SCCE Higher Education Compliance Conference
Improving the Effectiveness of Your Institutional Compliance Program
Robert Nobles, DrPH, MPH, CIP
Assistant Vice Chancellor for Research
Institutional Compliance Committee Chair
Bill Moles, CCEP, CIA, MBA
Director of Compliance
System Administration Institutional Compliance Office
Session Objectives
1. Developing an organizational infrastructure for compliance that satisfies the Federal Sentencing Guidelines.
2. Overcoming communication obstacles so that multiple university audiences and stakeholders embrace a culture of compliance.
3. Strategies for empowering compliance officers.
The Age of Enforcement
Era of Compliance Process - Previous ≈50 years of
compliance focused on
development of compliance
infrastructures and education.
Age of Compliance
Enforcement - “I like to call this
the age of enforcement…There is
no longer any question about
what the rules are, there is no
longer any forgiveness of any
significant amount in the system
for lax enforcement, for failure to
comply.” (Kathleen Merrigan, Secretary of
Agriculture, April 6, 2010)
Universities Penalized for Violations
• Stanford U – Inflated research overhead cost - $1.2 M
• U of Washington – Billing fraud - $35 M
• U of Texas – Underpayment of royalties - $12 M
• U of Minnesota – Misuse of federal grants - $32 M
• NYU Medical Center – Inflated grant costs - $15.5 M
• U of Penn. – Human subjects, conflict of interests - $514 K, closed center
• Northwestern U. – Inaccurate grant effort reporting - $5.5 M
• U of California – Mischarging research grants - $3.9 M
• NYU - $1.4 M, Penn - $1.6 M, Johns Hopkins $1.1 M – Preferred lenders
• U of Med and Dentistry of NJ - overbillings, political activity, no-bid contracts, inappropriate admissions - Dissolved and transferred to Rutgers
• U of Tennessee – Export control violation – Criminal charges
• UCLA – Death from lab accident – Criminal charges
• Penn State – Sexual assault – Criminal charges
ASSURANCE of Professional Conduct
in the Field of Research (“Professionalism”)
NIH Office of Research Integrity
Responsible Conduct of Research (RCR)
*Protection of Human Research Subjects (OHRP)
*Care and Use of Research Animals (OLAW)
*Research Misconduct (ORI)
*Conflicts of Interest and Commitment
*Data Acquisition, Management, Sharing and Ownership
Publication Practices, Responsible Authorship
Mentor / Trainee Responsibilities
Peer Review
Collaborative Science
ACCOUNTABILITY for
Expenditure of Federal Funds
Office of Management and Budget
(OMB-A21; OMB-133 etc. )
Office of Inspector General
Research Grants Administration
Research Grants - Pre-award
Research Grants - Post-Award
– Effort Reporting & Cost Sharing
– Allowability of Expenditures
– Sub-recipient Monitoring
– Grant reporting
Compliance - a Misnomer
“Compliance, n. a yielding, disposed to oblige, conforming to the wishes of others”
“There is perhaps no other environment where this term’s connotation evokes such rancor” - R. Emery
Laboratory Safety
Principal Investigator Research Responsibility:
Export Regulations
Dept. of Commerce - Dept. of Defense
*Export of “Sensitive” Information and Technologies
Key Aspects of an Academic
Compliance Program
Federal, State, and Institutional
Policies
Institutional Leadership
Legal Affairs
Compliance Personnel & Committees
Faculty, Staff, and Students
Institutional Audit/Risk
Management
Academic Compliance
Infrastructure
Compliance Program Components
Shared Accountability Model
Departmental Controls
Training and Support
P&P, Risk Assessment, and Monitoring
Compliance Officers
Shared Values
• Honesty – Conveying information truthfully and honoring commitments
• Accuracy – Reporting findings precisely and taking care to avoid errors
• Efficiency – Using resources wisely and avoiding waste
• Objectivity – Letting the facts speak for themselves and avoiding improper bias
Codes of Conduct
• Professional codes
• Government regulations
• Institutional policies
• Personal convictions
“Don’t listen to him….He’s a socialist.”
