Katie Ignatowski (kignatowski@uwsa.edu) is Chief Compliance Officer for the University of Wisconsin System, based in Madison, Wisconsin, USA.
Building an effective compliance program is in many ways akin to a game of whack-a-mole; once you feel fairly confident you’ve got a plan in place to address an emerging risk area, another one is just around the corner. I came to realize this when I started my role as the University of Wisconsin’s first chief compliance officer. With not much more than a few words of advice to guide the way, I set out to learn as much as I could about what would make an effective compliance program at a university. I attended conferences, enrolled in seminars, and picked up the phone to (essentially) cold call anyone who might have some words of wisdom to share. I spoke with many colleagues across the country who had similar experiences, and I quickly learned that compliance meant something different to each person. What follows are the observations I’ve made and how I’ve applied them to my organization’s compliance program.
Two approaches to building a compliance program
Through my process of listening and learning, two types of approaches to compliance programs have emerged. (I’m generalizing to some extent here, but I found these themes to generally hold true.)
The first approach primarily focuses on addressing high-risk compliance areas by providing specific expertise, tools, and resources to mitigate risk. Compliance programs that embody this type of approach may identify high-risk areas through any number of means, but perhaps most commonly as a response to an identified need with no clear owner elsewhere within the organization. When I started my position, each of our 13 universities had a Title IX coordinator, but we needed a dedicated expert at the system level to provide support, tools, and resources. Youth protection (a program to keep children and adolescents safe on higher ed campuses) followed shortly thereafter, so we hired an expert in this field to make sure our youth camps would operate safely. Additionally, we have experts for public records, records management, and ethics.
The second type of approach embodies the second line of defense model.[1] Under that model, compliance is a second line of defense that provides “complementary expertise, support, monitoring, and challenge to those with first line roles” on risk-related matters. This approach embraces the idea that institutional compliance is like an umbrella that makes connections between the many different compliance functions in order to best coordinate resources that serve to leverage expertise across an organization. This approach may focus on building structures, such as a compliance matrix, or conducting initiatives, such as a global compliance risk assessment, that allow for a comprehensive view of the compliance landscape across the entire organization, and it puts leadership in the best position to make informed decisions in an effort to align resources to areas of greatest risk.
There is significant value in both types of approaches, so we built a hybrid system at my organization. We bring on subject matter experts and take ownership of compliance areas that don’t seem to belong elsewhere within our organization, while also making sure we build the capacity to “see the field,” so to speak. We’ve also discovered new efficiencies by recognizing that compliance issues rarely exist in silos and by building compliance structures that can be leveraged across many different compliance areas. Our core focus is now on continuously scanning the horizon in order to determine which new and emerging risks may be just around the corner. This information can be learned through our collaborative relationships with internal audit or risk management, or gathered through external literature or sources such as national associations, the media, or federal or state guidance or legislative action.