Request For Information – Ethics and Compliance Investigations Services

July 15, 2008
Compliance Reporting Program
Request for Information
MMDD0-07152008-01I
______

Table of Contents

Introduction

Organizational Overview

Project Objectives

Project Requirements

RFI Process

RFI Timeline

Evaluation Criteria

RFI Response Instructions

RFP Receipt Acknowledgement

Inquiries

RFI Response Submission

Contact Information

Response Preparation Costs

Confidentiality

Appendix A

Functional Requirements Document

Appendix B

RFI Response Template

Contact Information

Background

Work Scope Questions

Required Functionality

Implementation Approach

Estimated Fees/Costs

Introduction

The University of California Office of the President is conducting a formal process for identifying Whistleblower Program Anonymous Hotline and investigations Case Management services which meet UCOP’s minimum qualifications. As part of this process, we are soliciting your organization for information on an ethics and compliance reporting product, to include the following features:

Anonymous Hotline/Helpline

Web-based Incident Reporting

Immediate Notification/Escalation Protocol

Investigations Case Management

Metrics, Benchmarking & Reporting

Security, Reliability & Availability

Relational Database Architecture

We are also seeking your organization’s interest in responding to a potential request for proposal (RFP), to be distributed at a later date.

This document serves as an invitation for your organization to participate in the vendor pre-qualification process by responding to this short Request For Information (RFI). We will use your responses to craft a business case and determine a short list of vendors that will be invited to bid.

Organizational Overview

The University of California (University) is an educational system comprised of ten campuses throughout California, whose mission is devoted to teaching, research and public service. This system owns five academic medical centers. There is a central administrative unit, the University of California Office of the President (UCOP), headquartered in Oakland. The University has over 201,000 graduate and undergraduate students and 160,000 faculty and staff, making UC the world's premier public university. The University also manages a Department of Energy (DOE) national laboratory that is engaged in energy and environmental research. The campuses are located at Berkeley, Davis, Irvine, Los Angeles, Merced, Riverside, Santa Barbara, Santa Cruz, San Diego, and San Francisco. The medical centers are located at Davis (Sacramento-based), Irvine, Los Angeles, San Diego and San Francisco. The national laboratory is located in Berkeley.

Project Objectives

The University of California, in conformance with the State of California’s Whistleblower Protection Act (WPA – Government Code Section 8547 - 8547.12), has implemented system-wide policies and procedures to support the reporting and investigation of suspected improper governmental activity. For details on the University’s Whistleblower Program, please see In addition, the University of California’s Ethics and Compliance Services department receives reports, both verbally and in writing, of suspected non-compliance with governmental rules and regulations that must be investigated, tracked and trended for performance improvement purposes.

Currently, the University’s implementation includes an independently-operated anonymous hotline, which is focused primarily on the Whistleblower Protection Act and receives approximately 300 original reports of alleged misconduct per year through the hotline service. This volume represents less than 25% of our overall investigations, however.

Currently, only internal audit investigations are tracked on a centralized database developed within the University. Other types of investigations are tracked locally, using a variety of systems. We do not currently use our hotline service provider’s case management functions.

The objective of this project is to establish a single, integrated system where all investigations are managed through the complete lifecycle, regardless of the method the reporter uses or the type of investigation we conduct. While our data must be consolidated for reporting purposes, granular user access controls must assure that only the appropriate parties can access the data and reports assigned to them or associated with their location.

In addition, we intend to analyze a variety of metrics in order to proactively address problem areas. For this purpose, we will need several views into our data: system-wide, medical centers as a group, national laboratories as a group, campuses as a group and locations as a whole. A location can consist of a campus alone, a campus plus medical center or a campus plus lab.

Finally, it is critical for the Universityof Californiato benchmark against similar higher education institutions – those which include campuses, medical centers and national laboratories. To accomplish this, our service provider must supply both hotline and case management services, encompassing the entire investigations portfolio, to a substantial number of universities.

Project Requirements

The following summarizes our requirements. For a complete description of our functional requirements, please see Appendix A.

  1. Anonymous Hotline/Helpline

A credible hotline service must provide live operators fluent in English and Spanish, and translation support for Asian languages (e.g. Cantonese, Mandarin, Japanese, Korean, Vietnamese, Thai, Tagalog, etc.). It must not only support anonymous access, but must also be perceived as being confidential, allowing the reporter to call back without self-identifying. It must be continuously available and provide reliable and complete information regarding the reported incident(s).

