Rethinking organizational relationships to strategically align compliance, audit, risk, ethics and ERM functions in higher education

Higher education institutions of all sizes are constantly being asked to “do more with less.” Resource and budgetary constraints, in conjunction with new and evolving risks, continue to provide fresh challenges that require institutions to rethink organizational relationships in search of a more effective and efficient operating model. At the Society of Corporate Compliance and Ethics (SCCE) 2018 Higher Education Compliance Conference, one presentation provided attendees with an opportunity to learn about the benefits of identifying and leveraging strategic internal partnerships that can still allow for the necessary lines of separation (e.g., independence). The presentation focused on the potential for functional efficiencies in areas such as compliance, audit, risk, ethics and enterprise risk management (ERM).

The following themes were highlighted throughout the discussion:

  • How can your institution identify and leverage opportunities to combine valuable resources and organizational relationships?
  • What can you do to leverage existing communication channels?
  • How can you utilize limited resources to better position your institution while maintaining the necessary lines of defense?
  • What are some effective and interesting ways to communicate compliance to educate and build awareness?

In addition, the presentation introduced four key stages for institutions to utilize relationships with key stakeholders within an effective compliance program, highlighted in the following sections.

Utilizing key stakeholder relationships

1. Identify and define institutional relationships

First, the presenters emphasized that identifying and leveraging a network of institutional resources is a process that will take time. Most likely, the resources you are trying to identify already exist in some capacity; however, their roles, responsibilities and titles will vary widely between institutions. Whether the resources are internal (e.g., departmental or institutional leaders) or external (e.g., contractors or auditors), key strategic partnerships could come from areas such as:

  • Compliance and ethics
  • Internal audit
  • External audit
  • ERM
  • General counsel’s office
  • Information security and privacy
  • Other partners

Once strategic partners have been identified, it is helpful to define their roles and responsibilities within the new, collaborative model. Some things to consider as your institution begins to establish distinctions between each strategic relationship:

  • What risks will each partner be responsible for monitoring and/or owning?
  • Will they be functioning independently and objectively?
  • What are the reporting responsibilities?
  • Can this structure maintain the necessary lines of separation?
  • How will the changes be communicated to impacted stakeholders?

Answers to these significant questions may only scratch the surface on how this model will ultimately be designed and operate. However, it will likely serve as the foundation for a new collaborative model that grows over time as stakeholders begin to operate within the new structure.

2. Develop a common language

After your institution has identified the appropriate stakeholders, defined the roles and responsibilities and created a preliminary model for the new structure, it is necessary to establish a “common risk language.” Since individuals across an institution may apply different meanings to the same word or set of words, a common risk language, including risk terminology and definitions, will ensure all stakeholders are using and speaking the same language. A common risk language can also help identify risks at varying levels of the institution in a way that will lend itself to consolidating risk assessments and sharing critical risk information more readily. Further, it will allow for greater coordination and reduce redundancies among the strategic partners, and it will make the collaborative relationship more seamless from the perspective of stakeholders throughout the institution.

Some common “big picture” considerations to address at this stage include:

  • Are all strategic partners educated on their roles and responsibilities?
  • Do the partners know what others are responsible for (e.g., training areas, escalation and reporting to senior management and the board)?
  • Has a common definition of “risk” been established for all strategic partners?
  • Are there clear communication channels among relevant institutional stakeholders (e.g., risk manager(s), senior leadership and the board)?
  • Is there consistency in the documentation, tools and templates utilized by the partners?

Documenting these considerations and creating a new common language will go a long way to increase transparency at all levels of the institution and allow for a more unified and integrated approach to managing institutional risk.

3. Align current resources

Three lines of defense

When considering the risk management activities of an institution, the three lines of defense is a potential structure to leverage existing knowledge, information and support to create a cohesive and collaborative environment.

  • First line: Risk owners and managers (operational resources) – represent the institution’s internal controls that are designed, owned and monitored by the current process owners. These process owners are primarily responsible for implementing and owning the controls.
  • Second line: Risk control and compliance (management/compliance function) – represents functions that are likely assessing the effectiveness of the internal controls related to their area(s) of oversight. For example, a compliance function might be charged with monitoring specific risks for noncompliance with laws and regulations.
  • Third line: Risk assurance (internal/external audit) – represents an independent assurance function (e.g., auditors) capable of assessing the effectiveness of the governance, risk management processes and the overall internal control environment. This line also reports to the institution’s governing body and can provide a unique, independent perspective.

