Heightened regulatory and compliance pressures on universities and foundations are prompting some rapid shifts in risk management.
“We’re in the most consequential regulatory period for higher ed in a generation,” according to George Suttles, executive director of the Commonfund Institute, who is based in New York City. “Colleges, universities and affiliated foundations or institutionally related foundations are navigating simultaneous pressure from federal enforcement, new tax law and the fundamentally shifting funding environment, all at the same time.”
The regulatory changes that took effect when Congress passed 2025’s One Big Beautiful Bill Act have spurred universities and foundations to reevaluate the operational risks they face. They are scrutinizing expanded reporting requirements, broader definitions of self-dealing and executive compensation, along with greater federal capacity to revoke nonprofits’ tax exemptions.
Advisers and consultants who are helping draft new policies and procedures to adapt to the altered regulatory climate point to the benefits of applying a multi-dimensional enterprise risk management framework, gathering new sources of data, documenting policies clearly and increasing board education.
Institutions of higher education, in particular, face multiple risks given the new regulations: potentially less federal funding, as well as possible reduced student enrollment due to demographic trends.
“It’s something I’ve been referring to as a poly-crisis,” Suttles says. “Higher ed is navigating multiple, interrelated crises at once, and the institutions that come through this well are the ones that got ahead of it, rather than waiting to react.”
Consider All Angles
Suttles highlights the importance of adopting a multi-dimensional enterprise risk management framework to help an institution evaluate interconnected and multiple crises. He says it will help universities and colleges confront the regulatory changes, while also grappling with the potential for declining enrollment and declining revenue, given demographic changes and the financial realities of families facing higher tuition bills.
He emphasizes the benefits of looking at all the risks, testing hypotheticals and analyzing outcomes relative to a stressed revenue model. Institutions should evaluate the impact that one risk or multiple risks would have on the organization if just one negative outcome occurs or if several happen at the same time.
“Multi-dimensional risk management frameworks are allowing you to see as much as you can of the shifting landscape as possible and then make decisions in real time,” Suttles says.
Consultant McKinsey & Co., in a document about its risk and resilience offerings for clients, stated: “The complexity and compounding nature of disruptions—from macroeconomic volatility, geopolitical shifts, and climate change to regulatory changes, cybersecurity threats, and public health emergencies—has flipped the risk management playbook on its head.”
It also, in a recent publication , described enterprise risk management capabilities as necessary to help clients weather economic crises using stress testing and rapid-recovery programs.
“Natural or operational disasters resulted in the creation of effective crisis-response projects,” wrote Senior Partner Cindy Levy and McKinsey Global Institute Director and Senior Partner Olivia White in a paper about enterprise risk management and risk culture. “Far-reaching regulatory and supervisory actions triggered work to articulate strategic risk appetite and strengthen internal-control frameworks.”
Establish the Right Processes
These interconnected policy issues are also altering how business- and board-level decisions are being made. For example, in the past, an endowment’s budget, planning and finance office would field any issues pertaining to taxes. But Suttles says he is now seeing everything elevated to a governance and leadership challenge, and he is advising the creation of cross-leadership committees and task forces that include representatives from management and trustees.
“We can’t manage these issues in silos, and the trustees can’t kick them down to management and say, ‘That isn’t in our purview,’ and management can’t say, ‘We don’t want trustees micromanaging us,’” Suttles says. “Everything has to be considered a governance and leadership challenge.”
Tony Lissuzzo, a senior vice president and a consultant in Callan’s Chicago office, sees new federal laws affecting endowments, foundations, health care institutions and public pensions with varying levels of severity. For many of the middle-market foundation and endowment clients with which he works, he finds applying Callan’s experience from working in the pension industry—one of the more regulated industries—provides a helpful parallel.
As a starting point, Lissuzzo recommends reviewing an organization’s governance documents and ensuring everything is set up in a thoughtful way. Next, he stresses the importance of having in place clearly delineated fiduciary lines—for instance, separating the investment policy statement, including fiduciary responsibilities, from a statement of beliefs that reflect the broader mission and beliefs of the organization.
“A lot of community foundations or endowments or arts organizations will have a statement of beliefs, and sometimes a committee would say, ‘This is how we want to think about investing,’ but you don’t want to put that in an investment policy statement, because that’s a fiduciary document,” Lissuzzo says. He adds that in today’s environment, given regulatory changes, he recommends reviewing that the corporate governance structure is set up correctly and that anything that is not a fiduciary responsibility goes into a statement of belief.
