended to be a comprehensive list of all risk drivers; rather, it highlights a selection of key risk drivers likely to emerge over the next one to three years.

AI and the redefinition of the college degree and perceived value or return on investment

Advances in artificial intelligence, especially generative AI, are reshaping academic programs, career outcomes, and institutional trust, as employers redesign work and students adopt new tools at scale.

Entry-level job postings have declined since early 2024, and early-career employment in highly AI-exposed fields has fallen relative to less-exposed work, as employers signal broader skill disruption and workforce redesign as automation expands.¹³

As a result, institutions face pressure to modernize offerings to include AI literacy, applied data and automation skills, and work-integrated learning tied to emerging roles. At the same time, they should address parallel risks around academic integrity, responsible use, integration into institutional operations, and compliance expectations.

Deferred maintenance through underinvestment and increased backlog

Years of underinvestment in renewal and replacement are leaving many higher education institutions with growing deferred maintenance backlogs, increasing safety, reliability, and business continuity risks. As a sector, higher education faces a maintenance backlog of nearly US$5 trillion.¹⁴ Campus space has also outpaced enrollment, with classrooms used only about 60% of the time.¹⁵

Against this backdrop, “facilities stewardship” is emerging as a needed financial and operational discipline—treating the physical campus as a strategic asset and aligning capital renewal, space utilization, and life cycle costs with priorities like student achievement, enrollment management, and long-range financial planning.¹⁶

Without this shift from reactive fixes to outcomes-driven portfolio management, institutions risk maintaining too much space with insufficient capital. This may compound backlog growth, increase unplanned outages, and force more disruptive, higher-cost interventions later.¹⁷

Technical debt

The pressure to move quickly can lead institutions to adopt short-term technology solutions that can accumulate over time as technical debt—the future costs associated with shortcuts or suboptimal decisions made during software development.¹⁸

This debt can be more costly than implementing a solution properly the first time. It often arises from a lack of knowledge of industry-leading practices, insufficient security standards or protocols, outdated information technology infrastructure, or changes in business alignment.

Professionalization of college sports

As college athletics shifts toward a more business-driven model—marking the end of traditional amateurism—institutions must grapple with increased financial exposure, governance complexity, compliance burdens, and reputational risks. Specifically, institutions are navigating:

• Revenue-sharing and direct athlete compensation, prompting difficult decisions about reallocating funding sources and managing new budgeting and reporting expectations¹⁹
• The adoption of more commercial sports operating models, including expanded sponsorship and media-rights strategies, new revenue-focused roles, and potential private capital involvement, which can introduce new stakeholders and longer-term constraints²⁰
• Student athlete mobility that increasingly resembles professional free agency, driving roster volatility and re-recruiting costs, and heightened risk of disputes related to name, image, and likeness contractual obligations²¹

As college athletics evolve, institutions will need stronger governance, financial discipline, and oversight to manage these changes while protecting their core academic mission.

Financial pressures and the need to explore mergers and partnerships

Ongoing financial pressures are forcing many institutions to explore mergers, acquisitions, and strategic collaborations to stabilize operations, preserve academic offerings, and sustain long-term viability amid tightening margins. Rating agency outlooks reinforce this pressure, with cautious-to-negative sector views for 2025 and 2026 and expectations that financially weaker, tuition-dependent institutions will face continued margin compression, downgrades, and an elevated pace of consolidations and closures.²²

The sector is already experiencing an increase in closures and combinations, including dozens of private nonprofit mergers or closures in 2024 and 2025. External analyses warn that closure counts could rise further under adverse enrollment scenarios.²³

While a well-structured merger or collaboration can improve long-term sustainability, institutions will need disciplined due diligence, clear governance, and a realistic integration plan to avoid trading near-term relief for longer-term operational and reputational fallout.

Dependence and overreliance on third-party vendors

Higher education’s shift to cloud platforms, managed services, and specialized providers (for example, learning management systems) is increasing operational dependence on vendors that institutions do not directly control, expanding exposure to outages, data loss, and cyber “spillover” from vendor environments.

Many institutions are still building mature third-party risk management capabilities. An Educause QuickPoll conducted in August 2024 found that 63% of institutions lack a formal third-party risk management process, leaving critical risks inadequately governed.²⁴

Sectorwide disruption events and software-as-a-service (SaaS) fragility compound the issue. A 2024 HYCU report found that 70% of organizations experienced SaaS data loss in the prior year, and 60% mistakenly believed SaaS providers were solely responsible for data protection, underscoring how shared-responsibility gaps can lead to institutional incidents.²⁵

Cyber and privacy impacts can be severe, and in higher education, attacks targeting vendor access points or compromised credentials can lead to campus-wide disruption.

Institutions can still benefit from vendor scale and innovation, but will need disciplined vendor portfolio rationalization, contract and control clarity, and tested contingency plans to avoid turning near-term capability gains into long-term concentration risk and mission disruption.

Building a more data-informed and adaptive ERM program

ERM can be a powerful enabler of effective governance and decision-making in higher education—but only when it is implemented with discipline, consistency, and a clear connection to how leaders actually allocate attention and resources. Institutions do not need complex systems or large investments to improve risk outcomes; they can strengthen ERM by incorporating statistical techniques that reduce reliance on anecdote, make assumptions explicit, and improve the comparability of risks across units and over time. Even modest moves toward more structured, data-informed scoring and monitoring can sharpen prioritization and increase confidence that mitigation efforts are targeted where they can have the most impact.

Methods matter when they are applied to the risks most likely to disrupt the institutional mission. Today’s higher education environment—marked by cyberthreats, shifting regulations, and sustained enrollment and financial pressures—demands an ERM approach that is current, measurable, and adaptable. By pairing practical analytics with a focused view of the most consequential risks, ERM becomes less of a compliance exercise and more of an operational capability—one that improves transparency, strengthens preparedness, and supports resilient strategic choices. Ultimately, a stronger ERM program can help colleges and universities protect their people, resources, and reputation while staying centered on teaching, research, and service.