Joseph Agins (jxa101@shsu.edu) was interviewed in April by Gerry Zack (gerry.zack@corporatecompliance.org), Chief Executive Officer of the SCCE & HCCA.
Joseph Agins, CCEP, CFE, Institutional Compliance Officer at Sam Houston State University in Huntsville, Texas, USA
GZ: You’ve been in the higher education compliance arena for more than 12 years now. What are the biggest changes you’ve observed in how compliance has been approached over that time?
JA: Well, certainly there has been more importance placed on having compliance programs, and more and more institutions are realizing the added value that a robust compliance program can have, not simply by keeping the institution compliant, but also improving the institution’s culture. As with many industries, compliance is often looked at somewhat negatively and like a thorn in your side that you are occasionally forced to deal with. I think we are now seeing that institutions are starting to realize the real value proposition of having a good compliance program, and the compliance program is looked at as more of a positive as opposed to a negative.
GZ: Compliance in the higher education environment has many diverse elements, from student financial aid to research, privacy, and many other areas. How is this complexity reflected in how your compliance function is organized, how responsibilities are assigned, etc.?
JA: Managing compliance at a university is, in many ways, like managing compliance in a small city. We seem to have it all—from athletics to the Americans with Disabilities Act, student financial aid to Title IX, the Clery Act to campus safety. Yes, compliance in higher ed is indeed very complex. Did I mention we have a body farm here at Sam Houston State University (SHSU)? Universities have literally hundreds and hundreds of vastly varying compliance requirements they need to comply with. As such, SHSU has a very decentralized model where minimal compliance responsibilities are actually owned by this office. We focus more on identifying the experts (our compliance partners) in different areas and then work with them to understand where they are at, what the challenges and gaps are, and provide assistance to them as much as possible. My role is more of a problem solver, partnering with these experts and developing workable solutions to sometimes very complex compliance issues.
GZ: Can you describe how your compliance team is structured and how you decided on this structure?
JA: I am in some ways a one-man show. I was brought on to help build a compliance program where no such official program had existed. There was, of course, great compliance work going on all around the institution but no formal compliance program to bring it all together, to provide assistance, and to collaborate with our compliance partners. There was no way to fully understand our compliance posture, as a whole, to provide compliance information to leadership so they could understand where we were at and what gaps there were, so they could then make informed decisions on where we needed to focus our resources when it came to addressing said concerns. We have a great program now, and this decentralized structure seems to work very well for us.
GZ: You have more investigative experience than many compliance professionals. How has this assisted you in your work to proactively manage compliance risks?
JA: Like you, in addition to being an ethics and compliance guy, I do have a deep background in fraud and investigations, as well as a strong passion for both. They actually allow me to teach a white-collar crime class in our criminal justice college, which I really enjoy. Ask any investigator worth their salt or take any good course in investigations/investigative interviews, and you will hear about “building rapport.” Good investigations and investigative interviews are all about rapport and relationships. Although I no longer do many investigations, my job as compliance officer is all about relationships and building rapport. If others do not buy in to your compliance program, you are not going to have much success as a compliance officer. To get folks to buy in, you have to create relationships and be able to articulate the value proposition for compliance. When people know/trust you and understand how compliance benefits them, they comply because they want to and not because they have to. Dwight Eisenhower once said, “Leadership is the art of getting someone else to do something you want done, because he wants to do it.” To do this you must build and have strong relationships with folks.
GZ: Data privacy is more important and more complicated than ever. It entails numerous requirements based on the jurisdiction that the individual is associated with (e.g., a student’s citizenship, the US state where the institution is located). Can you give us a sense of how this risk area has affected your work, and how you attempt to keep current on the requirements?
JA: I think if you asked any compliance officer in higher ed, they would list data privacy in their top three items of concern/importance, and this may not have been the case years ago. We have a responsibility to keep our student, faculty, and staff data secure, and this is not simply an IT department issue/responsibility. Compliance has a big role to play here in supporting IT’s efforts in this most critical of areas. So, let’s just say a good part of my work is dedicated to this effort—and rightly so. With legislation like the EU’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the Brazilian Data Protection Law (LGPD) to consider, I spend a lot of time reading articles, attending conference sessions, speaking with other compliance officers and picking the brains of experts like Robert Bond to understand applicability and best practices.