Start at Square 1
Lissuzzo also sees a secondary benefit in reviewing governance documents and fleshing out a statement of beliefs, because those conversations help guide investment committee meetings during challenging times.
“When something like this comes up, a lot of the conversations at the investment committee meetings have been, ‘What do we do?’” Lissuzzo says.
The committee members can then look at the investment beliefs and ask how they may be impacted by events and circumstances. Additionally, committee members can identify other issues they need to consider.
Lissuzzo finds this exercise especially important when working with a new client. He recommends starting with a comprehensive enterprise review that would vary by organization. For a hospital, it would involve looking deeper at the balance sheet and operating metrics; for a community foundation, it would involve delving into plans for grantmaking and fundraising; and for larger organizations, it would involve identifying employees earning more than $1 million, along with other reporting requirements.
“We try to get a full picture of the organization so when a change occurs, we know where it’s going to impact them, and we don’t have to play catch up,” Lissuzzo says.
For midsize foundations and endowments, Lissuzzo is also increasing education about regulatory and compliance changes and how those changes may or may not affect the organizations. For midsize private foundations, grant reporting has become more important, particularly if the foundation has shared services with a family office.
“They have to start dividing that more and more,” Lissuzzo says. “There’s a few things that we can help them [to] document more [of] what they’re doing, rather than change what they’re doing. A lot of these policies have been in place, but it’s more being affirmative in that, ‘Yes, you have good policies in place, and let’s document those.’”
Due to having such policies in place, Lissuzzo does not see his clients as at risk under increased federal authority to revoke nonprofits’ tax-exempt status.
Still, he stresses the importance of ongoing and continued education about good governance procedures. For example, with hospitals or universities that have employees earning at least $1 million—including, for example, college basketball coaches or CIOs—facing a new 21% excise tax on employee compensation, the key is once again to document it.
“Now you have to make sure you account for that and report it,” Lissuzzo says.
Document Everything
Similarly, with the new focus on eliminating self-dealing, Lissuzzo sees establishing and documenting practices as offering protection. The OBBBA changed the law regarding the 21% excise tax on executive compensation, which, starting this year, applies to all current and former employees of an “applicable tax-exempt organization” earning at least $1 million in compensation. Before the change, the tax only applied to the five most-compensated employees in an organization that were paid at least $1 million. Under the OBBBA, the tax applies to anyone earning compensation exceeding $1 million, and the provision is retroactive to include taxable years after December 31, 2016.
“We don’t want to overburden people with worries or concerns; we want to overburden them with, ‘Let’s do it right up front—let’s figure out the new reporting requirements,’” Lissuzzo says. “Let’s figure this all out—let’s put processes in place.”
Jennifer Gniady, a Washington-based partner at law firm Stradley Ronon who chairs the firm’s religious, educational and nonprofit organizations’ practice, also advocates that organizations take time to review their policies and procedures.
“Periodic review of policies and procedures to ensure their compliance is something that should be done regularly, and especially whenever there’s a change in administrations,” Gniady writes in response to written questions. “But universities and foundations shouldn’t undertake wholesale changes where there’s significant doubt about vague policies or enforcement warnings that aren’t part of more authoritative guidance processes. Taking time to really understand the implications is important so you aren’t overreacting or underreacting to changes.”
From a legal perspective, Gniady says the biggest challenge is the need for institutions to get further guidance that will lay out practical implementation and the limits of things such as revocation of tax-exempt status. For example, she asks, what does it really mean to be threatened with revocation for almost any level of noncompliance?
“We don’t really know, but we are seeing a number of successful challenges to arbitrary and even retaliatory actions,” Gniady adds. “No one wants to be the target of these actions, but it’s clear there’s a path to mitigating them.”
Looking ahead, it is hard to anticipate which regulatory and compliance changes will be lasting ones, but Gniady notes that changes that correlate closely to clear directives, such as Supreme Court decisions or administrative changes supported by significant due process, are most likely to remain.
“We know from past experience that directives based solely on executive orders tend to seesaw whenever administrations change,” Gniady says. “What’s most likely to stay long-term among universities and foundations are the lessons they’ve learned about being prepared to deal with shocks to the system.”
 |
Need for Tax Optimization, Liquidity Could Change ‘Endowment Model’ |
 |
Large Endowments Hold Steady With Private Market Allocations |
 |
How to Responsibly Address AI in Your Portfolio |
Tags: compliance, Endowments, Executive compensation, Governance, investment policy, Regulations, Risk Management