  1. Web-based Incident Reporting

A credible web-based incident reporting service must also provide continuously available English and foreign-language pages, including Spanish, Chinese, Japanese, Thai, etc. It must be fully anonymous and confidential, allowing check-back without self-identification. Its interactive script must elicit reliable and complete information regarding the reported incident(s).

  1. Immediate Notification/Escalation Protocol

While this hotline is not an emergency reporting system, it must report incidents by e-mail in a timely manner, including escalation by telephone of potentially critical situations. As the nature of the information contained in these reports is highly confidential, distribution must be accomplished through a secure reporting mechanism.

  1. Investigations Case Management

Local users must be able to open cases independently of the hotline and web-based incident reporting functions. The case management system must track to completion, allowing for individual cases to be linked together or cross-referencing by various fields, such as complainant, accused or department of accused.

  1. Metrics, Benchmarking & Reporting

We require a wide variety of metrics, on an institution, location and state-wide level, including calendar, academic and fiscal year reporting, with cross-year comparisons on a quarterly basis. Reports must group institutions by both location and type (e.g. campus, medical center, laboratory). Benchmarking statistics must be appropriate to the grouping. Ad hoc and user-defined queries and reports must be supported.

  1. Security, Reliability & Availability

We require our data and access pages to be domiciled on a separate domain. All access must be SSL, 128-bit encrypted. In addition, an industry-standard authentication protocol such as VeriSign or PCI must be employed. A Two-Factor Authentication method is desirable. System reliability and availability must be assured through continuous monitoring techniques, active network intrusion detection and business continuity exercises.

  1. Relational Database Architecture

The database architecture must allow searches on combinations of fields, such as status, allegation category, department, disposition, consequences, etc. It must support drill-downs, roll-ups and a variety of groupings and cross-references. Files of various types can be accepted as attachments to cases.

RFI Process

In responding to this RFI, please provide only the information requested. Responses will be evaluated based on your ability to address and answer succinctly the questions presented. If it is necessary to provide additional information beyond what has been specifically requested, please include it as an attachment to your response.

  1. Organizations intending to respond to the RFI must acknowledge receipt of the RFI by August 1, 2008. Questions related to the RFI must be submitted to the RFI Administrator by this date as well.
  2. A “Vendors’ Conference Call” will be conducted on August 8, 2008 for UCOP to respond to the submitted questions.
  3. To submit your RFI response, please complete the RFI Response Template (Appendix B) of this RFI by August 22, 2008 at 3:00 p.m. (PDT).
  4. Upon receipt, UCOP will review and analyze RFI responses against a set of pre-defined criteria.
  5. Organizations invited to bid on the resulting RFP will be notified of the selection process and timeline.

RFI Timeline

All RFI responses must be received by 3:00 p.m. (PDT) on August 22, 2008. UCOP reserves the right to reject any responses received after the due date and time. Below is the overall timeline:

Activity / Date
RFI is issued to vendors / July 15, 2008
Vendors acknowledge the RFI and submit questions / August 1, 2008
Bidders Conference Call / August 8, 2008
RFI responses due from vendors / August 22, 2008
Follow-up conversations conducted with vendors and UCOP / August 29, 2008
Approved vendors notified; RFP development begins / September 5, 2008

Evaluation Criteria

Key evaluation criteria will include but not be limited to the following:

  • Ability of organizations to fully meet the defined business requirements
  • Implementation methodology and plan
  • Overall perceived “fit” with UCOP’s needs

RFI Response Instructions

RFP Receipt Acknowledgement

Please acknowledge by August 1, 2008, that your organization has received this RFI by sending an email to Diane L. Diotte, RFI Administrator, at . On this date, organizations must also submit their questions related to the RFI.

Inquiries

On August 8, 2008, UCOP will conduct a conference call to respond to submitted questions. The call will last approximately 90 minutes. The call time and dial-in information will be provided to those organizations who have acknowledged receipt of RFI by August 1, 2008. August 1, 2008 is also the deadline for e-mailing your questions and comments to the RFI Administrator.

RFI Response Submission

We require a uniform format be used for RFI responses. Responses not adhering to the format standards outlined below may be disqualified from consideration.

