ESTABLISHING AN EFFECTIVE COMPLIANCE PROGRAM,
COMPLIANCE RISK ASSESSMENTS,
AND THE ROLE OF GENERAL COUNSEL
June 25-28, 2006
PETER HARRINGTON
Harvard Medical School
Boston, Massachusetts
and
TOM SCHUMACHER
University of Minnesota
Minneapolis, Minnesota
I. INTRODUCTION
It is increasingly evident that senior leaders and managers, and trustees and directors, of an ever
growing number of colleges and universities have come to the conclusion, or are coming to the
conclusion, that their institutions need to establish some sort of formal “compliance program” in order to
better ensure that they are adequately and responsibly carrying out their various ethical, legal and
fiduciary responsibilities and obligations arising out of all of the institution’s various programs and
activities, and that they are minimizing and appropriately safeguarding the institution and its directors,
officers, employees, students and other constituencies against the risks and liabilities inherent in those
programs and activities. The factors understood to be driving this trend include the increasing levels of
public and regulatory scrutiny of corporate governance in the wake of Enron and other recent corporate
financial scandals, the passage of the Sarbanes-Oxley law[1] in 2002 (directed at publicly traded
corporations but whose provisions have influenced a reexamination of corporate controls in the nonprofit sector), the increasing expectations of government regulators, accrediting bodies, and academic
and industry groups – expressed in various regulatory and sub-regulatory guidance documents,
management standards, and best practice recommendations – that institutions will establish and maintain
appropriate and adequate compliance programs, and a significant increase in claims and liability
exposures in areas such as gender discrimination, study abroad programs and human subjects research.
Once the decision has been made that a compliance program is needed, institutions must of
course determine what the program will look like, how it will function, and how it will be administered
and managed. Embedded in those inquiries are questions about the intended purposes and goals of the
program, the preferred scope and cost of the program, and the location of the compliance function, and
compliance officials, within the pre-existing university governance structure and hierarchy. While
answers to many of these questions may vary from institution to institution, there appears to be a fairly
broad consensus in the literature, and in published guidance from government and academic and
industry groups, about the basic elements essential to successful compliance programs. These standard
elements are well known by university audit and compliance officers, and increasingly, by university
lawyers, controllers, risk managers and other management professionals as well.
[1] 15 USC 7201.
The intention of this paper is to discuss a number of these essential compliance program
elements, and to provide some useful recommendations, insights and cautions about them, as well as,
whenever possible, citations or references to useful models or other resources that might assist
university attorneys and others looking to help establish or improve their institution’s compliance
programs.
Since one of the authors serves as a research compliance officer in a medical school (while the
other is a university-wide compliance official with oversight of all risk areas), some of the discussion in
certain sections will focus on issues or considerations specific to the compliance function in a unit- or
school-based setting, or on compliance concerns specific to research and sponsored programs activities.
Nonetheless, the article is intended to convey and discuss general principles applicable in a university-wide context and relevant to compliance risks in the full range of research and non-research activities.
II. GUIDELINES FOR COMPLIANCE PROGRAMS
The acknowledged “touchstone” set of guidelines for institutional compliance programs, which appear
to serve as a template, or at least starting point, for other governmental and non-governmental compliance
guidelines, are those contained in the United States Sentencing Guidelines for Organizations (“Sentencing
Guidelines”), which were first issued in 1991 by Congress, acting through the United States Sentencing
Commission, and were most recently revised and reissued in November of 2004[2]. The section of the amended
Sentencing Guidelines entitled “Effective Compliance and Ethics Programs” identifies a framework of seven
(7) core elements which it says are minimally necessary to ensure that the organization has met its core
obligations to “exercise due diligence to prevent and detect criminal conduct and [ ] otherwise promote an
organizational culture that encourages ethical conduct and a commitment to compliance with the law.” Those
seven elements, which by now are familiar to many, and which will be elaborated upon in the sections to
follow, are:
1. Adequate compliance standards and procedures;
2. Effective compliance oversight;
3. Careful delegation and due care in hiring/screening employees;
4. Effective training and education for roles and responsibilities;
5. Monitoring, auditing, and hot lines;
6. Enforcement for violations; and
7. Corrective action.
An equally useful and influential set of governmental guidelines for colleges and universities are
those issued in draft form last December by the Office of the Inspector General of the U.S. Department
of Health and Human Services and entitled “Draft OIG Compliance Program Guidance for Recipients of
PHS Research Awards”[3] (“Draft OIG Guidelines”). While these guidelines are intended to provide
recommendations for compliance programs focused on regulatory and financial aspects of federally
sponsored research and service awards, the principles and practices they describe are readily
generalizable and useful for structuring compliance programs overseeing virtually all activity areas. A
recent statement issued by officials from COGR indicates that government sources have said that these
OIG Guidelines will be “withdrawn,” presumably in response to the numerous public comments
submitted to HHS which were critical of certain aspects of the guidelines. Nonetheless, because it is
very likely that some federal agency (probably the National Science and Technology Council’s
Committee on Science) will ultimately issue some sort of government-wide guidance similar to the
DHHS Draft OIG Guidelines, and because the Draft OIG Guidelines in any case provide valuable
insights concerning that agency’s perspectives on compliance programs, they remain an important
resource for institutions establishing or evaluating their compliance programs.
[2] See USSC Sentencing Guidelines Manual, Section 8B2.1, available online at http://www.ussc.gov/2004guid/gl2004.pdf.
[3] 70 CFR pp 71312-71320 (11/28/05), available online at: http://www.oig.hhs.gov/fraud/docs/complianceguidance/PHS%20Research%20Awards%20Draft%20CPG.pdf
The OIG describes the purpose of its draft guidance as being “to encourage the use of internal
controls to effectively monitor adherence to applicable statutes, regulations, and program requirements.”
