Slide 1 - University of Texas System

                      Managing High Risks:
               Duties and Responsibilities of the
                University Compliance Officer

                 Effective Compliance Systems in Higher Education
                              5th Annual Conference
                              Tuesday, June 5th, 2007
                                   Austin, Texas

                                              Steve Jung
                  Director of Internal Audit and Institutional Compliance, Emeritus
                                         Stanford University

Thanks to UT!!!!!!!!
                                                                                  Slide 1
   Context for Institutional Compliance
   ICOs have many different roles and
   What does it mean for ICOs to manage risk?
   Updated look at the highest risk areas in
    higher education
   Ideas for enhancing compliance risk
   Evolution toward use of best practices?
                                       Slide 2
Context for Compliance Programs
              Nature of the university is becoming
               more complex, risks proliferating
              Rules becoming more numerous and
               complex; new ones emerge constantly
              Legal and sponsor enforcement is
               becoming more aggressive
              Non-compliance findings can be
               embarrassing and costly (settlements
               just the tip of the iceberg)
              Many universities have developed
               institutional compliance programs, the
               rest are either developing or
               considering them
              But there are many different models…
                                          Slide 3
The Many ICP Models/ICO Roles
               Coordinate/Support vs.
                Assume Line Responsibility
               Address specific high risk
                areas (e.g., research, Med
                School) vs. entire institution
               Combined with other functions
                (e.g., internal audit, risk
                management) vs. standalone
               Medicare billing involvement
               Reporting to higher (e.g.,
                system, board) level
               Other dimensions?
                                     Slide 4
       What Does It Mean for ICO to
             “Manage” Risk?
   Ensure highest enterprise risk areas are identified (and
    scan the horizon for emerging risks)
   Ensure responsible parties are identified for each area
   Identify responsibility gaps and get them filled
   Promote and/or carry out specialized and general (e.g.,
    Code of Conduct) compliance training
   Ensure compliance activities are being monitored
   Ensure non-compliance is identified and discouraged
   Identify effectiveness gaps and promote fixes
   Promote a “Culture of Compliance”
                                                  Slide 5
     Identifying Enterprise Compliance Risks
   Stanford ERA method demonstrated at last year’s
    UT Compliance Conference…
   Brings together top managers (including faculty) in
    a facilitated group session
   Uses electronic balloting to “vote” on risks
   Identifies current and most salient risks as
    perceived by those most involved
   Provides sound basis for Enterprise Risk
   But don’t forget to keep it flexible for emerging
    risks…e.g., student financial aid CoI
                                               Slide 6
        Last Year’s Demo of Stanford ERA…
   What keeps you awake at night when you think
    about compliance risks facing your institution?
   Think about your university as a whole
   Vote your overall level of concern…combine
    potential for loss with probability of occurrence
   5-point score, 5=high, 1=low

    Handout: Results from last year’s demo…any new
    high risks to add?
                                                 Slide 7
                2006 UT Compliance Conf Results

                                 Brainstorming and Rating Session

                           Compliance Risk Ratings (5=High, 1=Low)                                  Mean   S.D.
PI time and effort reporting on grants and contracts: faculty time allocation; support units        4.67   0.60
 not giving the right guidance
Information security breaches                                                                       4.33   0.67
Information privacy breaches and risk of identity theft                                             4.10   0.79
Laboratory student/staff safety: non-compliance with OSHA, bloodborne pathogens, etc.               3.93   0.68
Inadequate disaster preparedness: terrorists response, health and safety, business recovery         3.70   1.04
Conflicts of interest: especially faculty relationships with industry                               3.55   0.84
Inadequate subrecipient monitoring: A-133 requirement to ensure costs transferred                   3.41   1.07
 thru prime agreements are allowable, etc.
Conflicts of interest: especially faculty and their own start-ups                                   3.41   0.83
Theft of information related to credit card charge processing (non-compliance with PCI              3.39   1.04
 security standards)
Research misconduct: faculty misbehaviors - inaccuracy of data analysis/recording                   3.37   0.98
Failure to comply with export control regulations: whole range of issues                            3.36   1.32
Improper handling of select agents and toxins: controls, following government rules that            3.31   1.34
 attend to use; transferring
Investigators conducting unapproved research: activities not approved by convened body              3.28   0.91
 such as IRB, animal safeguards panel, etc.
Self destructive student behavior, e.g., underage and binge drinking                                3.23   1.29
Clinical research billing: improperly billing federal government instead of trial sponsors          2.93   1.36
Clinical research billing: improperly billing participants or their insurance                       2.40   1.25
Hospital billing: improper Medicare procedure coding by faculty physicians                          1.93   1.34

                                                                                               Slide 8
     Importance of Using Balloting Technology
                      in ERA
   Participation of all individuals: anonymous input
   Ah-ha: immediate discussion
   Understanding: time for more extensive analysis,
    leading to joint understanding of high risk areas
   Consensus: can quickly prioritize highest risks
   Quick and efficient: maximum management input
    with minimum of manager time invested
   Communications: rapid (same day) data exports
    and reports
                                            Slide 9
      Importance of Good Facilitation Skills
                     in ERA

   Key to success is effective brainstorming and
    full participation by attending managers
   Must be able to capture the essential elements
    of the risks being articulated, in real time
   Need to keep the process moving and not let it
    get bogged down in disagreements or debates
   Maintain institutional perspective
   …and a sense of humor (:>)

                                           Slide 10
       Identify Responsible Parties
   Must understand the organization and its
    culture…if you don’t have the understanding,
    beg, borrow or steal it until you develop it
   Get buy-in from senior academic management…
    find influential faculty allies (e.g., Dean of
   Have the President or Provost delegate
    responsibility if it is not already clear
   Other ideas?

                                          Slide 11
Identify Responsibility Gaps and Get
             Them Filled
   Use examples from other universities
    (Poster Children) problems…vicarious
   Leverage existing resources and talents
   Assemble “working groups” of your
    institutional compliance committee
   Where necessary, seek funds
   Other ideas?
                                        Slide 12
           Promote or Carry Out
            Compliance Training
   Become a training guru…provide
    specialized skills and capabilities, e.g.,
    web-based training development tools
   Champion an institution-wide Learning
    Management System
   Utilize training resources developed
    elsewhere (but adapt them if possible)
   Other ideas?

                                            Slide 13
       Ensure Active Monitoring of
         Compliance Activities
   Regularly present monitoring results at
    Institutional Compliance Committee
   Get support from your internal auditor, if IA
    is not part of your operation
   For especially high risk areas, do it yourself
    if you must
   Higher level reporting (for some schools)
   Other ideas?
                                           Slide 14
        Ensure Non-Compliance Is
   Critical role of academic management…when
    a commitment to compliance becomes real
   Need not be “public” if it becomes “visible”
    to those who are knowledgeable
   Call on a high level champion, e.g., Chair of
    Audit and Compliance Committee, if
    absolutely necessary (but rarely)
   Other ideas?

                                          Slide 15
     Identify Effectiveness Gaps and
              Promote Fixes
   Work with involved management to consider
    workable changes and encourage action
   Focus senior management’s attention on
    areas where monitoring is picking up
    constant or serious problems, informally at
    first, formally if necessary
   Leverage the experiences of other schools
    (constantly network to identify them)
   Other ideas?
                                         Slide 16
     Promote Culture of Compliance
   Build upon senior leadership support (tone at
    the top)…the “Regent Estrada” effect
   Ensure that compliance is seen as supportive
    of the faculty’s mission…a “good thing”
   Minimize bureaucracy, maximize empathy
   Manage a confidential reporting mechanism
   Don’t forget the recent revisions to the
    Federal Sentencing Guidelines
   Other ideas?

                                         Slide 17
   Per David Crawford: Teach, Oversee,
   Per Ed Robinson: Be a leader!

   Other Ideas for Sharing Good Practices?

                 Good Luck!!

                                       Slide 18