  1. Your organization must complete the RFIResponse Template with requiredinformation entered into the spaces provided. Please provide succinct but complete information to every question and information request, including those with multiple parts.
  2. In cases where an item requested does not apply, or if unable to respond, reference the number and indicate the reason for no response.
  3. Response must consist of ONLY the answers to the questions or information requests set forth in the RFI. If it is necessary to include additional information, please provide the information as a separate attachment. Please mark and label the attachment clearly (e.g., For additional information see Attachment X).
  4. You must submit your response electronically in MS Word file format.
  5. All responsess must be received by 3:00 p.m. (PDT) on August 22, 2008. UCOP reserves the right to reject any proposal received after the due date and time.

Responses shall be submitted in the format described. Responses in any other format will be considered informal and will be rejected. Conditional proposals will not be considered. Each response must be signed by an individual authorized to extend formal responses. If the bidder fails to provide any of the following information, with the exception of the mandatory response certification, the University may, at its sole discretion, ask the bidder to provide the missing information or evaluate the response without the missing information.

Respondents should organize and submit their responses in the order and format presented. Responses must provide a response to all requirements stated in the RFI. Incomplete responses are subject to disqualification, however, the University reserves the right at its sole discretion, to require the Bidder to supply any missing information which cannot be included or amended after the proposal due date. Emphasis should be on completeness and clarity of content. Responsels must be accurate; errors or omissions of a material nature will result in rejection of a proposal.

Responses shall be prepared simply and economically, providing a straightforward, concise description of the vendor's capability to satisfy the requirements of the Request for Information. Special bindings, color displays, etc., are not desired. Promotional materials are especially discouraged.

Contact Information

Inquiries and responses concerning this RFI should be addressed to:

Diane L. Diotte, C.P.M.

Principal Buyer & Supervisor/UCOP

UCLA Campus Procurement

10920 Wilshire Boulevard, Suite 650

Los Angeles, California90024-6508

Response Preparation Costs

Your organization will assume all costs incurred in providing responses to the RFI, in providing any additional information required by UCOP to facilitate the evaluation process, travel costs for meetings and interviews, and in connection with performing due diligence. The issuance of this RFI does not obligate UCOP to accept any of the resulting proposals. UCOP makes no commitments, implied or otherwise, that this RFI process will result in a business transaction with one or more of the organizations.

As noted above, all costs incurred in the preparation and submission of responses and associated documentation, as well as any related presentations and/or product demonstrations, shall be borne by the Respondent.

Confidentiality

Your organization should treat as confidential all information contained in this RFI and obtained in subsequent communications UCOP. In addition, your organization should regard UCOP’s process of evaluating applications as strictly confidential business information. None of the information described inthis RFI may be duplicated, used or disclosed, in whole or in part, without the written permission of UCOP.

Your organization may not make any public announcement or release any information regarding UCOP’s process without its written permission. However, as a public institution, UCOP may have to disclose, upon request, certain aspects of the information provided…etc. [language to be provided].

All responses, supporting materials, and related documentation will become the property of University. This Request for Information shall be kept for a period of five (5) years from date of submission and made part of a file or record that shall be open to public inspection. If the response contains information that qualifies as a trade secret under California law or is otherwise protected from disclosure under applicable law, such information must be marked with the following legend:

"CONFIDENTIAL INFORMATION"

All information submitted as part of the response must be open to public inspection (except items marked as trade secrets or other information not subject to disclosure under applicable law). Should a request be made of University for information that has been designated as confidential by the Respondent and on the basis of that designation, University denies the request for information, the Bidder shall be responsible for all legal costs necessary to defend such action if the denial is challenged legally.

Appendix A

Functional Requirements Document

Our high-level requirements include the following specific functions. Detailed requirements for implementation of the hotline, case management and reporting features will be provided in the RFP.