Importance of an Academic
Compliance Program
• Financial and Operational Risks
• Health & Safety Risks
• Reputational Risks
• Community
• Sponsors and Regulators
• Governmental Expectations (e.g., Title IX, DHHS OIG, NIH, NSF)
• Possibly Reduced Fines and Penalties
Importance of an Academic
Compliance Program
• Elimination of uncertainty and confusion about roles and
responsibilities
• Better quality research, operations
• Identifying and addressing problems early
• Reducing likelihood of government audits &
investigations
• Better trained workforce
When Non-Compliance Occurs
Compliance Risk Consequences
• Imposition of fines and sentences
• Media coverage, blemished reputation
• Threat of whistleblower lawsuits
• More external regulatory and audit agency scrutiny
• Management time and effort for damage control
• Exclusion from governmental programs
• Probation and court-imposed programs
• Imposition of government-designed programs/procedures
Issue Etiology
Reliability and Reasonableness
“…it is recognized that research, service and administration are inextricably intermingled. A precise assessment of factors that contribute to costs is not always feasible, nor is it expected. Reliance, therefore, is placed on estimates in which a degree of tolerance is appropriate.” OMB Circular A-21, Section J.10 (Compensation for Personal Services)
Issue Etiology (2)
“Scientists Behaving Badly” - Nature 2005
Top Ten Behaviors (Percent*)
• Falsifying research data - 0.3%
• Ignoring major aspects of human subjects requirements - 0.3%
• Not properly disclosing involvement in firms whose products are based on one's own research - 0.3%
• Relationships with students, research subjects or clients that may be interpreted as questionable - 1.4%
• Using another's ideas without obtaining permission or giving due credit - 1.4%
• Unauthorized use of confidential information in connection with one's own research - 1.7%
• Failing to present data that contradicts one's own previous research - 6.0%
• Circumventing minor aspects of human-subject requirements - 7.6%
• Overlooking others' use of flawed or questionable interpretation of data - 12.5%
• Changing the design, methodology or results of a study in response to pressure from a funding source - 15.5%
Other Behaviors (Percent*)
• Publishing the same data or results in two or more publications - 4.7%
• Inappropriately assigning authorship credits - 10.0%
• Withholding details of methodology or results in papers or proposals - 10.8%
• Using inadequate or inappropriate research design - 13.5%
• Dropping observations or data points from analyses based on a feeling they were inaccurate - 15.3%
• Inadequate record keeping related to research projects - 27.5%
* % who did this in previous 3 years
Martinson, Anderson and deVries. Nature 2005 435:737-738
Federal Sentencing Guidelines
Compliance Program Requirements
Programs should be based on requirements of the Federal
Sentencing Guidelines for Organizations
Due diligence and promotion of an ethical culture minimally
require the following:
1. Written standards of conduct and policies and
procedures
2. Designating a compliance officer and other appropriate
bodies (e.g., compliance oversight committee)
Federal Sentencing Guidelines
Compliance Program Requirements
3. Effective education and training
4. Audits and evaluation techniques to monitor compliance
5. Reporting processes and procedures for complaints
6. Appropriate disciplinary mechanisms
7. Investigation and remediation of systemic problems
8. Risk assessment necessary for design and operation of
the compliance program (Section 8B2.1(c))
The University of Tennessee
Institutional Compliance Program
Board of Trustees
University President
Executive Compliance Committee
Board of Trustees Audit Committee
Institutional Compliance Office
UT Knoxville
UT Chattanooga
UT Martin
UT Health Science Center
UT Institute of Agriculture
UT Institute of
Public Service
Audit and Compliance
Services
Board of Trustees Audit Committee
• Created the Institutional Compliance
program in collaboration with the
President’s staff.
• Meets three times a year.
• Members receive a written progress
report for each campus before each
meeting.
• Each meeting includes a compliance
presentation on one compliance
topic.
