7/24/2017
1
Proactive Compliance at TWU “Part 2”
Deena King, TWU Director of Compliance
Agenda
• Part 1:
– Review the 2016-2017 Compliance Initiative
– Introduction to the “Three Lines of Defense”
• Part 2:
– Compliance “Time Telling”
• Part 3:
– Workshop
Management Principle
Concentrate on building an organization—building a ticking clock—rather than telling time...take an architectural approach and concentrate on building organizational traits…
- Jim Collins & Jerry Porras
Built to Last, pp. 199-201 (paraphrased/emphasis added)
Last Year’s Initiative…
…or “Compliance Clock Building”
The “Eight Steps” at TWU¹
1. Identify Requirements/Assess Risk
2. Establish/Modify Compliance Organization
3. Document Standards, Policies, and Procedures
4. Communicate Standards, Policies, and Procedures
5. Implement, Promote, and Enforce
6. Monitor, Audit, and Report
7. Continuous Improvement
8. Leadership/Corporate Culture
¹ Adapted from Compliance in One Page ©2015. Used with permission.
Introduction to the “Three Lines of Defense”
Plugging Holes in the Fence
What would happen if…
• San Quentin was missing one or two sections of the outer fence?
What would happen if…
• Every player on a football defense was on the field except the middle linebacker?
What would happen if…
• The night manager at Tiffany & Co. left the front door unlocked all night?
Would all be lost?
Why or why not?
The Value of Layers
Locking the Building
Locking the Vault
Securing the Fence
As Leaders at TWU We Must Protect…
Technology/Data
Reputation
Life
Personal Safety
Against Lawsuits and Fines
Infrastructure/Assets
In “internal control” language…
• Three lines of defense
– First Line (“front lines”)
• Managers/Directors & Their Staff
In “internal control” language…
• Three lines of defense
– Second Line
• Specialty Offices:
– Environmental Health and Safety
– Compliance
– Risk Management
– DPS, etc.
In “internal control” language…
• Three lines of defense
– Third Line
• Internal Auditors
In “internal control” language…
• Three lines of defense
– Keeping an eye on all of these are:
• Cabinet
• Board of Regents
• External Auditors
• Regulators
On the TWU Compliance Team…
• Everyone plays an important role!!
Why the Compliance Plans Matter
• Because compliance at TWU is:
– HR
– Safety
– Privacy
– Accounting
– Disabilities
– Diversity
– Housing
– Grants Management
– Information Technology
– Copyright
– Research
– Tax
– Procurement
– And many more…
Why the Compliance Plans Matter
[Chart: Completed Plans, In‐Progress Plans, TBD]
Why the Compliance Plans Matter
• Helping TWU Protect:
– Life
– Personal safety
– Infrastructure/Assets
– Reputation
– Against lawsuits/fines
– Technology/Data
– Etc.
Questions/Comments?
After the Break
Discussion of Compliance “Time Telling”
** Break **
Snacks in the Lobby
This Year’s Initiative: Compliance “Time Telling”
…or identifying potential holes in the fence by asking, “Are we in compliance?”
Management Principle
Concentrate on building an organization—building a ticking clock—rather than telling time...take an architectural approach and concentrate on building organizational traits…
- Jim Collins & Jerry Porras
Built to Last, pp. 199-201 (paraphrased/emphasis added)
Compliance “Time Telling”
An important part of compliance is related to “time telling”…
“Are we in compliance?”
The “Eight Steps” at TWU¹
1. Identify Requirements/Assess Risk
2. Establish/Modify Compliance Organization
3. Document Standards, Policies, and Procedures
4. Communicate Standards, Policies, and Procedures
5. Implement, Promote, and Enforce
6. Monitor, Audit, and Report
7. Continuous Improvement
8. Leadership/Corporate Culture
¹ Adapted from Compliance in One Page ©2015. Used with permission.