Areas for collaboration

Collaboration can take on many variations and different levels of involvement. The following four scenarios present opportunities for collaboration within the compliance program:

1. Risk assessments are a tool for evaluating and prioritizing institutional risks to inform internal audit, compliance and/or institutional leadership of high-risk areas that need attention. Performing collaborative risk assessments can provide many benefits to an institution, including:

  • Robust, cross-functional discussions that enable the identification, evaluation and prioritization of risks at the institution level
  • Opportunities for using existing data to measure and monitor risks across the institution
  • Enhanced understanding of institutional practices, internal controls and risk mitigation strategies
  • Results that provide a cohesive and informed prioritization of current risks and a strategy to address future risks

2. Audit activities, including collaboration during the audit process, enable stakeholders to gain valuable insight (i.e., assurance) into the design and effectiveness of the institution’s internal controls as well as in-depth knowledge of the institution’s operational processes. Additional information about the adequacy of policies, procedures and processes can be gained through each audit or independent review that is performed.

3. Investigations create a response mechanism to provide subject-matter expertise to reported breaches of external laws/regulations and/or violations of internal policies. Investigations may be prompted by information reported to compliance or an independent hotline, which can help identify areas of risk or needs for additional resources. Having a formal avenue for reporting and investigating compliance matters is a proactive approach for monitoring compliance requirements and trends to inform areas of focus for various institutional stakeholders, including audit, ERM and institutional leadership.

4. Compliance governance assessments can be a shared role between audit and compliance. Internal audit can provide an initial assessment and advise on the governance structure, while compliance can focus on what may be required to achieve sound overall governance.

Not only will senior leadership and the board benefit from increased collaboration and knowledge sharing, but these new partnerships should drive a consistent application of risk-based practices both at an operational and strategic level.

4. Driving change and ongoing monitoring

The presenters then described how the seven elements of an effective compliance program, as outlined in the Federal Sentencing Guidelines[1], essentially provide institutions with a framework and the basis for initiating change and seeking collaborative opportunities. These seven guidelines outline the need for a balanced and supported effort across the institution in order to generate an effective cultural change. The guidelines also provide a mechanism for an institution to perform a periodic and comprehensive self-evaluation of its progress towards a collaborative model.

Practical examples of collaborative leadership

The SCCE presenters also offered real-world examples of how institutions could initiate reasonable and actionable change through channels and activities that already exist. One example highlighted in the presentation was a fraud investigation process led by an institution’s compliance function, in collaboration with the internal audit function.

In this example, the compliance function at this institution was initially made aware of an allegation of potential procurement card misuse through an anonymous compliance hotline report. Based on the nature of the reported allegation, the compliance function collaborated with the internal audit function to narrow the scope and identify resources to support a formal fraud investigation (e.g., interviews, testing procedures). Internal audit provided resources to perform testing procedures and collaborated with compliance on follow-up interviews with key stakeholders. Through these interviews, internal audit and compliance were able to obtain critical information to review and confirm the preliminary testing results.

The results of the collaborative investigation effort not only provided the institution and management with opportunities to enhance their internal control environment, but also provided additional context on risk areas for future consideration. Management was able to leverage the results of the investigation to develop and implement an action plan for remediation and enhanced monitoring activities. This collaborative result also ensured the buy-in of key stakeholders from across the institution, increased the efficiency of communication efforts and led to quick, actionable results.

There is no “one-size-fits-all” approach that works for every institution!

The presenters concluded the session by highlighting several variations in reporting relationships and emphasizing the importance of tailoring the reporting structure to an institution’s individual structure and culture. Since effective collaboration may vary at each institution, there are advantages and disadvantages that will differ, regardless of the model used. Examples of collaborative structures include:

Internal audit and compliance are distinct internal departments with separate relationships to senior leadership.

  • Compliance reports directly to the president or other institutional leader.
  • Internal audit reports directly to the president and the board.

Internal audit and compliance are placed within the same internal department under the same leader.

  • Internal audit and compliance jointly report to the board and/or other institutional leader(s).
  • Internal audit also collaborates with third-party resources and subject matter experts, as needed.

Compliance responsibilities are managed in a decentralized fashion across the institution by various functions (e.g., Title IX coordinator).

  • A single compliance oversight function may not be formally defined.
  • Responsibility for individual compliance areas is distributed to one or more related internal functions.
  • Internal audit supports compliance by auditing decentralized compliance areas and reporting results to the board. Internal audit can:
    – Coordinate with key stakeholders to understand and evaluate emerging risk areas for potential review.
    – Monitor compliance-related reporting risks.
    – Report independent audit results to the board in lieu of compliance.

Over time, strategic partnerships can become increasingly aligned and efficiencies realized throughout the day-to-day activities of all stakeholders. Operational processes can become more streamlined through simplified, direct lines of communication, informed decision making and collaborative risk management. Maximizing the collaborative efforts between these otherwise independent functions can enable your institution to optimize its resources for improved, more effective oversight of new and evolving risks.

For more information on this topic, or to learn how Baker Tilly specialists can help, contact our team.

[1] Source: United States Sentencing Commission, §8B2.1, Effective Compliance and Ethics Program