[FSG §8B2.1(b)(2)(A)- Governing Authority
shall be knowledgeable.]
Board of Trustees
Board of Trustees Audit Committee
Institutional Compliance Office
Audit and Compliance
Services
Executive Compliance Committee
• Composed of President’s staff. [FSG §8B2.1(b)(2)(B)- High-level personnel ensure effective program.]
• Meets once a year.
• Receives the Audit Committee
update report (3 per year).
• Provided vision for the institutional compliance program when created.
Board of Trustees
University President
Executive Compliance Committee
Institutional Compliance Office
Executive Compliance Committee
• Oversees the campuses’ compliance risk assessments:
o corrective actions taken
o risks being assumed
• Assists campuses in overcoming obstacles to compliance:
o System-level policy changes
o Organizing system-level task forces
o Address resource needs
Executive Compliance Committee
• Assists campuses in defining acceptable levels of risk.
• Oversees disciplinary actions. [FSG §8B2.1(b)(6)- Consistent enforcement.]
• Provides visible support for
compliance efforts.
Institutional Compliance Office
• Oversees and promotes the Code of Conduct. http://www.tennessee.edu/code/
[FSG § 8B2.1(b)(1) Establish standards.]
Institutional Compliance Office
• Promotes and coordinates activities for the hotline.
http://compliance.tennessee.edu/hotline.htm
[FSG §8B2.1(b)(5)(C)- Anonymous reporting
mechanism.]
Institutional Compliance Office
• Develops and implements the university
compliance risk assessment process.
[FSG §8B2.1(c)- Risk Assessment.]
o Ensures consistency among campuses.
o Ensures a certain level of rigor.
o Improves efficiency (web-based tool).
Institutional Compliance Office
• Identifies regulatory areas with significant compliance risk
o Approximately 430 compliance areas.
o Input from compliance officers and committees.
o http://compliance.tennessee.edu/resource.htm
Institutional Compliance Office
• Assists the campus/institute compliance committees in their various duties regarding the risk assessment.
o Provides campus compliance officers general compliance training and training for risk assessment.
o Manages data collected from the risk assessment.
o Helps facilitate consolidating compliance issues and in developing potential corrective actions.
o Shares valuable information among all campuses.
Campus Compliance Committees
* Plans are reviewed by the respective chains of command, who must determine what resources to allocate and what risks must be assumed.
** Would include progress on plans and risks being assumed.
Applicable Regulatory Areas
Regulatory Area      Number
Academic             6
Athletics            3
Communications       14
Employee             25
Environmental        13
Facilities           26
Federal Reporting    6
Financial            6
Gifts                6
Health Care          13
Legal                7
Privacy              8
Procurement          14
Research             92
Safety/Health        67
Student              37
Tax                  17
Transportation       2
Total                362
Assignment of Regulatory Areas
Administrative Unit           Number of Compliance Officers   Number of Regulatory Areas
Chancellor                    1                               1
Provost/Academic              10                              29
Finance & Administration      18                              148
Development/Alumni Affairs    2                               2
Human Resources               5                               11
Equity & Diversity            1                               11
Research                      8                               58
Communications                1                               4
Student Life                  8                               19
Athletics                     4                               6
System Administration         17                              73
Campus Compliance Officer
FSG §8B2.1(b)(4)(A) - Provide training.
FSG §8B2.1(b)(5)(A) - Monitoring.
FSG §8B2.1(b)(5)(B) - Risk Assessment.
FSG §8B2.1(b)(7) - Taking corrective action.
FSG §8B2.1(b)(2)(C) - Specific individuals with responsibility. (Should be “working” responsibility.)
Campus Compliance Officer
Topics Covered in General Training
• Institutional Compliance Program organizational structure and assignment of responsibilities
• Overview of Federal Sentencing Guidelines (i.e., culpability factors and compliance program requirements)
• Disclosure of violations policy
• Whistleblower laws
Campus Compliance Officer
Topics Covered in General Training
• False Claims Act
• Corporate Integrity Agreements and government oversight.