TWU Compliance Process: The Model²
[Diagram labels: Laws, Regulations, Regulators; Assess Risk/Identify Requirements; Establish/Modify Compliance Organization; Document Standards, Policies, and Procedures; Communicate Standards, Policies, and Procedures; Implement, Promote, and Enforce; Monitor, Audit, and Report; Continuous Improvement; Leadership/Corporate Culture]
Disclaimer: This model is provided as guidance only and can be modified to meet your needs. This document does not guarantee prevention of lawsuits, judgments, or fines and is not a substitute for the advice of an attorney. All information is provided without warranty, express, implied, or otherwise, including as to their legal effect and completeness.
² Adapted from Compliance in One Page ©2015. Used with permission.
Management Principle
Facts are better than dreams…[When] you start with an honest and diligent effort to determine the truth of the situation, the right decisions often become self-evident…You absolutely cannot make a series of good decisions without first confronting the brutal facts.
- Jim Collins
Good to Great, p. 69, 70 (emphasis added)
Monitor, Audit, Report
Survey Questions #15
• Monitor and Report: What plans or processes will be performed to monitor compliance in this area?
Survey Questions #16
• Audit and Report: What plans or processes will be performed to audit compliance in this area?
The Legal Bit
The organization shall take reasonable steps…to ensure that the organization’s compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct...
USSG §8B2.1(b)(5)(A)
Here’s the problem…
• TWU only has one internal audit department
• When it is at full staff, there are only 3 people in that department
• …and there are over 50 of you…
• …so…is there a better way to know whether or not we are “in compliance?”
One solution…
• …do not panic…
• …do not fear…
• …everything is going to be fine…
• …drum roll please…
• “Self-auditing”
Destinee’s bit goes here
Why Self-auditing Helps…A Lot
• Who knows best where the holes in each fence are?
• Who NEEDS to know about these holes?
• What is the best way to tell them?
Management Principle
Take your managers plans, not problems
Basic Steps of a Compliance Self-audit
• You should have received an email while Destinee was speaking
• Please open it and download the attachment
Self-audit Worksheet
• A basic audit form contains around seven fields:
Law/Regulation (Title and/or Citation):
What do we need to do to comply?
Are we in compliance, Y/N/P/NA?
If yes or partial: What evidence can we provide that we are in compliance?
If no or partial: What do we need to change and how? (Key Actions)
Key Actions: Responsible Party
Key Actions: Due Date
Notes
1)
2)
3)
Basic Steps of a Compliance Self-audit
0. Identify the law/regulations (Title and/or Citation)
1. Make a list of what needs to be done to comply.
2. For each item on the list, answer the question, “Are we in compliance?”
• Yes, No, Partial, or Not Applicable to TWU
3. If yes or partial:
a) What evidence can we provide that we are in compliance?
Basic Steps of a Compliance Self-audit
4. If No or Partial:
a) What do we need to do and how will we do it? (Key Actions)
5. For Key Actions:
a) Who will be the leader/doer?
b) What will be the goal due date?
6. Make any notes related to this item.
Questions/Comments?
During the Break
1) Think of a compliance area where you know you are doing well and
2) Think of a compliance area where you know some things need to be done.
After the Break
• Two workshop segments
1) Walk through “Yes” compliance self-audit steps
2) Walk through “No/Partial” compliance self-audit steps
** Break **
Snacks in the Lobby
Self-Audit Workshop Pt. 1
“Yes” we are in compliance and here is how we can prove it
“Yes” We are in Compliance
Open the Word attachment and in the top line, type in a law or regulation you are responsible for complying with and a very short summary.
Law/Regulation (Title and/or Citation):
ADA Web Access: All multimedia at TWU must be ADA‐compliant.
What do we need to do to comply?
Are we in compliance, Y/N/P/NA?
If yes or partial: What evidence can we provide that we are in compliance?
If no or partial: What do we need to change and how? (Key Actions)
Key Actions: Responsible Party
Key Actions: Due Date
Notes
1)
2)
3)
“Yes” We are in Compliance
Identify one thing TWU should be doing to comply that we are doing and put “Yes” in column 2 and a list of evidence in column 3. For “Yes”, columns 5-7 are “NA.”
Law/Regulation (Title and/or Citation):
ADA Web Access: All multimedia at TWU must be ADA‐compliant.
