Higher education institutions of all sizes are constantly being asked to “do more with less.” Resource and budgetary constraints, in conjunction with new and evolving risks, continue to provide fresh challenges that require institutions to rethink organizational relationships in search of a more effective and efficient operating model. At the Society of Corporate Compliance and Ethics (SCCE) 2018 Higher Education Compliance Conference, one presentation provided attendees with an opportunity to learn about the benefits of identifying and leveraging strategic internal partnerships that can still allow for the necessary lines of separation (e.g., independence). The presentation focused on the potential for functional efficiencies in areas such as compliance, audit, risk, ethics and enterprise risk management (ERM).
The following themes were highlighted throughout the discussion:
In addition, the presentation introduced four key stages for institutions to utilize relationships with key stakeholders within an effective compliance program, highlighted in the following sections.
1. Identify and define institutional relationships
First, the presenters emphasized that identifying and leveraging a network of institutional resources is a process that will take time. Most likely, the resources you are trying to identify already exist in some capacity; however, their roles, responsibilities and titles will vary widely between institutions. Whether the resources are internal (e.g., departmental or institutional leaders) or external (e.g., contractors or auditors), key strategic partnerships could come from areas such as:
Once strategic partners have been identified, it is helpful to define their roles and responsibilities within the new, collaborative model. Some things to consider as your institution begins to establish distinctions between each strategic relationship:
Answers to these significant questions may only scratch the surface on how this model will ultimately be designed and operate. However, it will likely serve as the foundation for a new collaborative model that grows over time as stakeholders begin to operate within the new structure.
2. Develop a common language
After your institution has identified the appropriate stakeholders, defined the roles and responsibilities and created a preliminary model for the new structure, it is necessary to establish a “common risk language.” Since individuals across an institution may apply different meanings to the same word or set of words, a common risk language, including risk terminology and definitions, will ensure all stakeholders are using and speaking the same language. A common risk language can also help identify risks at varying levels of the institution in a way that will lend itself to consolidating risk assessments and sharing critical risk information more readily. Further, it will allow for greater coordination and reduce redundancies among the strategic partners, and it will make the collaborative relationship more seamless from the perspective of stakeholders throughout the institution.
Some common “big picture” considerations to address at this stage include:
Documenting these considerations and creating a new common language will go a long way to increase transparency at all levels of the institution and allow for a more unified and integrated approach to managing institutional risk.
3. Align current resources
Three lines of defense
When considering the risk management activities of an institution, the three lines of defense is a potential structure to leverage existing knowledge, information and support to create a cohesive and collaborative environment.
Areas for collaboration
Collaboration can take on many variations and different levels of involvement. The following four scenarios present opportunities for collaboration within the compliance program:
1. Risk assessments are a tool for evaluating and prioritizing institutional risks to inform internal audit, compliance and/or institutional leadership of high risk areas that need attention. Performing collaborative risk assessments can provide many benefits to an institution, including:
2. Audit activities, including collaboration during the audit process, enables stakeholders to gain valuable insight (i.e., assurance) into the design and effectiveness of the institution’s internal controls as well as in-depth knowledge of the institution’s operational processes. Additional information about the adequacy of policies, procedures and processes can be gained through each audit or independent review that is performed.
3. Investigations create a response mechanism to provide subject-matter expertise to reported breaches of external laws/regulations and/or violations of internal policies. Investigations may be prompted by information reported to compliance or an independent hotline, which can help identify areas of risk or needs for additional resources. Having a formal avenue for reporting and investigating compliance matters is a proactive approach for monitoring compliance requirements and trends to inform areas of focus for various institutional stakeholders, including audit, ERM and institutional leadership.
4. Compliance governance assessments can be a shared role between audit and compliance. Internal audit can provide an initial assessment and advise on the governance structure, while compliance can focus on what may be required to achieve sound overall governance.
Not only will senior leadership and the board benefit from increased collaboration and knowledge sharing, but these new partnerships should drive a consistent application of risk-based practices both at an operational and strategic level.
4. Driving change and ongoing monitoring
The presenters then described how the seven elements of an effective compliance program, as outlined in the Federal Sentencing Guidelines, essentially provide institutions with a framework and the basis for initiating change and seeking collaborative opportunities. These seven guidelines outline the need for a balanced and supported effort across the institution in order to generate an effective cultural change. The guidelines also provide a mechanism for an institution to perform a periodic and comprehensive self-evaluation in their progress towards a collaborative model.
Practical examples of collaborative leadership
The SCCE presenters also offered real-world examples of how institutions could initiate reasonable and actionable change through channels and activities that already exist. One example highlighted in the presentation was a fraud investigation process led by an institution’s compliance function, in collaboration with the internal audit function.
In this example, the compliance function at this institution was initially made aware of an allegation of potential procurement card misuse through an anonymous compliance hotline report. Based on the nature of the reported allegation, the compliance function collaborated with the internal audit function to narrow the scope and identify resources to support a formal fraud investigation (e.g., interviews, testing procedures). Internal audit provided resources to perform testing procedures and collaborated with compliance on follow-up interviews with key stakeholders. Through these interviews, internal audit and compliance were able to obtain critical information to review and confirm the preliminary testing results.
The results of the collaborative investigation effort not only provided the institution and management with opportunities to enhance their internal control environment, but it provided additional context on risk areas for future consideration. Management was able to leverage the results of the investigation to develop and implement an action plan for remediation and enhanced monitoring activities. This collaborative result also ensured the buy-in of key stakeholders from across the institution, increased the efficiency of communication efforts and led to quick, actionable results.
There is no “one-size-fits-all” approach that works for every institution!
The presenters concluded the session by highlighting several variations in reporting relationships and emphasizing the importance of tailoring it to an institution’s individual structure and culture. Since effective collaboration may vary at each institution, there are advantages and disadvantages that will differ, regardless of the model used. Examples of collaborative structures include:
Over time, strategic partnerships can become increasingly aligned and efficiencies realized throughout the day-to-day activities of all stakeholders. Operational processes can become more streamlined through simplified, direct lines of communication, informed decision making and collaborative risk management. Maximizing the collaborative efforts between these otherwise independent functions can enable your institution to optimize its resources for improved, more effective oversight of new and evolving risks.
For more information on this topic, or to learn how Baker Tilly specialists can help, contact our team.
 Source: United States Sentencing Commission, §8B2.1, Effective Compliance and Ethics Program, https://www.ussc.gov/guidelines/2015-guidelinesmanual/2015-chapter-8