
Compliance Blueprint: Building Structures and Relationships

Dec 18, 2021

5/22/2014

David Galloway, BYU Compliance Officer

Sarah Campbell, BYU Associate University Counsel

Agenda

1. Compliance Planning Group
2. Governance
3. Management

“In organizations, real power and energy is generated through relationships. The patterns of relationships and the capacities to form them are more important than tasks, functions, roles, and positions.”

Margaret Wheatley

Foundations

• University Culture
• Continuous Improvement
• Compliance Areas

Constructivist Model

[Diagram labels: Info Source, Transmitter, Channel, Noise, Receiver, Destination; Sender, Receiver]

• Attitudes
• Body Language
• Context
• Expectations
• Feelings
• Filters
• Intentions
• Likes/Dislikes
• Medium
• Perspectives
• Preoccupations
• Prior Experience
• Reaction
• Relationships
• Roles
• Semantics
• Understandings

Structure

1. Planning Group

Planning Group

Compliance
General Counsel
Internal Audit
EH&S

Poll #1

Internal audit and compliance functions at my school are…

A. Separate
B. Integrated
C. Other

Poll #2

How proactive is your general counsel?

A. Very
B. Somewhat
C. Ambivalent
D. Antagonistic

Planning Group

General Counsel
Internal Audit
Compliance
EH&S

Life Sciences Compliance Coordinator
Athletic Compliance Coordinator
FERPA Coordinator
Financial Aid Coordinator
Research Compliance Coordinator
HIPAA Coordinator
Information Security and Privacy Committee
PCI/Banking Security Committee
IRB
Athletics Compliance Committee

Role of Planning Group

• Identify risks
• Assess and analyze
• Mitigate risks
• Implement actions
• Monitor and evaluate
• Oversee hotline
• Develop policy
• Train

Identify Risks

Assess and Analyze

• Management discussion
• Ad hoc team
• Benchmark with others
• Consult outside counsel
• Request formal audit
• Develop “white paper”

Monitoring and Auditing

“The organization shall take reasonable steps . . . to ensure that the organization’s compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct . . . .”

Federal Sentencing Guidelines: §8B2.1(b)(5)

Monitoring: Online, real time, measurement of control system effectiveness

Auditing: Periodic historic evaluation of the control system

Compliance Audits

• Conducted by compliance auditor
• Assessment tool approved by General Counsel
• Conclusions approved by General Counsel

Compliance Hotline

Web Connection Telephone

Poll #3

Who manages your hotline?

A. Third party
B. We do
C. Don’t have one

Policy Development

Identify Need
Develop Policy
Get Approval
Communicate
Ensure Compliance
Revise

Poll #4

Who manages policies?

A. Compliance
B. Legal
C. HR
D. Internal Audit
E. Risk Management
F. Other

Training

Identify Standards
Identify Audience
Determine Medium
Develop Content
Deliver Training
Evaluate Effectiveness

Relationship Tips

• Meet weekly
• Share training
• Attend conferences
• Work jointly
• Communication plans
• Office proximity

Poll #5

How often do you meet with legal, audit, and risk management to discuss compliance?

A. Monthly
B. Quarterly
C. Semi-annually
D. Annually
E. Never

Structure

2. Governance

Audit/Compliance Committee

• Meet quarterly
• Determine compliance risks
• Receive audit reports
• Review hotline reports

Executive Committee

• Meet monthly
• Charter compliance committees
• Designate compliance coordinators
• Approve compliance programs
• Monitor and assess compliance
• Determine compliance risks
• Receive reports from compliance office
• Review hotline reports

Poll #6

Do you report to a committee of the Board of Trustees or Regents?

A. Directly/Functionally
B. Administratively
C. Only activities and results
D. No, not at all

Poll #7

Is the committee you report to a joint audit/compliance committee?

A. Joint
B. Separate
C. Don’t report

Poll #8

Do you have a university-wide executive compliance committee?

A. Yes
B. No
C. Working on it

Relationship Tips

• Ask to be invited to meetings
• Invite them to meet with you
• Provide substantive content (reports, news, investigations, assessments)
• Monthly compliance newsletter
• Summarize specific laws (research memos)

Structure

3. Management

Roles of Management

• Set tone
• Assist communication
• Provide relevant news
• Offer training to staff
• Provide resources

Compliance Coordinators

Subject-matter experts who generally, as a part of other job responsibilities, provide monitoring and guidance to the university community in their area of expertise.

FERPA
HIPAA
GLB
Info. Sec. & Privacy
PCI

Poll #9

Do you use embedded compliance coordinators/partners?

A. Extensively
B. Somewhat
C. Not at all

Compliance Coordinators

What do they really do?

• Develop relationships within department and university
• Communicate
• Communicate
• Communicate
• Train/Educate
• Manage special compliance projects
• Hear and address employee confidential concerns

Compliance Committees

• Keep small (6-8)
• Formal Charter
• Represent key constituents
• Meet regularly
• Oversee compliance
• Report periodically

Compliance Committees

• Academic Safety
• Athletics Compliance
• Background Checks
• Banking Information Security
• Campus Safety
• Child Protection
• Disability Standards
• Drug-Free
• FERPA
• HIPAA
• Information Security/Privacy
• IACUC
• Institutional Biosafety
• IRB
• PCI
• Radiation/Laser Safety
• Timely Notification
• Title IX

Poll #10

We have effective institutional compliance committees?

A. Yes
B. Only the legally required ones
C. No

Compliance Programs

Program Document
Policy
High-Level Procedures
Law and Regulations Duties
Training Plan
Monitoring Plan

Relationship Tips

• Regular group meetings
• Periodic one-on-one meetings
• Monthly compliance newsletter
• Summarize specific laws (research memos)
• Facilitate training sessions and webinars

Structure

“In organizations, real power and energy is generated through relationships. The patterns of relationships and the capacities to form them are more important than tasks, functions, roles, and positions.”

Margaret Wheatley

CONTACTS:

– David Galloway
Executive Director – Compliance and Audit/Compliance Officer
Brigham Young University
[email protected]
801-422-3854

– Sarah Campbell
Associate University Counsel
Brigham Young University
[email protected]
801-422-7667