What do we need to do to comply?
Are we in compliance, Y/N/P/NA?
If yes or partial: What evidence can we provide that we are in compliance?
If no or partial: What do we need to change and how? (Key Actions)
Key Actions: Responsible Party
Key Actions: Due Date
Notes
1) IT reviews all technology purchases
Yes
1. https://servicecenter.twu.edu/TDClient/Requests/ServiceDet?ID=8279
2. http://www.twu.edu/accessibility/
3. Documentation showing these processes are being followed.
NA NA NA
Workshop: Your Turn
• Open the Basic Self-Audit Worksheet and fill in the blanks for at least one “Yes” in your area
Law/Regulation (Title and/or Citation):
What do we need to do to comply?
Are we in compliance, Y/N/P/NA?
If yes or partial: What evidence can we provide that we are in compliance?
If no or partial: What do we need to change and how? (Key Actions)
Key Actions: Responsible Party
Key Actions: Due Date
Notes
1)
2)
3)
Self-Audit Workshop Pt. 2
“No” (or partial) we are not in compliance and here is what we need to do
“No” We are not in Compliance
Identify one thing TWU should be doing to comply that we are NOT doing. Type a short summary in column 1 and put “No” in column 2.
Law/Regulation (Title and/or Citation):
ADA Web Access: All multimedia at TWU must be ADA‐compliant.
What do we need to do to comply?
Are we in compliance, Y/N/P/NA?
If yes or partial: What evidence can we provide that we are in compliance?
If no or partial: What do we need to change and how? (Key Actions)
Key Actions: Responsible Party
Key Actions: Due Date
Notes
1) IT reviews all technology purchases
Yes
1. https://servicecenter.twu.edu/TDClient/Requests/ServiceDet?ID=8279
2. http://www.twu.edu/accessibility/
3. Documentation showing these processes are being followed.
NA NA NA
2) Identify non‐compliant media
No
“No” We are not in Compliance
Identify what, who, and when and put this information in columns 3-5. Add any special instructions/notes/comments in column 6.
Law/Regulation (Title and/or Citation):
ADA Web Access: All multimedia at TWU must be ADA‐compliant.
What do we need to do to comply?
Are we in compliance, Y/N/P/NA?
If yes or partial: What evidence can we provide that we are in compliance?
If no or partial: What do we need to change and how? (Key Actions)
Key Actions: Responsible Party
Key Actions: Due Date
Notes
1) IT reviews all technology purchases
Yes
1. https://servicecenter.twu.edu/TDClient/Requests/ServiceDet?ID=8279
2. http://www.twu.edu/accessibility/
3. Documentation showing these processes have been followed.
NA NA NA
2) Identify non‐compliant media
No
Key Actions: 1. Set up a process to identify non‐compliant media and remove or update it.
Responsible Party: ADA Task Force
Due Date: July 2019
Notes: The ADA Task Force will begin this process Fall 2017
Management Principle
• To accomplish the plan, what is needed?
– Personnel?
– Finances?
– Time?
– Re-ordered priorities?
– Leadership support?
Workshop: Your Turn
• Open the Basic Self-Audit Worksheet and fill in the blanks for at least one “No” in your area
Law/Regulation (Title and/or Citation):
What do we need to do to comply?
Are we in compliance, Y/N/P/NA?
If yes or partial: What evidence can we provide that we are in compliance?
If no or partial: What do we need to change and how? (Key Actions)
Key Actions: Responsible Party
Key Actions: Due Date
Notes
1)
2)
3)
How Self-Audit Helps TWU
• It helps TWU protect:
– Life
– Personal safety
– Infrastructure/Assets
– Reputation
– Against lawsuits/fines
– Technology/Data
– Etc.
What’s Next: 2017-18 Compliance Initiative
• Sometime in the next few months
– An invitation from the Office of Compliance
• Higher Education Compliance Alliance matrix applicable to your area
• For others, we will look at some additional opportunities
Questions/Comments?
Thank you!
…and time for door prizes and lunch!!
Destinee [email protected]
Deena [email protected]