Attacking campus risk
With YouTube, Facebook, Twitter and other social media outlets, virtually nothing escapes the pubic’s notice, and judgment. It’s one reason higher education is paying much more attention to risk management now than in the past.
There are also more risk-generating contingencies, such as mass shootings, and accountability standards, such as for the prevention of sexual assault, than ever before.
Perhaps the wake-up call was the 2011 child abuse scandal with former assistant football coach Jerry Sandusky at Penn State. Though an anomaly, the incident—and the resulting Freeh Report’s recommendations, including the expansion of legal and risk-reporting protocols—mobilized many institutions across the country to formulate or re-evaluate enterprise-wide risk management plans.
“I don’t want to pin it all on PSU, but it was a defining moment for a number of universities to think more about the risk governance process,” says Gary Langsdale, the university’s risk officer.
ERM policies being executed tend to share one major approach: sharing ownership of various risks campuswide. Following are three ways to work on risk management under that principle.
Squelch the silos
Though many colleges employ risk officers, they are moving away from the silo mentality of managing risk. Collaborating and exchanging information enterprisewide— generally through an ERM committee comprised of senior-level administrators—is more efficient.
Adding up the risks
All constituencies that higher ed institutions serve can create risk, from students, faculty and staff to alumni, trustees, donors, local and state government, and state donor agencies, says Leta Finch, national practice leader for higher education at risk management services provider Aon.
There are, of course, more common risks, which include but are not limited to accidents, infrastructure, emergency management, large-event programming, third-party vendor relationships, and research subject safety.
And then there are the statutes and regulations coming from each corner of the government.
“Big issues are compliance—federal regulations, state regulations, environmental; you can run through every secretary, every department in the federal government, and they all have regulations applied to higher education, so maintaining compliance is a risk for a university,” says Craig McCallister, director of risk management and insurance at Cornell University.
Emerging risks of concern to experts and university officers, and long-time risks they’re spending more time thinking about, include:
- Regulatory compliance, particularly Title IX and athletic compliance
- Greek Life/underage drinking
- Breach of contract
- Cyber risk/data security
- Disaster recovery
- Distance learning (student verification, third-party marketing oversight, financial aid compliance, risk to existing program enrollment, etc.)
What is bringing some of these risks to the forefront?
“When the economy goes down, people start looking for ways to make claims,” says Attorney Brenda Radmacher of Glendale, California-based Wood Smith. “For universities, it’s hard because they’re there to serve; they feel like they are partners with students and are not thinking, ‘We need to protect ourselves.’”
“The culture should promote risk management as everyone’s responsibility,” says Leta Finch, the national practice leader for higher education at Aon, a global provider of risk management and other services. ERM committees, meanwhile, can identify major risks and manage risks generated by new opportunities in a way that allows them to fully materialize.
At Penn State, the risk management office leads the effort, but doesn’t own the risks—that is, the office doesn’t take ultimate responsibility for them. “Our vision is that it’s up to the deans and other administrative unit leaders to be accountable for risks in their units,” says Langsdale. Penn State’s risk committee meets about six times a year.
One major risk that committee has identified, common to most universities, is underage drinking, which is considered the responsibility of the student affairs office head. “So he is the risk leader, he owns it, and we look to him to tell us what is going on, and how they’re dealing with the risk,” Langsdale says.
Similarly, Cornell has a risk council that meets bimonthly. This group of senior administrators from all four of the university’s campuses represents areas that include legal, audit, communications and health services.
“That is where our risk is driven, through the risk council, making sure that large risks are addressed, making sure that there are risk owners, and making sure that they’re treating it appropriately,” says Craig McCallister, director of risk management and insurance.
“No one manages a risk in a vacuum,” he adds. “There are central resources and within the risk owners’ operation, they’re going to have multiple people looking at something.”
Departments and administrators working on risk might include the general counsel’s office, the CFO and the provost, as well as traditional risk officers, says Monica Modi Dalwadi, partner at Baker Tilly, a provider of risk management and other consulting services.
A risk committee established in 2009 at East Carolina University (N.C.) meets quarterly. “Our purpose is to share current as well as emerging risk information from specific colleges or departments,” says Tim Wiseman, assistant vice chancellor for enterprise risk management. Collaboration increases awareness and considerations of the impact various risks can have and how they should be handled.
Results of the committee’s annual risk surveys are used to create a top10 list of risks and then develop plans to address them.
East Carolina officials think in “risk buckets” of strategic, financial, operational, compliance or reputational threats. “Those are the five lenses we use to evaluate areas of risk,” Wiseman says.
Reputational risk is impacted by all the others. “If there is an area of heightened concern or a negative occurrence, it will fast affect the reputation of an institution,” he says.
A goal of administrators working on risk management is to handle any events in a nonreactive, noncrisis mode.
Risk watch: Bankruptcy trustees
Though it’s not brand new, there has, of late, been a surge in claims made against universities by bankruptcy trustees, filing under Chapters 7 or 13. The trustees are seeking to recover tuition that parents have paid on behalf of their children.
The actions are being made under long-existing fraudulent transfer statutes, says attorney Tobey Marie Daluz, a partner with Ballard Spahr’s Wilmington, Delaware, office. Such statutes exist under both state and federal law.
“The purpose is to allow the trustee to recover, on behalf of the bankruptcy estate, all moneys paid for which the parent didn’t receive adequate consideration in return.” In this case, the child received the benefit of the college education, not the parent.
Driving this trend may be a struggling economy over the last several years.
Though it’s not possible to estimate the numbers, Daluz says some universities, particularly those with larger endowments, are settling these claims that could pose big trouble for smaller institutions. “Legal fees can quickly eclipse the dollar amount in question,” she adds.
Institutions may have a stronger defense in cases where parents were required to cover college tuition as part of a court order.
“If they had an obligation to pay tuition, that means the parents were paying a legitimate obligation of their own. That is a defense in a fraudulent transfer,” says Daluz. “There may be other defenses, but that depends upon facts and circumstances of that case.”
A proposed bill is under consideration in Congress to block these claims. Until then, there is not much action a university can take.
“Other than accepting payment of tuition in good faith,” Daluz says, “there is nothing colleges can do in advance to predict which tuition payers might file a bankruptcy claim two to four years down the road.”
“It’s important to share ERM activities because so much of what happens in a university setting is intertwined,” says Dalwadi of Baker Tilly. “No one area in and of itself will likely be equipped to handle the myriad of risks the institution faces.”
Prepare for a range of risks
The Jerry Sandusky scandal is by no means the only factor causing institutions to examine risk more closely.
“The environment overall is becoming more risky,” says Eric Nelson, vice president of finance and administration at Misericordia University in Pennsylvania, adding that administrators are becoming more aware of the outside and inside influences that could cause harm.”
To that end, four years ago the university developed a risk matrix identifying broad categories of risk—such as financial, physical and environmental. Administrators assigned numerical values to specific risks based on whether they would have a major or minor effect on operations, and then calculated how likely something was to occur.
The risks were reviewed to determine what could be done to mitigate them and whether any of them were insurable. The risk committee now meets quarterly for further review, says Nelson. That committee includes board of trustee members and officials from finance and administration, though Nelson works with departments across campus throughout the year and meets with outside auditors several times a year.
Misericordia had an opportunity test its matrix not long after its development. When Hurricane Sandy plowed into the East Coast in 2012, the university lost power for two-and-a-half days, which affected student food services. Working with Residential Life and food services provider Metz Culinary, administrators executed their plan to serve cold meals at an alternate location.
“It was an inconvenience for a couple of days, but that was something we had identified on our risk matrix and had a plan in place and knew what we had to do,” says Nelson.
Understand the financial consequences
ERM can help mitigate financial losses when problems occur. It is far more economical to foresee potentially costly events and not have to do damage control, which can lead to mounting lawyer and consultant fees.
In extreme cases, a catastrophic event could potentially shut down an unprepared institution. “We have definitely seen fines, penalties and the possibility of reduced admissions,” says Dalwadi. “If you drop in ranking, that can have an impact on your admissions.”
A failed ERM program, or lack of a program, will likely also drive up insurance claims, says Cornell’s McCallister.
On the flip side, having an ERM process in place could help raise capital for long-term projects. For example, Moody’s gave East Carolina a favorable rating, which Wiseman attributes in part to an ERM program that was “embedded in our risk management culture and tied to the governance body.” This strengthens donor trust as well, he adds.
Smaller institutions especially are driven by tuition and auxiliary enterprises such as revenue from room and board, says Ron Hromisin, controller at Misericordia, which has about 3,200 students. With most institutions budgeting based on enrollment, failing to meet projected goals can impact cash flow.
Evolve as needed
Being proactive also means looking beyond the most obvious and more traditional risks.
A good example is cybersecurity, which has emerged as a major risk in recent years. As McCallister of Cornell notes, it’s not surprising that higher ed is finding it challenging to protect data assets, considering major credit card companies and the government are struggling as well.
Having risk management policies in place also shows constituents and that public that you’re not flying by the seat of your pants in an emergency situation.
Enterprise risk management is not, and should never be, static. Rather, it’s constantly evolving and changing with the times, in accordance with identified risk trends.
“The risk that comes true,” says Langsdale of Penn State, “will be the one you weren’t thinking of.”
Hilary Daninhirsch, a former practicing attorney, is a Pittsburgh-based writer.