Improving the Effectiveness of Your Institutional …...SCCE Higher Education Compliance Conference...

SCCE Higher Education Compliance Conference

1

Improving the Effectiveness

of Your Institutional

Compliance Program

Robert Nobles, DrPH, MPH, CIP

Assistant Vice Chancellor for Research

Institutional Compliance Committee Chair

Bill Moles, CCEP, CIA, MBA

Director of Compliance

System Administration Institutional Compliance Office

Session Objectives

1. Developing an organizational

infrastructure for compliance that

satisfies the Federal Sentencing

Guidelines.

2. Overcoming communication obstacles

so that multiple university audiences

and stakeholders embrace a culture of

compliance.

3. Strategies for empowering compliance

officers.

The Age of Enforcement

Era of Compliance Process - Previous ≈50 years of

compliance focused on

development of compliance

infrastructures and education.

Age of Compliance

Enforcement - “I like to call this

the age of enforcement…There is

no longer any question about

what the rules are, there is no

longer any forgiveness of any

significant amount in the system

for lax enforcement, for failure to

comply.” (Kathleen Merrigan, Secretary of

Agriculture, April 6, 2010)

http://www.google.com/url?sa=i&rct=j&q=&esrc=s&source=images&cd=&cad=rja&uact=8&docid=QJ2O5nRtgqk5vM&tbnid=ikGUJQTkFLEPMM:&ved=0CAUQjRw&url=http://en.wikipedia.org/wiki/United_States_Department_of_Education&ei=yG0QVIYlj7GCBMvogbAH&bvm=bv.74649129,d.eXY&psig=AFQjCNFQ6uPUwpCMmk0oy2X41kAL5aT9VQ&ust=1410449188666477


2

Universities Penalized for Violations

• Stanford U – Inflated research overhead cost - $1.2 M

• U of Washington – Billing fraud - $35 M

• U of Texas – Underpayment of royalties - $12 M

• U of Minnesota – Misuse of federal grants - $32 M

• NYU Medical Center – Inflated grant costs - $15.5 M

• U of Penn. – Human subjects, conflict of interests - $514 K, closed center

• Northwestern U. – Inaccurate grant effort reporting - $5.5 M

• U of California – Mischarging research grants - $3.9 M

• NYU - $1.4 M, Penn - $1.6 M, Johns Hopkins $1.1 M – Preferred lenders

• U of Med and Dentistry of NJ - overbillings, political activity, no-bid contracts, inappropriate admissions - Dissolved and transferred to Rutgers

• U of Tennessee – Export control violation – Criminal charges

• UCLA – Death from lab accident – Criminal charges

• Penn State – Sexual assault – Criminal charges

5

ASSURANCE of Professional Conduct

in the Field of Research (“Professionalism”)

NIH Office of Research Integrity

Responsible Conduct of Research (RCR)

*Protection of Human Research Subjects (OHRP)

*Care and Use of Research Animals (OLAW)

*Research Misconduct (ORI)

*Conflicts of Interest and Commitment

*Data Acquisition, Management, Sharing and Ownership

Publication Practices, Responsible Authorship

Mentor / Trainee Responsibilities

Peer Review

Collaborative Science

ACCOUNTABILITY for

Expenditure of Federal Funds

Office of Management and Budget

(OMB-A21; OMB-133 etc. )

Office of Inspector General

Research Grants Administration Research Grants - Pre-award

Research Grants - Post-Award – Effort Reporting & Cost Sharing

– Allowability of Expenditures

– Sub-recipient Monitoring

– Grant reporting

Compliance - a Misnomer “Compliance, n. a yielding, disposed to oblige, conforming to the wishes of others”

“There is perhaps no other environment where this term’s connotation evokes such rancor” - R. Emery

Laboratory Safety

Principal Investigator Research Responsibility:

Export Regulations

Dept. of Commerce - Dept. of Defense

*Export of “Sensitive” Information and Technologies

Key Aspects of an Academic

Compliance Program

Federal, State, and Institutional

Policies

Institutional Leadership

Legal Affairs

Compliance Personnel & Committees

Faculty, Staff, and Students

Institutional Audit/Risk

Management

Academic Compliance

Infrastructure


3

Compliance Program Components

Shared Accountability Model

DepartmentalControls

Training and Support

P&P, RiskAssessment, andMonitoring

Compliance Officers

Shared Values

8

• Honesty – Conveying information

truthfully and honoring commitments

• Accuracy – Reporting finding precisely

and taking care to avoid errors

• Efficiency – Using resources wisely and

avoiding waste

• Objectivity – Letting the facts speak for

themselves and avoiding improper bias

Codes of Conduct

• Professional codes

• Government regulations

• Institutional policies

• Personal convictions

“Don’t listen to him….He’s a socialist.”


4

Importance of an Academic

Compliance Program

• Financial and Operational Risks

• Health & Safety Risks

• Reputational Risks

• Community

• Sponsors and Regulators

• Governmental Expectations (e.g., Title IX, DHHS OIG, NIH, NSF)

• Possibly Reduced Fines and Penalties

Importance of an Academic

Compliance Program

• Elimination of uncertainty and confusion about roles and

responsibilities

• Better quality research, operations

• Identifying and addressing problems early

• Reducing likelihood of government audits &

investigations

• Better trained workforce

When Non-Compliance Occurs


5

Compliance Risk Consequences

• Imposition of fines and sentences

• Media coverage, blemished reputation

• Threat of whistleblower lawsuits

• More external regulatory and audit agency scrutiny

• Management time and effort for damage control

• Exclusion from governmental programs

• Probation and court-imposed programs

• Imposition of government-designed programs/procedures

Issue Etiology

Reliability and Reasonableness

“…it is recognized that research, service and administration are inextricably intermingled. A precise assessment of factors that contribute to costs is not always feasible, nor is it expected. Reliance, therefore, is placed on estimates in which a degree of tolerance is appropriate.” OMB Circular A-21, Section J.10 (Compensation for Personal Services)

Issue Etiology (2)


6

“Scientist Behaving Badly”-- Nature 2005

Top Ten Behaviors

Percent*

Other behaviors

Percent*

Falsifying research data 0.3%Publishing the same data or results in two or more

publications 4.7%

Ignoring major aspects of human subjects

requirements0.3% Inappropriately assigning authorship credits

10.0%

Not properly disclosing involvement in firms whose

products are based on one's own research0.3%

witholding details of methodology or results in

papers or proposals 10.8%

Relationships with students, research subjects or

clients that may be interpreted as questionable1.4% Using inadequate or inappropriate research design

13.5%

Using another's ideas without obtaininjg

permission or giving due credit1.4%

Dropping observations or data points froam

analyses based os a feeling they were inaccurate15.3%

Unauthorized use of confidential information in

connection with one's own research1.7%

Inadequate record keeping related to research

projects 27.5%

Failing to present data that contradicts one's own

previous research6.0%

Circumventing minor aspects of human-subject

requirements7.6%

Overlooking others' use of flawed or questionable

interpretation of data12.5%

Changing the design, methodology or results of a

study in response to pressure from a funding

source

15.5%

* % who did this in previous 3 years

Martinson, Anderson and deVries. Nature 2005 435:737-738

Federal Sentencing Guidelines

Compliance Program Requirements

Programs should be based on requirements of the Federal

Sentencing Guidelines for Organizations

Due diligence and promotion of an ethical culture minimally

require the following:

1. Written standards of conduct and policies and

procedures

2. Designating a compliance officer and other appropriate

bodies (e.g., compliance oversight committee)

Federal Sentencing Guidelines

Compliance Program Requirements

3. Effective education and training

4. Audits and evaluation techniques to monitor compliance

5. Reporting processes and procedures for complaints

6. Appropriate disciplinary mechanisms

7. Investigation and remediation of systemic problems

8. Risk assessment necessary for design and operation of

the compliance program (Section 8B2.1(c))


7

The University of Tennessee

Institutional Compliance Program

Board of Trustees

University President

Executive Compliance Committee

Board of Trustees Audit Committee

Institutional Compliance Office

UT Knoxville

UT Chattanooga

UT Martin

UT Health Science Center

UT Institute of Agriculture

UT Institute of

Public Service

Audit and Compliance

Services

Board of Trustee Audit Committee

• Created the Institutional Compliance

program in collaboration with the

President’s staff.