In April, the Georgia Institute of Technology (Georgia Tech) announced they had suffered a data breach and that “an unknown outside entity” had access to data of 1.3 million people. Can you imagine? I mention this not to criticize Georgia Tech but more so because it is very recent and because this shows it can happen to even the best of institutions. We all have to be better stewards of our data and much more thoughtful on what we choose to house, how we house it, why we are collecting it in the first place, and how we ultimately protect it. GDPR, CCPA, and LGPD are all about better data hygiene practices, and I view these laws as the wave of the future. So we need to get on board, because this genie is not going back in the bottle, and more importantly, it’s the right thing to do.
GZ: Athletic programs in higher education have been on the front pages for numerous compliance and ethics scandals in recent years. Where should a compliance officer start in assessing and addressing the risks that have come under the compliance microscope in this area?
JA: Yes, athletic programs in higher ed seem to be in the news much too regularly, and once again, we saw athletics as part of the recent college admission scandal that broke back in March. As to your question, I think compliance officers have to start at the top when it comes to assessing and addressing the risks in this area. And by top, I mean the top of the institution and not the top of the athletics department. The latter is, of course, important, but if we look at almost all of the big scandals that you are alluding to, the tone from the very top was not optimal. This combined with the power and idolatry of some of these athletic programs can make for a very dangerous combination. So I would want to be assessing the tone from the very top and drilling down from there.
GZ: Another higher education issue that has entered the scope of compliance officers’ work involves student and fraternity behavior, everything from bullying to assault. How has this affected your work?
JA: I just read an article today on how another Texas university just suspended all fraternity and sorority events on campus due to “concerns regarding the culture of the fraternal community both at UTA and nationally.” Unfortunately, there are all too many news articles involving these types of concerns, and certainly, no institution is immune. Although philanthropy and leadership opportunities are cultural components of Greek life, the partying is as well. And, it is in this third area where we typically see the assaults, excessive drinking, bullying, sexual assaults, etc.
We must do our absolute best to protect our students, and one need not look very far to find other very prestigious and renowned institutions that have failed in this area and mishandled sexual assaults. We have a very robust program here with great leadership and support from the highest levels. To tackle this issue we have to work together across the institution to come up with creative solutions to very complex issues. It takes a lot of effort to change a culture, but as compliance professionals, we understand this and thus have a lot to bring to the table.
GZ: As more areas that have traditionally been “off limits” find their way into the scope of compliance professionals, do you see this trend continuing, and do you see any likely “next areas” for compliance in higher education?
JA: Two words, “varsity blues.” I’m not sure there are any areas that are truly off limits anymore. However, the varsity blues scandal[1] is certainly a recent reminder that culture matters, gaps exist, and a strong and targeted compliance program can provide benefits. Such scandals are an unfortunate stain on our industry, and no one likes hearing this stuff. However, these are also opportunities for us to get better, and I feel we will all be better because of these incidents. Anytime a brighter light is shone on the raison d'être for compliance and the value proposition it provides, the better things will be in the long run.
I may be looking harder than others since I work in the education industry, but you don’t have to look very hard to see major institutions in the news for things they do not want to be in the news for. It would certainly appear that there may be room for some compliance and ethics work in the area of enrollment, etc. The ability to undermine the integrity of a school’s admission process—like we saw in varsity blues—is a big deal, and obviously, many institutions were not doing enough in this area.
GZ: You recently wrote about and spoke at the Higher Education Compliance Conference about “compliance by wandering around,” encouraging compliance professionals to get out and have conversations and observe. For readers who haven’t ever experimented with this, what are some tips for beginning to incorporate this into their routine?
JA: I am a staunch believer in what I like to call compliance by wandering around. This is, of course, my play on the popular management philosophy “management by wandering around,” used by Hewlett-Packard and highlighted in the best-selling book by Peters and Waterman, In Search of Excellence: Lessons from America’s Best-Run Companies.[2] It is my belief that in order to be successful compliance officers, this general philosophy must apply. We absolutely must get out and wander around our organizations.
I expand more in my article and presentation, but my primary tip would be to, very simply, get out from behind your desk and go meet with people! Listen, learn about what they do and who they are, and offer support and assistance. If you are going to spend the bulk of your time sitting behind your desk and waiting for compliance issues to come to you, you are going to be waiting a long time, and many issues will never make it to you. However, the more you are out there, the more people will get to know and trust you, and the more they will inform you and seek your help. So put your walking shoes on and start wandering!
GZ: Thank you very much for sharing your experiences with our readers.