Still reeling from a damning report about Pennsylvania State University’s handling of a child-sex-abuse scandal, the chairwoman of Penn State’s board made a decidedly clinical observation last week.
“We should have been risk managers in a more active way,” Karen B. Peetz said at a Thursday news conference.
In a story about young boys’ being raped in locker-room showers, as they were by a former assistant football coach at Penn State, phrases like “risk management” may sound unduly dispassionate. Yet Ms. Peetz’s statement strikes at the heart of a governance problem that experts say has plagued boards across the country for years. The fact is, many college boards’ approach to risk management is not all that different from Penn State’s.
The Association of Governing Boards of Universities and Colleges and United Educators, a major insurer of colleges, issued a litany of sobering findings in 2009 about risk management in higher education. In a survey completed by more than 600 institutions, less than half of the respondents “mostly agreed” that risk management was a priority at their colleges. A majority, 60 percent, said their institutions did not use comprehensive, strategic risk assessment to identify major risks to mission success.
The findings detailed in the 2009 report, “The State of Enterprise Risk Management at Colleges and Universities Today,” read like a preamble to a document issued last week by Louis J. Freeh, a former director of the FBI. Mr. Freeh conducted an exhaustive investigation of Penn State’s handling of allegations that Jerry Sandusky, a former assistant football coach, had inappropriate contact with young boys on the campus over a period of years.
Mr. Freeh determined that the university’s lack of a robust risk-management system contributed to systemic failures in identifying threats to individuals and the university, and created an environment where key administrators could “actively conceal” troubling allegations from the board. Accusations that Mr. Sandusky showered with a boy on the campus in 1998, and sexually assaulted another boy in a shower in 2001, never reached the trustees.
“The board did not have a process or committee structure at that time for receiving regular reports from university officials about matters of potential risk to the university, such as the allegation against Sandusky,” the report states.
Ad Hoc Risk Management
The same could be said for a majority of the nation’s colleges, which tend to “monitor risk on an ad hoc basis,” according to the report from the Association of Governing Boards and United Educators. Indeed, less than a quarter of respondents to the survey said their board was given regular, formal reports on institutional risk.
More than 75 percent of the survey’s participants were from private colleges, and presidents most commonly responded to the questions. Chief financial officers, trustees, provosts, risk managers, and general counsels also participated.
Janice M. Abraham, president and chief executive of United Educators, said each committee of a college board should receive regular reports on risk factors under the committee’s purview.
“You create a culture of communication, of transparency, and of commitment to risk management,” she said. “By having regular reports to the board, it means the board is messaging to the administration: We know there are risks out there, and we want you to keep us informed.”
Brett A. Sokolow, managing partner at the National Center for Higher Education Risk Management, said a formal reporting structure is important but not a panacea.
“Many boards are independent, but many are really not,” Mr. Sokolow said. “They are very much loyalists, so if the president tells them about something and says we have it under control, I’m not sure a risk-management committee of the board would be that interventionist.”
In March, Penn State’s board revamped its committee structure, adding a Committee on Audit, Risk, and Legal Compliance. By that time, Mr. Sandusky had sexually abused 10 boys. A jury convicted him in June on 45 counts of child molestation.
Penn State has long had an Office of Risk Management with a broadly defined official mandate, but its oversight role, “in reality,” was narrowly tailored to deal with contract-based risks, the Freeh report states. Similarly, the Association of Governing Boards and United Educators report says that most institutions define risk too narrowly, often limiting their scope to financial matters.
The AGB report included a sample risk-assessment table, which could be used to assess the probability and severity of a dozen potential risks. Although it carries a relatively low probability, one listed risk sticks out among the most severe: “Employee with unsupervised access to children is a sex offender.”