While acknowledging the focus of the guidance to be “on grant compliance and administration issues,”
the OIG also states its belief that its guidance “will also assist institutions in developing compliance
programs for their other activities …” The OIG makes clear, in its introductory comments, that its
Guidance is not meant to provide rigid mandatory rules for compliance programs, but rather is meant as
a set of recommendations and suggestions for institutions to consider if they decide to establish a
compliance program. While noting that “the decision to adopt a compliance program is entirely
voluntary,” the OIG also points out certain advantages related to such a program, including: “ensuring
good stewardship of Federal funds by eliminating erroneous or improper expenditures”; improving grant
administration processes; “demonstrating to employees and the community at large the institution’s
commitment to honest and responsible conduct”; “identifying and correcting unlawful and unethical
behavior at an early stage”; minimizing losses to the government and the institution through early
detection; reducing the likelihood of government audits and investigations; and possible mitigation of
penalties and other adverse enforcement actions in certain governmental enforcement cases.[4]
The Draft OIG Guidelines then go on to describe the eight basic elements of a comprehensive
compliance program as follows:
(1) The development and distribution of written standards of conduct, as well
as written policies and procedures, that reflect the institution’s commitment to
compliance.
(2) The designation of a compliance officer and a compliance committee
charged with the responsibility for developing, operating, and monitoring
the compliance program, and with authority to report directly to the head
of the organization, such as the president and/or the board of regents in
the case of a university.
(3) The development and implementation of regular, effective
education and training programs for all affected employees.
(4) The creation and maintenance of an effective line of communication
between the compliance officer and all employees, including a process (such as
a hotline or other reporting system) to receive complaints or questions that are
addressed in a timely and meaningful way, and the adoption of procedures to
protect the anonymity of complainants and to protect whistleblowers from
retaliation.
(5) The clear definition of roles and responsibilities within the institution’s
organization and ensuring the effective assignment of oversight responsibilities.
(6) The use of audits and/or other risk evaluation techniques to monitor
compliance and identify problem areas.
(7) The enforcement of appropriate disciplinary action against employees or
contractors who have violated institutional policies, procedures, and/or
applicable Federal requirements for the use of Federal research dollars, and
(8) The development of policies and procedures for the investigation of
identified instances of non-compliance or misconduct. These should include
directions regarding the prompt and proper response to detected offenses,
such as the initiation of appropriate corrective action and preventive
measures.
[4] Id. at page 71314.
Most of these elements are discussed in the succeeding sections of this paper. In addition, the
OIG’s supplementary comments and statements found elsewhere in the Draft OIG Guidance, which
elaborate on or explain the meaning and intent of these eight elements, are summarized in the outline-grid reproduced in Appendix A.
Another set of influential guidelines – in this case non-governmental guidelines – that should be
very useful to higher education organizations seeking to establish or improve internal compliance
controls in the sponsored programs area are those described in COGR’s publication entitled “Managing
Externally Funded Programs at Colleges and Universities: A Guideline to Good Management Practices.”
(the “COGR Guide”). The COGR Guide, which is the most detailed of the three guidance documents
mentioned here, provides specific sets of performance standards and best practice recommendations for
each of the various risk areas relating to sponsored research and sponsored programs activities, such as
allowable costs, cost sharing, human subjects protection, awards management, environmental safety and
intellectual property. The COGR Guide is organized to provide, for each of those and other identified
risk areas, a hierarchical set of principles, each with multiple corresponding recommended “practices”
and compliance “indicators”. For example, in the area of “Financial Administration” one of the
enumerated “Principles” (relating to “cost sharing”) along with one of its subsidiary “Practices” and its
multiple corresponding “Indicators” are described as follows:
Principle II-6. Cost Sharing: The institution has policies and procedures for properly
monitoring and documenting cost sharing in the same manner as costs funded by the
sponsor, including mandatory and voluntary committed investigator effort. These policies
and procedures comply with federal requirements of OMB Circulars A-21/A-122 and A-110/2CFR215.
Practice A. The institution has written policies and procedures for cost sharing that are
consistently applied in proposing, accumulating, and reporting costs both to external sponsors
and within the institution.
Indicator 1. Cost sharing included in proposal budgets, accepted by the sponsoring agency, and
made a condition of the award is considered to be an obligation of the institution.
Indicator 2. Investigator and staff effort as well as non-labor costs included as cost sharing
obligations are appropriately recorded in the institution’s accounting records.
Indicator 3. Cost sharing expenditures meet the standards of allowability, allocability, and
reasonableness consistent with federal cost principles and standards of sponsors.
Indicator 4. Institutional systems provide for appropriate monitoring of cost sharing for
timeliness and adequacy of expenditure or in-kind valuation documentation.
Indicator 5. The institution reports required cost sharing in accordance with the terms and
conditions of awards.
Indicator 6. Voluntary uncommitted cost sharing (i.e. investigator-donated additional time
above that agreed to as a condition of the award) is excluded from the organized sponsored
projects base used for computing the F&A cost rates.
The COGR Guide is closer to a detailed accreditation checklist than a general set of guidelines
for the overall design of a comprehensive compliance program (although it contains a short list of
recommended principles, practices and indicators for an overall compliance program as well).
Nonetheless, it is an immensely valuable tool that compliance officials will certainly want to use when
performing an evaluation and gaps-analysis of institutional policies and controls in the areas of research
and sponsored programs.
III. CONSIDERATIONS AND RECOMMENDATIONS CONCERNING
SPECIFIC ASPECTS OF COMPLIANCE PROGRAMS
In the following sections, we will discuss a number of the recommended components of a compliance
program which are not covered in the companion paper (which covers codes of conduct, hotlines and
non-retaliation policies) as well as issues relating to the relationship of the compliance function and
compliance offices and officials with other university offices and officials, including lawyers in the
office of general counsel.
