Welcome to Compliance U

The Board's Role in the Regulatory Era

By Peter F. Lake // Volume 21, Number 4 // July/August 2013
AGB Trusteeship Magazine with cover article: Welcome to Compliance U: The Board’s Role in the Regulatory Era - July/August 2013

At a recent national conference on law and higher education that I chair on behalf of the Stetson University College of Law, I asked a panel of experts to predict where higher education would be in 20 years. One panelist said she envisioned that a typical college would be a large compliance bureaucracy surrounded by a few, relatively small, educational and athletic facilities. While her comment was tongue in cheek, what she foresaw in her crystal ball had its basis in a growing reality.

Higher education has entered an era of rapidly increasing regulatory activity at both the federal and the state levels, resulting in what I call “Compliance U” in The Rights and Responsibilities of the Modern University: The Rise of the Facilitator University (Carolina Academic Press, 2013). The ascendance of Compliance U has major strategic implications for governing boards, as it will require significant cultural change in higher education to adapt to ever-growing demands for accountability from policy makers, regulators, and the public. Boards have an important role to play in helping create that culture of compliance and ensuring that institutional administrators with compliance responsibilities have enough resources to perform them.

In the words of Janice M. Abraham, president and CEO of United Educators Insurance and author of a new AGB book, Risk Management: An Accountability Guide for University and College Boards, “Although not at the level of financial institutions and utilities, higher education faces a labyrinth of rules and regulations that must be followed. Noncompliance can lead to fines, liabilities, and/or reputational risk. Compliance requirements vary according to the size, complexity, and mission of the institution. However, all institutions must comply with a core set of employment, financial, safety, and environmental regulations.”

In the last three years alone, federal regulation has increased substantially. A defining moment was the release of the “Dear Colleague” guidance letter from the Department of Education in April 2011 that signaled a sea change in regulatory enforcement of Title IX of the Education Amendments of 1972, which bars sex discrimination at colleges and universities receiving federal support. This letter, which included requirements for institutional policies concerning sexual assault and signaled significantly increased enforcement of Title IX, was a complex and demanding regulatory initiative requiring “immediate compliance” under threat of loss of funding. It required, for example, that every campus have a clearly defined Title IX coordinator with sufficient rank and job protection from improper interference—such as if a powerful coach were to attempt to countermand discipline of a student athlete to protect that student’s eligibility to compete.

That has put new burdens on colleges and universities. For instance, especially at smaller institutions with fewer resources, a director of human resources may serve as Title IX coordinator and also on a threat-assessment team. But the Education Department directive frowned on Title IX coordinators who have conflicting job responsibilities. Few colleges were prepared to meet the requirements of the letter, particularly in the specified time frame. The letter created something on the order of regulatory panic at operational levels in colleges, and many institutions are still struggling to come into compliance. (AGB is working with the National Association of College and University Attorneys (NACUA) to develop a white paper to guide boards about their role in the oversight of their institution’s handling of issues of sexual assault.)

The Education Department’s initiatives regarding Title IX have come hand in hand with a flurry of other regulatory activity directed at college cost and affordability, accreditation, lending, disability accommodation, college safety, alcohol and drug prevention, and academic-records management, to name just a few. Merely scratching the surface of the expanding regulatory world, you will discover:

  • The Department of Education has promulgated hotly contested “gainful employment” requirements for some sectors of higher education, with the intention of expanding similar requirements for other sectors. These regulations essentially test the value of a college degree and may be linked in complex ways to federal funding and student lending.
  • The Education Department and Justice Department have been active in regulating disability law compliance, particularly Title II regulations. For example, regulators have become more determined to protect the rights of disabled students in residence halls, recently expanding rights to service and comfort animals (yes, even miniature horses).
  • The Department of Justice has just created and funded a national campus safety center, and Congress may follow soon with legislation permanently creating such a center.
  • The Education Department now sends “Clery Teams” to audit college compliance with the Clery Act (a campus safety law requiring colleges to report complex crime data and undertake safety measures designed to protect campuses from mass violence, inter alia) and other college safety laws including Title IX and the Safe and Drug Free Schools and Communities Act. The latter requires substantial biennial reporting on science-based alcohol and drug prevention efforts.
  • Regulators have also ramped up regulations protecting student veterans and have signaled a willingness to enforce these new rules.

