SCCE Higher Education Compliance Conference 1 Improving the Effectiveness of Your Institutional Compliance Program Robert Nobles, DrPH, MPH, CIP Assistant Vice Chancellor for Research Institutional Compliance Committee Chair Bill Moles, CCEP, CIA, MBA Director of Compliance System Administration Institutional Compliance Office Session Objectives 1. Developing an organizational infrastructure for compliance that satisfies the Federal Sentencing Guidelines. 2. Overcoming communication obstacles so that multiple university audiences and stakeholders embrace a culture of compliance. 3. Strategies for empowering compliance officers. The Age of Enforcement Era of Compliance Process - Previous ≈50 years of compliance focused on development of compliance infrastructures and education. Age of Compliance Enforcement - “I like to call this the age of enforcement…There is no longer any question about what the rules are, there is no longer any forgiveness of any significant amount in the system for lax enforcement, for failure to comply.” (Kathleen Merrigan, Secretary of Agriculture, April 6, 2010)
26
Embed
Improving the Effectiveness of Your Institutional ... · Improving the Effectiveness of Your Institutional Compliance Program Robert ... System Administration ... clie n t s t h a
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
SCCE Higher Education Compliance Conference
1
Improving the Effectiveness
of Your Institutional
Compliance Program
Robert Nobles, DrPH, MPH, CIP
Assistant Vice Chancellor for Research
Institutional Compliance Committee Chair
Bill Moles, CCEP, CIA, MBA
Director of Compliance
System Administration Institutional Compliance Office
• Stanford U – Inflated research overhead cost - $1.2 M
• U of Washington – Billing fraud - $35 M
• U of Texas – Underpayment of royalties - $12 M
• U of Minnesota – Misuse of federal grants - $32 M
• NYU Medical Center – Inflated grant costs - $15.5 M
• U of Penn. – Human subjects, conflict of interests - $514 K, closed center
• Northwestern U. – Inaccurate grant effort reporting - $5.5 M
• U of California – Mischarging research grants - $3.9 M
• NYU - $1.4 M, Penn - $1.6 M, Johns Hopkins $1.1 M – Preferred lenders
• U of Med and Dentistry of NJ - overbillings, political activity, no-bid contracts, inappropriate admissions - Dissolved and transferred to Rutgers
• U of Tennessee – Export control violation – Criminal charges
• UCLA – Death from lab accident – Criminal charges
• Penn State – Sexual assault – Criminal charges
5
ASSURANCE of Professional Conduct
in the Field of Research (“Professionalism”)
NIH Office of Research Integrity
Responsible Conduct of Research (RCR)
*Protection of Human Research Subjects (OHRP)
*Care and Use of Research Animals (OLAW)
*Research Misconduct (ORI)
*Conflicts of Interest and Commitment
*Data Acquisition, Management, Sharing and Ownership
Publication Practices, Responsible Authorship
Mentor / Trainee Responsibilities
Peer Review
Collaborative Science
ACCOUNTABILITY for
Expenditure of Federal Funds
Office of Management and Budget
(OMB-A21; OMB-133 etc. )
Office of Inspector General
Research Grants Administration Research Grants - Pre-award
Research Grants - Post-Award – Effort Reporting & Cost Sharing
– Allowability of Expenditures
– Sub-recipient Monitoring
– Grant reporting
Compliance - a Misnomer “Compliance, n. a yielding, disposed to oblige, conforming to the wishes of others”
“There is perhaps no other environment where this term’s connotation evokes such rancor” - R. Emery
Laboratory Safety
Principal Investigator Research Responsibility:
Export Regulations
Dept. of Commerce - Dept. of Defense
*Export of “Sensitive” Information and Technologies
Key Aspects of an Academic
Compliance Program
Federal, State, and Institutional
Policies
Institutional Leadership
Legal Affairs
Compliance Personnel & Committees
Faculty, Staff, and Students
Institutional Audit/Risk
Management
Academic Compliance
Infrastructure
SCCE Higher Education Compliance Conference
3
Compliance Program Components
Shared Accountability Model
DepartmentalControls
Training and Support
P&P, RiskAssessment, andMonitoring
Compliance Officers
Shared Values
8
• Honesty – Conveying information
truthfully and honoring commitments
• Accuracy – Reporting finding precisely
and taking care to avoid errors
• Efficiency – Using resources wisely and
avoiding waste
• Objectivity – Letting the facts speak for
themselves and avoiding improper bias
Codes of Conduct
• Professional codes
• Government regulations
• Institutional policies
• Personal convictions
“Don’t listen to him….He’s a socialist.”
