You are here

Feature

Colleges are closing in on compliance

Approaches to prioritizing and managing costly, complicated mandates
University Business, February 2018
Regulatory compliance buckets.
Regulatory compliance buckets.
8 elements of an effective compliance program.
8 elements of an effective compliance program.

Vanderbilt University, with the help of the Boston Consulting Group, conducted a comprehensive internal audit in 2015 to better understand its regulatory compliance costs. With just under 13,000 students, the Nashville university found that compliance cost $146 million in 2013-14, or 11 percent of the school’s non-hospital operating budget.

The University of North Carolina’s 17 campuses estimated its current compliance costs to be 7 to 8 percent of total campus operating expenses.

Smaller schools are taking a big hit too. Hartwick University in New York, which has about 1,200 students, reported spending $300,000 on compliance in 2012, close to 7 percent of its non-compensation budget.


Sidebar: Higher ed compliance management education programs


The Vanderbilt study reported the total annual cost of compliance in higher education to be approximately $27 billion. So what’s all this money being spent on?

Labor, for one. And technology to manage, track and report on compliance efforts, on top of training and materials and equipment to facilitate institutional alignment with regulations and statutes—relating to everything from academic programs to campus safety, disabilities, the environment and human resources.

Ignoring compliance isn’t an option. Until recently, some colleges have assumed that the way compliance has always been done is still good enough today, says Terry Wynne, associate director for safety at the University of North Dakota.

That’s risky, with fines that could result in substantial penalties—$150,000, $250,000, and up—plus possible jail time for proven violations.

Institutional leaders can take action, however, to ensure they’re on the right track today and to reduce the drain on existing resources.

Be aware ... continuously aware

There are an estimated 265 federal statutes for institutions to follow, according to a public compliance matrix developed by the Higher Education Compliance Alliance (HECA), which maintains a centralized repository of free information and resources on federal laws and regulations.

Those statutes, representing federal rules and government expectations, change every year, making it difficult to keep up. Regulatory compliance is also an issue for any college that receives federal funding through Title IV—essentially all institutions offering two-year or four-year degrees and that also provide financial aid.

Given the constant updates, limited budgets and complexity of some of the issues, becoming 100 percent compliant is a goal all schools aspire to achieve. But that’s a highly ambitious aim.

“Striving for better” is how one administrator describes the attitude of many in the field of education toward compliance.

“Universities want to be compliant and make every effort to be,” says Steve Hoffman, president of The Tax Translator and author of Taxation for Universities and Colleges (Wiley, 2013), who worked on compliance issues while tax manager at George Washington and Ohio State universities.

Prioritize and prepare

Some regulatory issues are a larger priority in 2018 than others. Those include student safety (as mandated by the Campus SaVE Act, Clery Act and Violence Against Women Act) and Title IX’s sexual harassment and misconduct rules.

To avoid non-compliance penalties, many colleges rely heavily on training and other support from third-party vendors, says Donna McMullin, vice president of marketing at Scenario Learning, the developer of SafeColleges safety and compliance programs.

According to 2017 Scenario Learning data, the top four most-completed SafeColleges training courses cover topics related to Title IX, sexual violence, sexual misconduct and sexual harassment for staff and students.

Other courses in the top 10 cover discrimination awareness; confidentiality of records; alcohol awareness for students; the Clery Act; bloodborne pathogen exposure prevention; and slips, trips and falls.

While there are 36 different regulatory categories, according to the HECA, those can be distilled to six major areas: miscellaneous federal, civil rights, privacy and information security, international, environmental, and financial (see graphic, left).

Improve the odds of compliance

Figuring out exactly how to comply with the hundreds of federal obligations is no easy feat. And it’s not a job for a single individual.

“Compliance has to be a collaboration,” says attorney Claire Hall, owner of the higher ed consulting firm University Education & Compliance Training, known as UECAT. “Once you know what the obligations are, achieving them is not as difficult.”

The work does, however, require creative problem-solving.

Identifying necessary resources, engaging subject matter experts and strategizing how best to close any potential gaps have become priorities in higher ed, says Stacie Kroll, director of compliance and risk management at Five Colleges Incorporated, which represents Amherst, Hampshire, Mount Holyoke and Smith colleges as well as UMass Amherst in Massachusetts.

When a question about a particular mandate comes up at Smith, the internal subject matter expert will guide compliance committee members in strengthening efforts to support the compliance initiative. Silos within higher ed can make it more difficult to get a handle on who’s doing what with compliance efforts.

Raising awareness of the importance of adhering to mandates is essential to getting whole-campus collaboration, says Jennifer Kirkland, acting general counsel at Washington and Lee University in Virginia. Success relies on establishing accountability.

Institutions lacking a framework for reporting—making it unclear who, exactly, is responsible—have bigger challenges in managing compliance.

Establish a management model

The most common organizational structures associated with tracking and reporting compliance, explains Kirkland, include:

  • Centralized compliance officer. A single point-of-contact is responsible for training, tracking progress and reporting results to the government.
  • Compliance committee. A committee is accountable for the institution’s compliance program. The committee develops a program, collects data from departments and reports results to necessary stakeholders.
  • Internal office in charge. Some colleges rely on the Office of Internal Audit or Risk Management to spearhead compliance efforts and ongoing monitoring.
  • Compliance matrix. Spreading compliance responsibility across multiple departments creates a communitywide effort that can help facilitate culture change. (Washington and Lee’s compliance matrix is available at www.wlu.edu/document/compliancematrix.)
  • Stealth mode. A few schools have no formal structure. “It’s not that institutions are not doing anything to comply,” Kirkland says. “It’s that they don’t have a framework for documenting and tracking.” So they may not really know if they are in compliance.

There are pros and cons to centralized and decentralized approaches, says Scott Wightman, executive vice president at insurance, risk management and consulting firm Gallagher.

In a presentation given on “Enterprise Risk and Compliance Management” for a Community College Risk Management Consortium event, he explained it this way:

“While a centralized effort—designating a single individual or office as the key contact—can be effective, it requires significant resources. Organizations that are completely decentralized often have trouble with execution—incentivizing individuals to perform—while a mix of centralized oversight and decentralized implementation by subject matter 
experts seems to provide the best chance for success.”

The safety of students, faculty and staff has moved to the top of the compliance list, says Hoffman. However, many colleges express the sense that they are still building a foundation of best practices around compliance, rather than being able to simply maintain existing efforts.

At the University of North Dakota, training about safety and compliance has led to a changed culture, says Wynne, with everyone more aware of the need to report concerns.

“We didn’t get safety calls before because no one thought anyone was listening.” Today, with more reports coming in, incidents, accidents and problems have all declined.


Marcia Layton Turner is a Rochester, New York-based writer.