• Meets three times a year.

• Members receive a written progress

report for each campus before each

meeting.

• Each meeting includes a compliance

presentation on one compliance

topic.

[FSG §8B2.1(b)(2)(A)- Governing Authority

shall be knowledgeable.]

Board of Trustees

Board of Trustees Audit Committee


Audit and Compliance

Services


• Composed of President’s staff. [FSG §8B2.1(b)(2)(B)- High-personnel

ensure effective program.]

• Meets once a year.

• Receives the Audit Committee

update report (3 per year).

• Provided vision for the institutional compliance program when created.

Board of Trustees





8


• Oversees the campuses’ compliance risk assessments: o corrective actions taken o risks being assumed

• Assists campuses in overcoming

obstacles to compliance: o System-level policy changes o Organizing system-level task forces o Address resource needs

Board of Trustees





• Assists campuses in defining

acceptable levels of risk. • Oversees disciplinary actions.

[FSG §8B2.1(b)(6)- Consistent enforcement.]

• Provides visible support for

compliance efforts.

Board of Trustees





• Oversees and promotes the Code of Conduct. http://www.tennessee.edu/code/

[FSG § 8B2.1(b)(1) Establish standards.]

http://www.tennessee.edu/code/




9


• Promotes and coordinates activities for the hotline.

http://compliance.tennessee.edu/hotline.htm

[FSG §8B2.1(b)(5)(C)- Anonymous reporting

mechanism.]


• Develops and implements the university

compliance risk assessment process.

[FSG §8B2.1(c)- Risk Assessment.]

o Ensures consistency among campuses.

o Ensures a certain level of rigor.

o Improves efficiency (web-based tool).


• Identifies regulatory areas with significant compliance risk

o Approximately 430 compliance areas.

o Input from compliance officers and committees.

o http://compliance.tennessee.edu/resource.htm

http://compliance.tennessee.edu/hotline.htm

http://compliance.tennessee.edu/resource.htm


10


• Assists the campus/institute compliance committees in their various duties regarding the risk assessment.

o Provides campus compliance officers general compliance training and training for risk assessment.

o Manages data collected from the risk assessment.

o Helps facilitate consolidating compliance issues and in developing potential corrective actions.

o Shares valuable information among all campuses.

Campus Compliance Committees

* Plans are reviewed by the respective chains of command, who must determine what resources to allocate and what risks must be assumed.

*

**

** Would include progress on plans and risks being assumed.

Applicable Regulatory Areas

Academic 6 Health Care 13

Athletics 3 Legal 7

Communications 14 Privacy 8

Employee 25 Procurement 14

Environmental 13 Research 92

Facilities 26 Safety/Health 67

Federal Reporting 6 Student 37

Financial 6 Tax 17

Gifts 6 Transportation 2

Total 362


11

Assignment of Regulatory Areas

Number of Number of

Administrative Unit Compliance Officers Regulatory Areas

Chancellor 1 1

Provost/Academic 10 29

Finance & Administration 18 148

Development/Alumni Affairs 2 2

Human Resources 5 11

Equity & Diversity 1 11

Research 8 58

Communications 1 4

Student Life 8 19

Athletics 4 6

System Administration 17 73

Campus Compliance Officer

FSG §8B2.1. (b)(4)(A)- Provide training. (b)(5)(A)- Monitoring.

FSG §8B2.1.(b)(5)(B)- Risk Assessment.

FSG §8B2.1.(b)(7)- Taking corrective action.

FSG§8B2.1.(b)(2)(C)- Specific individuals with responsibility. (Should be “working” responsibility.)