• Instructions for the compliance risk assessment
• Framework for identifying, describing and disclosing risks
Risk Assessment – The Objectives
• Identify control weaknesses.
• Identify areas of noncompliance.
• Identify areas of potential weakness to monitor closely.
• Take corrective actions where needed.
• Identify targeted areas in need of assistance.
• Provide a baseline to measure future performance and track improvements that have been implemented.
• Perform assessment in efficient and effective manner.
Risk Assessment – The Process
1. Identify relevant regulatory areas.
2. Identify who has working responsibility for compliance at the campus level.
3. Campus compliance officers assess the risks.
4. Campus Compliance Committee identifies priorities and coordinates the development of plans of corrective actions.
Risk Assessment – Web-based Tool
[Adapted from a risk assessment process developed by Robert Roach at NYU.]
Step 1
Identify and describe the violations (or category of violations) that are the greatest risks for the regulation.
Identify the violations you are most concerned about in the context of the controls and ethical environment that are in place. What violations are you most concerned with?
Risk Assessment – Web-based Tool
Step 2
Measure the level of impact for the specific risk/ violation. Each type of impact has five levels that have been specifically defined.
Types of Impacts:
• Financial
• Legal
• Operational
• Reputational
* The most likely level of impact.
Risk Assessment – Web-based Tool
IMPACTS (score - description)
Financial
1 - Less than $200,000
2 - $200,000 to $1 million
3 - $1 million to $5 million
4 - $5 million to $10 million
5 - Greater than $10 million
Legal
1 - Technical violation of law or regulation. Little or no fine or other consequences probable.
2 - Government civil lawsuit or agency finding/action where outcome results in no increased governmental oversight or loss of licensure.
3 - Government civil lawsuit or agency finding/action where outcome could result in increased governmental oversight or loss of licensure.
4 - Government civil lawsuit, criminal investigation, or agency finding/action limited to one college or business unit that could result in loss of accreditation.
5 - Government civil lawsuit, criminal investigation, or agency finding/action involving multiple colleges or business units that could result in loss of accreditation.
Operational
0 - No impact on operations. No loss in our ability to conduct research or hold classes.
1 - Little or no impact on teaching or research. Impact is limited to the business/services operations only; with possible disruption or closure for 1 or 2 days.
3 - Teaching or research is disrupted 1 day to 1 week; or business/services department disrupted 3 days to 2 weeks.
4 - Teaching or research is disrupted for greater than a week; or business/services department disrupted for greater than 2 weeks.
5 - Multiple departments are unable to conduct research or hold classes for a month or longer; or an entire department (or greater) is eliminated. (Includes exclusion from governmental programs)
Reputational
0 - Little or no risk to the university’s reputation.
1 - Slight risk to reputation. Possible bad press, but no significant consequences to students, faculty, schools, or business units.
2 - Moderate risk to reputation. Probable short term bad press. Modest student, faculty, donor, and/or constituent fallout.
4 - Significant negative press coverage. Significant student, faculty, donor, and/or constituent fallout.
5 - Extensive and prolonged negative press coverage. Significant sponsor/board questions of management. Extensive student, faculty, donor, and/or constituent fallout.
Risk Assessment – Web-based Tool
Step 3
Measure the frequency of the risk/violation.
• Base this on your past experience as the campus/institute compliance officer.
• Base this on consideration of the current controls that are in place.
• Base it on the specific scenario you have defined (i.e., how many times will the scenario occur?).
• This is not the frequency of the violation being discovered by an external party.
Risk Assessment – Web-based Tool
FREQUENCY (score - description)
1 - Will probably not occur in the next year, based on historical/industry experience.
2.5 - Will probably occur one time in the next year, based on historical/industry experience.
3 - Will probably occur two to five times in the next year, based on historical/industry experience.
3.5 - Will probably occur six to ten times in the next year, based on historical/industry experience.
