Why Boards Should Take Risk Oversight Role More Seriously

Published in, Agenda
By, Stuart R. Levine

Stuart Levine is a director at Broadridge Financial Solutions and the founder of Stuart Levine & Associates, a management consultancy.

Over the past two years, scandals in the athletic departments at both Rutgers and Penn State universities rocked the sporting and higher educational worlds. Firings included Rutgers’s basketball coach, assistant coach, the head of the athletic department and general counsel as well as Penn State’s president, CFO, athletic director and a revered coach.

The issues facing the governing boards of these major multi-billion dollar educational institutions and those of corporate boards are essentially identical.

Many board members of educational institutions are themselves corporate CEOs. The 11-member board of governors of Rutgers and the 32-member board of trustees of Penn State contained numerous well-known and well-regarded CEOs and corporate senior officers. These uncompensated volunteers are responsible for the same duty of care that corporate board members face, and must follow the best practices outlined by the Association of Governing Boards and home state by-laws. The problems at these institutions illustrate three important governance points, including: The board’s role in creating and monitoring enterprise risk management (ERM) policies and procedures; its requirement for a thorough understanding of reputational risk; and its provisions to prepare for strategic communications in advance of a crisis. While not required by law, these provisions are widely regarded as best practices that all directors, including those on corporate boards, should adhere to.

For both universities, there were storm clouds on the horizon well in advance of the storm, but preparations appeared not to be in place.

In December 2012, the Rutgers basketball coach was suspended for bad behavior, a limited and legalistic response, although his behavior clearly violated the values of the university. A video documenting his behavior that caused the dismissal aired on ESPN on April 2; the coach was fired on April 3. The late response, only in reaction to public pressure, damaged the university’s reputation and that of its board.

At Penn State, senior university officers testified at a grand jury proceeding convened for the child abuse case. The board was apprised of the preceding months before the “story” broke, but neither the administration nor the board instituted an in-depth examination of the situation’s potential effect. The board asked no questions about it. When the storm struck, Penn State’s board was unprepared.

The reputation of any organization’s brand is critical. It affects the institution’s culture, its ability to attract and retain quality students and faculty, and its standing within the community. There are direct parallels with a corporation’s reputation and brand.

Boards must have a robust ERM plan in place well in advance of any crisis. The plan describes a structure and a method for identifying, measuring and documenting risk. Management and the board are responsible for it. The board must assure its high quality and its integration into regular operations. ERM may involve compliance, but it must extend well beyond compliance into matters that affect reputation, not just law.

A chief risk officer (CRO), who may also be the chief compliance officer, oversees ERM. The CRO monitors events in real-time to look for storm clouds. The position usually reports to the president or general counsel. The CRO must also have a direct line to the audit and/or governance committees of the board, meeting with them independently at least once every six months. The CRO must be vigilant. The responsible board committees, as part of their duty of care, must also be vigilant and ask questions.

If the board committee overseeing risk senses a problem, it should notify the chair and initiate the “machinery” of the ERM plan that has been put in place, with particular attention to the strategic communication plan. At Penn State, the lack of preparedness in strategic communication was damaging to its stellar brand. The university community, including 500,000 alumni, watched helplessly as the media created a damaging story, which many viewed as inaccurate. Indeed, the university relied on external firms to create a message in the middle of the storm, as no advance strategic communication plan was in place. It did not work.

These institutions, through their adversity, have created a teachable moment for all boards. It is our responsibility as directors to learn from them.