From allegations of mishandling sexual assault complaints to abusive coaching practices to widespread academic fraud, the high-profile risks that commanded the attention of colleges and universities lately are prompting some big compliance changes in the higher education sector.

Over the last two years, numerous universities have appointed their first ever chief compliance officer, including Penn State, Northwestern University, the University of Miami, the University of New Mexico, and more. With these appointments, many universities are just now developing a central compliance department for the first time.

“When you look at universities, academic medical centers almost uniformly have robust compliance programs by the nature of the industry—but academic medical centers aside, a central compliance function is a newer concept than in the corporate world,” says Robert Roach, CCO of New York University. Roach joined NYU in 2006 to establish its first ethics and compliance program.

In some universities, these changes were not unprompted. The poster child is Penn State, which appointed its first chief ethics and compliance officer in 2013 following the sex-abuse scandal surrounding former Penn State assistant football coach Jerry Sandusky.

“People benchmark us a lot, probably for the wrong reasons,” says Regis Becker, Penn State’s chief ethics and compliance officer. “We obviously had a crisis, but that led to a lot of good governance changes.”

Prior to the Sandusky scandal, Penn State had several compliance departments, “but there wasn’t a central function coordinating it,” Becker says. Today, the university has an Ethics and Compliance Council, which meets 10 times a year and serves as an advisory board with oversight responsibility for all university ethics and compliance matters. 

The Council is made up of 20 individuals who are heads of the university’s functional ethics and compliance units, including research, athletics, human resources, student affairs, and more. According to its website, the mission of the Council is “to help develop strategy, evaluate results, suggest improvements and updates, and provide oversight for the overall ethics and compliance program.”

Several other university compliance officers describe similar central compliance functions. The University of New Mexico (UNM), for example, used to have siloed compliance units until 2013, when UNM appointed Helen Gonzales as its first chief compliance officer.

Gonzales says she has since established an Institutional Compliance Committee made up of “compliance partners” across the various compliance units. These individuals are responsible for identifying risks in their respective compliance areas and developing mitigation strategies, she says.

“As the compliance office, we work as an adviser to assist them,” Gonzales says. This means overseeing the program and ensuring that they have appropriate internal controls and strategies to identify and manage the highest risks in their compliance areas, she says.

The larger the university, the more compliance committees. NYU, for example, has not only a senior-leadership executive compliance committee, but also designated compliance and risk officers who exercise day-to-day responsibility for the compliance and risk program. Their activities are coordinated through several compliance and risk committees whose members include administrative and academic officers, as well as representatives of the university’s global campuses in Abu Dhabi and Shanghai.

“An effective compliance program has to build alliances with the administrators who run the different departments to ensure compliance is a priority.”
Frances Bouchoux, Interim Chief Enterprise Risk Management, E&C Officer, Rutgers University

“To me, those committees are the heart and soul of the compliance program, because through them over the last eight years, we’ve really developed a culture of compliance where day-to-day, mid-level managers are intimately involved in executing all the elements of an effective compliance program,” Roach says.

Frances Bouchoux, interim chief enterprise risk management, ethics and compliance officer for Rutgers University since last year, agrees that collaboration between compliance and its committees is an essential component of a robust university compliance program. “An effective compliance program has to build alliances with the administrators who run the different departments to ensure compliance is a priority,” she says.

Equally important is the compliance department’s relationship with internal audit, Gonzales and Bouchoux says. Both say they work in close collaboration with internal audit to ensure they’re focusing their audits on the most significant risks.

Compliance Hurdles

When first implementing a compliance program, the biggest hurdle to overcome is “getting people to understand what the compliance function is and what it is not,” says Rudolph Green, CCO of the University of Miami since 2013. It’s about letting people know that we are here “to help improve business operations by mitigating the risk associated with compliance and ethics violations. We’re not here to just police,” he says.

Similar to corporate governance, tone at the top also is important. “You cannot effectively create cultural change unless the leadership of the organization is involved in the cultural change,” Green says.

Equally important is where the CCO sits within the university. “Whoever is in charge of the compliance program has to be a high-level official and has to have the attention of the highest level executives in the organization,” Green says.


Below is an excerpt from the report, “Recalibrating Education of Colleges and Universities,” conducted by the Task Force on Federal Regulation of Higher Education.
One early effort to estimate costs [of compliance] was undertaken by Stanford University in 1997. It estimated that even by a conservative accounting, the university incurred about $29 million yearly in ongoing regulatory compliance costs. Stated another way, Stanford spent 7.5 cents of every tuition dollar on compliance.
Given the increased volume of federal mandates, those costs are undoubtedly higher today. A more comprehensive and recent effort to quantify these costs was undertaken by Hartwick College in 2011-12. A self-audit prepared over the course of a year at the direction of Hartwick’s president revealed that for a modestly sized institution, compliance-related activities cost the college $297,008 annually and required more than 7,200 labor hours for data collection and filing of required reports and forms. Hartwick estimates that the actual cost of compliance could be as much as 7 percent of its non-compensation operating budget. This study provides an important model that other colleges have used in their efforts to estimate the costs of regulation.
Another far-reaching analysis was launched by Vanderbilt University in 2014. Initial findings reveal that approximately 11 percent, or $150 million, of Vanderbilt’s 2013 expenditures were devoted to compliance with federal mandates. Nearly 70 percent of these costs were absorbed into different offices, affecting a broad swath of faculty, research staff, administrative staff, and trainees in academic departments. Vanderbilt is currently working with other institutions to test its methodology on different campuses.
In addition to these institution-specific efforts, other research shows that the cost of institutional compliance with regulations is rising, both monetarily and in terms of time. A recent publication by the American Action Forum found that the number of individuals in higher education with the title of “compliance officer” has grown by 33 percent in the past decade. Using publicly available data, the Forum also determined that institutions spend 26.1 million hours annually completing Department of Education-mandated forms. This figure did not include regulatory burdens that go beyond completing forms, meaning, for example, that efforts like the time required to develop and implement compliance policies were not considered.
Source: Senate Education Committee.

Several university CCOs say they report directly to the university president, as well as to the audit and compliance committee of the board. The University of Miami, UNM, Rutgers, and NYU all have such reporting structures in place.

University vs. Corporate Governance

University governance practices and corporate governance practices differ in some significant ways, particularly concerning the decision-making process. “I came out of 27 years in Corporate America to this job, and the biggest difference is the shared governance and collaborative nature of universities,” Becker says. “It’s not a top-down management infrastructure.”

At Penn State, for example, any changes the university makes follow a lot of debate and discussion from the senior administration, staff, faculty, and student representatives, Becker explains. “It takes a long time to get things done because of that,” he says. Several other compliance officers shared this sentiment.

Many university compliance officers say they further contend with a far more complex regulatory environment than companies. “We’re one of the most heavily regulated industries,” Bouchoux says.

Consider, for example, the findings of a recent report conducted by the Task Force on Federal Regulation of Higher Education, which noted that the Education Department issues new guidance to amend or clarify its rules at a rate of more than one document per day. “As a result, colleges and universities find themselves enmeshed in a jungle of red tape, facing rules that are often confusing and difficult to comply with,” the report stated.

Unlike a company, which generally must comply only with rules and regulations specific to its industry, a university must comply with rules and regulations spanning several industries—pharmaceutical, procurement, export controls, and more. “The amount of compliance obligations is astronomical,” Gonzales says.

Imagine, then, the regulatory complexities of a global university like NYU. The regulatory environment is becoming more complex not only due to the ever-increasing number of U.S. regulations, Roach says, but also as the university expands its global footprint and has to comply with the laws of other countries where it has operations.

Rutgers also is facing some unique compliance hurdles following its merger in 2013 with the University of Medicine and Dentistry of New Jersey (UMDNJ)—one of the largest academic mergers in U.S. history. “We went from being a large university with no healthcare services to an even larger university with substantial healthcare services,” Bouchoux says.

Rutgers now has to comply with healthcare regulations, something it never encountered before. “We had the benefit of taking on much of the compliance office that had been built at UMDNJ, and it’s a very robust program,” Bouchoux adds. A huge challenge for the university right now is making uniform “all those processes: student services, procurement, research, HR—virtually every aspect of what we do,” she says.

As the regulatory environment grows more complex, so, too, will the need for universities to develop central compliance programs. With robust collaboration and communication, compliance can be “an asset to the organization,” Green says, “not just an appendage.”