A. OVERSIGHT, GOVERNANCE AND LEADERSHIP ISSUES
Of critical importance to the success of any university compliance program is the establishment
of an effective governance structure for the compliance function which: will ensure the necessary
awareness of compliance issues and needs among university directors and senior leadership, and the
awareness and support of senior managers across all relevant schools, departments and business and
administrative units; high level support for compliance programs initiatives, including the provision of
adequate resources to ensure their success; clear delegation of compliance responsibilities to qualified
designated personnel who are provided appropriate authority and who will report back to senior leaders;
and an appropriate degree of coordination and/or integration of compliance functions across different
units and programs to ensure consistent quality and effectiveness of compliance programs and
safeguards and the avoidance of administrative redundancy and conflict.
The essential importance of senior leadership responsibility for compliance, and senior
leadership commitment and support for a properly designed and effective compliance program, is a
central theme in the Sentencing Guidelines. Those Guidelines specifically provide that:
1. The organization’s governing authority shall be knowledgeable about the content and
operation of the compliance and ethics program and shall exercise reasonable oversight with
respect to [its] implementation and effectiveness.
2. High level personnel …shall ensure that the organization has an effective compliance and
ethics program… [for which ] specific individuals within high level personnel shall be
assigned responsibility.
3. Specific individuals within the organization shall be delegated day-to-day operational
responsibility for the compliance and ethics program. [These individuals] shall report
periodically to high-level personnel and, as appropriate, to the governing authority, or an
appropriate subgroup of the governing authority, on the effectiveness of the …program. To
carry out such operational responsibility, such individual(s) shall be given adequate
resources, appropriate authority, and direct access to the governing authority or an
appropriate subgroup of the governing authority.
The Draft OIG Guidelines also provide very specific recommendations concerning the design
and organization of a compliance program for sponsored research. Its recommendations specifically
include: that senior management (“such as” the president and board of directors) be involved in “the
development of all aspects of the compliance program”; that each organization appoint a compliance
officer who will have day-to-day responsibility for overseeing and coordinating the compliance
program; that the compliance officer should report directly to the institution’s president (or, in larger
organizations, to the provost or senior director of research administration) and have direct access to the
board of regents or other governing body, senior administration officials and legal counsel; that the
compliance officer “have sufficient funding, resources and staff to perform his or her responsibilities
fully”; that the compliance officer’s responsibilities include program oversight and monitoring, program
revisions, education and training delivery and oversight, policy development, assisting with audits and
reviews, investigating reports of noncompliance, and assuring appropriate reporting and corrective
action; that organizations establish a compliance committee “to advise the compliance officer and assist
in the implementation of the compliance program”; and that the compliance committee be composed of
officials with varying responsibilities within the organization and who possess subject matter expertise
in various areas of importance to compliance, such as finance, audit, legal, and biosafety.
An example of a charter for a university-wide compliance oversight committee, from the
University of Minnesota, is attached as Exhibit B.
While the Sentencing Guidelines and Draft OIG Guidelines provide very useful suggestions
concerning the design of compliance programs, they are best seen as articulating only general principles,
and not as prescribing specific models that institutions need to replicate in every detail. Indeed, the OIG
Draft Guidance has been criticized for being overly rigid and prescriptive in certain of its
recommendations, and many believe that when DHHS issues its final guidance, it will articulate a
greater recognition of the diversity of institutions and a greater acceptance of a variety of different
approaches to compliance.
The reality is that a compliance oversight model that makes great sense for one institution would
not work at all well for another institution. Universities with stronger and more independently
administered campuses or schools will have more highly decentralized governance structures. These
institutions may prefer to appoint school-based compliance officers rather than a single university-wide
compliance officer. The challenge for these institutions will be to determine how best to coordinate the
efforts of the multiple compliance offices and programs, to avoid duplication and conflict, and also to
ensure that the institution’s system-wide or university-wide governing board and leaders can fulfill their
fiduciary obligations and ensure compliance in all university activities. One way to do this might be to
have all decentralized compliance officers/programs report to a central university leader (who could
report directly to the president or board), and to have that leader both evaluate and provide direction and
support (such as through the provision of centralized employee training resources) to those unit-based
officers and programs. The challenge for an institution with a highly centralized governance structure
and a single university-wide compliance office and program will be that of developing effective
relationships and lines of communication with leaders and senior managers in each of the colleges,
schools, and other subordinate organizations, perhaps through designated local compliance “liaisons” or
“partners”.
While the design of each institution’s program will be unique in at least some of its respects, and
while there are bound to be a variety of effective models that are designed quite differently from one
another, the view that emerges from the literature and the various guidelines discussed here, is that a
properly designed compliance program will feature certain essential characteristics such as: a highly
placed compliance officer (or officers), reporting regularly to senior leadership, charged with essential
compliance oversight duties, and vested with sufficient authority to ensure his/her/their effectiveness; a
fully informed and engaged senior leadership, chief executive and board; adequate resources and
institutional support for the compliance function; and some kind of compliance-related senior
management oversight or advisory committee to advise, assist and/or oversee the work of the
compliance officer and help ensure the success of the institutional compliance program.
B. COMPLIANCE RISK ASSESSMENTS
No attempt will be made here to discuss the topic of risk assessment in any level of detail.
Rather, some basic suggestions and observations will be provided in an attempt to provide a framework
for thinking about the problem. But for an excellent discussion of a risk assessment approach for a
higher education institution, as well as invaluable advice and a scalable framework for establishing an
effective compliance program at your college or university, see Effective Compliance Systems: A
Practical Guide for Education Institutions, David B. Crawford, Charles G. Chaffin and Scott
Scarborough, (The Institute of Internal Auditors Research Foundation, Nov. 2001).
