Compliance Blueprint: Building Structures and Relationships
5/22/2014
David Galloway, BYU Compliance Officer
Sarah Campbell, BYU Associate University Counsel

Agenda
1. Compliance Planning Group
2. Governance
3. Management
“In organizations, real power and energy is generated through relationships. The patterns of relationships and the capacities to form them are more important than tasks, functions, roles, and positions.”
Margaret Wheatley

Foundations
• University Culture
• Continuous Improvement
• Compliance Areas

Constructivist Model
• Attitudes
• Body Language
• Context
• Expectations
• Feelings
• Filters
• Intentions
• Likes/Dislikes
• Medium
• Perspectives
• Preoccupations
• Prior Experience
• Reaction
• Relationships
• Roles
• Semantics
• Understandings
[Diagram: Info Source, Transmitter, Channel, Noise, Receiver, Destination; Sender, Receiver]

Structure

1. Planning Group
• Compliance
• General Counsel
• Internal Audit
• EH&S

Poll #1: Internal audit and compliance functions at my school are…
A. Separate
B. Integrated
C. Other

Poll #2: How proactive is your general counsel?
A. Very
B. Somewhat
C. Ambivalent
D. Antagonistic

Planning Group
• General Counsel
• Internal Audit
• Compliance
• EH&S
• Life Sciences Compliance Coordinator
• Athletic Compliance Coordinator
• FERPA Coordinator
• Financial Aid Coordinator
• Research Compliance Coordinator
• HIPAA Coordinator
• Information Security and Privacy Committee
• PCI/Banking Security Committee
• IRB
• Athletics Compliance Committee

Role of Planning Group
• Identify risks
• Assess and analyze
• Mitigate risks
• Implement actions
• Monitor and evaluate
• Oversee hotline
• Develop policy
• Train

Identify Risks

Assess and Analyze
• Management discussion
• Ad hoc team
• Benchmark with others
• Consult outside counsel
• Request formal audit
• Develop “white paper”

Monitoring and Auditing
“The organization shall take reasonable steps . . . to ensure that the organization’s compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct . . . .”
Federal Sentencing Guidelines: §8B2.1(b)(5)
Monitoring: Online, real time, measurement of control system effectiveness
Auditing: Periodic historic evaluation of the control system

Compliance Audits
• Conducted by compliance auditor
• Assessment tool approved by General Counsel
• Conclusions approved by General Counsel

Compliance Hotline
Web Connection Telephone

Poll #3: Who manages your hotline?
A. Third party
B. We do
C. Don’t have one

Policy Development
• Identify Need
• Develop Policy
• Get Approval
• Communicate
• Ensure Compliance
• Revise

Poll #4: Who manages policies?
A. Compliance
B. Legal
C. HR
D. Internal Audit
E. Risk Management
F. Other

Training
• Identify Standards
• Identify Audience
• Determine Medium
• Develop Content
• Deliver Training
• Evaluate Effectiveness

Relationship Tips
• Meet weekly
• Share training
• Attend conferences
• Work jointly
• Communication plans
• Office proximity

Poll #5: How often do you meet with legal, audit, and risk management to discuss compliance?
A. Monthly
B. Quarterly
C. Semi-annually
D. Annually
E. Never

2. Governance
Audit/Compliance Committee
• Meet quarterly
• Determine compliance risks
• Receive audit reports
• Review hotline reports

Executive Committee
• Meet monthly
• Charter compliance committees
• Designate compliance coordinators
• Approve compliance programs
• Monitor and assess compliance
• Determine compliance risks
• Receive reports from compliance office
• Review hotline reports

Poll #6: Do you report to a committee of the Board of Trustees or Regents?
A. Directly/Functionally
B. Administratively
C. Only activities and results
D. No, not at all

Poll #7: Is the committee you report to a joint audit/compliance committee?
A. Joint
B. Separate
C. Don’t report

Poll #8: Do you have a university-wide executive compliance committee?
A. Yes
B. No
C. Working on it

Relationship Tips
• Ask to be invited to meetings
• Invite them to meet with you
• Provide substantive content (reports, news, investigations, assessments)
• Monthly compliance newsletter
• Summarize specific laws (research memos)

3. Management
Roles of Management
• Set tone
• Assist communication
• Provide relevant news
• Offer training to staff
• Provide resources

Compliance Coordinators
Subject-matter experts who generally, as a part of other job responsibilities, provide monitoring and guidance to the university community in their area of expertise.
• FERPA
• HIPAA
• GLB
• Info. Sec. & Privacy
• PCI

Poll #9: Do you use embedded compliance coordinators/partners?
A. Extensively
B. Somewhat
C. Not at all

Compliance Coordinators
What do they really do?
• Develop relationships within department and university
• Communicate
• Communicate
• Communicate
• Train/Educate
• Manage special compliance projects
• Hear and address employee confidential concerns

Compliance Committees
• Keep small (6-8)
• Formal Charter
• Represent key constituents
• Meet regularly
• Oversee compliance
• Report periodically

Compliance Committees
• Academic Safety
• Athletics Compliance
• Background Checks
• Banking Information Security
• Campus Safety
• Child Protection
• Disability Standards
• Drug-Free
• FERPA
• HIPAA
• Information Security/Privacy
• IACUC
• Institutional Biosafety
• IRB
• PCI
• Radiation/Laser Safety
• Timely Notification
• Title IX

Poll #10: We have effective institutional compliance committees?
A. Yes
B. Only the legally required ones
C. No

Compliance Programs
• Program Document
• Policy
• High-Level Procedures
• Law and Regulations Duties
• Training Plan
• Monitoring Plan

Relationship Tips
• Regular group meetings
• Periodic one-on-one meetings
• Monthly compliance newsletter
• Summarize specific laws (research memos)
• Facilitate training sessions and webinars

Structure
“In organizations, real power and energy is generated through relationships. The patterns of relationships and the capacities to form them are more important than tasks, functions, roles, and positions.”
Margaret Wheatley

CONTACTS:
– David Galloway
Executive Director – Compliance and Audit/Compliance Officer
Brigham Young University
801-422-3854
– Sarah Campbell
Associate University Counsel
Brigham Young University
801-422-7667