The list goes on … and only continues to grow.

Moreover, regulation is hardly limited to the federal government; many states have created new regulatory requirements, as well. For example, licensing out-of-state educational programs has become intensely complicated—especially given the proliferation of online courses and programs—and is often heavily influenced by specific state rules.

Regulators can engage an individual campus via an audit process, or if there is a complaint, an investigatory process. In either process, college leaders should expect that regulators will identify areas for improvement in compliance efforts. Boards should, however, also be aware that compliance, like health, is a goal and a process, not a static end state. Regulatory requirements are so complex and ever-changing (and sometimes so indefinite) that it is not realistic to believe that at any given moment a campus will be 100 percent compliant.

As Jonathan Alger, former senior vice president, general counsel, and compliance officer at Rutgers University and now president of James Madison University, noted in “The Rise of the Compliance University,” a 2012 paper for the Center for Excellence in Higher Education Law and Policy at Stetson: “When people think about the topic of compliance in general, they can easily be overwhelmed with the vast array of laws and regulations that apply to an institution. Thus, it’s helpful to think about the subject in manageable chunks or clusters of issues, and to set priorities in stages of time when developing new programs and policies. This is a subject where the law is constantly changing, and all compliance programs need to be flexible over time.”

Boards should instead strive to foster a culture of compliance on their campuses. Regulators typically respond most favorably to candor and systemic good faith efforts to understand and strive for compliance. They have the power to use fines and other punishments to address instances of noncompliance, but most often they seek voluntary resolutions and collaborative outcomes. Building a compliance process and a culture that encourages working with regulators should be the principal goals for boards and other leaders of Compliance U.

Compliance as Risk: The Board Audit Committee

Compliance is a risk and should be evaluated and responded to using a framework similar to a broader enterprise risk management (ERM) structure. While the appropriate board committee will review the risks associated with a new program, the audit committee should have a process in place to ensure that any new compliance issues are also addressed.

The senior administration is responsible for developing the structure of the compliance program and regularly reporting to the audit committee any compliance violations that may be reported to federal or state agencies and therefore become public. The audit committee’s role in compliance is to ensure the institution has policies and processes in place so that it is both aware of regulations it is required to follow and can also effectively meet these obligations.

To start the dialogue, audit committee members should ask administrators:

  • Does the institution have in place an adequate system to monitor and comply with laws, regulations, and reporting requirements?
  • Does the institution have in place an adequate system for ensuring that reports to the public and media are accurate?

Compliance encompasses more than local, state, and federal rules. Inaccurate reporting to the National Collegiate Athletic Association, U.S. News & World Report, and other external parties creates reputational risk. False reporting of information during an accreditation review can jeopardize accreditation. While misrepresenting admissions or other data to the external media may not carry the same consequences, fines, and penalties, reputational damage can be significant and processes should be in place to avoid intentional and unintentional misreporting of data. New programs and initiatives bring both new opportunities and new compliance issues.

—Adapted from Risk Management: An Accountability Guide for University and College Boards, by Janice M. Abraham (AGB Press, 2013).

The Emerging Compliance Office and Enterprise Risk Management

The governing board, usually through its audit committee, should ask for regular reports, as well as updates as appropriate, on compliance issues at the institution and share them with the rest of the board. At the same time, boards should carefully avoid trying to directly manage operational compliance matters. Clearly defining the board’s role in compliance protects not only the board and its members but also the integrity of compliance management by the professional administrators entrusted with that role.