Most approaches to risk assessment appear to involve, at a basic level, the identification of
activities that involve risk to the institution, the measurement of the degree of risk each involves, and the
comparison or ranking of degree of risk of those various activities. The process that involves all three
steps has sometimes been referred to as “strategic risk assessment,” since its end result is the
identification of risk-bearing activities most in need of attention by management, i.e. most in need of
some institutional intervention to minimize the risk.
The following will describe a basic approach to risk assessment, in an effort to offer a simple
model for possible comparison with other models, and to highlight some of the main challenges in this
area. To keep the discussion simpler and more focused, the discussion will presume an attempt at a
strategic risk assessment process for research compliance in a medical school setting.
Step 1: Identify the various “compliance areas” or “risk areas” inherent in the institutional activity of
conducting sponsored research. As a first step, these risks could be divided into “financial and
grants management” risks and non-financial “regulated research activity” risks. The area of “financial
and grant compliance” would include, for example: effort reporting; cost sharing; cost accounting
standards; equipment management; program income; procurement; and subrecipient monitoring. The
regulated research activities risks would include risk areas such as: export controls; human subject
protection; biosafety controls; animal welfare; and conflicts of interest. A more complete list of risk
areas within these two general categories is included in Appendix C.
Step 2: For each identified risk area, an inventory should be developed which identifies the applicable
legal, regulatory and institutional policy requirements relating to that area, and the offices, committees
and officials at the institution responsible for various administrative or compliance duties in the area.
One outcome of this exercise is to identify “subject matter experts” or “compliance leaders” with both
knowledge and responsibility in the various assigned areas who will be able to assist with the further
steps, including higher-level compliance assessments and targeted compliance enhancements or
improvements.
Step 3: A basic-level “gaps analysis” should be performed to determine whether university policies or
business or administrative processes are in place (at least on paper) to help ensure that all of the
identified legal and regulatory requirements are identified and internally communicated (even if not
fully understood and being complied with), and if any such basic gaps are found, to fill them.
Step 4: A next step would be to perform a higher-level compliance-program-type assessment in each of
the identified areas. This would involve assessing, in each area, the level of adequacy or degree of
completion of each of the seven substantive “elements of compliance” identified in the Draft OIG
Guidance, namely: written policies and procedures, effective training and education, effective lines of
communication, internal monitoring and auditing, published disciplinary guidelines, defined roles and
responsibilities, and appropriate response to problems and corrective actions.
Step 5: Determining, on a continuing basis, which of the areas in which deficiencies have been identified
in Step 4 need to be addressed and remedied on a priority basis, and how they ought best be addressed.
This step involves a somewhat more subjective analysis, based in part on the perceptions of institutional
leaders and staff, and probably external subject matter experts as well, about the greatest risks to the
institution. This analysis will generally involve some kind of an attempt at an objective quantification of
potential institutional harms that may result in the event of non-compliance, often through a review of
the “external environment” of federal agency and DOJ enforcement actions, case settlements, OIG audit
reports and work plans, and civil lawsuits. But it should also involve some kind of a survey of
institutional managers, staff and subject matter experts to obtain their “insider” perspectives on which
areas they perceive to be the greatest compliance risks and areas most in need of attention and some kind
of management intervention. This kind of internal “temperature taking,” which is a strategy often
associated with the “enterprise risk management” (“ERM”) approach to governance, can utilize the type
of survey instrument attached as Appendix C.
A few additional observations about this very basic form of “strategic risk assessment” are in
order. First, the concept of institutional “risk” is normally defined broadly to include, in addition to
financial risk (from potential damage awards, regulatory fines and penalties, costly remedial compliance
conditions imposed on the institution, and business disruptions), risks to institutional reputation and
prestige, and risks to the health and safety of employees, research subjects and community members.
Second, the ranking or prioritization of risks will necessarily involve making predictions about the
likelihood that a non-compliance event will occur and result in some adverse outcome affecting
institutional finances or reputation or the well being of the institution’s constituents, and the degree of
harm that will most likely be associated with that adverse outcome. Those predictions will in turn be
based on perceptions of the nature of the underlying activity (e.g. inherently dangerous or not), the
intensity or volume of the activity (e.g. “very few” versus “very many” clinical research trials) at the
particular institution, and the likelihood of a resulting enforcement action or lawsuit by regulators or
affected parties, or an exposé by the local or national press or watchdog groups. Finally, the basic steps
outlined above may be re-ordered, depending on institutional priorities and strategic preferences. For
example, many institutions may choose to proceed with Step 5 and prioritize their risks before
undertaking the detailed 7-point compliance-program-type assessment described in Step 4 for those
identified “priority risks.”
C. ASSESSING YOUR COMPLIANCE CULTURE
1. Sentencing Guidelines and Related Regulatory Mandates
The Advisory Committee making recommendations to Congress on the 2004 revisions to the
U.S. Sentencing Guidelines placed great emphasis on organizational culture. Specifically, the
committee expanded the existing Guidelines to make the requirement to promote a culture of
compliance an explicit element of the framework. As amended, the Guidelines now state:
“To have an effective program to prevent and detect violations of law… an organization
shall … promote an organizational culture that encourages a commitment to compliance
with the law.” § 8B2.1(a).
This is consistent with legislative and regulatory reforms, both before and after the Amendment
to the Guidelines. These include the Sarbanes-Oxley Act of 2002 (“SOX”) (companies to adopt codes
of conduct with “standards that are reasonably designed to promote honest and ethical conduct”), §406, and
SEC regulations (recognizing that a “code of ethics” includes “written standards that are reasonably
designed to deter wrongdoing and to promote honest and ethical conduct”), 68 Fed. Reg. 5110, 5118.