Topics Covered in General Training

• Institutional Compliance Program organizational structure and assignment of responsibilities

• Overview of Federal Sentencing Guidelines (i.e., culpability factors and compliance program requirements)

• Disclosure of violations policy

• Whistleblower laws


12


Topics Covered in General Training

• False Claims Act

• Corporate Integrity Agreements and government oversight.

• Instructions for the compliance risk assessment

• Framework for identifying, describing and disclosing risks

• Identify control weaknesses.

• Identify areas of noncompliance.

• Identify areas of potential weakness to monitor closely.

• Take corrective actions where needed.

• Identify targeted areas in need of assistance.

• Provide a baseline to measure future performance and track improvements that have been implemented.

• Perform assessment in efficient and effective manner.

Risk Assessment –

The Objectives

1. Identify relevant regulatory areas.

2. Identify who has working responsibility for compliance at the campus level.

3. Campus compliance officers assess the risks.

4. Campus Compliance Committee identifies priorities and coordinates the development of plans of corrective actions.

Risk Assessment –

The Process


13

Risk Assessment – Web-based Tool

[Adapted from a risk assessment process developed by Robert Roach at NYU.]

Step 1

Identify and describe the violations (or category of violations) that are the greatest risks for the regulation.

Identify the violations you are most concerned about in the context of the controls and ethical environment that are in place. What violations are you most concerned with?


Step 2

Measure the level of impact for the specific risk/ violation. Each type of impact has five levels that have been specifically defined.

Types of Impacts:

• Financial

• Legal

• Operational

• Reputational

* The most likely level of impact.


IMPACTS

Financial Legal Operational Reputational Less than

$200,000

1 Technical violation of law or regulation.

Little or no fine or other consequences

probable.

1 No impact on operations. No loss in our

ability to conduct research or hold

classes.

0 Little or no risk to the university’s

reputation.

0

$200,000 to

$1 million

2 Government civil lawsuit or agency

finding/action where outcome results in

no increased governmental oversight or

loss of licensure.

2 Little or no impact on teaching or

research. Impact is limited to the

business/services operations only; with

possible disruption or closure for 1 or 2

days.

1 Slight risk to reputation. Possible bad

press, but no significant

consequences to students, faculty,

schools, or business units.

1

$1 million

to $5

million

3 Government civil lawsuit or agency

finding/action where outcome could

result in increased governmental

oversight or loss of licensure.

3 Teaching or research is disrupted 1 day

to 1 week; or business/ services

department disrupted 3 days to 2 weeks.

3 Moderate risk to reputation. Probable

short term bad press. Modest student,

faculty, donor, and/or constituent

fallout.

2

$5 million

to $10

million

4 Government civil lawsuit, criminal

investigation, or agency finding/action

limited to one college or business unit

that could result in loss of accreditation.

4 Teaching or research is disrupted for

greater than a week; or business/ services

department disrupted for greater than 2

weeks.

4 Significant negative press coverage.

Significant student, faculty, donor,

and/or constituent fallout.

4

Greater

than $10

million

5 Government civil lawsuit, criminal

investigation, or agency finding/action

involving multiple colleges or business

units that could result in loss of

accreditation.

5 Multiple departments are unable to

conduct research or hold classes for a

month or longer; or an entire department

(or greater) is eliminated. (Includes

exclusion from governmental programs)

5 Extensive and prolonged negative

press coverage. Significant

sponsor/board questions of

management. Extensive student,

faculty, donor, and/or constituent

fallout.

5


14


Measure the frequency of the risk/violation.

• Base this on your past experience as the

campus/institute compliance officer.

• Base this with consideration to the current

controls that are in place.

• Base it on the specific scenario you have

defined (i.e., how many times the scenario will

occur?)

• This is not the frequency of the violation being

discovered by an external party.

Step 3


FREQUENCY

Will probably not occur in the next year, based on

historical/industry experience.

1

Will probably occur one time in the next year, based on

historical/industry experience.

2.5

Will probably occur two to five times in the next year,

based on historical/ industry experience.

3

Will probably occur six to ten times in the next year,

based on historical/ industry experience.

