Taking Compliance from Policy to Practice: Managing in a Sea of Change
November 6, 2013
Compliance is an area of higher education law and policy that keeps college and university presidents and chancellors up at night--not unlike the reaction of institutional counsel. Given the many challenges facing institutions of higher education, the shortage of resources at most institutions, and increased calls for accountability on multiple fronts from external voices (e.g., federal and state policy-makers, accrediting bodies, etc.), many institutional leaders are hard-pressed to find sufficient time and energy to focus on compliance matters. Yet the growing importance of strong, effective compliance programs is becoming increasingly clear.
Here are a few thoughts from the perspective of a (relatively new) president on approaching the topic of compliance from an institutional perspective.
Institutional Model and Structure
With regard to a structure for overall compliance responsibility, I do not believe that there is a single “best” model for all institutions of higher education. Large research universities with medical schools and hospitals have very different compliance needs than small liberal arts colleges, for example. Some institutions might choose to have a chief compliance officer; others will choose to work through a compliance committee that cuts across departmental and unit lines. In choosing a model for a specific institution, factors such as the types and degrees of compliance risks for that particular institution, its history regarding compliance issues, backgrounds of personnel in compliance-related offices within the organization, and overall budget should all be considered.
There is no need to reinvent the wheel here. We can continue to learn from the models developed by other institutions of higher learning, keeping in mind our varying missions and needs. We can also utilize the resources of our national higher education organizations, like NACUA and the Higher Education Compliance Alliance (www.higheredcompliance.org)--both to develop a catalog of compliance risks that apply to our institutions and to review best practices and models nationally. In some respects, decisions regarding the development of a structure to handle compliance obligations are not unlike decisions about other challenges and priorities that cut across the entire institution (diversity, for example). Furthermore, our compliance approaches and structures must remain flexible enough to evolve over time as needs and circumstances change--in other words, as new compliance obligations and risks arise or become more prevalent.
Perfection is not the Goal
A good compliance program cannot have perfection as its goal. Risk is inherent in any institution where cutting-edge teaching and research is being done, and where there are thousands of students and employees. The goal is not to eliminate all compliance risks, but rather to identify potential risks and then to prevent or manage them to the extent reasonably possible in light of other institutional goals and priorities.
When people think about the topic of compliance in general, they can be easily overwhelmed with the vast array of laws and regulations that apply to an institution. It may be helpful to think about the subject in more manageable clusters of issues (especially when first developing compliance functions), and to set priorities in stages over time when developing new programs and policies. There will never be enough human or financial resources to do the job perfectly, especially in an era when institutions of higher education are under relentless pressure to cut “administrative” costs and positions.
Institutional leaders must make the case to governing boards, legislators, and other stakeholders that spending a certain amount of human and financial resources on compliance is essential to the sustenance of the academic mission. As regulatory burdens continue to increase (from all levels of government), this message becomes even more important. Compliance obligations are not likely to lessen anytime soon, so we need to educate a variety of constituencies about their purposes and resource implications.
Importance of Internal Coordination and Communication
One of the most important messages institutional leaders can send is the need for constant internal coordination and communication on compliance issues. While our institutions have different units or departments with specialized compliance expertise and experience, a healthy and well-functioning compliance program requires efforts that cut across the traditional silos in higher education. Virtually every unit or department will have some type of compliance-related responsibilities for which its people are the resident experts, and for which they control relevant information or have relevant authority. Accordingly, fostering a culture of regular interaction and dialogue on compliance issues is crucial.
Some institutions have established cross-cutting compliance committees to ensure that such communications take place. Offices such as institutional counsel and internal audit (among others), if they exist on campus, can be essential participants in such groups. Some institutions might also choose to focus particular efforts and attention on compliance areas that present particularly high risks (financial, legal, reputational, or otherwise), such as research, athletics, health records, or data privacy. Even if an institution has a chief compliance officer or specially designated compliance function, it will be essential for personnel in all units to understand that compliance is everyone’s responsibility.
Institutional leaders can also help to foster communications regarding compliance by holding regular meetings with personnel who have oversight for key areas of compliance, and ensuring that compliance concerns are on the agenda for discussion. Institutional leaders must convey the message that they are not afraid to hear bad news about potential compliance risks, costs, or concerns that might need attention. Discussion of compliance obligations can be explicitly included in individual performance reviews as well, since employees tend to pay attention to areas in which they know they will be evaluated and held accountable.
Staff members who have responsibility for various areas of compliance should not just identify gaps or problems for institutional leaders, but also offer potential approaches or solutions. As institutions, we should also periodically determine whether there are new or creative ways to protect ourselves from certain types of risks. For example, Virginia’s public institutions recently collectively obtained a form of cyber-security insurance.
Presidents and chancellors can also use the help of staff in identifying those compliance issues that merit particular board-level attention and oversight because of board fiduciary responsibilities, the level of risk (financial, legal, reputational or otherwise), etc. Board audit committees can be a helpful starting point for many such discussions, depending on the nature of the issue involved.
Fostering a Culture of Reporting and Response
Institutions can greatly improve their compliance programs by having in place strong policies that protect individuals who raise good-faith compliance concerns, and in particular that prohibit retaliation against such individuals. It is helpful to publicize avenues for different sources of complaints so that employees know to whom they can go with concerns. The easier it is for people to register concerns internally—and the more they see that such concerns are treated seriously and expeditiously—the less likely they will be to resort to external agencies when they first become aware of potential concerns. New employee orientation sessions and websites are among the tools that can be used to communicate this message.
Institutions can also strive to build good rapport with regulatory and oversight agencies with whom they must deal periodically on compliance issues. Regulators are human, too—if they believe that an institution’s personnel are trustworthy and competent, they are far more likely to give an institution the benefit of the doubt when potential questions or problems arise.
Education and Training
Ongoing educational and training efforts are critical to successful compliance programs. Unless someone is dealing with a particular law or regulation on a regular basis, they are likely to be unaware of all of its nuances and requirements. New legal and policy developments provide good opportunities to practice preventive law, and institutional leaders can promote compliance efforts by ensuring that resources exist to support such educational programs. This is often an area that is cut during tight budget times, but education and training for compliance-related purposes need to remain high institutional priorities at all times.
Special care should be taken in creating records related to compliance. On the one hand, it is helpful to document and publicize compliance efforts. On the other hand, at public institutions, documents that are created and that identify potential institutional compliance risks or shortcomings may be subject to state open public records laws (unless a particular exemption applies), and/or used by adverse parties in litigation. Appropriate use of attorney-client communications is one strategy that might be helpful to protect certain compliance-related communications.
One of the key areas in which institutions can improve compliance oversight is to develop clear guidelines for signatory authority for the approval of contracts, transactions, or other major university decisions and initiatives. When an employee knows that he or she is the responsible party for a contract or other decision, he or she is more likely to review it carefully. It also makes it easier for everyone in the process to know with whom they should be dealing. Signatory authority guidelines can be posted on websites and updated regularly with relevant delegations of authority or other changes.
Institutional Policies, Accreditation, and Other Compliance Obligations
Compliance obligations don’t begin and end with external laws and regulations. We must also pay attention to our own institutional policies and procedures. It is helpful to have easily accessible, searchable policy libraries online that are readily available to all employees.
Likewise, accreditation requirements are an increasingly important source of compliance obligations and merit special attention—not just when an institution is facing a site visit or reaccreditation review. For all schools or programs that are accredited by an external body, therefore, it is helpful to have someone who is designated as the in-house expert on the relevant accreditation requirements.
Tone from the Top
Institutional leaders have an important role to play in conveying the message, internally and externally, that compliance responsibilities will be taken seriously—and that ethical conduct and decision-making will be recognized and rewarded. At James Madison University, a new institution-wide ethics initiative (The Madison Collaborative: Ethical Reasoning in Action) has been introduced, in which we hope faculty and staff will join with our students in discussing the importance of ethical decision-making in our professional, civic, and personal lives. Leaders can play a key role in creating safe spaces for the discussion of ethical issues, and in conveying the message that ethical or compliance shortcuts will not be permitted or encouraged.
Sometimes people feel that compliance obligations are a burden that simply gets in the way of the more fun and creative aspects of their jobs. At their best, however, compliance programs can be educational, enriching, and can be used to help individuals and units do their jobs more effectively. Compliance obligations are here to stay, so compliance efforts must be given the same respect as other institutional priorities.