Although they arise in the highly-regulated world of the SEC, the views expressed by the Director of its Office of
Compliance Inspections and Examinations perhaps best capture the current regulatory mentality across
many regulatory bodies:
“The culture of compliance is too important to be left to subjective impressions. Through our
new methodologies we are turning it into a formal examination technique. We are taking it very
seriously.”
“The Culture of Compliance,” Lori Richards (April 23, 2003), http://www.sec.gov/news/speech/spch042303lar.htm.[5]
[5] Ms. Richards further remarked:
[W]e have prepared a formal approach to assessing your culture of compliance. We think that every good
culture of compliance has at least five elements. First, it has a strategic vision. Compliance activities have
to relate to some larger strategic goal. Second, it identifies the specific risks that could arise within each
strategic area. The devil, as they say, is in the details. Third, it establishes control points for each of these
risks. Fourth, it is well documented. Documentation provides transparency, both internal, to senior
management, and external, to auditors and regulators. Fifth and finally, specific people are accountable for
managing each specific element of the compliance system. You can have the best policies and procedures
in the world, but if no one is making them work, they will be useless.
Id.
2. Compliance Culture Assessment Strategies.
At the most general level, however, assessing your compliance culture should evaluate
the behavioral norms and views of your faculty and staff against key indicators for a “healthy”
compliance culture. This is in many ways the more traditional, expansive view of “culture” beyond
programmatic elements. Factors to consider in this assessment may include:
1. Employee awareness of ethical/legal issues that arise at work
2. Looking for ethics/compliance advice within the organization
3. Employee knowledge of workplace rules
4. Employee willingness to inform management of problems/deliver “bad news” to management
5. Employee willingness to report legal violations (e.g. call the “hot line”)
6. Employee commitment to the organization
7. Employee perceptions that leadership pays attention to ethics and cares about ethical conduct as much as the bottom line.
8. Employees’ perception of fair treatment within the organization
9. Institutional ethics and values are openly discussed and are integrated into decisionmaking
10. Employees perceive that ethical behavior is rewarded and unethical behavior punished, at all levels.[6]
3. Examples: Culture Assessment Questions
As one strategy to consider, many institutions, including the University of Minnesota, currently
survey faculty and staff culture generally on a periodic basis. A typical “culture” survey may include a
host of topics, from compensation satisfaction to professional development. This may be an ideal
location to integrate questions essential to a compliance culture. For example, in the University of
Minnesota’s most recent survey, employees were asked the following questions:
| | Strongly Disagree | Disagree to Some Extent | Uncertain | Agree to Some Extent | Strongly Agree |
| I know where to report violations of law or policy (such as the University's confidential reporting line.) | 1 | 2 | 3 | 4 | 5 |
| I believe I would be protected from retaliation if I report a suspected violation. | 1 | 2 | 3 | 4 | 5 |
| University leadership demonstrates integrity and ethical behavior. | 1 | 2 | 3 | 4 | 5 |
6 Source: Managing Ethics and Legal Compliance: What works and what hurts, Trevino et al, 41 California Management
Review, No. 2 1999.
I have experienced or observed significant misconduct (violation of law, workplace rules, or
significant University policy) in my unit/department within the last twelve months?
Yes    No
If Yes,
If the misconduct was not known by responsible University officials, did you or someone
else report it to responsible University officials or the University’s confidential reporting
service?
Yes, I reported it    Yes, others reported it    No, it was not reported    Don’t know
If Yes,
Do you believe responsible University officials took appropriate corrective action?
Yes    No    Don’t Know
D. OTHER ASPECTS OF A COMPLIANCE PROGRAM
Without going into any level of detail, brief mention should be made of a few of the other most
essential aspects of a compliance program.
1. Education and Training & the Promotion of Responsible Conduct
The Advisory Committee making recommendations to Congress on the 2004 revisions to the
U.S. Sentencing Guidelines (the “Advisory Committee”) re-emphasized and enhanced the requirements
for compliance-related education programs. The most significant change made to this element was
inclusion of the explicit directive to engage in compliance training, and that such training includes the
Board, organizational leaders, and all employees. The Advisory Committee recognized that successful
training had two components: (1) effectively communicating compliance standards, roles and
responsibilities to all organizational agents and (2) motivating them to comply. It concluded that “all
organizations should engage in active compliance training.” Based upon the role organizational leaders
play in overseeing the compliance program, the Committee further emphasized “that all levels of the
organizational hierarchy should be made aware of their compliance responsibilities, from the governing
authority on down to organizational agents.” Most commentators have interpreted this to mean that
compliance specific education is required for boards or an appropriate board committee.
The degree to which, and manner in which, education and training is conducted will vary from
institution to institution, based on the nature and intensity of risk-bearing activities, the institution’s
perceptions of risk, resource availability, institutional culture and other factors. A common question that
arises is the degree to which training should be a centralized function, run out of a central compliance or
employee training office that can perhaps better ensure that training modules and programs are
structured and evaluated appropriately and consistently across all units, or should be a decentralized
function delegated to the administrative units responsible for the given activity which are more likely to
be administered by subject matter experts with practical insights on the day to day operations they are
tasked with overseeing. Perhaps the best, albeit highly resource-intensive, model is the hybrid model
established by Stanford University in its Cardinal Curriculum through which training modules are
developed for each particular risk area through a partnership between a central training department that
brings curriculum design and evaluation expertise and the subject matter experts responsible for the
administrative and compliance functions in that particular area. Stanford has also recently introduced its
STARS “training and registration” system which permits the institution, among other things, to track all
compliance training that occurs in its decentralized training environment. Information about Stanford’s
impressive training program is available to the public online at http://ora.stanford.edu/cardinal/.