3.5

Will probably occur more than ten times (or constantly)

in the next year, based on historical/ industry experience.

4


Step 4

Measure the level of control (five levels).

• Policy, Procedures, and Responsible Office

• Training

• Monitoring


15



• Has an entity external to the university audited this regulation

at your campus/institute within the past 10 years?

• Has the campus/institute received findings or penalties for

violating this regulation in the past 3 years?

• Is the campus/institute currently out of compliance or have

there been an unacceptable number of violations in the past

12 months?

• Do significant vulnerabilities or control weaknesses exist?

Step 5 EXTERNAL REVIEWS AND VIOLATIONS

Risk Assessment Web Tool

Use FileMaker Pro.

For simple application- 3 to 4 weeks to develop.

http://compliance.tennessee.edu/riskutk.html




16


17

Risk Assessment –

Web-based Tool

• Provides a framework for the compliance officer to describe and assess the compliance risk.

• Formalizes the process for identifying compliance issues and establishing priorities.

• Helps document the compliance officers’ due diligence in addressing weaknesses.

• The risk assessment can be easily updated in the future (after first occurrence, the template fosters efficiency for future risk assessments).


18

Measures of Risk

Inherent Risk = Financial + Legal + Operational + Reputational + Frequency

Controls Effectiveness % = Policy/Procedures + Training + Monitoring

Residual Risk = Inherent Risk X (1 – Controls Effect. %)

* A starting point. Very roughly identifies regulations with high impacts and low levels of controls. Indicates may need to review controls. Does not eliminate need to address areas where we have violations.


19

Developing Corrective Action Plans

1. Review risks and consolidate related issues.

2. Assemble work team and develop a very brief description of the proposed solution.

3. Campus Committee reviews brief descriptions, asks questions, and makes recommendations.

4. Work team develops the detailed plan and includes an estimate of resources needed. (Provide Corrective Action template.)

Developing Corrective Action Plans

5. Campus Committee reviews final proposed plan.

6. Campus Committee presents proposed plans to Chancellor’s Cabinet.

7. Campus Committee monitors the implementation of the approved plans.

Corrective Action Template

COMPLIANCE CORRECTIVE ACTION TEMPLATECompliance Officer:

Preliminary Plan ID(s):

Regulation ID Number(s):

Risk Serial Number(s):

CONTROLS TO IMPLEMENT (enter information for all that apply)

Policy/Procedure Changes

Brief explanation of any policy/procedure changes and

why they are needed:

Approvals/endorsements needed for changes:


20


Training

Brief explanation of why the training is needed:

Brief description of course content:

Who will perform the training:

Who will receive the training:

The preferred frequency of the training:

Training methodology (e.g., in-class; web):

Methodology for identifying participants.

The training records that will be maintained:


Monitoring

Brief explanation of the monitoring that will be

performed (e.g., inspections; violation reports):

Preferable frequency of monitoring:

Enforcement

Explanation of how violations will be handled:

Violation reports and who will receive them:

Appropriate penalties for violations:

Additional Relevant Information on Controls:

Provide any other relevant information (including

remaining significant risks that are still being assumed):


RESOURCES NEEDED (enter information for all that apply)

Additional Funding

Increased staffing

List individual positions, primary responsibilities, and

approximate salary range:

Equipment

General description and approximate cost:

Maintenance cost, if significant:

Software

Description and approximate cost:

Annual licensing fee if applicable:


21


Supplies


Services provided by external sources


Travel


Construction


Other Financial Costs

Description of any other costs that will require

additional funding:


Additional Time/Effort Expended by Current Positions (if applicable)

List position (or office) and the additional

responsibilities/effort:

IMPLEMENTATION

If some or all of the corrective actions have been

implemented, please explain.

Group Activity

The audience is being asked

to spend five (5) minutes

identifying positions or

individuals within their

institution who should be

informed of a significant non-

compliance event (e.g.

chemical fire resulting from

noncompliance causing

injury or death; or human

subjects violation resulting in

a federal audit).