4 - Will probably occur more than ten times (or constantly) in the next year, based on historical/industry experience.
Risk Assessment – Web-based Tool
Step 4
Measure the level of control (five levels).
• Policy, Procedures, and Responsible Office
• Training
• Monitoring
Risk Assessment – Web-based Tool
Step 5 EXTERNAL REVIEWS AND VIOLATIONS
• Has an entity external to the university audited this regulation at your campus/institute within the past 10 years?
• Has the campus/institute received findings or penalties for violating this regulation in the past 3 years?
• Is the campus/institute currently out of compliance or have there been an unacceptable number of violations in the past 12 months?
• Do significant vulnerabilities or control weaknesses exist?
Risk Assessment Web Tool
Use FileMaker Pro.
For a simple application: 3 to 4 weeks to develop.
http://compliance.tennessee.edu/riskutk.html
Risk Assessment –
Web-based Tool
• Provides a framework for the compliance officer to describe and assess the compliance risk.
• Formalizes the process for identifying compliance issues and establishing priorities.
• Helps document the compliance officers’ due diligence in addressing weaknesses.
• The risk assessment can be easily updated in the future (after first occurrence, the template fosters efficiency for future risk assessments).
Measures of Risk
Inherent Risk = Financial + Legal + Operational + Reputational + Frequency
Controls Effectiveness % = Policy/Procedures + Training + Monitoring
Residual Risk = Inherent Risk × (1 – Controls Effectiveness %)
* A starting point. Very roughly identifies regulations with high impacts and low levels of controls. Indicates where controls may need to be reviewed. Does not eliminate the need to address areas where we have violations.
Developing Corrective Action Plans
1. Review risks and consolidate related issues.
2. Assemble work team and develop a very brief description of the proposed solution.
3. Campus Committee reviews brief descriptions, asks questions, and makes recommendations.
4. Work team develops the detailed plan and includes an estimate of resources needed. (Provide Corrective Action template.)
Developing Corrective Action Plans
5. Campus Committee reviews final proposed plan.
6. Campus Committee presents proposed plans to Chancellor’s Cabinet.
7. Campus Committee monitors the implementation of the approved plans.
Corrective Action Template
COMPLIANCE CORRECTIVE ACTION TEMPLATE
Compliance Officer:
Preliminary Plan ID(s):
Regulation ID Number(s):
Risk Serial Number(s):
CONTROLS TO IMPLEMENT (enter information for all that apply)
Policy/Procedure Changes
Brief explanation of any policy/procedure changes and
why they are needed:
Approvals/endorsements needed for changes:
Corrective Action Template
Training
Brief explanation of why the training is needed:
Brief description of course content:
Who will perform the training:
Who will receive the training:
The preferred frequency of the training:
Training methodology (e.g., in-class; web):
Methodology for identifying participants:
The training records that will be maintained:
Corrective Action Template
Monitoring
Brief explanation of the monitoring that will be
performed (e.g., inspections; violation reports):
Preferable frequency of monitoring:
Enforcement
Explanation of how violations will be handled:
Violation reports and who will receive them:
Appropriate penalties for violations:
Additional Relevant Information on Controls:
Provide any other relevant information (including
remaining significant risks that are still being assumed):
Corrective Action Template
RESOURCES NEEDED (enter information for all that apply)
Additional Funding
Increased staffing
List individual positions, primary responsibilities, and
approximate salary range:
Equipment
General description and approximate cost:
Maintenance cost, if significant:
Software
Description and approximate cost:
Annual licensing fee if applicable:
Corrective Action Template
Supplies
General description and approximate cost:
Services provided by external sources
General description and approximate cost:
Travel
General description and approximate cost:
Construction
General description and approximate cost:
Other Financial Costs
Description of any other costs that will require
additional funding:
Corrective Action Template
Additional Time/Effort Expended by Current Positions (if applicable)
List position (or office) and the additional
responsibilities/effort:
IMPLEMENTATION
If some or all of the corrective actions have been
implemented, please explain.