It is not uncommon for a college or university to place heavy responsibility for compliance management on one or two people with strong skills in relational management. But strong relational skills cannot overcome unduly burdensome workloads (which lead to burnout and compliance error), lack of experience with an area of compliance, or inherently inconsistent job responsibilities. The fact is, Compliance U requires new forms of organizational dynamics and structure.

Thus, a growing number of institutions are establishing a compliance office that oversees and coordinates campuswide ongoing compliance efforts as well as deals with audits and investigations—whether internal, regulatory, or criminal. Yet it is also important for that office to create a culture in which compliance is seen as everyone’s job, not just a task dedicated to a specific office. And the fact is that while the compliance office provides leadership and coordination, the specific tasks of compliance very often should be delegated to a variety of administrators and offices. In addition, smaller campuses may experiment with consortia approaches to compliance management in order to achieve efficiencies—sharing personnel and resources.

Closely allied to the creation of centralized compliance coordination is the adoption of an enterprise risk management (ERM) approach to managing risk. ERM provides a comprehensive framework to assess risk and opportunity across many dimensions. Compliance error is its own source of institutional risk and is often related to other risks. For instance, if a campus does not have a properly trained and tasked system-wide Title IX coordinator, as required by the Education Department, it faces not only the risk of an audit or investigation and monetary penalties, but also potential safety risks to students and reputational risks to the institution. (See box above.)

The Three Challenges of Bystander-ism

In addressing the issues, board members of Compliance U can confront three challenging organizational dynamics: posturing, parochialism, and lack of coordination.

First, some people at the college or university may resist a regulatory, compliance-oriented environment, one involving external review and accountability demands. Certain staff members, for instance, may be reluctant to candidly assess themselves according to compliance metrics. Such an attitude sometimes leads to posturing. Simply adopting new policies, making bold public statements about commitments to compliance, and hiring new personnel or consultants are not sufficient: Regulators will test for the sincerity of compliance efforts. Posturing may work in court but does not play well with regulators, many of whom are skilled criminal investigators.

The second challenge, parochialism, comes in many forms. For instance, departments may be tempted to treat issues and challenges solely within the norms of that department. A problem with a coach could be viewed as a coaching issue, but there may be broader issues to consider such as brand risks, retention, and civil/criminal responsibility. Parochialism can create “silos” where decision-making becomes myopic.

Or, a campus may be tempted to try to manage compliance issues entirely on its own, with its own personnel—usually out of concern about exposing issues to others. However, even the most elite campuses lack some of the necessary resources to successfully navigate the new regulatory world, and outside perspectives can be enormously helpful in gauging progress towards compliance. A campus that attempts to go it alone is a target for serious compliance issues in the future.

Finally, coordination of compliance efforts can require significant time and effort. Many campuses will find that their compliance activities are scattered all around the campus in sometimes inefficient and duplicative ways. In light of recent regulatory directives, however, many institutions have been forced to organize and focus their Title IX compliance efforts, for example. Now human resources, athletics, and discipline administrators coordinate compliance efforts and operate with one vision. Similarly, emergency-notification mandates under the Clery Act have prompted campuses to centralize emergency-management efforts.

When posturing, parochialism, and lack of coordination combine, the result can be bystander-ism: the tendency not to tackle major institutional risks aggressively. Many campuses have fallen prey to bystander-ism; however, it is exactly this phenomenon that may have motivated consumers to demand, and government officials to create, a more heavily regulated environment for higher education. From a strategic institutional perspective, bystander-ism may be the single greatest business risk to higher education today, as it invites backlash in a variety of forms.

For instance, in civil litigation, colleges routinely disclaim responsibility for student alcohol-related injuries (vehicular incidents, sexual assaults, altercations, falling injuries, alcohol overdoses, and others). Although colleges “win” many of these cases, families of the injured have turned to regulators for answers to the dangers associated with high-risk drinking. Indeed, the severity of the federal government’s intervention in Title IX issues is directly the result of the perception that colleges were not doing enough to protect victims from sexual predators. “It’s not our fault” may win in a court of law but then lose in the court of public perception and regulation.