Jesse Gelsinger

(1981- 1999) died

in a gene “therapy”

clinical trial at the

age of 18 after

suffering a

massive toxic

shock reaction


22

Communication Strategies

“Educators, scientists, and

researchers face specific

challenges as they

communicate technical

information to educate the

general public and other

non-technical audiences.”

Source: S. Hutcheson. Effective Use of Risk Communication Strategies for

Health & Safety Educational Materials. October 1999 // Volume 37 //

Number 5 // Feature Articles // 5FEA1

Purpose of Risk Communication

• Enlightenment (Improve risk

understanding)

• Right-to-know

• Attitude

modification

• Legitimatize the

institutional risk

• Risk Reduction

• Behavior change (encouraging protective

behavior)

• Emergency

readiness

• Public engagement

• Participation of

those potentially

impacted

Source:S. Lang et al. Risk Communication. 2001 World Health Organization (WHO). Water Quality:

Guidelines, Standards and Health. Edited by Lorna Fewtrell and Jamie Bartram. Published by IWA

Publishing, London, UK. ISBN: 1 900222 28 0


23

Communicating Risks

• Recognize the institutions’ attitude about the potential risk

• Risk = Hazard + Perception

• Establish the existence and severity of the risk

• Demonstrate the risk poses a potential threat to institutional abilities and values

• Illustrate specific steps to avoid the risk

Adapted from: S. Hutcheson. Effective Use of Risk Communication Strategies for Health & Safety Educational Materials. October 1999 // Volume 37 // Number 5 // Feature Articles // 5FEA1

Source:S. Lang et al. Risk Communication. 2001 World Health Organization (WHO). Water Quality:

Guidelines, Standards and Health. Edited by Lorna Fewtrell and Jamie Bartram. Published by IWA

Publishing, London, UK. ISBN: 1 900222 28 0

Tenets Needed:

1) Credibility

2) Context

3) Content

4) Clarity

5) Continuity and

consistency

6) Channels

7) Capability of

audience


24

Effective Internal Communication

Leads to Empowerment

In order to fulfill our mission of serving the people of

Tennessee and beyond through the discovery,

communication and application of knowledge, we

must be committed as a statewide workforce to

promoting responsible and ethical behavior in

everything we do. — Dr. Joe DiPietro, University of Tennessee President

In our journey to the Top 25, reducing our risks,

maintaining integrity in our research and scholarly

activities, and protecting all of our faculty, staff, and

students will be vital to helping us reach or collective

university goals.

— Dr. Jimmy Cheek, UT Knoxville Chancellor

Empowerment Begins with

Institutional Leadership

What are Mechanism for Empowerment

Three (3) Basic Steps

1. Meet the regulatory needs by

building a foundation of

compliance

2. Meet the researcher’s needs

and fulfill their wish list

3. Meet the needs of the research

administrative staff


25

Meeting the Regulatory Needs

• Perform systematic assessments of each functional area

• Maintain and obtain Accreditation (promote external assessments)

• Insure compliance committees are more than functional

• Encourage staff training and certification

Meeting the Researcher Needs

• Improve speed of

submission review and

approval

• Insure availability of

competent staff to

respond to questions

• Insure availability of

appropriate trainings

• Utilize electronic

submission solutions

• Create effective

communication strategies

Meeting the Staff Needs

• Insure leadership provides

the infrastructure for

success

• Understand and contribute

to the culture of compliance

• Promote internal and

external training

opportunities

• Create and foster flexibility

(outcome based activities)

• Create internal rewards


26

Robert Nobles, DrPH, MPH, CIP

Assistant Vice Chancellor for Research

UT Knoxville Institutional Compliance Committee Chair

(865) 974-3053

[email protected]

Bill Moles, CCEP, CIA Director of Compliance

Office of Institutional Compliance University of Tennessee System

(865) 974-4438 [email protected]

mailto:[email protected]

mailto:[email protected]

Improving the Effectiveness of Your Institutional …...SCCE Higher Education Compliance Conference...

Documents

Transcript of Improving the Effectiveness of Your Institutional …...SCCE Higher Education Compliance Conference...