SCCE Higher Education Compliance Conference
4
Importance of an Academic
Compliance Program
• Financial and Operational Risks
• Health & Safety Risks
• Reputational Risks
• Community
• Sponsors and Regulators
• Governmental Expectations (e.g., Title IX, DHHS OIG, NIH, NSF)
• Possibly Reduced Fines and Penalties
Importance of an Academic
Compliance Program
• Elimination of uncertainty and confusion about roles and
responsibilities
• Better quality research, operations
• Identifying and addressing problems early
• Reducing likelihood of government audits &
investigations
• Better trained workforce
When Non-Compliance Occurs
SCCE Higher Education Compliance Conference
5
Compliance Risk Consequences
• Imposition of fines and sentences
• Media coverage, blemished reputation
• Threat of whistleblower lawsuits
• More external regulatory and audit agency scrutiny
• Management time and effort for damage control
• Exclusion from governmental programs
• Probation and court-imposed programs
• Imposition of government-designed programs/procedures
Issue Etiology
Reliability and Reasonableness
“…it is recognized that research, service and administration are inextricably intermingled. A precise assessment of factors that contribute to costs is not always feasible, nor is it expected. Reliance, therefore, is placed on estimates in which a degree of tolerance is appropriate.” OMB Circular A-21, Section J.10 (Compensation for Personal Services)
Issue Etiology (2)
SCCE Higher Education Compliance Conference
6
“Scientist Behaving Badly”-- Nature 2005
Top Ten Behaviors
Percent*
Other behaviors
Percent*
Falsifying research data 0.3%Publishing the same data or results in two or more
• Assists the campus/institute compliance committees in their various duties regarding the risk assessment.
o Provides campus compliance officers general compliance training and training for risk assessment.
o Manages data collected from the risk assessment.
o Helps facilitate consolidating compliance issues and in developing potential corrective actions.
o Shares valuable information among all campuses.
Campus Compliance Committees
* Plans are reviewed by the respective chains of command, who must determine what resources to allocate and what risks must be assumed.
*
**
** Would include progress on plans and risks being assumed.
Applicable Regulatory Areas
Academic 6 Health Care 13
Athletics 3 Legal 7
Communications 14 Privacy 8
Employee 25 Procurement 14
Environmental 13 Research 92
Facilities 26 Safety/Health 67
Federal Reporting 6 Student 37
Financial 6 Tax 17
Gifts 6 Transportation 2
Total 362
SCCE Higher Education Compliance Conference
11
Assignment of Regulatory Areas
Number of Number of
Administrative Unit Compliance Officers Regulatory Areas
Chancellor 1 1
Provost/Academic 10 29
Finance & Administration 18 148
Development/Alumni Affairs 2 2
Human Resources 5 11
Equity & Diversity 1 11
Research 8 58
Communications 1 4
Student Life 8 19
Athletics 4 6
System Administration 17 73
Campus Compliance Officer
FSG §8B2.1. (b)(4)(A)- Provide training. (b)(5)(A)- Monitoring.
FSG §8B2.1.(b)(5)(B)- Risk Assessment.
FSG §8B2.1.(b)(7)- Taking corrective action.
FSG§8B2.1.(b)(2)(C)- Specific individuals with responsibility. (Should be “working” responsibility.)