Complying with the Letter and the Spirit of the Law

The hobgoblin of compliance is overemphasis on technical compliance—simply filling out the right forms and focusing on deploying “best practices” (a term to use with caution, if at all) to avoid getting audited. Boards should actively seek to inculcate the spirit of compliance throughout their institutions. Regulators will be looking to see that institutional missions truly converge with certain goals and principles and that we in higher education have internalized those goals and principles. For example, the spirit of Title IX is to reduce educational barriers created by sex discrimination. In essence, this is the “mission statement” of Title IX and should inform every decision at every operational level on a campus.

At the same time, boards should not allow their institutions to be baited into thinking that the way to comply is to simply copy and apply best practices used by others. Each institution is somewhat different, and doing only what worked yesterday will never be enough tomorrow. Compliance is about continuous efforts, and today’s widely adopted practices are simply steps on a compliance path.

In fact, governmental regulatory bodies rarely prescribe “best practices” as such. For example, the Department of Education instead uses “guidance” and “resolution” documents to direct compliance efforts. Your institution’s compliance mantra should be “best practices are good, but we can always do better.” There are a few excellent clearinghouses of information on compliance that institutions can turn to for help and support.

Helpful Resources

The Higher Education Compliance Alliance was created to provide the higher education community with a centralized repository of information and resources for compliance with federal laws and regulations.

Spearheaded by the National Association of College and University Attorneys (NACUA), the Compliance Alliance is now made up of 29 participating associations, including AGB, representing a broad cross-section of higher education interests. These associations share a joint commitment to providing high-quality resources on a diverse range of compliance topics as a service to the higher education community at large. Many of the resources on this Web site are freely available; a wealth of additional resources (denoted throughout the site with a padlock symbol) is available via password to members of the association providing the resource.

Other informative Web sites include:

Catholic University

North Carolina State University

Washington and Lee University

Defining New Roles for Lawyers

Higher education was historically able to meet its compliance obligations with a relatively limited number of legal professionals. But today board members and other college leaders will need to reassess their institutions’ legal needs and the skill sets of existing legally trained staff. Institutions will require assistance from lawyers with significant experience in regulatory law—preferably at the federal level. Moreover, they will increasingly need to populate other administrative roles with those who have been legally trained. For instance, it is now common for discipline officers and Title IX coordinators to have a law degree. Boards must help senior administrations prepare their campuses for a new workforce, emphasizing new skills.

NACUA has focused on compliance and developed an advisory group on the topic. The association has conducted a survey of institutional practices and structures (see “Legal Standpoint”) and will be convening leaders throughout higher education and outside of it to discuss the role, operations, and impact of the compliance function on campuses.

Effecting Regulatory Change

Many experts have raised concerns about the increasing burdens of regulatory compliance on higher education and the fact that colleges are often playing regulatory “defense.” Although not technically unfunded mandates, many new regulatory burdens have that feel, especially during a period when regulators are pushing institutions to achieve simultaneously greater cost effectiveness and efficiency.

Some government agencies—in particular, the Education Department—have made a concerted effort to put their staffs in a dialogue with colleges and universities by sending them more frequently to higher education conferences. Board members can encourage top administrators to attend and participate meaningfully in such events to help improve regulatory interventions in the future. I have seen an unfortunate misdirection of resources when a college will cite budget and travel restrictions as a reason for administrators not to attend a conference with regulators while spending thousands of dollars to send them to “train” and receive “certification” in “best practices.”

The Education Department from time to time also offers opportunities for negotiated rule-making in which interested groups can be involved in the development of new regulations. We in higher education can improve our regulatory posture by participating in negotiated rule-making when the opportunity arises and requesting that the Education Department exercise its discretion to use this process more frequently with respect to critical compliance issues. Participation in negotiated rule-making has limits, however. The process is focused on new rules and formal regulations, yet much of the consternation over new regulatory mandates has been directed at the less formal guidance that higher education receives in “Dear Colleague” letters and resolutions with specific institutions. It is important for higher education to create a broad-based constructive dialogue with the Education Department and other regulatory agencies and not rely on any one process, such as negotiated rule-making.

A Time of Opportunity

While boards should encourage a culture of compliance broadly conceived, they must also help ensure that the rapid increase in external regulations does not interfere substantially with the fundamental values of the academy. It is important not to redirect day-to-day efforts of educators away from the delivery of the core educational mission towards meeting compliance obligations (for example, shifting the focus away from teaching students to filling out forms). In fact, over-identification with compliance as a business goal is itself a risk to higher education institutions.

That said, the regulation and red tape of compliance are here to stay. And Compliance U will operate best when institutions and their boards learn to embrace a regulated culture and seek out the opportunities it creates. Indeed, this truly is both a challenging and opportune time in higher education. “At their best, compliance programs can be educational and enriching—and can be used to help individuals and units do their jobs more effectively,” observes James Madison University President Jonathan Alger. “Indeed,” he adds, “a positive focus on compliance can promote an ethical, values-based environment that is consistent with the mission of higher education.”

Fundamentally, much of the energy coming from Washington is directed at creating safer and more responsible campuses that deliver on their educational missions. We in higher education can build on the demands of regulators to meet the interests of our key constituents. For instance, new rules can give us better access to K–12 records to anticipate the needs of our potential students, and regulations about veterans and disabled students can help ensure the enrollment and retention of the diverse range of students that our institutions need. Leadership towards opportunity is the bright hope as the era of Compliance U dawns.

“So many people are involved.”

Athletics. Human subject protocols. Conflicts of interest. Export controls. IT security. The list of potential institutional compliance woes is long, and growing.

“It is more and more complicated,” said Michael Somich, executive director of internal audits at Duke University. And “the environment is difficult because so many people are involved.” Those people may range from graduate student researchers to research subjects to faculty to deans to general counsels to the president and, finally, to the board, particularly members of the audit committee, who oversee the institution’s compliance program and receive reports at each board meeting on compliance activities.

Somich is responsible for all internal audit activities of Duke University, the Duke Management Company, and Duke Medicine; manages the Institutional Ethics and Compliance Program (IECP); and facilitates the risk management process for Duke University. It’s a big job, made a bit more manageable by the IECP, which has been in place since 2005. Prior to that, the process at Duke was more decentralized. The IECP is led by a steering committee that includes the president, chancellor, provost, executive vice president, dean of the school of medicine, general counsel, and a dean named by the president.

There are more than 400 laws, regulations, and policies with which Duke must comply, and each one is the responsibility of someone on the campus—president, chancellor, provost, or executive vice president—and a separate compliance liaison who is specifically responsible for managing each compliance risk. The liaisons must assess and rank the impact and probability of potential compliance violations when new regulations are identified and for an annual risk assessment process. There is also a quarterly monitoring process as well as a semi-annual review of compliance issues determined to be especially high risk.

Somich said that throughout the institution, Duke works to create a culture in which compliance is second-nature, where there is “an awareness by people that they need to be in compliance and the expectation is that they will be in compliance.” That includes the board. “The board, particularly the audit committee, often questions us on the culture of compliance of the faculty and staff,” said Somich. “Issues such as: How are they educated and reminded about expectations? How do we monitor meeting compliance expectations? What do we do if we discover an instance of significant noncompliance? How do we use instances of significant noncompliance as teaching moments?”

“The major role of the board,” he said, “is to work with management to put in place a program that is effective, then receive reports and make sure the program is running as intended.” While it’s important for the full board to know what compliance is and roughly how it works, Somich said, it is the particular responsibility of the audit committee to learn the nitty-gritty details and to be sure that the program is functioning as planned.