Group Activity
The audience is being asked to spend five (5) minutes identifying positions or individuals within their institution who should be informed of a significant non-compliance event (e.g., chemical fire resulting from noncompliance causing injury or death; or human subjects violation resulting in a federal audit).
Jesse Gelsinger (1981-1999) died in a gene “therapy” clinical trial at the age of 18 after suffering a massive toxic shock reaction.
Communication Strategies
“Educators, scientists, and
researchers face specific
challenges as they
communicate technical
information to educate the
general public and other
non-technical audiences.”
Source: S. Hutcheson. Effective Use of Risk Communication Strategies for
Health & Safety Educational Materials. October 1999 // Volume 37 //
Number 5 // Feature Articles // 5FEA1
Purpose of Risk Communication
• Enlightenment (Improve risk understanding)
• Right-to-know
• Attitude modification
• Legitimatize the institutional risk
• Risk Reduction
• Behavior change (encouraging protective behavior)
• Emergency readiness
• Public engagement
• Participation of those potentially impacted
Source: S. Lang et al. Risk Communication. 2001 World Health Organization (WHO). Water Quality: Guidelines, Standards and Health. Edited by Lorna Fewtrell and Jamie Bartram. Published by IWA Publishing, London, UK. ISBN: 1 900222 28 0
Communicating Risks
• Recognize the institution’s attitude about the potential risk
• Risk = Hazard + Perception
• Establish the existence and severity of the risk
• Demonstrate the risk poses a potential threat to institutional abilities and values
• Illustrate specific steps to avoid the risk
Adapted from: S. Hutcheson. Effective Use of Risk Communication Strategies for Health & Safety Educational Materials. October 1999 // Volume 37 // Number 5 // Feature Articles // 5FEA1
Source: S. Lang et al. Risk Communication. 2001 World Health Organization (WHO). Water Quality: Guidelines, Standards and Health. Edited by Lorna Fewtrell and Jamie Bartram. Published by IWA Publishing, London, UK. ISBN: 1 900222 28 0
Tenets Needed:
1) Credibility
2) Context
3) Content
4) Clarity
5) Continuity and consistency
6) Channels
7) Capability of audience
Effective Internal Communication
Leads to Empowerment
In order to fulfill our mission of serving the people of
Tennessee and beyond through the discovery,
communication and application of knowledge, we
must be committed as a statewide workforce to
promoting responsible and ethical behavior in
everything we do. — Dr. Joe DiPietro, University of Tennessee President
In our journey to the Top 25, reducing our risks,
maintaining integrity in our research and scholarly
activities, and protecting all of our faculty, staff, and
students will be vital to helping us reach our collective
university goals.
— Dr. Jimmy Cheek, UT Knoxville Chancellor
Empowerment Begins with
Institutional Leadership
What Are the Mechanisms for Empowerment?
Three (3) Basic Steps
1. Meet the regulatory needs by
building a foundation of
compliance
2. Meet the researcher’s needs
and fulfill their wish list
3. Meet the needs of the research
administrative staff
Meeting the Regulatory Needs
• Perform systematic assessments of each functional area
• Maintain and obtain Accreditation (promote external assessments)
• Ensure compliance committees are more than functional
• Encourage staff training and certification
Meeting the Researcher Needs
• Improve speed of submission review and approval
• Ensure availability of competent staff to respond to questions
• Ensure availability of appropriate trainings
• Utilize electronic submission solutions
• Create effective communication strategies
Meeting the Staff Needs
• Ensure leadership provides the infrastructure for success
• Understand and contribute to the culture of compliance
• Promote internal and external training opportunities
• Create and foster flexibility (outcome based activities)
• Create internal rewards
Robert Nobles, DrPH, MPH, CIP
Assistant Vice Chancellor for Research
UT Knoxville Institutional Compliance Committee Chair
(865) 974-3053
Bill Moles, CCEP, CIA
Director of Compliance
Office of Institutional Compliance
University of Tennessee System
(865) 974-4438