Campus Compliance Officer
Topics Covered in General Training
• Institutional Compliance Program organizational structure and assignment of responsibilities
• Overview of Federal Sentencing Guidelines (i.e., culpability factors and compliance program requirements)
• Disclosure of violations policy
• Whistleblower laws
SCCE Higher Education Compliance Conference
12
Campus Compliance Officer
Topics Covered in General Training
• False Claims Act
• Corporate Integrity Agreements and government oversight.
• Instructions for the compliance risk assessment
• Framework for identifying, describing and disclosing risks
• Identify control weaknesses.
• Identify areas of noncompliance.
• Identify areas of potential weakness to monitor closely.
• Take corrective actions where needed.
• Identify targeted areas in need of assistance.
• Provide a baseline to measure future performance and track improvements that have been implemented.
• Perform assessment in efficient and effective manner.
Risk Assessment –
The Objectives
1. Identify relevant regulatory areas.
2. Identify who has working responsibility for compliance at the campus level.
3. Campus compliance officers assess the risks.
4. Campus Compliance Committee identifies priorities and coordinates the development of plans of corrective actions.
Risk Assessment –
The Process
SCCE Higher Education Compliance Conference
13
Risk Assessment – Web-based Tool
[Adapted from a risk assessment process developed by Robert Roach at NYU.]
Step 1
Identify and describe the violations (or category of violations) that are the greatest risks for the regulation.
Identify the violations you are most concerned about in the context of the controls and ethical environment that are in place. What violations are you most concerned with?
Risk Assessment – Web-based Tool
Step 2
Measure the level of impact for the specific risk/ violation. Each type of impact has five levels that have been specifically defined.
Types of Impacts:
• Financial
• Legal
• Operational
• Reputational
* The most likely level of impact.
Risk Assessment – Web-based Tool
IMPACTS
Financial Legal Operational Reputational Less than
$200,000
1 Technical violation of law or regulation.
Little or no fine or other consequences
probable.
1 No impact on operations. No loss in our
ability to conduct research or hold
classes.
0 Little or no risk to the university’s
reputation.
0
$200,000 to
$1 million
2 Government civil lawsuit or agency
finding/action where outcome results in
no increased governmental oversight or
loss of licensure.
2 Little or no impact on teaching or
research. Impact is limited to the
business/services operations only; with
possible disruption or closure for 1 or 2
days.
1 Slight risk to reputation. Possible bad
press, but no significant
consequences to students, faculty,
schools, or business units.
1
$1 million
to $5
million
3 Government civil lawsuit or agency
finding/action where outcome could
result in increased governmental
oversight or loss of licensure.
3 Teaching or research is disrupted 1 day
to 1 week; or business/ services
department disrupted 3 days to 2 weeks.
3 Moderate risk to reputation. Probable
short term bad press. Modest student,
faculty, donor, and/or constituent
fallout.
2
$5 million
to $10
million
4 Government civil lawsuit, criminal
investigation, or agency finding/action
limited to one college or business unit
that could result in loss of accreditation.
4 Teaching or research is disrupted for
greater than a week; or business/ services
department disrupted for greater than 2
weeks.
4 Significant negative press coverage.
Significant student, faculty, donor,
and/or constituent fallout.
4
Greater
than $10
million
5 Government civil lawsuit, criminal
investigation, or agency finding/action
involving multiple colleges or business
units that could result in loss of
accreditation.
5 Multiple departments are unable to
conduct research or hold classes for a
month or longer; or an entire department
(or greater) is eliminated. (Includes
exclusion from governmental programs)
5 Extensive and prolonged negative
press coverage. Significant
sponsor/board questions of
management. Extensive student,
faculty, donor, and/or constituent
fallout.
5
SCCE Higher Education Compliance Conference
14
Risk Assessment – Web-based Tool
Measure the frequency of the risk/violation.
• Base this on your past experience as the
campus/institute compliance officer.
• Base this with consideration to the current
controls that are in place.
• Base it on the specific scenario you have
defined (i.e., how many times the scenario will
occur?)
• This is not the frequency of the violation being
discovered by an external party.
Step 3
Risk Assessment – Web-based Tool
FREQUENCY
Will probably not occur in the next year, based on
historical/industry experience.
1
Will probably occur one time in the next year, based on
historical/industry experience.
2.5
Will probably occur two to five times in the next year,
based on historical/ industry experience.
3
Will probably occur six to ten times in the next year,
based on historical/ industry experience.
3.5
Will probably occur more than ten times (or constantly)
in the next year, based on historical/ industry experience.
4
Risk Assessment – Web-based Tool
Step 4
Measure the level of control (five levels).
• Policy, Procedures, and Responsible Office
• Training
• Monitoring
SCCE Higher Education Compliance Conference
15
Risk Assessment – Web-based Tool
Risk Assessment – Web-based Tool
• Has an entity external to the university audited this regulation
at your campus/institute within the past 10 years?
• Has the campus/institute received findings or penalties for
violating this regulation in the past 3 years?
• Is the campus/institute currently out of compliance or have
there been an unacceptable number of violations in the past
12 months?
• Do significant vulnerabilities or control weaknesses exist?
* A starting point. Very roughly identifies regulations with high impacts and low levels of controls. Indicates may need to review controls. Does not eliminate need to address areas where we have violations.
SCCE Higher Education Compliance Conference
19
Developing Corrective Action Plans
1. Review risks and consolidate related issues.
2. Assemble work team and develop a very brief description of the proposed solution.
3. Campus Committee reviews brief descriptions, asks questions, and makes recommendations.
4. Work team develops the detailed plan and includes an estimate of resources needed. (Provide Corrective Action template.)
Developing Corrective Action Plans
5. Campus Committee reviews final proposed plan.
6. Campus Committee presents proposed plans to Chancellor’s Cabinet.
7. Campus Committee monitors the implementation of the approved plans.
CONTROLS TO IMPLEMENT (enter information for all that apply)
Policy/Procedure Changes
Brief explanation of any policy/procedure changes and
why they are needed:
Approvals/endorsements needed for changes:
SCCE Higher Education Compliance Conference
20
Corrective Action Template
Training
Brief explanation of why the training is needed:
Brief description of course content:
Who will perform the training:
Who will receive the training:
The preferred frequency of the training:
Training methodology (e.g., in-class; web):
Methodology for identifying participants.
The training records that will be maintained:
Corrective Action Template
Monitoring
Brief explanation of the monitoring that will be
performed (e.g., inspections; violation reports):
Preferable frequency of monitoring:
Enforcement
Explanation of how violations will be handled:
Violation reports and who will receive them:
Appropriate penalties for violations:
Additional Relevant Information on Controls:
Provide any other relevant information (including
remaining significant risks that are still being assumed):
Corrective Action Template
RESOURCES NEEDED (enter information for all that apply)
Additional Funding
Increased staffing
List individual positions, primary responsibilities, and
approximate salary range:
Equipment
General description and approximate cost:
Maintenance cost, if significant:
Software
Description and approximate cost:
Annual licensing fee if applicable:
SCCE Higher Education Compliance Conference
21
Corrective Action Template
Supplies
General description and approximate cost:
Services provided by external sources
General description and approximate cost:
Travel
General description and approximate cost:
Construction
General description and approximate cost:
Other Financial Costs
Description of any other costs that will require
additional funding:
Corrective Action Template
Additional Time/Effort Expended by Current Positions (if applicable)
List position (or office) and the additional
responsibilities/effort:
IMPLEMENTATION
If some or all of the corrective actions have been
implemented, please explain.
Group Activity
The audience is being asked
to spend five (5) minutes
identifying positions or
individuals within their
institution who should be
informed of a significant non-
compliance event (e.g.
chemical fire resulting from
noncompliance causing
injury or death; or human
subjects violation resulting in
a federal audit).
