ESTABLISHING AN EFFECTIVE COMPLIANCE PROGRAM, COMPLIANCE RISK ASSESSMENTS, AND THE ROLE OF GENERAL COUNSEL

June 25-28, 2006

PETER HARRINGTON
Harvard Medical School
Boston, Massachusetts

and

TOM SCHUMACHER
University of Minnesota
Minneapolis, Minnesota

I. INTRODUCTION

It is increasingly evident that senior leaders and managers, and trustees and directors, of an ever growing number of colleges and universities have come to the conclusion, or are coming to the conclusion, that their institutions need to establish some sort of formal “compliance program” in order to better ensure that they are adequately and responsibly carrying out their various ethical, legal and fiduciary responsibilities and obligations arising out of all of the institution’s various programs and activities, and that they are minimizing and appropriately safeguarding the institution and its directors, officers, employees, students and other constituencies against the risks and liabilities inherent in those programs and activities. The factors understood to be driving this trend include the increasing levels of public and regulatory scrutiny of corporate governance in the wake of Enron and other recent corporate financial scandals; the passage of the Sarbanes-Oxley law[1] in 2002 (directed at publicly traded corporations but whose provisions have influenced a reexamination of corporate controls in the nonprofit sector); the increasing expectations of government regulators, accrediting bodies, and academic and industry groups – expressed in various regulatory and sub-regulatory guidance documents, management standards, and best practice recommendations – that institutions will establish and maintain appropriate and adequate compliance programs; and a significant increase in claims and liability exposures in areas such as gender discrimination, study abroad programs and human subjects research.
Once the decision has been made that a compliance program is needed, institutions must of course determine what the program will look like, how it will function, and how it will be administered and managed. Embedded in those inquiries are questions about the intended purposes and goals of the program, the preferred scope and cost of the program, and the location of the compliance function, and compliance officials, within the pre-existing university governance structure and hierarchy. While answers to many of these questions may vary from institution to institution, there appears to be a fairly broad consensus in the literature, and in published guidance from government and academic and industry groups, about the basic elements essential to successful compliance programs. These standard elements are well known by university audit and compliance officers, and increasingly, by university lawyers, controllers, risk managers and other management professionals as well.

[1] 15 USC 7201.

The intention of this paper is to discuss a number of these essential compliance program elements, and to provide some useful recommendations, insights and cautions about them, as well as, whenever possible, citations or references to useful models or other resources that might assist university attorneys and others looking to help establish or improve their institution’s compliance programs. Since one of the authors serves as a research compliance officer in a medical school (while the other is a university-wide compliance official with oversight of all risk areas), some of the discussion in certain sections will focus on issues or considerations specific to the compliance function in a unit- or school-based setting, or on compliance concerns specific to research and sponsored programs activities.
Nonetheless, the article is intended to convey and discuss general principles applicable in a university-wide context and relevant to compliance risks in the full range of research and non-research activities.

II. GUIDELINES FOR COMPLIANCE PROGRAMS

The acknowledged “touchstone” set of guidelines for institutional compliance programs, which appear to serve as a template, or at least starting point, for other governmental and non-governmental compliance guidelines, are those contained in the United States Sentencing Guidelines for Organizations (“Sentencing Guidelines”), which were first issued in 1991 by Congress, acting through the United States Sentencing Commission, and were most recently revised and reissued in November of 2004[2]. The section of the amended Sentencing Guidelines entitled “Effective Compliance and Ethics Programs” identifies a framework of seven (7) core elements which it says are minimally necessary to ensure that the organization has met its core obligations to “exercise due diligence to prevent and detect criminal conduct and [ ] otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.” Those seven elements, which by now are familiar to many, and which will be elaborated upon in the sections to follow, are:

1. Adequate compliance standards and procedures;
2. Effective compliance oversight;
3. Careful delegation and due care in hiring/screening employees;
4. Effective training and education for roles and responsibilities;
5. Monitoring, auditing, and hot lines;
6. Enforcement for violations; and
7. Corrective action.

An equally useful and influential set of governmental guidelines for colleges and universities are those issued in draft form last December by the Office of the Inspector General of the U.S. Department of Health and Human Services and entitled “Draft OIG Compliance Program Guidance for Recipients of PHS Research Awards”[3] (“Draft OIG Guidelines”).
While these guidelines are intended to provide recommendations for compliance programs focused on regulatory and financial aspects of federally sponsored research and service awards, the principles and practices they describe are readily generalizable and useful for structuring compliance programs overseeing virtually all activity areas. A recent statement issued by officials from COGR indicates that government sources have said that these OIG Guidelines will be “withdrawn,” presumably in response to the numerous public comments submitted to HHS which were critical of certain aspects of the guidelines. Nonetheless, because it is very likely that some federal agency (probably the National Science and Technology Council’s Committee on Science) will ultimately issue some sort of government-wide guidance similar to the DHHS Draft OIG Guidelines, and because the Draft OIG Guidelines in any case provide valuable insights concerning that agency’s perspectives on compliance programs, they remain an important resource for institutions establishing or evaluating their compliance programs.

[2] See USSC Sentencing Guidelines Manual, Section 8B2.1, available online at http://www.ussc.gov/2004guid/gl2004.pdf.

[3] 70 CFR pp 71312-71320 (11/28/05), available online at: http://www.oig.hhs.gov/fraud/docs/complianceguidance/PHS%20Research%20Awards%20Draft%20CPG.pdf
The OIG describes the purpose of its draft guidance as being “to encourage the use of internal controls to effectively monitor adherence to applicable statutes, regulations, and program requirements.” While acknowledging the focus of the guidance to be “on grant compliance and administration issues,” the OIG also states its belief that its guidance “will also assist institutions in developing compliance programs for their other activities …” The OIG makes clear, in its introductory comments, that its Guidance is not meant to provide rigid mandatory rules for compliance programs, but rather is meant as a set of recommendations and suggestions for institutions to consider if they decide to establish a compliance program. While noting that “the decision to adopt a compliance program is entirely voluntary,” the OIG also points out certain advantages related to such a program, including: “ensuring good stewardship of Federal funds by eliminating erroneous or improper expenditures”; improving grant administration processes; “demonstrating to employees and the community at large the institution’s commitment to honest and responsible conduct”; “identifying and correcting unlawful and unethical behavior at an early stage”; minimizing losses to the government and the institution through early detection; reducing the likelihood of government audits and investigations; and possible mitigation of penalties and other adverse enforcement actions in certain governmental enforcement cases.[4]

The Draft OIG Guidelines then go on to describe the eight basic elements of a comprehensive compliance program as follows:

(1) The development and distribution of written standards of conduct, as well as written policies and procedures, that reflect the institution’s commitment to compliance.
(2) The designation of a compliance officer and a compliance committee charged with the responsibility for developing, operating, and monitoring the compliance program, and with authority to report directly to the head of the organization, such as the president and/or the board of regents in the case of a university.

(3) The development and implementation of regular, effective education and training programs for all affected employees.

(4) The creation and maintenance of an effective line of communication between the compliance officer and all employees, including a process (such as a hotline or other reporting system) to receive complaints or questions that are addressed in a timely and meaningful way, and the adoption of procedures to protect the anonymity of complainants and to protect whistleblowers from retaliation.

(5) The clear definition of roles and responsibilities within the institution’s organization and ensuring the effective assignment of oversight responsibilities.

(6) The use of audits and/or other risk evaluation techniques to monitor compliance and identify problem areas.

(7) The enforcement of appropriate disciplinary action against employees or contractors who have violated institutional policies, procedures, and/or applicable Federal requirements for the use of Federal research dollars, and

(8) The development of policies and procedures for the investigation of identified instances of non-compliance or misconduct. These should include directions regarding the prompt and proper response to detected offenses, such as the initiation of appropriate corrective action and preventive measures.

[4] Id. at page 71314.

Most of these elements are discussed in the succeeding sections of this paper. In addition, the OIG’s supplementary comments and statements found elsewhere in the Draft OIG Guidance, which elaborate on or explain the meaning and intent of these eight elements, are summarized in the outline grid reproduced in Appendix A.
Another set of influential guidelines – in this case non-governmental guidelines – that should be very useful to higher education organizations seeking to establish or improve internal compliance controls in the sponsored programs area are those described in COGR’s publication entitled “Managing Externally Funded Programs at Colleges and Universities: A Guideline to Good Management Practices” (the “COGR Guide”). The COGR Guide, which is the most detailed of the three guidance documents mentioned here, provides specific sets of performance standards and best practice recommendations for each of the various risk areas relating to sponsored research and sponsored programs activities, such as allowable costs, cost sharing, human subjects protection, awards management, environmental safety and intellectual property. The COGR Guide is organized to provide, for each of those and other identified risk areas, a hierarchical set of principles, each with multiple corresponding recommended “practices” and compliance “indicators”. For example, in the area of “Financial Administration” one of the enumerated “Principles” (relating to “cost sharing”), along with one of its subsidiary “Practices” and its multiple corresponding “Indicators”, is described as follows:

Principle II-6. Cost Sharing: The institution has policies and procedures for properly monitoring and documenting cost sharing in the same manner as costs funded by the sponsor, including mandatory and voluntary committed investigator effort. These policies and procedures comply with federal requirements of OMB Circulars A-21/A-122 and A-110/2 CFR 215.

Practice A. The institution has written policies and procedures for cost sharing that are consistently applied in proposing, accumulating, and reporting costs both to external sponsors and within the institution.

Indicator 1. Cost sharing included in proposal budgets, accepted by the sponsoring agency, and made a condition of the award is considered to be an obligation of the institution.

Indicator 2. Investigator and staff effort as well as non-labor costs included as cost sharing obligations are appropriately recorded in the institution’s accounting records.

Indicator 3. Cost sharing expenditures meet the standards of allowability, allocability, and reasonableness consistent with federal cost principles and standards of sponsors.

Indicator 4. Institutional systems provide for appropriate monitoring of cost sharing for timeliness and adequacy of expenditure or in-kind valuation documentation.

Indicator 5. The institution reports required cost sharing in accordance with the terms and conditions of awards.

Indicator 6. Voluntary uncommitted cost sharing (i.e. investigator-donated additional time above that agreed to as a condition of the award) is excluded from the organized sponsored projects base used for computing the F&A cost rates.

The COGR Guide is closer to a detailed accreditation checklist than a general set of guidelines for the overall design of a comprehensive compliance program (although it contains a short list of recommended principles, practices and indicators for an overall compliance program as well). Nonetheless, it is an immensely valuable tool that compliance officials will certainly want to use when performing an evaluation and gaps analysis of institutional policies and controls in the areas of research and sponsored programs.

III. CONSIDERATIONS AND RECOMMENDATIONS CONCERNING SPECIFIC ASPECTS OF COMPLIANCE PROGRAMS

In the following sections, we will discuss a number of the recommended components of a compliance program which are not covered in the companion paper (which covers codes of conduct, hotlines and non-retaliation policies), as well as issues relating to the relationship of the compliance function and compliance offices and officials with other university offices and officials, including lawyers in the office of general counsel.

A. OVERSIGHT, GOVERNANCE AND LEADERSHIP ISSUES

Of critical importance to the success of any university compliance program is the establishment of an effective governance structure for the compliance function which will ensure: the necessary awareness of compliance issues and needs among university directors and senior leadership, and the awareness and support of senior managers across all relevant schools, departments and business and administrative units; high level support for compliance program initiatives, including the provision of adequate resources to ensure their success; clear delegation of compliance responsibilities to qualified designated personnel who are provided appropriate authority and who will report back to senior leaders; and an appropriate degree of coordination and/or integration of compliance functions across different units and programs to ensure consistent quality and effectiveness of compliance programs and safeguards and the avoidance of administrative redundancy and conflict.

The essential importance of senior leadership responsibility for compliance, and senior leadership commitment and support for a properly designed and effective compliance program, is a central theme in the Sentencing Guidelines. Those Guidelines specifically provide that:

1. The organization’s governing authority shall be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight with respect to [its] implementation and effectiveness.

2. High level personnel … shall ensure that the organization has an effective compliance and ethics program … [for which] specific individuals within high level personnel shall be assigned responsibility.

3. Specific individuals within the organization shall be delegated day-to-day operational responsibility for the compliance and ethics program. [These individuals] shall report periodically to high-level personnel and, as appropriate, to the governing authority, or an appropriate subgroup of the governing authority, on the effectiveness of the … program. To carry out such operational responsibility, such individual(s) shall be given adequate resources, appropriate authority, and direct access to the governing authority or an appropriate subgroup of the governing authority.

The Draft OIG Guidelines also provide very specific recommendations concerning the design and organization of a compliance program for sponsored research.
Its recommendations specifically include: that senior management (“such as” the president and board of directors) be involved in “the development of all aspects of the compliance program”; that each organization appoint a compliance officer who will have day-to-day responsibility for overseeing and coordinating the compliance program; that the compliance officer should report directly to the institution’s president (or, in larger organizations, to the provost or senior director of research administration) and have direct access to the board of regents or other governing body, senior administration officials and legal counsel; that the compliance officer “have sufficient funding, resources and staff to perform his or her responsibilities fully”; that the compliance officer’s responsibilities include program oversight and monitoring, program revisions, education and training delivery and oversight, policy development, assisting with audits and reviews, investigating reports of noncompliance, and assuring appropriate reporting and corrective action; that organizations establish a compliance committee “to advise the compliance officer and assist in the implementation of the compliance program”; and that the compliance committee be composed of officials with varying responsibilities within the organization and who possess subject matter expertise in various areas of importance to compliance, such as finance, audit, legal, and biosafety. An example of a charter for a university-wide compliance oversight committee, from the University of Minnesota, is attached as Exhibit B. While the Sentencing Guidelines and Draft OIG Guidelines provide very useful suggestions concerning the design of compliance programs, they are best seen as articulating only general principles, and not as prescribing specific models that institutions need to replicate in every detail. 
Indeed, the OIG Draft Guidance has been criticized for being overly rigid and prescriptive in certain of its recommendations, and many believe that when DHHS issues its final guidance, it will articulate a greater recognition of the diversity of institutions and a greater acceptance of a variety of different approaches to compliance. The reality is that a compliance oversight model that makes great sense for one institution would not work at all well for another institution. Universities with stronger and more independently administered campuses or schools will have more highly decentralized governance structures. These institutions may prefer to appoint school-based compliance officers rather than a single university-wide compliance officer. The challenge for these institutions will be to determine how best to coordinate the efforts of the multiple compliance offices and programs, to avoid duplication and conflict, and also to ensure that the institution’s system-wide or university-wide governing board and leaders can fulfill their fiduciary obligations and ensure compliance in all university activities. One way to do this might be to have all decentralized compliance officers/programs report to a central university leader (who could report directly to the president or board), and to have that leader both evaluate and provide direction and support (such as through the provision of centralized employee training resources) to those unit-based officers and programs. The challenge for an institution with a highly centralized governance structure and a single university-wide compliance office and program will be that of developing effective relationships and lines of communication with leaders and senior managers in each of the colleges, schools, and other subordinate organizations, perhaps through designated local compliance “liaisons” or “partners”.
While the design of each institution’s program will be unique in at least some of its respects, and while there are bound to be a variety of effective models that are designed quite differently from one another, the view that emerges from the literature and the various guidelines discussed here is that a properly designed compliance program will feature certain essential characteristics such as: a highly placed compliance officer (or officers), reporting regularly to senior leadership, charged with essential compliance oversight duties, and vested with sufficient authority to ensure his/her/their effectiveness; a fully informed and engaged senior leadership, chief executive and board; adequate resources and institutional support for the compliance function; and some kind of compliance-related senior management oversight or advisory committee to advise, assist and/or oversee the work of the compliance officer and help ensure the success of the institutional compliance program.

B. COMPLIANCE RISK ASSESSMENTS

No attempt will be made here to discuss the topic of risk assessment in any level of detail. Rather, some basic suggestions and observations will be provided in an attempt to provide a framework for thinking about the problem. But for an excellent discussion of a risk assessment approach for a higher education institution, as well as invaluable advice and a scalable framework for establishing an effective compliance program at your college or university, see Effective Compliance Systems: A Practical Guide for Education Institutions, David B. Crawford, Charles G. Chaffin and Scott Scarborough (The Institute of Internal Auditors Research Foundation, Nov. 2001). Most approaches to risk assessment appear to involve, at a basic level, the identification of activities that involve risk to the institution, the measurement of the degree of risk each involves, and the comparison or ranking of the degree of risk of those various activities.
The process that involves all three steps has sometimes been referred to as “strategic risk assessment,” since its end result is the identification of risk-bearing activities most in need of attention by management, i.e. most in need of some institutional intervention to minimize the risk. The following will describe a basic approach to risk assessment, in an effort to offer a simple model for possible comparison with other models, and to highlight some of the main challenges in this area. To keep the discussion simpler and more focused, the discussion will presume an attempt at a strategic risk assessment process for research compliance in a medical school setting.

Step 1: Identify the various “compliance areas” or “risk areas” inherent in the institutional activity of conducting sponsored research. As a first step, these risks could be divided into “financial and grants management” risks and non-financial “regulated research activity” risks. The area of “financial and grant compliance” would include, for example: effort reporting; cost sharing; cost accounting standards; equipment management; program income, procurement, and subrecipient monitoring. The regulated research activities risks would include risk areas such as: export controls, human subject protection, biosafety controls; animal welfare; and conflicts of interest. A more complete list of risk areas within these two general categories is included in Appendix C.

Step 2: For each identified risk area, an inventory should be developed which identifies the applicable legal, regulatory and institutional policy requirements relating to that area, and the offices, committees and officials at the institution responsible for various administrative or compliance duties in the area.
One outcome of this exercise is to identify “subject matter experts” or “compliance leaders” with both knowledge and responsibility in the various assigned areas who will be able to assist with the further steps, including higher-level compliance assessments and targeted compliance enhancements or improvements.

Step 3: A basic-level “gaps analysis” should be performed to determine whether university policies or business or administrative processes are in place (at least on paper) to help ensure that all of the identified legal and regulatory requirements are identified and internally communicated (even if not fully understood and being complied with), and if any such basic gaps are found, to fill them.

Step 4: A next step would be to perform a higher-level compliance-program-type assessment in each of the identified areas. This would involve assessing, in each area, the level of adequacy or degree of completion of each of the seven substantive “elements of compliance” identified in the Draft OIG Guidance, namely: written policies and procedures, effective training and education, effective lines of communication, internal monitoring and auditing, published disciplinary guidelines, defined roles and responsibilities, and appropriate response to problems and corrective actions.

Step 5: Determine, on a continuing basis, which of the areas in which deficiencies have been identified in Step 4 need to be addressed and remedied on a priority basis, and how they ought best to be addressed. This step involves a somewhat more subjective analysis, based in part on the perceptions of institutional leaders and staff, and probably external subject matter experts as well, about the greatest risks to the institution.
This analysis will generally involve some kind of an attempt at an objective quantification of potential institutional harms that may result in the event of non-compliance, often through a review of the “external environment” of federal agency and DOJ enforcement actions, case settlements, OIG audit reports and work plans, and civil lawsuits. But it should also involve some kind of a survey of institutional managers, staff and subject matter experts to obtain their “insider” perspectives on which areas they perceive to be the greatest compliance risks and areas most in need of attention and some kind of management intervention. This kind of internal “temperature taking,” which is a strategy often associated with the “enterprise risk management” (“ERM”) approach to governance, can utilize the type of survey instrument attached as Appendix C.

A few additional observations about this very basic form of “strategic risk assessment” are in order. First, the concept of institutional “risk” is normally defined broadly to include, in addition to financial risk (from potential damage awards, regulatory fines and penalties, costly remedial compliance conditions imposed on the institution, and business disruptions), risks to institutional reputation and prestige, and risks to the health and safety of employees, research subjects and community members. Second, the ranking or prioritization of risks will necessarily involve making predictions about the likelihood that a non-compliance event will occur and result in some adverse outcome affecting institutional finances or reputation or the well-being of the institution’s constituents, and the degree of harm that will most likely be associated with that adverse outcome. Those predictions will in turn be based on perceptions of the nature of the underlying activity (e.g. inherently dangerous or not), the intensity or volume of the activity (e.g. “very few” versus “very many” clinical research trials) at the particular institution, and the likelihood of a resulting enforcement action or lawsuit by regulators or affected parties, or an exposé by the local or national press or watchdog groups. Finally, the basic steps outlined above may be re-ordered, depending on institutional priorities and strategic preferences. For example, many institutions may choose to proceed with Step 5 and prioritize their risks before undertaking the detailed 7-point compliance-program-type assessment described in Step 4 for those identified “priority risks.”

C. ASSESSING YOUR COMPLIANCE CULTURE

1. Sentencing Guidelines and Related Regulatory Mandates

The Advisory Committee making recommendations to Congress on the 2004 revisions to the U.S. Sentencing Guidelines placed great emphasis on organizational culture. Specifically, the committee expanded the existing Guidelines to make the requirement to promote a culture of compliance an explicit element of the framework. As amended, the Guidelines now state: “To have an effective program to prevent and detect violations of law … an organization shall … promote an organizational culture that encourages a commitment to compliance with the law.” § 8B2.1(a). This is consistent with legislative and regulatory reforms, both before and after the Amendment to the Guidelines. These include the Sarbanes-Oxley Act of 2002 (“SOX”) (requiring companies to adopt codes of conduct with “standards that are reasonably designed to promote honest and ethical conduct”), § 406; and SEC regulations (recognizing that a “code of ethics” includes “written standards that are reasonably designed to deter wrongdoing and to promote honest and ethical conduct”), 68 Fed. Reg. 5110, 5118.
Although expressed in the highly regulated world of the SEC, the views of its Director, Office of Compliance Inspections and Examinations, perhaps best capture the current regulatory mentality across many regulatory bodies: “The culture of compliance is too important to be left to subjective impressions. Through our new methodologies we are turning it into a formal examination technique. We are taking it very seriously.” “The Culture of Compliance,” Lori Richards (April 23, 2003), http://www.sec.gov/news/speech/spch042303lar.htm.[5]

[5] Ms. Richards further remarked: [W]e have prepared a formal approach to assessing your culture of compliance. We think that every good culture of compliance has at least five elements. First, it has a strategic vision. Compliance activities have to relate to some larger strategic goal. Second, it identifies the specific risks that could arise within each strategic area. The devil, as they say, is in the details. Third, it establishes control points for each of these risks. Fourth, it is well documented. Documentation provides transparency, both internal, to senior management, and external, to auditors and regulators. Fifth and finally, specific people are accountable for managing each specific element of the compliance system. You can have the best policies and procedures in the world, but if no one is making them work, they will be useless. Id.

2. Compliance Culture Assessment Strategies

At the most general level, however, assessing your compliance culture should evaluate the behavioral norms and views of your faculty and staff against key indicators for a “healthy” compliance culture. This is in many ways the more traditional, expansive view of “culture” beyond programmatic elements. Factors to consider in this assessment may include:

1. Employee awareness of ethical/legal issues that arise at work
2. Looking for ethics/compliance advice within the organization
3. Employee knowledge of workplace rules
4. Employee willingness to inform management of problems/deliver “bad news” to management
5. Employee willingness to report legal violations (e.g. call the “hot line”)
6. Employee commitment to the organization
7. Employee perceptions that leadership pays attention to ethics and cares about ethical conduct as much as the bottom line
8. Employees’ perception of fair treatment within the organization
9. Institutional ethics and values are openly discussed and are integrated into decision-making
10. Employees perceive that ethical behavior is rewarded and unethical behavior punished, at all levels.[6]

[6] Source: Managing Ethics and Legal Compliance: What Works and What Hurts, Trevino et al., 41 California Management Review, No. 2 (1999).

3. Examples: Culture Assessment Questions

As one strategy to consider, many institutions, including the University of Minnesota, currently survey faculty and staff culture generally on a periodic basis. A typical “culture” survey may include a host of topics, from compensation satisfaction to professional development. This may be an ideal location to integrate questions essential to a compliance culture. For example, in the University of Minnesota’s most recent survey, employees were asked the following questions (responses on a five-point scale: 1 = Strongly Disagree; 2 = Disagree to Some Extent; 3 = Uncertain; 4 = Agree to Some Extent; 5 = Strongly Agree):

I know where to report violations of law or policy (such as the University's confidential reporting line). (1 2 3 4 5)

I believe I would be protected from retaliation if I report a suspected violation. (1 2 3 4 5)

University leadership demonstrates integrity and ethical behavior. (1 2 3 4 5)

I have experienced or observed significant misconduct (violation of law, workplace rules, or significant University policy) in my unit/department within the last twelve months? (Yes / No)

If Yes: If the misconduct was not known by responsible University officials, did you or someone else report it to responsible University officials or the University’s confidential reporting service? (Yes, I reported it / Yes, others reported it / No, it was not reported / Don’t know)

If Yes: Do you believe responsible University officials took appropriate corrective action? (Yes / No / Don’t Know)

D. OTHER ASPECTS OF A COMPLIANCE PROGRAM

Without going into any level of detail, brief mention should be made of a few of the other most essential aspects of a compliance program.

1. Education and Training & the Promotion of Responsible Conduct

The Advisory Committee making recommendations to Congress on the 2004 revisions to the U.S. Sentencing Guidelines (the “Advisory Committee”) re-emphasized and enhanced the requirements for compliance-related education programs. The most significant change made to this element was inclusion of the explicit directive to engage in compliance training, and that such training include the Board, organizational leaders, and all employees. The Advisory Committee recognized that successful training has two components: (1) effectively communicating compliance standards, roles and responsibilities to all organizational agents and (2) motivating them to comply. It concluded that “all organizations should engage in active compliance training.” Based upon the role organizational leaders play in overseeing the compliance program, the Committee further emphasized “that all levels of the organizational hierarchy should be made aware of their compliance responsibilities, from the governing authority on down to organizational agents.” Most commentators have interpreted this to mean that compliance-specific education is required for boards or an appropriate board committee.
The degree to which, and manner in which, education and training is conducted will vary from institution to institution, based on the nature and intensity of risk-bearing activities, the institution’s perceptions of risk, resource availability, institutional culture and other factors. A common question that arises is the degree to which training should be a centralized function, run out of a central compliance or employee training office that can perhaps better ensure that training modules and programs are structured and evaluated appropriately and consistently across all units, or a decentralized function delegated to the administrative units responsible for the given activity, where it is more likely to be administered by subject matter experts with practical insights into the day-to-day operations they are tasked with overseeing. Perhaps the best, albeit highly resource-intensive, model is the hybrid model established by Stanford University in its Cardinal Curriculum, through which training modules are developed for each particular risk area through a partnership between a central training department, which brings curriculum design and evaluation expertise, and the subject matter experts responsible for the administrative and compliance functions in that particular area. Stanford has also recently introduced its STARS “training and registration” system, which permits the institution, among other things, to track all compliance training that occurs in its decentralized training environment. Information about Stanford’s impressive training program is available to the public online at http://ora.stanford.edu/cardinal/.

2. Auditing, Monitoring and Trending

The 2004 amendments to the Sentencing Guidelines make three changes to the USSC’s original monitoring and auditing requirements. First, the original guidelines listed compliance monitoring and auditing as examples of good compliance practices, but did not make them expressly required.
The amendments make these required, so that “regular compliance evaluations through auditing and monitoring practices are essential features of every compliance program.” Second, the amended Guidelines add a new requirement to regularly review and assess the compliance program itself. The Committee distinguished between (1) traditional monitoring to review “the adherence of organizational activities to applicable laws and compliance program requirements” and (2) evaluation of “the sufficiency of managerial practices comprising an organization’s compliance program to ensure a reasonable likelihood of success.” The Committee observed that “regular evaluations of program effectiveness are an essential means to ensure the completeness and success of the compliance program.” Thus the new Guideline states that due diligence requires the organization to “take reasonable steps to evaluate periodically the effectiveness of the organization’s program to prevent and detect violations of the law.” Third, the amendments make clear that monitoring and auditing programs should be based upon regular risk assessments (discussed above). The change “clarifies that characteristics of monitoring, auditing, and evaluation efforts, such as the targeting and frequency of compliance assessments, should correspond to the likelihood of compliance problems in particular organizational activities.” There are a number of possible sources of “trending information,” i.e. information providing evidence of which particular compliance problems are occurring – or are thought to be occurring – with the greatest frequency at your institution. Certainly, audit reports from both the institution’s external auditors (e.g. auditors performing the annual A-133 Audit for sponsored programs) and internal auditors (e.g. performing confidential departmental or program audits) are among the most useful sources of information about compliance problems. 
Other sources include hotline/helpline reports, statements and questions made by employees at focus group meetings and training sessions, and actual discovered or reported noncompliance events, all of which can and should be compiled and evaluated in some fashion. In addition, employee satisfaction surveys administered by personnel and workforce development offices can contain (and could be explicitly designed, with the assistance of compliance personnel, to contain) questions about institutional compliance intended to elicit employees’ observations and concerns about compliance in their areas.

3. Reporting & Corrective Action

It is of course essential that internal reporting of non-compliance be encouraged, through language establishing that expectation in Codes of Conduct and through protective provisions for whistleblowers in well-publicized non-retaliation policies. It is equally essential that institutional policies and procedures are sufficient to ensure that all instances of non-compliance required to be reported to external agencies are in fact reported, and that appropriate corrective and, when necessary, disciplinary action is taken following review and investigation of instances of alleged noncompliance. No attempt will be made here to discuss this broad topic in greater detail. However, an excellent template for institutional policies intended to encourage reporting, and to appropriately address noncompliance concerns, is the one developed by the University of Minnesota, which is available online at http://www.fpd.finop.umn.edu/groups/ppd/documents/policy/Reporting_Violations.cfm.

E. ROLE OF LEGAL COUNSEL

Lawyers clearly play a very significant and important role in compliance programs. First, they are responsible for providing legal advice to the institution and have the final word on legal issues facing the institution.
Hence, whenever there are questions about the scope or meaning of regulatory requirements, the institution’s particular duties under those regulations, or the manner in which the institution should discharge its duties to best ensure compliance with the regulations, the lawyers are the ones who will need to provide the answers, or at least their best professional advice for institutional leaders to consider in making decisions about institutional management. Second, lawyers will often be the most knowledgeable “subject matter experts” in any given area, and can help with risk assessment, the design of compliance controls and policies, and employee training in those areas. Third, lawyers can help compliance leaders better understand the external enforcement and liability environment, by keeping compliance officials updated on enforcement and litigation trends, and identifying new and emerging regulatory challenges. Fourth, lawyers will often need to assist with investigations of wrongdoing, particularly advising on issues of due process and hearing procedures and appeals, and sometimes leading such investigations and protecting institutional findings under attorney-client or other applicable privileges. Fifth, lawyers are invaluable resources when it comes to policy drafting and development, with usually strong writing and analytical skills and with a trained eye for due process and related legal issues. Finally, and more generally, due to the institution-wide perspective they bring, and their keen eye for potential problems and pitfalls that can lead to conflict and litigation, lawyers should be seen as key partners who can assist and provide useful advice to compliance personnel on the full range of an institution’s compliance activities.

III. CONCLUSION

There is no question that compliance programs are increasingly becoming part of the landscape at colleges and universities, due to external pressures such as Sarbanes-Oxley, more thorough and rigorous external auditing processes, and governmental expectations expressed in guidance like the Draft OIG Guidance and the U.S. Sentencing Guidelines, as well as internal pressures from institutional directors and senior leaders, employees, and actual and potential whistleblowers. The bad news is that successful compliance programs can be a significant challenge to establish and maintain. But the good news is that many useful tools, guidance materials and model policies, like those developed at the University of Minnesota and at Stanford University, as well as materials available through conferences like this one, are available to help guide institutions looking to establish or improve their compliance programs.

APPENDIX A
Summary of DHHS OIG 11/05 CPG: 8 Elements

Policies and Procedures regarding federal requirements
● Policies and procedures "should be developed under the direction and supervision of the compliance officer, the compliance committee, and relevant institutional officials."
● "Policies should be reviewed at regular intervals to ensure they are current and relevant."
● Policies should be provided to all faculty, staff and students affected by them; the CPG suggests putting them on a single internet site.

Code of Conduct
● Should "detail the fundamental principles, values and framework for action within an organization… should articulate the institution's expectation of commitment to compliance by management, employees, and agents, and should summarize the broad ethical and legal principles under which the institution must operate"; should be applicable to all employees.
● Code of Conduct: Senior management "such as the board of regents and president" and others should participate in the development of the code of conduct.

Designation of Compliance Officer and Compliance Committee
● The Compliance Officer "optimally should report directly to the institution's president and should have direct access to the board of regents, senior administration officials, and legal counsel."
● Compliance Officer primary responsibilities:
  - Overseeing and monitoring implementation of the compliance program
  - Reporting on a regular basis to the board of regents, president and compliance committee
  - Periodically revising the program to respond to changes
  - Developing, coordinating, and participating in education programs that focus on the elements of the compliance program, and seeking to ensure that all affected employees understand and comply with pertinent federal and state standards
  - Developing policies and procedures
  - Assisting the institutional internal or independent auditors in coordinating compliance reviews and monitoring activities
  - Reviewing, and where appropriate acting in response to, reports of noncompliance received through the hotline or otherwise brought to the compliance officer's attention by internal audit or counsel
  - "Independently investigating and acting on matters related to compliance. The compliance officer should have the flexibility to design and coordinate internal investigations (e.g. responding to reports of problems or suspected violations) and any resulting corrective action (e.g. making necessary improvements to policies and practices, and taking appropriate disciplinary action) with particular departments or institution activities."
  - Participating with counsel in the appropriate reporting of any self-discovered violations of federal requirements
  - "Continuing the momentum/revising or expanding the compliance program after the initial years of implementation"
  - The "compliance officer must have authority to review all documents and other information relevant to compliance activities."
● Compliance Committee: established to advise the compliance officer and assist in the implementation of the compliance program.
● Compliance Committee: suggested membership from "operations, finance, audits, human resources, and legal, as well as faculty members. All committee members should have the requisite seniority and comprehensive experience within their respective areas to recommend and implement any necessary changes to policies or procedures."
● Compliance Committee: "the committee should function as an extension of the compliance officer and provide the organization with increased oversight."

Conducting Effective Training
● An institution should provide general training sessions that cover such issues as ethical standards and the institution's commitment to compliance issues. All employees, and where feasible and appropriate contractors, should receive the general training.
● General training should include "the contents of the institution's compliance program, such as the roles of the compliance officer and the committee" and the hot line, and "both a description of the many types of compliance issues that administrators, faculty and other employees may need to address... and the sources of guidance for resolving those issues."
● More specific training should be provided for more specialized audiences, for example administrative personnel who manage award funding.
● General and specific training sessions should be provided both upon initial employment with the institution as well as on some periodic schedule… specialized training should be provided on a more frequent basis, perhaps annually or more frequently.
● The Compliance Officer should maintain records of all formal training undertaken by the institution as part of the compliance program. This should include attendance logs, descriptions of the training sessions, and copies of the material distributed at the training sessions.
● The institution needs to establish a mechanism to ensure that employees receive the training they need.
● "Adherence to the training requirements as well as other provisions of the compliance program should be a factor in the annual evaluation of each employee."

Effective Lines of Communication
● Confidentiality and non-retaliation policies should be developed and distributed to all employees.
● "In addition to serving as a contact point for reporting problems and initiating appropriate responsive action, the compliance officer should be viewed as someone to whom personnel can go for clarification on the institution's policies."
● "An effective employee exit interview program could be designed to solicit information from departing employees regarding potential misconduct and suspected violations of the institution's policies and procedures."
● Identification of areas of risk or concern through periodic surveys.
● A hotline/reporting mechanism should be made available to all employees and communicated; "employees should be permitted to report matters on an anonymous basis."
● Reported matters should be reviewed promptly; matters which suggest substantial violations of federal program requirements should be documented and investigated promptly. "The compliance officer should maintain a thorough record of such complaints, as well as any investigation, its results, and any remedial or disciplinary action taken."
● The institution may "provide [hotline] information, redacted of individual identifiers, to the institution's senior management, such as the board of regents and the president, and to the compliance committee."

Auditing and Monitoring
● Auditing of the institution's operations and activities is a critical internal control; audits should follow the "Yellow Book" Government Auditing Standards.
● Conduct risk assessments to determine where to devote audit resources, and for separate performance audits. The institution may wish to consider the three research risk areas identified in the CPG; "risk assessments could be coordinated by the compliance office."
● Monitoring of the implementation of the compliance program itself, and an ongoing evaluation process. The compliance officer should document this monitoring process and provide these assessments to the institution's senior management and compliance committee.
● "The nature of the [compliance reviews] could include prospective systemic review of the institution's processes, protocols, and practices, or a retrospective review of actual practices in a particular area."
● "Reviews should evaluate whether (1) the institution has policies covering identified risks; (2) policies were implemented and communicated; (3) the policies were followed."

Enforcing Standards through Well-Publicized Disciplinary Guidelines
● The program "should include clear and specific disciplinary policies that set out the consequences of violating federal or state requirements, the institution's code of conduct, or its policies or procedures."
● The institution should consistently undertake appropriate disciplinary action across the institution for the disciplinary policy to have the required deterrent effect.
● Intentional and material noncompliance should not be tolerated and should subject transgressors to significant sanctions.
● Disciplinary action may also be appropriate when a responsible employee's failure to detect a violation is attributable to his or her negligence or reckless conduct.

Responding to Detected Problems and Developing Corrective Action Initiatives
● The compliance officer or other official should immediately investigate allegations to determine materiality, take decisive steps to correct the problem, and implement a corrective action plan as appropriate.
● Where the investigation shows credible evidence of misconduct that may violate criminal, civil or administrative law, the institution should promptly report to the appropriate authorities within a reasonable period, but not more than 60 days, after determining there is credible evidence of a violation.
● "Once the investigation is completed . . . the compliance officer should notify the appropriate authorities of the outcome of the investigation."

Establishing Roles and Responsibilities and Assigning Oversight Responsibility
● The institution should clearly delineate the responsibilities of all persons involved with the conduct of federally supported research, including both administration or department personnel with oversight responsibility as well as principal investigators and other personnel who are engaged in research.
● Roles and responsibilities should be clearly communicated and accessible.

APPENDIX B
Compliance Oversight Committee

Purpose

The Compliance Oversight Committee will oversee the University’s compliance activities and program to ensure they are reasonably designed, implemented, enforced and generally effective in preventing and detecting violations of the law. The committee will further take or recommend such actions as are necessary to promote an organizational culture that encourages a commitment to compliance and ethical conduct.

Responsibilities

The Committee members will be knowledgeable about the content and operation of the University’s compliance and ethics program. The Committee will further exercise reasonable oversight over the implementation and effectiveness of the program, including:

● Assuring that individuals with operational responsibility conduct regular ongoing risk assessment; regularly reviewing risk assessments; and recommending and assuring that appropriate steps are taken to design, implement, or modify compliance activities to reduce the compliance risks identified by risk assessments.
● Assuring that compliance roles and responsibilities are clearly established across the University system, and that due care is taken in delegating substantial authority.
● Assuring that the University implements standards of conduct, policies, procedures and internal control systems reasonably capable of reducing misconduct, including the Board of Regents Code of Conduct.
● Exercising reasonable oversight over compliance activities, including periodically requesting and receiving information on the implementation and effectiveness of the compliance and ethics program from individuals with day-to-day operational responsibility, as well as the Director of Institutional Compliance.
● Assuring that individuals responsible for the compliance and ethics program have adequate resources, authority, and competencies to carry out their responsibilities.
● Assuring that the University’s compliance standards, procedures and expectations, including the Board of Regents Code of Conduct, are effectively communicated through education and training programs, publications, and other appropriate means.
● Assuring that reasonable steps have been taken to achieve compliance with laws, policies, and procedures throughout the University through the use of reasonably designed auditing and monitoring systems as well as periodic evaluation of the compliance program’s effectiveness.
● Assuring the University maintains an effective mechanism for employees and agents to report or seek guidance regarding potential or actual wrongdoing, including mechanisms to allow for anonymous reporting, and appropriate safeguards to protect against potential retaliation.
● Assuring that compliance is promoted and enforced consistently through appropriate incentives and disciplinary measures, including discipline of employees responsible for violations and, if warranted, discipline of employees for failing to reasonably detect offenses; further assuring that appropriate actions are taken to prevent similar offenses, including making any necessary modifications to the compliance program.
● Reporting, or directing the reporting, on the implementation and effectiveness of the compliance program to the Board of Regents Audit Committee.
● Taking such other actions, or making such other recommendations, as are necessary to promote an ethical organizational culture.
Membership

The membership of the Compliance Oversight Committee will consist of members of senior management selected by the University’s President, and other persons as deemed appropriate. The initial membership will include:

● Vice President for Human Resources
● Vice President for Research
● Vice President for University Services
● General Counsel
● University Auditor
● Director of Institutional Compliance

Operations

The Committee will meet at least quarterly and at such other times as it elects. The Director of Institutional Compliance will provide administrative support to the Committee, as well as serving as a member. The Committee may delegate compliance activities to other committees or persons as it deems appropriate.

APPENDIX C

REGULATED RESEARCH ACTIVITIES (“Non-Financial”) (“RRA”)

Worksheet columns: Activity/Risk Area; Reputational Risk (High / Med / Low); Health, Safety & Operational Risk (High / Med / Low); Financial Risk (High / Med / Low); Overall Priority Ranking (1-11). The template's rating cells are blank.

Activity/Risk Areas:
● Human Subject Protection & IRB
● Animal Welfare & IACUC
● Stem Cells – Non-Financial Compliance
● Biosafety & COMS
● Select Agents
● Export Controls
● Environmental/Occupational Health & Safety
● Clinical Trials & FDA
● Financial Conflicts of Interest
● Intellectual Property & Bayh-Dole Compliance
● Data Privacy & Security (including HIPAA)

FINANCIAL AND GRANTS MANAGEMENT (“FGM”)

Worksheet columns: Activity/Risk Area; Reputational Risk (High / Med / Low); Health, Safety & Operational Risk (High / Med / Low); Financial Risk (High / Med / Low); Overall Priority Ranking (1-13). The template's rating cells are blank.

Activity/Risk Areas:
● Pre-Award & Proposal Requirements
● Subrecipient Monitoring
● Award Management, including Financial & Technical Reports, Records and Data
● Time & Effort Reporting
● Cost Allocation, including Cost Transfers & Cost Sharing
● Stem Cells – Cost Allocation
● Program Income
● Allowable Costs
● Reporting Support from Other Sources
● Financial and Cost Accounting & Reporting
● Procurement
● Equipment Use & Management
● International Programs: Oversight