Contract & risk management
When it comes to evaluating and dissecting the ins and outs of contract and risk management on the higher education level, Jennifer Adamo, ARM, recommends you view it like this. Universities are like small cities that present a broad range of risk exposures to manage. While the main focus is academics, the university cityscape also includes student organizations, residential life, Greek life, athletics, health clinics, police and auxiliary services, study abroad/international travel, facilities/construction, laboratories/research, experiential learning and internships, events and speakers, youth camps, etc.
And if you take a minute to absorb the enormity of what schools and universities are tasked with overseeing, you will see that each presents unique risks and exposures. This does not even include the institution’s data security commitment as responsible stewards of student, faculty, staff, alumni and donor data–and the scope gets even bigger.
To achieve their goals, Adamo, Director of Risk Management and Insurance at Trinity University, says employees from all of these areas may experience the need to negotiate myriad types of contracts. Each one, she says, legally binds the university and creates exposure to a host of risks that they may not even be aware of.
One way for universities to mitigate contractual risk exposures is through a centralized contract management system. “A contract is a legally binding agreement that defines and governs the rights and responsibilities between two or more parties,” Adamo says. “This contract is intended to be enforceable by law. A written contract sets expectations, rights and obligations for both the university and the third party.”
Entering into a contract exposes university resources—and university employees themselves—to certain statutory and legal risks created through legally binding obligations. Contracts may contain terms, conditions and requirements that the school may not be able to comply with, but they also present an opportunity to protect its interests.
Peeling back the legalese of said exposures, Adamo says the path forward for each higher education area is clear. “It is imperative that employees intending to enter into a contract adhere to established procedures for contract review, insurance, signature authority and record retention in order to protect the university and themselves. This makes for responsible stewardship of university resources. It is important to remember that the dollar value of the goods or services does not have a direct relationship to the amount of potential risk.”
There is no question that the past few years, defined by the pivot to hybrid operations, offered a glimpse of a weakness in longstanding college risk management plans. While many branches within a university may have had contingency plans, few knew how to handle an entire campus forced into closure.
Today, managing risk no longer rests in the general counsel’s office or the audit committee of the board, but involves the entire campus. Coming out of the pandemic, the traditional view of risk management has changed to more of a centralized contract management system.
“A centralized and enforceable contract management policy creates accountability for employees,” Adamo says. “It contributes to compliance with applicable laws and regulations, mitigation of institutional risk, protection of university property, human and financial resources, and alignment with the school’s mission. It streamlines processes, reduces risk and provides a central repository for all contracts and certificates of insurance, thereby reducing wasted time and resources.”
All for one and one for all
The University of California (UC) is one of those schools that has done a good job of facilitating collaboration across its campuses in contract documents. The university has a standing team that works to establish terms and conditions for contracts and purchase orders, as well as special cases like data security.
Every UC campus shares a common set of contract templates and terms and conditions that they use to conduct business and manage risk. This team helps the UC system be of common mind and speak with a stronger voice when negotiating with suppliers.
Justin Sullivan, Associate Vice Chancellor and Chief Procurement Officer at the University of California San Francisco, says education is as important as any provision in a contract. “Contracts try to anticipate what will happen if something goes wrong. Education plays the important role of preventing it from happening in the first place. Educating your campus on how to be a responsible member of the community can make a huge difference in the number of incidents a campus experiences and the severity.”
When it comes to drafting, reviewing and negotiating contracts, Sullivan says the process at UC is a team effort. While it tries to ensure everyone has the core skills needed for most contracts, it is critical to identify go-to experts for areas like data security or conflict of interest. Identifying these go-to experts helps the respective parties think through the nuance of a situation.
“We do our best to stick closely to our standard terms and conditions,” Sullivan says. “Barring that, negotiating with a clear picture of who will be using the product and how it will be used and making sure that your risk terms are appropriate for the situation.”
As it pertains to identifying and assessing risks, Sullivan has a handful of go-to rules he follows. Those include asking what data is being sent between organizations? Where will it be stored and how will it be used? The questions help define the risk of the activity. In addition, is the supplier taking legal responsibility for the solution, i.e., doing what it says it is going to do?
“After the beautiful PowerPoint and glossy demo, if the solution is basically as is, where is and at your own risk, ask some questions,” Sullivan says.
In the emerging world of AI Machine Learning Models, Sullivan says universities at least have a point of contact to help review and negotiate contracts. “The technologies have the potential to help us review contracts faster and more accurately. This should really allow our team to spend more time on strategies for managing the actual risks rather than identifying where it might be lurking in the contract. I think eventually if you are not using these tools, you will be at a tremendous disadvantage negotiating with companies that are exploiting them.”
Like it was before, higher education professionals must continue to pay close attention to varying degrees of risk management processes and plans. Doing so ensures that they are always giving themselves the opportunity to receive the right level of information at the right time.
5 ways to better risk management
- Identify the risk — Leverage the collective knowledge and experience of your entire team. Ask everyone to identify risks they have either experienced before or may have additional insight about. This process fosters communication and encourages cross-functional learning.
- Analyze the risk — Once you have identified possible problems, dig deeper. How likely are these risks to occur? And if they do occur, what will the ramifications be? How will you respond? By putting each risk under the microscope, you can uncover common issues across a project and further refine the risk management process for future projects.
- Prioritize the risk — Rank each risk by factoring in its likelihood of happening and potential effect on the project. This will give you a holistic view of the project at hand and pinpoints where the team’s focus should lie. Most importantly, it will help you identify workable solutions for each risk.
- Treat the risk — Starting with the highest priority risk first, task your team with either solving or at least mitigating it so that it is no longer a threat to the project.
Effectively treating and mitigating the risk also means using your team’s resources efficiently without derailing the project in the meantime.
- Monitor the risk — Clear communication among your team and stakeholders is essential. Send regular project updates. Check in with your risk managers individually to ensure there aren’t any red flags popping up throughout the project. Actively maintain the risk register. It should be a living document you and your team refer to often.
Source: Lucid (https://www.lucidchart.com/blog/risk-management-process)