Jesse Gelsinger
(1981- 1999) died
in a gene “therapy”
clinical trial at the
age of 18 after
suffering a
massive toxic
shock reaction
SCCE Higher Education Compliance Conference
22
Communication Strategies
“Educators, scientists, and
researchers face specific
challenges as they
communicate technical
information to educate the
general public and other
non-technical audiences.”
Source: S. Hutcheson. Effective Use of Risk Communication Strategies for
Health & Safety Educational Materials. October 1999 // Volume 37 //
Number 5 // Feature Articles // 5FEA1
Purpose of Risk Communication
• Enlightenment (Improve risk
understanding)
• Right-to-know
• Attitude
modification
• Legitimatize the
institutional risk
• Risk Reduction
• Behavior change (encouraging protective
behavior)
• Emergency
readiness
• Public engagement
• Participation of
those potentially
impacted
Source:S. Lang et al. Risk Communication. 2001 World Health Organization (WHO). Water Quality:
Guidelines, Standards and Health. Edited by Lorna Fewtrell and Jamie Bartram. Published by IWA
Publishing, London, UK. ISBN: 1 900222 28 0
SCCE Higher Education Compliance Conference
23
Communicating Risks
• Recognize the institutions’ attitude about the potential risk
• Risk = Hazard + Perception
• Establish the existence and severity of the risk
• Demonstrate the risk poses a potential threat to institutional abilities and values
• Illustrate specific steps to avoid the risk
Adapted from: S. Hutcheson. Effective Use of Risk Communication Strategies for Health & Safety Educational Materials. October 1999 // Volume 37 // Number 5 // Feature Articles // 5FEA1
Source:S. Lang et al. Risk Communication. 2001 World Health Organization (WHO). Water Quality:
Guidelines, Standards and Health. Edited by Lorna Fewtrell and Jamie Bartram. Published by IWA
Publishing, London, UK. ISBN: 1 900222 28 0
Tenets Needed:
1) Credibility
2) Context
3) Content
4) Clarity
5) Continuity and
consistency
6) Channels
7) Capability of
audience
SCCE Higher Education Compliance Conference
24
Effective Internal Communication
Leads to Empowerment
In order to fulfill our mission of serving the people of
Tennessee and beyond through the discovery,
communication and application of knowledge, we
must be committed as a statewide workforce to
promoting responsible and ethical behavior in
everything we do. — Dr. Joe DiPietro, University of Tennessee President
In our journey to the Top 25, reducing our risks,
maintaining integrity in our research and scholarly
activities, and protecting all of our faculty, staff, and
students will be vital to helping us reach or collective
university goals.
— Dr. Jimmy Cheek, UT Knoxville Chancellor
Empowerment Begins with
Institutional Leadership
What are Mechanism for Empowerment
Three (3) Basic Steps
1. Meet the regulatory needs by
building a foundation of
compliance
2. Meet the researcher’s needs
and fulfill their wish list
3. Meet the needs of the research
administrative staff
SCCE Higher Education Compliance Conference
25
Meeting the Regulatory Needs
• Perform systematic assessments of each functional area
• Maintain and obtain Accreditation (promote external assessments)
• Insure compliance committees are more than functional
• Encourage staff training and certification
Meeting the Researcher Needs
• Improve speed of
submission review and
approval
• Insure availability of
competent staff to
respond to questions
• Insure availability of
appropriate trainings
• Utilize electronic
submission solutions
• Create effective
communication strategies
Meeting the Staff Needs
• Insure leadership provides
the infrastructure for
success
• Understand and contribute
to the culture of compliance
• Promote internal and
external training
opportunities
• Create and foster flexibility
(outcome based activities)
• Create internal rewards
SCCE Higher Education Compliance Conference
26
Robert Nobles, DrPH, MPH, CIP
Assistant Vice Chancellor for Research
UT Knoxville Institutional Compliance Committee Chair