2. Auditing, Monitoring and Trending
The 2004 amendments to the Sentencing Guidelines make three changes to the USSC’s original
monitoring and auditing requirements. First, the original guidelines listed compliance monitoring and
auditing as examples of good compliance practices, but did not make them expressly required. The
amendments make these required, so that “regular compliance evaluations through auditing and
monitoring practices are essential features of every compliance program.” Second, the amended
Guidelines add a new requirement to regularly review and assess the compliance program itself. The
Committee distinguished between (1) traditional monitoring to review “the adherence of organizational
activities to applicable laws and compliance program requirements” and (2) evaluation of “the
sufficiency of managerial practices comprising an organization’s compliance program to ensure a
reasonable likelihood of success.” The Committee observed that “regular evaluations of program
effectiveness are an essential means to ensure the completeness and success of the compliance
program.” Thus the new Guideline states that due diligence requires the organization to “take
reasonable steps to evaluate periodically the effectiveness of the organization’s program to prevent and
detect violations of the law.” Third, the amendments make clear that monitoring and auditing programs
should be based upon regular risk assessments (discussed above). The change “clarifies that
characteristics of monitoring, auditing, and evaluation efforts, such as the targeting and frequency of
compliance assessments, should correspond to the likelihood of compliance problems in particular
organizational activities.”
There are a number of possible sources of “trending information,” i.e. information providing
evidence of which particular compliance problems are occurring – or are thought to be occurring – with
the greatest frequency at your institution. Certainly, audit reports from both the institution’s external
auditors (e.g. auditors performing the annual A-133 Audit for sponsored programs) and internal auditors
(e.g. performing confidential departmental or program audits) are among the most useful sources of
information about compliance problems. Other sources include hotline/helpline reports, statements and
questions made by employees at focus group meetings and training sessions, and actual discovered or
reported noncompliance events, all of which can and should be compiled and evaluated in some fashion.
In addition, employee satisfaction surveys administered by personnel and workforce development
offices can contain (and could be explicitly designed with assistance of compliance personnel to contain)
questions about institutional compliance intended to elicit employees’ observations and concerns about
compliance in their areas.
3. Reporting & Corrective Action
It is of course essential that internal reporting of non-compliance be encouraged, through
language establishing that expectation in Codes of Conduct and through protective provisions for
whistleblowers in well publicized non-retaliation policies. It is equally essential that institutional
policies and procedures are sufficient to ensure that all instances of non-compliance required to be
reported to external agencies are in fact reported, and that appropriate corrective and, when necessary,
disciplinary action, is taken following review and investigation of instances of alleged noncompliance.
No attempt will be made here to discuss this broad topic in greater detail. However, an excellent template
for institutional policies intended to encourage reporting, and to appropriately address noncompliance
concerns, is the one developed by the University of Minnesota, which is available online at
http://www.fpd.finop.umn.edu/groups/ppd/documents/policy/Reporting_Violations.cfm.
E. ROLE OF LEGAL COUNSEL
Lawyers clearly play a very significant and important role in compliance programs. First, they
are responsible for providing legal advice to the institution and have the final word on legal issues facing
the institution. Hence, whenever there are questions about the scope or meaning of regulatory
requirements, the institution’s particular duties under those regulations, or the manner in which the
institution should discharge its duties to best ensure compliance with the regulations, the lawyers are the
ones who will need to provide the answers, or at least their best professional advice for institutional
leaders to consider in making decisions about institutional management. Second, lawyers will often be
the most knowledgeable “subject matter experts” in any given area, and can help with risk assessment,
the design of compliance controls and policies, and employee training in those areas. Third, lawyers can
help compliance leaders better understand the external enforcement and liability environment, by
keeping compliance officials updated on enforcement and litigation trends, and identifying new and
emerging regulatory challenges. Fourth, lawyers will often need to assist with investigations of
wrongdoing, particularly advising on issues of due process and hearing procedures and appeals, and
sometimes leading such investigations and protecting institutional findings under attorney-client or other
applicable privileges. Fifth, lawyers are invaluable resources when it comes to policy drafting and
development, with usually strong writing and analytical skills and with a trained eye for due process and
related legal issues. Finally, and more generally, due to the institution-wide perspective they bring, and
their keen eye for potential problems and pitfalls that can lead to conflict and litigation, lawyers should
be seen as key partners who can assist and provide useful advice to compliance personnel on the full
range of an institution’s compliance activities.
III. CONCLUSION
There is no question that compliance programs are increasingly becoming part of the landscape
at colleges and universities, due to external pressures such as Sarbanes-Oxley, more thorough and rigorous
external auditing processes, governmental expectations expressed in guidance like the Draft OIG
Guidance and U.S. Sentencing Guidelines, as well as internal pressures from institutional directors and
senior leaders, employees and actual and potential whistleblowers. The bad news is that successful
compliance programs can be a significant challenge to establish and maintain. But the good news is that
many useful tools, guidance materials and model policies, like those developed at the University of
Minnesota and at Stanford University, as well as materials available through conferences like this one,
are available to help guide institutions looking to establish or improve their compliance programs.
APPENDIX A
Summary of DHHS OIG 11/05 CPG: 8 Elements
Policies and Procedures regarding federal requirements
● "Policies and procedures should be developed under the direction and supervision of the
compliance officer, the compliance committee, and relevant institutional officials
● "Policies should be reviewed at regular intervals to ensure they are current and relevant"
● Policies provided to all faculty, staff and students affected by them; suggestion for putting them on
a single internet site
● Code of Conduct: Should "detail the fundamental principles, values and framework for action
within an organization…should articulate the institution's expectation of commitment to
compliance by management, employees, and agents, and should summarize the broad ethical and
legal principles under which the institution must operate; should be applicable to all employees.
● Code of Conduct: Senior management "such as the board of regents and president" and others
should participate in the development of the code of conduct
Designation of Compliance Officer and Compliance Committee
● Compliance Officer primary responsibilities: "optimally should report directly to the institution's
president and should have direct access to the board of regents, senior administration officials, and
legal counsel"
● Compliance Officer primary responsibilities: Overseeing and monitoring implementation of the
compliance program
● Compliance Officer primary responsibilities: Reporting on a regular basis to the board of regents,
president and compliance committee
● Compliance Officer primary responsibilities: Periodically revising the program to respond to
changes
● Compliance Officer primary responsibilities: Developing, coordinating, and participating in
education programs that focus on the elements of the compliance program, and seeking to ensure
that all affected employees understand and comply with pertinent federal and state standards
● Compliance Officer primary responsibilities: Developing policies and procedures
● Compliance Officer primary responsibilities: Assisting the institutional internal or independent
auditors in coordinating compliance reviews and monitoring activities
● Compliance Officer primary responsibilities: Reviewing, and where appropriate acting in response
to reports of noncompliance received through the hotline, or otherwise brought to compliance
officer's attention by internal audit or counsel
● Compliance Officer primary responsibilities: "independently investigating and acting on matters
related to compliance. The compliance officer should have the flexibility to design and coordinate
internal investigations (e.g. responding to reports of problems or suspected violations) and any
resulting corrective action (e.g. making necessary improvements to policies and practices, and
taking appropriate disciplinary action) with particular departments or institution activities
● Compliance Officer primary responsibilities: participating with counsel in the appropriate
reporting of any self-discovered violations of federal requirements
● Compliance Officer primary responsibilities: "continuing the momentum/ revising or expanding
the compliance program after the initial years of implementation"
● Compliance Officer primary responsibilities: "compliance officer must have authority to review
all documents and other information relevant to compliance activities"
● Compliance Committee: Established to advise the compliance officer and assist in the
implementation of the compliance program
● Compliance Committee: suggested membership "operations, finance, audits, human resources, and
legal, as well as faculty members. All committee members should have the requisite seniority and
comprehensive experience within their respective areas to recommend and implement any
necessary changes to policies or procedures.
● Compliance Committee: "the committee should function as an extension of the compliance officer
and provide the organization with increased oversight"
Conducting Effective Training
● An institution should provide general training sessions that cover such issues as ethical standards
and the institution's commitment to compliance issues. All employees, and where feasible and
appropriate contractors, should receive the general training. General training should include the
contents of the institution's compliance program, such as the roles of the compliance officer and
the committee" and the hot line and "both a description of the many types of compliance issues
that administrators, faculty and other employees may need to address...and the sources of guidance
for resolving those issues
● More specific training for more specialized audiences, for example administrative personnel who
manage award funding
● General and specific training sessions should be provided both upon initial employment with the
institution as well as on some periodic schedule…specialized training should be provided on a
more frequent basis, perhaps annually or more frequently.
● The Compliance Officer should maintain records of all formal training undertaken by the
institution as part of the compliance program. This should include attendance logs, descriptions of
the training sessions, and copies of the material distributed at the training sessions.
● Institution needs to establish a mechanism to ensure that employees receive the training they need.
● "Adherence to the training requirements as well as other provisions of the compliance program
should be a factor in the annual evaluation of each employee"
Effective Lines of Communication
● Confidentiality and non-retaliation policies should be developed and distributed to all employees
● "In addition to serving as a contact point for reporting problems and initiating appropriate
responsive action, the compliance officer should be viewed as someone to whom personnel can go
for clarification on the institution's policies"
● "an effective employee exit Interview program could be designed to solicit information from
departing employees regarding potential misconduct and suspected violations of the institution's
policies and procedures"
● Identification of areas of risk or concern through periodic surveys
● Hotline/ reporting mechanism made available to all employees and communicated; "employees
should be permitted to report matters on an anonymous basis
● Reported matters should be reviewed promptly; matters which suggest substantial violations of
federal program requirements should be documented and investigated promptly.
● "The compliance officer should maintain a thorough record of such complaints, as well as any
investigation, its results, and any remedial or disciplinary action taken."
● May "provide [hotline] information, redacted of individual identifiers, to the institution's senior
management, such as the board of regents and the president, and to the compliance committee.
Auditing and Monitoring
● Auditing of institution's operations and activities is a critical internal control; should follow
"Yellow Book" Government Accounting Standards
● Conduct risk assessments to determine where to devote audit resources, and for separate
performance audits. May wish to consider the three research risk areas identified in the CPG;
"risk assessments could be coordinated by the compliance office."
● Monitoring of the implementation of the compliance program itself and an ongoing evaluation
process. The compliance officer should document this monitoring process and provide these
assessments to the institution's senior management and compliance committee.
● "The nature of the [compliance reviews] could include prospective systemic review of the
institution's processes, protocols, and practices, or a retrospective review of actual practices in a
particular area."
● "reviews should evaluate whether (1) the institution has policies covering identified risks; (2)
policies were implemented and communicated; (3) the policies were followed"
Enforcing Standards through Well-Publicized Disciplinary Guidelines
● "should include clear and specific disciplinary policies that set out the consequences of violating
federal or state requirements, the institution's code of conduct, or its policies or procedures"
● Should consistently undertake appropriate disciplinary action across the institution for the
disciplinary policy to have the required deterrent effect. Intentional and material noncompliance
should not be tolerated and should subject transgressors to significant sanctions
● Disciplinary action may also be appropriate when a responsible employee's failure to detect a
violation is attributable to his or her negligence or reckless conduct
Responding to Detected Problems and Developing Corrective Action Initiatives
● Compliance officer or other official should immediately investigate allegations to determine
materiality; take decisive steps to correct problem, and implement corrective action plan as
appropriate
● where investigation shows credible evidence of misconduct that may violate criminal, civil or
administrative law, the institution should promptly report to the appropriate authorities within a
reasonable period, but not more than 60 days, after determining there is credible evidence of a
violation.
