Risk management and compliance are two of the core operational functions of colleges and universities that intersect the most with the law. Even more so than compliance, which at some institutions is part of or reports to the legal department, risk management is usually a separate unit, but the overlapping issues are substantial. The March/April “Legal Standpoint” column discussed compliance and the law. This column discusses four points regarding risk management and the law that are of particular importance to board members and senior leaders.
An important first step in any risk management program is the identification of risks that must be addressed. While not all risks have a legal component, most do. Each of the generic risk categories—reputational, financial, compliance, operational, strategic, and governance—is populated with specific risks that cannot properly be identified and understood without an understanding of the law.
The following examples in each generic category illustrate this point:
1. Reputational – Most risks pose the danger of reputational harm. An example of current relevance that has legal implications is sexual misconduct by an institutional official or widespread sexual misconduct within the institution.
2. Financial – Risks of financial impropriety such as embezzlement or theft involve violations of the law. Also, such business risks as financial viability, creditworthiness, and counterparty risks raise legal issues based on contractual obligations to lenders and other third parties.
3. Compliance – All compliance issues pose legal risks. One example with a high degree of severity is a compliance failure in federal sponsored research or financial aid programs that results in claims by a whistleblower and/or the
federal government alleging violations of the False Claims Act.
4. Operational – Risks of tort and statutory liability arising from institutional operations involve legal concepts of duty and negligence.
5. Strategic – Failure to consider legal risks and opportunities (and lost opportunities should be part of any risk management program) in connection with a technology transfer program can cause strategic and financial harm. As a further example, strategic choices that lead to significant employment decisions—such as layoffs—create employment and labor law risks.
6. Governance – Conflicts of interest by board members can result in reputational harm and violations of law, institutional policy, and fiduciary duties.
Second, once the key risks facing the college or university have been identified, a good risk management program must analyze and evaluate the risks, including the probability and severity of an occurrence. For most risks, because of the overlap-ping legal issues, lawyers can help analyze and evaluate what can go wrong and the consequences when bad things happen. For example, lawyers can help analyze the likelihood and severity of government investigations or litigation; the chances of contractual disputes; and health, safety, and environmental risks, which in turn depend on analysis and evaluation of legal requirements and obligations.
Third, after identifying, analyzing, and evaluating the most important risks that an institution faces, a good risk management program should develop a plan for managing the risks, including describing current risk management efforts, identifying gaps, and proposing solutions. Management of risks may include policy development, auditing, monitoring, and insurance. Lawyers can help prepare and implement appropriate risk management policies, coordinate with internal audit, decide on types and levels of appropriate insurance coverage, and help to develop other risk mitigation initiatives.
Fourth, as with compliance, a good risk management program involves buy-in and leadership from the board and college and university officials. Risks should be assigned to board committees and the risk manager should make regular presentations to the board. Lawyers can work with the risk manager and help develop governance structures (should there be a risk committee?) and policies (a formal risk plan?) that provide for consideration of the risks facing the college or university. For all risks that involve legal issues, lawyers should be at the table in orientation sessions and board meetings during which such risks are discussed.
Steve Dunham, JD, is the vice president and general counsel for Penn State University.
Share on LinkedIn
