Lessons from the Academy: ERM Implementation in the University Setting


Western Michigan University

The tragedy at Virginia Tech, infrastructure devastation at colleges and universities in the New Orleans area in the aftermath of Hurricane Katrina, the sexual abuse scandal at Penn State, the governance crisis at the University of Virginia, American University expense-account abuse, and other high-profile university situations have created heightened awareness of the potentially destructive influence of risk and crisis for higher education administrators.[1] The recent Risk Analysis Standard for Natural and Man-Made Hazards to Higher Education Institutions (American Society of Mechanical Engineers-Innovative Technologies Institute 2010) notes that "resilience of our country's higher education institutions has become a pressing national priority" (p. vi). Colleges and universities are facing increased scrutiny from stakeholders regarding issues such as investments and spending, privacy, conflicts of interest, information technology (IT) availability and security, fraud, research compliance, and transparency (Willson, Negoi, and Bhatnagar 2010). A statement from the review committee assembled to examine athletics controversies at Rutgers University is not unique to that situation; the committee found that "the University operated with inadequate internal controls, insufficient inter-departmental and hierarchical communications, an uninformed board on some specific important issues, and limited presidential leadership" (Grasgreen 2013).

The situation at Penn State may be one of the clearest signals that risk management (or lack thereof) has entered the university environment and is here to stay. In a statement regarding the report, Louis Freeh, chair of the independent investigation by his law firm, Freeh Sporkin & Sullivan, LLP, into the facts and circumstances of the actions of Pennsylvania State University, said the following:

In our investigation, we sought to clarify what occurred ... and to examine the University's policies, procedures, compliance and internal controls relating to identifying and reporting sexual abuse of children. Specifically, we worked to identify any failures or gaps in the University's control environment, compliance programs and culture which may have enabled these crimes against children to occur on the Penn State campus, and go undetected and unreported for at least these past 14 years.

The chair of Penn State's board of trustees summed it up succinctly after the release of the Freeh Report (Freeh and Sullivan 2012) regarding the university's handling of the sexual abuse scandal: "We should have been risk managers in a more active way" (Stripling 2012).

The variety, type, and volume of risks affecting higher education are numerous, and the public is taking notice of how those risks are managed. Accreditation agencies are increasingly requiring that institutions of higher education (IHEs) demonstrate effective integrated planning and decision making, including using information gained from comprehensive risk management as a part of the governance and management process.[2] Credit rating agencies now demand evidence of comprehensive and integrated risk management plans to ensure a positive credit rating, including demonstration that the board of trustees is aware of, and involved in, risk management as a part of its decision making.[3] Through its Colleges and Universities Compliance Project, the Internal Revenue Service (IRS) is considering how to hold IHEs responsible for board oversight of risk, investment decisions, and other risk management matters.[4] The news media has a heightened focus on financial, governance, and ethical matters at IHEs, holding them accountable for poor decisions and thus negatively affecting IHE reputations. In response to this, many IHEs have implemented some form of enterprise risk management (ERM) program to help them identify and respond to risk.

  • [1] Many colleges and universities were affected by Hurricane Katrina in the New Orleans area (see the American Association of University Professors [AAUP] Special Committee Report on Hurricane Katrina and New Orleans Universities at https://portfolio The independent report by Louis Freeh and his law firm, Freeh Sporkin & Sullivan, LLP, documents the facts and circumstances of the actions of Pennsylvania State University surrounding the child abuse committed by a former employee, Gerald A. Sandusky (available at freeh-report). The AAUP's Committee on College and University Governance reported on breakdowns in governance at the University of Virginia as the board attempted to remove president Sullivan ( American University trustees removed then president Ladner in 2005 after investigation of expense abuses of university funds ( 10-ll-au-president_x.htm). The most tragic of these situations was, of course, the shootings at Virginia Tech on April 16, 2007. On December 9, 2010, the U.S. Department of Education issued a final ruling that Virginia Tech had violated the Clery Act by failing to issue a "timely warning" to students and other members of the campus community following the initial shootings early on the morning of April 16, 2007. In commenting on the verdict, Stetson Professor of Law Peter Lake stated, "Higher education is under the microscope now. The accountability level has definitely changed" (S. Lipka, "Jury Holds Virginia Tech Accountable for Students' Deaths, Raising Expectations at Colleges," Chronicle of Higher Education, March 14, 2010).
  • [2] In order to disburse federal financial aid and grant degrees, institutions in the United States are accredited by one of several accrediting bodies. One example of the way in which accreditors are emphasizing risk management in their review is the Southern Association of Colleges and Schools Commission on Colleges (SACS COC) ( Standard 3.10.4: The institution demonstrates control over all of its physical and financial resources. The University of Virginia demonstrates evidence of this standard on its website by articulating the organizational structure and integrated policies and procedures related to internal and external audit, internal controls, fixed assets, procurement, facilities management, and risk management, among others (
  • [3] The recent Special Comment by Moody's, "Governance and Management: The Underpinnings of University Credit Ratings," declares that "governance and management assessments often account for a notch or more in the final rating outcome compared with the rating that would be indicated by purely quantitative ratio analysis" (Kedem 2010, p. 1). In Moody's consideration of five broad factors that contribute to its evaluation of governance and management, the report cites "oversight and disclosure processes that reduce risk and enhance operational effectiveness" (p. 2). The report further notes: "Effective internal controls and timely external disclosure about student outcomes, research productivity, financial performance, and organizational efficiency will become the hallmark of effective university leadership and will become increasingly critical in mitigating new risks to individual universities and the sector overall" (p. 3).
  • [4] One significant area of change has been the Internal Revenue Service's increased oversight of compliance issues affecting tax-exempt entities, including colleges and universities. In 2008, under prompting by members of the U.S. Senate Finance Committee, the IRS developed a 33-page compliance questionnaire (IRS Form 14018) and sent it to a cross section of 400 institutions of higher education. The form focused on a number of potentially sensitive subjects, including the types and amounts of executive compensation, the investment and use of endowment funds, and the relationship between an institution's exempt activities and other taxable business activities. The IRS also revised its Form 990, "Return of Organization Exempt from Income Tax," beginning with the 2008 tax year. The purpose of the changes is to increase the transparency and accountability of tax-exempt organizations and to ensure compliance with the Internal Revenue Code by requiring more detailed information in several categories. The changes focus not only on revenue, investment, and spending issues, but also on governance, conflicts of interest, and whistle-blower policies and procedures.