● "Once the investigation is completed . . . The compliance officer should notify the appropriate
authorities of the outcome of the investigation
Establishing Roles and Responsibilities and Assigning Oversight Responsibility
● Should clearly delineate the responsibilities of all persons involved with the conduct of federally
supported research, including both administration or department personnel with oversight
responsibility as well as principal investigators and other personnel who are engaged in research.
● Roles and responsibilities should be clearly communicated and accessible
APPENDIX B
Compliance Oversight Committee
Purpose
The Compliance Oversight Committee will oversee the University’s compliance activities and program
to ensure they are reasonably designed, implemented, enforced and generally effective in preventing and
detecting violations of the law. The committee will further take or recommend such actions as are
necessary to promote an organizational culture that encourages a commitment to compliance and ethical
conduct.
Responsibilities
The Committee members will be knowledgeable about the content and operation of the University’s
compliance and ethics program. The Committee will further exercise reasonable oversight over the
implementation and effectiveness of the program, including:
● Assuring that individuals with operational responsibility conduct regular ongoing risk
assessment; regularly reviewing risk assessments; and recommending and assuring that appropriate steps
are taken to design, implement, or modify compliance activities to reduce the compliance risks identified
by risk assessments.
● Assuring that compliance roles and responsibilities are clearly established across the
University system, and that due care is taken in delegating substantial authority.
● Assuring that the University implements standards of conduct, policies, procedures and
internal control systems reasonably capable of reducing misconduct, including the Board of Regents
Code of Conduct.
● Exercising reasonable oversight over compliance activities, including periodically requesting
and receiving information on the implementation and effectiveness of the compliance and ethics
program from individuals with day-to-day operational responsibility, as well as the Director of
Institutional Compliance.
● Assuring that individuals responsible for the compliance and ethics program have adequate
resources, authority, and competencies to carry out their responsibilities.
● Assuring that the University’s compliance standards, procedures and expectations, including
the Board of Regents Code of Conduct, are effectively communicated through education and training
programs, publications, and other appropriate means.
● Assuring that reasonable steps have been taken to achieve compliance with laws, policies, and
procedures throughout the University through the use of reasonably designed auditing and monitoring
systems as well as periodic evaluation of the compliance program’s effectiveness.
● Assuring the University maintains an effective mechanism for employees and agents to report
or seek guidance regarding potential or actual wrongdoing, including mechanisms to allow for
anonymous reporting, and appropriate safeguards to protect against potential retaliation.
● Assuring that compliance is promoted and enforced consistently through appropriate
incentives and disciplinary measures, including discipline of employees responsible for violations and, if
warranted, discipline of employees for failing to reasonably detect offenses; further assuring that
appropriate actions are taken to prevent similar offenses, including making any necessary modifications
to the compliance program.
● Reporting, or directing the reporting, on the implementation and effectiveness of the
compliance program to the Board of Regents Audit Committee.
● Taking such other actions, or making such other recommendations, as are necessary to
promote an ethical organizational culture.
Membership
The membership of the Compliance Oversight Committee will consist of members of senior
management selected by the University’s President, and other persons as deemed appropriate. The
initial membership will include:
● Vice President for Human Resources
● Vice President for Research
● Vice President for University Services
● General Counsel
● University Auditor
● Director of Institutional Compliance
Operations
The Committee will meet at least quarterly and at such other times as it elects. The Director of
Institutional Compliance will provide administrative support to the Committee, as well as serving as a
member. The Committee may delegate compliance activities to other committees or persons as it deems
appropriate.
APPENDIX C
REGULATED RESEARCH ACTIVITIES (“Non-Financial”) (“RRA”)
| Activity/Risk Area | Reputational Risk (High / Med / Low) | Health, Safety & Operational Risk (High / Med / Low) | Financial Risk (High / Med / Low) | Overall Priority Ranking (1-11) |
| Human Subject Protection & IRB | | | | |
| Animal Welfare & IACUC | | | | |
| Stem Cells – Non-Financial Compliance | | | | |
| Biosafety & COMS | | | | |
| Select Agents | | | | |
| Export Controls | | | | |
| Environmental/Occupational Health & Safety | | | | |
| Clinical Trials & FDA | | | | |
| Financial Conflicts of Interest | | | | |
| Intellectual Property & Bayh-Dole Compliance | | | | |
| Data Privacy & Security (including HIPAA | | | | |
FINANCIAL and GRANTS MANAGEMENT (“FGM”)
| Activity/Risk Area | Reputational Risk (High / Med / Low) | Health, Safety & Operational Risk (High / Med / Low) | Financial Risk (High / Med / Low) | Overall Priority Ranking (1-13) |
| Pre-Award & Proposal Requirements | | | | |
| Subrecipient Monitoring | | | | |
| Award Management, including Financial & Technical Reports, Records and Data | | | | |
| Time & Effort Reporting | | | | |
| Cost Allocation, including Cost Transfers & Cost Sharing | | | | |
| Stem Cells – Cost Allocation | | | | |
| Program Income | | | | |
| Allowable Costs | | | | |
| Reporting Support from Other Sources | | | | |
| Financial and Cost Accounting & Reporting | | | | |
| Procurement | | | | |
| Equipment Use & Management | | | | |
| International Programs: Oversight | | | | |