“When Eating an Elephant, Where Do You Begin” was a webinar hosted by URMIA (University Risk Management & Insurance Association) on October 18, 2016. Presented by a compliance officer and Associate Counsel from the State University of New York (SUNY), the webinar is directed toward universities in the United States without a compliance program or an immature compliance program.
I recently had the pleasure of attending a webinar hosted by URMIA on a very important issue – risk management and compliance responsibilities on college campuses. The presentation was very helpful when considering why a higher education institution should have a risk management program.
I first want to say thank you to URMIA for hosting this webinar, as well as the two presenters – Nedra Abbruzze-Werling, Director of Compliance & Ethics, and Joseph Storch, Associate Counsel.
Colleges and universities have an incredibly high number of rules and laws they must comply with. This includes not only federal and state laws, but also local municipal laws, applicable case law, contractual obligations and accreditation standards.
From 1997 to 2012, the number of federal requirements alone for higher education institutions grew by 56%!
After providing a definition of compliance and its meaning for higher education, the webinar describes “traditional risk management” and “enterprise risk management” (read our article on the differences between traditional risk management and ERM for more information). In the description, the webinar applied the ISO 31000 standard to the idea of traditional risk management/loss prevention/insurance rather than applying it to ERM, which is the intent of this particular standard.
Although their description of ERM (i.e. “…formal, structured, and continuous process that is designed to identify, assess and manage risks on an enterprise-wide basis”) was okay, it left out a key part about ensuring management has the appropriate information to make risk-informed decisions.
After providing these definitions, the webinar then goes into 6 steps for developing a compliance program at a university. These include (according to the webinar):
- Self-awareness and acceptance
- Buy-in
- Establish structure, and then communicate it
- Establish your compliance matrix
- Get buy-in from campus community
- Assess your risks and create a compliance plan
Again, the webinar provided a great high-level view of why a university should have a compliance program, but the order of the 6 steps was off the mark in a big way – step #6 should really be step #1!
A big question that popped into my mind while watching the webinar (…and what prompted me to write this blog) was:
How can an organization know it has a problem with compliance unless the risks are identified and assessed first?
When establishing an ERM program, compliance risk is one of the areas that should be discussed at the beginning of the process. Which laws, regulations and other requirements is the organization subject to? Examples can include labor laws, educational regulatory bodies at the federal, state and sometimes local level, the IRS, OSHA – the list goes on and on. When assessing all of these risks, the university needs to consider, at a minimum, the impact to the organization and the probability of the risk occurring.
Following this assessment, risks are then prioritized.
If it’s determined that compliance risks are a higher priority, the university will have a greater sense of urgency for creating a compliance program, which in turn helps gain buy-in, not just from leadership, but also from the campus community at large. The buy-in from university leadership and the campus community drives the acceptance that a compliance program is needed.
Again, I want to thank URMIA, Nedra, and Joseph for the wonderful presentation. Although there were a few items from the webinar I took issue with, it provided a great high-level overview of why it’s vitally important for universities to have a robust risk management and compliance program.