cfo.com


Penn State Disaster a System-Wide Failure

Risk experts I've spoken to have the same question: What happened to risk management at Penn State?
Caroline McDonald, CFO.com | US
August 6, 2012

Power corrupts, as the old saying goes, and this was certainly the case at Penn State University, which for years chose to shield a pedophile rather than risk the reputation of its lucrative football team.

From top to bottom, the system failed: from the then-president to risk management to the school's janitors. They all chose to protect themselves rather than risk losing their jobs or damaging the football team, according to the 267-page Freeh Report released in July.

The report found that four of the most powerful people at Penn State - its president, senior vice president, athletic director, and Joe Paterno, its venerated head football coach - all failed to protect children from a predator.

Those individuals were also "unchecked" by the board of trustees, which did not perform its oversight duties. Even after the board was made aware of investigations of Jerry Sandusky, it was unprepared to deal with the crisis. In other words, the entire system failed the kids entrusted to its care, according to the report.

Risk experts I've spoken to have the same questions: What happened to risk management at Penn State? How could something of the magnitude of the Sandusky scandal stay hidden for so long?

Not only were there witnesses to some events involving Sandusky and young boys on the Penn State campus, but law enforcement was also called in. Yet nothing was done, and the school never took action. Penn State has even had a list of policies and procedures to go by since 1986, "promoting ethical conduct and encouraging crime reporting," according to the Freeh Report.

Risk-management expert Kristina Narvaez, president and CEO of ERM Strategies LLC, explains that like the leaders at Penn State, CFOs might also not be aware of enterprise risks throughout their own organization, because often risks are seen in silos. While a risk may be recognized in one department, it may not be well understood how the risk can affect other areas of the organization.

Most organizations in the United States have not fully implemented enterprise risk management (ERM) - which is designed to take a holistic, enterprisewide approach - into their strategic-planning process, Narvaez says.

While it's tempting to believe that was then and this is now, and that things would be different with today's risk management and board oversight, a 2011 survey shows that not a lot has changed. A survey of higher education governance by the Association of Governing Boards of Universities and Colleges found that in terms of risk assessment, only about one-third of all boards have a formal process for comprehensive risk assessment, which may be why reputational risk disasters keep happening.

Robert E. Hoyt, professor of risk management and insurance at Terry College of Business, University of Georgia, observes that word about Sandusky got out at the top of the organization, but the decision was made not to take action. And "if there is no willingness to take action, the crime will continue," he says.

Whether or not a protocol existed for this type of offense is also a question, he says, adding that this kind of situation is something all campuses need to be on the watch for, since universities bring young people onto their campus for summer programs. One thing schools need to be diligent about is background checks, he says, especially for adults working with youths.

Despite all the head-scratching and soul-searching, this much remains obvious: a university's or a company's risk management is only as good as it is allowed to be. If everyone chooses to hide an issue, it will remain hidden, for a while.

The mistake organizations make, including the Catholic Church and other large institutions, is believing they can keep something like this concealed. As we've seen over and over, the truth will come to light, and the longer an organization waits, the worse the damage.

The important thing is that such organizations have turned their backs and failed to do the right thing: that is the reputational risk. The collateral damage is the reputation of a fine school and its football team, and the funding that helped the school's educational programs. Sadly, many innocent people are being punished along with the university.

 