  1. Anonymous Hotline/Helpline

1.1 24/7 Toll Free Accessibility with Support for International Calls

1.2 Language Translation with Spanish Speaking Agents Available

1.3 No VoiceMail; Guaranteed Answer within 60 Seconds

1.4 No Call Recording

1.5 No CallerIDs Displayed or Captured

1.6 Agent Confidentiality Agreements

1.7 Password Protected Call-Back/ Update

  1. Web-based Incident Reporting

2.1 24/7 Accessibility

2.2 Foreign Language Pages; Spanish & Asian

2.3 No Persistent Cookies

2.4 No Server-Side Logging

2.5 No IP Addresses Captured/Displayed

2.6 Live Chat Offered

2.7 Password Protected Check-Back/ Update

  1. Immediate Notification/Escalation Protocol

3.1 Immediate Reporting via E-Mail

3.2 Escalation of Critical Incidents by Telephone

3.3 Notification Levels User-Defined by Location & Allegation Category

3.4 System-wide & Location-level CC lists

3.5 Secure Hyperlink Incident Distribution

3.6 Tracking of Access to Incident Report Hyperlink

3.7 Update Notes Sent on Reporter Call-Back/Check-Back & on Case Closure

  1. Investigations Case Management

4.1 User Access Levels by Location for Open, Update & Close

4.2 Support for Multiple Allegations, Accuseds & Complainants

4.3 Date-Triggered Tickler for Queueing & Reporting

4.4 Ability to Delegate Cases While Sharing Access for Update or Closure

4.5 Ability to Flag Cases as Sensitive & Escalate

4.6 Ability to Specify Required Fields at Case Status Level

4.7 Ability to Link Cases based on Accused, Complainant or Department

  1. Metrics, Benchmarking & Reporting

5.1 Benchmark with University Systems & Medical Centers

5.2 Report Medical Centers as a Group & Along with Each Campus

5.3 Roll-Up & Summarize Allegation Categories

5.4 Summarize Data on User-Defined Values/Parameters

5.5 Calendar Year, Academic Year & Fiscal Year Reporting

5.6 Cross-Year Statistical Comparisons by Quarter

5.7 User-Defined Ad Hoc Queries & Reporting on all Data Elements

  1. Security, Reliability & Availability

6.1 SSL 128-bit Encryption; VeriSign or PCI

6.2 Two-Factor Authentication Option

6.3 Secure Hyperlink Report Distribution

6.4 Continuous Availability Monitoring

6.5 Separate Domain per Customer

6.6 Active Network Intrusion Detection & Response

6.7 Business Continuity Plan with Routine Simulation Exercises

  1. Relational Database Architecture

7.1 Searchable on Field Combinations

7.2 Cross-Referenced Data (e.g. Complainant, Accused, Allegation)

7.3 User-Defined Fields/Specified Allowed Values

7.4 Attach Documents to Case (e.g. doc, pdf, xls, jpg, etc.)

7.5 Define Medical Centers, Campuses & Labs in Institution-Type Groups

7.6 Combined View of MedicalCenter or Lab with its Corresponding Campus

7.7 Downloadable Extracts in Standard MS Office Formats

Appendix B

RFI Response Template

Instruction: Please answer as briefly as possible, and submit your answers electronically in this MS Word document.

Contact Information

Primary Contact
Company
Name / Title
Address / Telephone
E-mail / Fax
Alternate Contact
Company
Name / Title
Address / Telephone
E-mail / Fax

Background

Question / Response
  1. Please provide a brief description of your company, 3 years of financial history, how long you have been in business and key strengths.

  1. Please describe in detail your organization’s experience with large complex clients, including any higher education and public sector clients.

  1. Does your company have any existing relationships (alliances) with the University of California? If so, describe.

  1. Please provide a brief summary of why your organization’s current capability and available solutions fit the needs of UCOP as outlined in this RFI. Please do not exceed four paragraphs.

Work Scope Questions

Question / Response
  1. Provide an overall description of the solution you propose for our Anonymous Hotline.

  1. Provide an overall description of the solution you propose for web-based reporting of incidents.

  1. Provide an overall description of the solution you propose for notification & escalation of reports.

  1. Provide an overall description of the solution you propose for managing our entire investigations portfolio.

  1. Provide an overall description of the solution you propose for reporting, including metrics & benchmarking against higher education institutions & medical centers.

  1. Provide an overall description of the solution you propose for ensuring the security, reliability & availability of our data.

  1. Provide an overall description of the solution you propose for ensuring the scalability & maintainability of your database & systems architecture.

Required Functionality

Instructions: Please specify your ability to provide the requirements listed. In the Availability column, indicate availability by using one of the following codes: