Establishing An Effective Compliance Program,

Compliance RISK ASSESSMENTS,

and the Role of General Counsel

June 25-28, 2006

PETER HARRINGTON

Harvard Medical School

Boston, Massachusetts

and

TOM SCHUMACHER

University of Minnesota

Minneapolis, Minnesota

I. INTRODUCTION

It is increasingly evident that senior leaders and managers, and trustees and directors, of an ever growing number of colleges and universities have come to the conclusion, or are coming to the conclusion, that their institutions need to establish some sort of formal “compliance program” in order to better ensure that they are adequately and responsibly carrying out their various ethical, legal and fiduciary responsibilities and obligations arising out of all of the institution’s various programs and activities, and that they are minimizing and appropriately safeguarding the institution and its directors, officers, employees, students and other constituencies against the risks and liabilities inherent in those programs and activities. The factors understood to be driving this trend include the increasing levels of public and regulatory scrutiny of corporate governance in the wake of Enron and other recent corporate financial scandals, the passage of the Sarbanes-Oxley law[1] in 2002 (directed at publicly traded corporations but whose provisions have influenced a reexamination of corporate controls in the non-profit sector), the increasing expectations of government regulators, accrediting bodies, and academic and industry groups – expressed in various regulatory and sub-regulatory guidance documents, management standards, and best practice recommendations - that institutions will establish and maintain appropriate and adequate compliance programs, and a significant increase in claims and liability exposures in areas such as gender discrimination, study abroad programs and human subjects research.

Once the decision has been made that a compliance program is needed, institutions must of course determine what the program will look like, how it will function, and how it will be administered and managed. Embedded in those inquiries are questions about the intended purposes and goals of the program, the preferred scope and cost of the program, and the location of the compliance function, and compliance officials, within the pre-existing university governance structure and hierarchy. While answers to many of these questions may vary from institution to institution, there appears to be a fairly broad consensus in the literature, and in published guidance from government and academic and industry groups, about the basic elements essential to successful compliance programs. These standard elements are well known by university audit and compliance officers, and increasingly, by university lawyers, controllers, risk managers and other management professionals as well.

The intention of this paper is to discuss a number of these essential compliance program elements, and to provide some useful recommendations, insights and cautions about them, as well as, whenever possible, citations or references to useful models or other resources that might assist university attorneys and others looking to help establish or improve their institution’s compliance programs.

Since one of the authors serves as a research compliance officer in a medical school (while the other is a university-wide compliance official with oversight of all risk areas), some of the discussion in certain sections will focus on issues or considerations specific to the compliance function in a unit- or school-based setting, or on compliance concerns specific to research and sponsored programs activities. Nonetheless, the article is intended to convey and discuss general principles applicable in a university-wide context and relevant to compliance risks in the full range of research and non-research activities.

II. GUIDELINES FOR COMPLIANCE PROGRAMS

The acknowledged “touchstone” set of guidelines for institutional compliance programs, which appear to serve as a template, or at least starting point, for other governmental and non-governmental compliance guidelines, are those contained in the United States Sentencing Guidelines for Organizations (“Sentencing Guidelines”), which were first issued in 1991 by Congress, acting through the United States Sentencing Commission, and were most recently revised and reissued in November of 2004[2]. The section of the amended Sentencing Guidelines entitled “Effective Compliance and Ethics Programs” identifies a framework of seven (7) core elements which it says are minimally necessary to ensure that the organization has met its core obligations to “exercise due diligence to prevent and detect criminal conduct and [ ] otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.” Those seven elements, which by now are familiar to many, and which will be elaborated upon in the sections to follow, are:

1. Adequate compliance standards and procedures;

2. Effective compliance oversight;

3. Careful delegation and due care in hiring/screening employees;

4. Effective training and education for roles and responsibilities;

5. Monitoring, auditing, and hot lines;

6. Enforcement for violations; and

7. Corrective action.

An equally useful and influential set of governmental guidelines for colleges and universities are those issued in draft form last December by the Office of the Inspector General of the U.S. Department of Health and Human Services and entitled “Draft OIG Compliance Program Guidance for Recipients of PHS Research Awards”[3] (“Draft OIG Guidelines”). While these guidelines are intended to provide recommendations for compliance programs focused on regulatory and financial aspects of federally sponsored research and service awards, the principles and practices they describe are readily generalizable and useful for structuring compliance programs overseeing virtually all activity areas. A recent statement issued by officials from COGR indicates that government sources have said that these OIG Guidelines will be “withdrawn,” presumably in response to the numerous public comments submitted to HHS which were critical of certain aspects of the guidelines. Nonetheless, because it is very likely that some federal agency (probably the National Science and Technology Council’s Committee on Science) will ultimately issue some sort of government-wide guidance similar to the DHHS Draft OIG Guidelines, and because the Draft OIG Guidelines in any case provide valuable insights concerning that agency’s perspectives on compliance programs, they remain an important resource for institutions establishing or evaluating their compliance programs.

The OIG describes the purpose of its draft guidance as being “to encourage the use of internal controls to effectively monitor adherence to applicable statutes, regulations, and program requirements.” While acknowledging the focus of the guidance to be “on grant compliance and administration issues,” the OIG also states its belief that its guidance will also assist institutions in developing compliance programs for their other activities …” The OIG makes clear, in its introductory comments, that its Guidance is not meant to provide rigid mandatory rules for compliance programs, but rather is meant as a set of recommendations and suggestions for institutions to consider if they decide to establish a compliance program. While noting that “the decision to adopt a compliance program is entirely voluntary,” the OIG also points out certain advantages related to such a program, including: “ensuring good stewardship of Federal funds by eliminating erroneous or improper expenditures”; improving grant administration processes; “demonstrating to employees and the community at large the institution’s commitment to honest and responsible conduct”; “identifying and correcting unlawful and unethical behavior at an early stage”; minimizing losses to the government and the institution through early detection; reducing the likelihood of government audits and investigations; and possible mitigation of penalties and other adverse enforcement actions in certain governmental enforcement cases.[4]

The Draft OIG Guidelines then go on to describe the eight basic elements of a comprehensive compliance program as follows:

(1) The development and distribution of written standards of conduct, as well as written policies and procedures, that reflect the institution’s commitment to compliance.

(2) The designation of a compliance officer and a compliance committee charged with the responsibility for developing, operating, and monitoring the compliance program, and with authority to report directly to the head of the organization, such as the president and/or the board of regents in the case of a university.

(3) The development and implementation of regular, effective education and training programs for all affected employees.

(4) The creation and maintenance of an effective line of communication between the compliance officer and all employees, including a process (such as a hotline or other reporting system) to receive complaints or questions that are addressed in a timely and meaningful way, and the adoption of procedures to protect the anonymity of complainants and to protect whistleblowers from retaliation.

(5) The clear definition of roles and responsibilities within the institution’s organization and ensuring the effective assignment of oversight responsibilities.

(6) The use of audits and/or other risk evaluation techniques to monitor compliance and identify problem areas.

(7) The enforcement of appropriate disciplinary action against employees or contractors who have violated institutional policies, procedures, and/or applicable Federal requirements for the use of Federal research dollars, and

(8) The development of policies and procedures for the investigation of identified instances of non-compliance or misconduct. These should include directions regarding the prompt and proper response to detected offenses, such as the initiation of appropriate corrective action and preventive measures.

Most of these elements are discussed in the succeeding sections of this paper. In addition, the OIG’s supplementary comments and statements found elsewhere in the Draft OIG Guidance, which elaborate on or explain the meaning and intent of these eight elements, are summarized in the outline-grid reproduced in Appendix A.

Another set of influential guidelines – in this case non-governmental guidelines – that should be very useful to higher education organizations seeking to establish or improve internal compliance controls in the sponsored programs area are those described in COGR’s publication entitled “Managing Externally Funded Programs at Colleges and Universities: A Guideline to Good Management Practices” (the “COGR Guide”). The COGR Guide, which is the most detailed of the three guidance documents mentioned here, provides specific sets of performance standards and best practice recommendations for each of the various risk areas relating to sponsored research and sponsored programs activities, such as allowable costs, cost sharing, human subjects protection, awards management, environmental safety and intellectual property. The COGR Guide is organized to provide, for each of those and other identified risk areas, a hierarchical set of principles, each with multiple corresponding recommended “practices” and compliance “indicators”. For example, in the area of “Financial Administration” one of the enumerated “Principles” (relating to “cost sharing”) along with one of its subsidiary “Practices” and its multiple corresponding “Indicators” are described as follows:

Principle II-6. Cost Sharing: The institution has policies and procedures for properly monitoring and documenting cost sharing in the same manner as costs funded by the sponsor, including mandatory and voluntary committed investigator effort. These policies and procedures comply with federal requirements of OMB Circulars A-21/A-122 and A-110/2CFR215.

Practice A. The institution has written policies and procedures for cost sharing that are consistently applied in proposing, accumulating, and reporting costs both to external sponsors and within the institution.

Indicator 1. Cost sharing included in proposal budgets, accepted by the sponsoring agency, and made a condition of the award is considered to be an obligation of the institution.

Indicator 2. Investigator and staff effort as well as non-labor costs included as cost sharing obligations are appropriately recorded in the institution’s accounting records.

Indicator 3. Cost sharing expenditures meet the standards of allowability, allocability, and reasonableness consistent with federal cost principles and standards of sponsors.

Indicator 4. Institutional systems provide for appropriate monitoring of cost sharing for timeliness and adequacy of expenditure or in-kind valuation documentation.

Indicator 5. The institution reports required cost sharing in accordance with the terms and conditions of awards.

Indicator 6. Voluntary uncommitted cost sharing (i.e. investigator-donated additional time above that agreed to as a condition of the award) is excluded from the organized sponsored projects base used for computing the F&A cost rates.

The COGR Guide is closer to a detailed accreditation checklist than a general set of guidelines for the overall design of a comprehensive compliance program (although it contains a short list of recommended principles, practices and indicators for an overall compliance program as well). Nonetheless, it is an immensely valuable tool that compliance officials will certainly want to use when performing an evaluation and gaps-analysis of institutional policies and controls in the areas of research and sponsored programs.

III. CONSIDERATIONS AND RECOMMENDATIONS CONCERNING SPECIFIC ASPECTS OF COMPLIANCE PROGRAMS

In the following sections, we will discuss a number of the recommended components of a compliance program which are not covered in the companion paper (which covers codes of conduct, hotlines and non-retaliation policies) as well as issues relating to the relationship of the compliance function and compliance offices and officials with other university offices and officials, including lawyers in the office of general counsel.

A. OVERSIGHT, GOVERNANCE AND LEADERSHIP ISSUES

Of critical importance to the success of any university compliance program is the establishment of an effective governance structure for the compliance function which: will ensure the necessary awareness of compliance issues and needs among university directors and senior leadership, and the awareness and support of senior managers across all relevant schools, departments and business and administrative units; high level support for compliance programs initiatives, including the provision of adequate resources to ensure their success; clear delegation of compliance responsibilities to qualified designated personnel who are provided appropriate authority and who will report back to senior leaders; and an appropriate degree of coordination and/or integration of compliance functions across different units and programs to ensure consistent quality and effectiveness of compliance programs and safeguards and the avoidance of administrative redundancy and conflict.

The essential importance of senior leadership responsibility for compliance, and senior leadership commitment and support for a properly designed and effective compliance program, is a central theme in the Sentencing Guidelines. Those Guidelines specifically provide that:

1. The organization’s governing authority shall be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight with respect to [its] implementation and effectiveness.

2. High level personnel … shall ensure that the organization has an effective compliance and ethics program … [for which] specific individuals within high level personnel shall be assigned responsibility.

3. Specific individuals within the organization shall be delegated day-to-day operational responsibility for the compliance and ethics program. [These individuals] shall report periodically to high-level personnel and, as appropriate, to the governing authority, or an appropriate subgroup of the governing authority, on the effectiveness of the …program. To carry out such operational responsibility, such individual(s) shall be given adequate resources, appropriate authority, and direct access to the governing authority or an appropriate subgroup of the governing authority.