Risk should be understood more broadly than just those things that might be hazardous to the institution’s wellbeing, said Somich. It can also be a good thing, and it should be part of strategic board discussions. “Are we taking enough risks?” he asked. “Could we be more bold?”

—Julie Bourbon, AGB

Seven Suggestions for Boards

  • Recognize that regulatory compliance is a major institutional challenge and a source of both risk and opportunity.
  • Strongly avoid direct operational management of critical compliance issues from the governing-board level.
  • Promote an enterprise risk management (ERM) approach. That includes encouraging the creation of a centralized ERM function with leadership that reports directly to the board and making sure that there are processes in place for establishing important compliance policies and keeping them up to date.
  • Ensure that the institution coordinates compliance initiatives throughout the campus as part of ERM efforts. The organizational chart should clearly identify the office and individuals tasked with such coordination.
  • Working with the senior administration, fundamentally rethink the delivery of legal services. Colleges need a new breed of lawyers with skills in regulatory compliance, as well as legalists who are administrators performing vital compliance jobs. Many administrative jobs will now be “J.D. preferred.” As part of that, know who the legal professionals on the campus are—whether the general counsel or chief compliance officer—and rely on them for their expertise.
  • Lead your campus to primarily education-based solutions to today’s challenges and protect it from becoming nothing more than a regulatory compliance operation. Compliance U needs leadership to protect academic freedom/autonomy and a caring and compassionate learning culture.
  • Remember the strengths of your enterprise and the fact that colleges can often do what the law cannot on its own. Consider, for example, that the Supreme Court itself has acknowledged that the law alone will not end prohibited sex discrimination. The spirit of Title IX lies in voluntary compliance, which for colleges and universities means that the real hope of eliminating sex discrimination lies in the most powerful tool of all: education.

“There is more intolerance of noncompliance.”

Oregon State University (OSU) is one of seven public institutions that fall under the Oregon University System, where change is afoot. Recently, the legislature passed a bill giving some of the state’s universities, including OSU, the right to form their own institutional governing boards in July 2014. Meantime, compliance work goes on.

With the current structure, institutions report to the state board via an annual report to the provost, and more frequently to federal authorities, which might include the Department of Health and Human Services, the National Institutes of Health (NIH), the Department of Defense, even the Nuclear Regulatory Commission (for use of radiation in research). A full-time staff member is assigned to each compliance entity, which covers the gamut of possible risks: human subject safety, export control, environmental safety, financial reporting, conflict of interest, and much more.

“We have a very active training and education program for researchers and faculty,” said Richard Spinrad, vice president for research at OSU, where human and animal safety are paramount. “A researcher cannot engage in research until he or she has taken the training.”

A veteran of the federal government (he was previously an assistant administrator at the National Oceanic and Atmospheric Administration, or NOAA) and its many compliance regulations, Spinrad has been at OSU for three years. When asked whether he thought compliance issues were proliferating, he was thoughtful. “The challenge of adhering to regulations is more time-consuming. There is more accountability. It’s being done more assiduously than in the past,” he said. “It’s not necessarily that there are many more regulations, but there is more intolerance of noncompliance.”

Citing several lab accidents in the last few years at other colleges and universities, Spinrad noted a very aggressive “clamping down” on lab safety. “Universities are being held to a much higher level of accountability.”

Spinrad’s counterpart outside of the research area is Mark McCambridge, vice president for finance and administration. He has been VP for 14 of his 19 years at OSU and is part of a larger compliance reporting mechanism in which, currently, one set of financials is reported to the state board.

“It’s a large entity to monitor,” he said of the system that enrolls more than 100,000 students. The only way a compliance program can succeed on such a scale, he said, is for there to be a very clear culture that demands it. “If it’s not visible from the top in day-to-day activities, it’s not going to happen. That has to go on day in and day out.”

Regular communiques from the president’s office remind faculty, staff, and administrators of their compliance responsibilities, and board members receive detailed instruction in compliance regulations from the chancellor’s office during their orientation.

—J.B.