Risks such as financial, operational, and strategic risks, as well as risk to the institution's reputation, can come from any number of sources. By creating a culture of compliance, the institution, its students, faculty and employees are better served.
ACTION: Designate an Institutional Compliance Assistance Officer and appoint an enterprise-wide Institutional Compliance Advisory Committee to serve as a cross-functional team from operating units with high-risk compliance issues. The Institutional Compliance Assistance Officer serves as chair of the committee.
Areas to be considered include employment; student-related matters; sponsored research; grants and contract post-award management; athletics; environmental health and safety; facilities; and other compliance requirements.
ACTION: Submit to administration a risk-based compliance plan detailing compliance activities.
The first step in developing a risk-based compliance plan is accumulating system, local, state and federal details of laws, regulations, policies, and procedures to which the institution is subject. Next, the risk of non-compliance for all elements in the enterprise must be assessed. Generally, the risk model should consider both the financial and embarrassment risks of non-compliance and should also candidly self-assess compliance consciousness and recent histories of alleged or known non-compliant behavior. The risk-based plan should summarize this process by providing a listing of all significant compliance requirements and a summary assessment (e.g., high, moderate, low) of the risk of non-compliance. Based on the risk assessment, the plan should describe the institution's compliance activities that will reduce the risks to reasonably low levels.
The risk-based compliance plan should present detail of how a combination of training and awareness programs, monitoring mechanisms, and changes in policies and procedures will equip individuals to understand their compliance obligations, set clear expectations for appropriate behavior, and provide insight into the ramifications of non-compliance. In the final analysis, the plan should demonstrate how individuals will become empowered to take an active role in reducing institutional risk.
ACTION: Establish cross-functional liaisons and develop a support structure sufficient to ensure accomplishment of the plan for each activity that is deemed to be high risk (e.g., human resources, environmental health and safety, NCAA, etc.).
While to a certain extent this may be a matter of coordinating existing resources and enhancing compliance-related activities, each risk area must document compliance functions, obtain and disseminate information, develop and administer training, and monitor effectiveness. In many cases this may require the establishment of subcommittees to focus on one particular high-risk area.
ACTION: Ensure that appropriate general and specialized compliance training for individuals whose responsibilities involve them in high-compliance-risk activities is being provided on a regular basis and that attendance levels are acceptable.
Availability and attendance records are key monitoring data that should be provided to and considered by the Institutional Compliance Advisory Committee at every meeting.
ACTION: Compile regular reports on compliance activities for presentation to administration.
The report should compare progress to date with the risk-based compliance plan, and should indicate areas where additional emphasis is required.
ACTION: Follow up to determine that appropriate corrective, restorative action has been taken in the event of non-compliance.
The principal responsibilities of the Institutional Compliance Advisory Committee are:
• to ensure that compliance activities are appropriately risk-based;
• to continuously assess and assure the effectiveness of the program;
• to keep administration aware of compliance risks, activities, and findings; and
• to ensure that the dissemination of information regarding compliance matters is not restricted.
The discharge of these responsibilities includes discussion of potential areas of non-compliance and ensuring that appropriate, corrective, restorative, and disciplinary actions are taken in the event of non-compliance. If the Institutional Compliance Assistance Officer believes that the appropriate, accountable party has not followed relevant policies and procedures regarding corrective, restorative, and/or disciplinary action, then the Institutional Compliance Assistance Officer should report concerns to the President. At that point, the President is responsible for the appropriateness of the actions taken to resolve the compliance issue.
ACTION: Establish a confidential mechanism that allows employees to obtain information regarding compliance issues and/or report instances of suspected non-compliance outside of the normal chain of command and in a manner that preserves confidentiality and assures non-retaliation.
The most common and acceptable method of providing such a mechanism is the establishment of a Compliance Hotline. The key elements of a confidential mechanism program include, but are not limited to:
• written documentation of all notifications received;
• a prompt cross-functional consultation and triage function (generally involving high ranking representatives from legal, security, internal audit, and human resources areas) to determine the need for and nature of appropriate investigative action;
• follow-up to assure timely and appropriate resolution of issues; and,
• documentation of the ultimate disposition of all calls received.
A summary of hotline activities should be presented, as needed, to the Institutional Compliance Advisory Committee.
ACTION: Develop a compliance manual which provides documentation of management's considerations of compliance, sets forth expectations and standards of conduct, and outlines methodologies to be employed to assess the effectiveness of the plan.
A manual should generally document the compliance structure; include copies of relevant documents, charters and policies; show examples of monitoring and reporting activities and forms; and document the process for evaluating compliance activities to annually self-assess its performance.
ACTION: Regularly audit the design and the effectiveness of the institution's enterprise-wide compliance systems.
In its audit plan, Internal Audit should include audit(s) of the design and effectiveness of the compliance function both enterprise-wide and at the unit level. The Institutional Compliance Advisory Committee, with assistance from the Compliance Officer, will be responsible for responding to such recommendations by developing action plans and timetables for remedial action. The Committee will be responsible for follow-up to ensure timely resolution.