
Compliance and Ethics Programming for Small Campuses

Date post: 19-Jul-2020
5/8/2012 1 Compliance and Ethics Programming for Small Campuses SCCE – Higher Education Conference Austin, TX June 2012 Mark Meaney Director, Ethics and Compliance Office of Ethics, Compliance and Audit Services University of California, Office of the President Presenting Barry Long Director, Internal Audit & Advisory Services University of California, Santa Cruz
Transcript
Compliance and Ethics Programming for Small Campuses

SCCE – Higher Education Conference
Austin, TX
June 2012

Mark Meaney
Director, Ethics and Compliance
Office of Ethics, Compliance and Audit Services
University of California, Office of the President

Presenting

Barry Long
Director, Internal Audit & Advisory Services
University of California, Santa Cruz

Leveraging Resources through Effective Communication across Risk Disciplines

Overview

The University of California (UC) systemwide Ethics and Compliance Program
– regulatory environment (the problematic)
– commitment (the response)
– infrastructure (decentralized environment)

A small campus implementation – UC Santa Cruz
– constraints and vision
– keys to establishing workgroup
– strategy implementation

Next steps
– full involvement and maturing reporting protocol

The Problematic: Regulatory Bodies and Requirements Impacting UC

FERPA, Patriot Act, SEVIS, Clery Act, CLIA, HHS, OHRP, DOE, OMB, GLBA, PCI DSS, ADA, DMCA, OIG, CMS, NCAA, HIPAA, IRS, EPA, OSHA, ITAR, EAR, FPPC, DOL, FMLA, EEO, USDA, FDA, DOJ, DOT, NIH, NSF*

*Including but not limited to the agencies listed

The Response

July 2008, the UC Regents established the University of California Systemwide Ethics and Compliance Program

• To demonstrate the University’s commitment to ethical and lawful behaviors;
• To support faculty, staff and student compliance with state and federal law, Regents’ policies, and UC policies;
• To promote adherence to the University of California Statement of Ethical Values and Standards of Ethical Conduct;
• To help people recognize and respond appropriately to situations that might arise at the University, and
• To support prevention, detection and resolution of conduct that does not conform to applicable laws and/or UC policy.

The UC Systemwide Ethics and Compliance Program

The Office of Ethics, Compliance & Audit Services (ECAS), University of California, Office of the President, administers the UC Systemwide Ethics & Compliance Program in partnership with other University functions.

• The Office has adopted an enterprise risk-based approach to the “Seven Elements”
• Ethics & Compliance, Internal Audit, HR, Legal, Risk Services

1. Standards of Conduct & Policies and Procedures
2. Oversight & Governance
3. Education & Training
4. Communication & Reporting
5. Enforcement & Screening
6. Auditing & Monitoring
7. Response & Prevention

UC Ethics and Compliance Program

[Organization chart]

The Regents’ Committee on Compliance & Audit
UC President
SVP-Chief Compliance & Audit Officer

Systemwide & UCOP
UC Berkeley
UC Davis
UC Irvine
UC Los Angeles
UC Merced
UC Riverside
UC San Diego
UC San Francisco
UC Santa Barbara
UC Santa Cruz

UCSC - Small Campus Profile

• UCSC is one of the smallest campuses in the 10-campus UC system
• $596M operating budget
• Approximately 16,600 students and 3,700 faculty/staff
• The campus Vice Chancellor for Business and Administrative Services also serves as Campus Ethics and Compliance Officer (CECO).

No dedicated resource for ethics and compliance program

Small Campus Constraints and Vision

Challenges
• Funding constraints
• No dedicated resources
• Compliance responsibilities are added to existing duties at all levels
• Each unit has its own perspective on risk and compliance

Advantages
• Fewer layers of management
• Improved/direct communication
• Trust/established relationships
• Forced to leverage resources

Creating the Vision and Framework at UCSC

• CECO support needed
• Vision of mid-level working group
• Identify success cycle and information sources
• Understanding roles and identifying key functional leaders
• Establishing reporting framework
• Formation of ERMCP workgroup
• Communicating the vision

The Risk and Compliance Success Cycle

INTEGRATION OF ENTERPRISE RISK AND COMPLIANCE

Considering Risk and Compliance Informational Sources

[Diagram labels: ERMCP Working Group, Central Offices, Internal Audit, Campus Units, Process Owners, Risk Services, Controllers Office, Campus Committees, UCOP/ECAS]

Understanding Roles in Managing Risks

Identification of Key Functional Leaders

[Organization chart labels: Executive Committee, Management Committee, Process Owners; boxes labelled Executive Director/Director and Department Director/Manager]

Functional Protocol between Campus Groups

Formation of ERMCP Workgroup

ERMCP Mgmt. Committee

CAMPUS-WIDE RISK ASSESSMENT, MONITORING & AUDITING
COMMITTEE REPRESENTATION
Internal Audit Director

RISK AREAS MONITORED/MANAGED BY INDIVIDUAL CAMPUS UNITS
COMMITTEE REPRESENTATION
EVC Office / Info Practices/Privacy. Conflict of interest/Info practices coordination/Privacy
Ethical behavior: Title IX/Sexual Harassment
Information protection and Information technology security: ITS client services and security director

RISK AREAS MONITORED/MANAGED BY CENTRAL CAMPUS OFFICES
COMMITTEE REPRESENTATION
Financial compliance: Campus controller
Human resources compliance/whistleblower/Title IX: SHR Asst. VC
Student welfare, conduct, & financial aid services compliance: Colleges, Housing & Educational Svcs. Asst. VC

Risk Areas Monitored/Managed Jointly
Committee Representation
Safety, emergency management, business continuity, liability, property and key personnel risk: Public Safety & Risk Services AVC, Police & Fire chief, Risk services director
Health, safety, environmental compliance and loss prevention: EH&S director
Research compliance: Research compliance director

Communicating the Vision

Keys to Operating an Effective Working Group

• Communicating committee charge and expectations
• Establishing ground rules for workgroup discussions
  – Confidentiality
  – Safe place
  – Internal audit partner
• Defining risk and understanding risk perspectives
• Developing trust through respectful dialogue and common goal

Establishing trust is key to a successful risk working group

Creating ERMCP Charge

Committee Mission

The Enterprise Risk Management & Compliance Program (ERMCP) is intended to provide the campus with an effective infrastructure and processes to identify and manage significant risks, including the risk of non-compliance with laws, regulations, policies, and contractual obligations.

Risk Assessment Perspectives - Article


Understanding Risk Perspectives by Discipline

Internal Audit: Considers the efficiency and effectiveness of an organization’s governance, risk management, and control activities in meeting its objectives

Risk Services: Considers the risks across the organization as events or opportunities that can be optimized from a perspective of asset protection and cost savings

Compliance: Considers the health of the ethical culture, management of significant issues, and compliance with laws and regulations

Initial Step in Risk Assessment
• Identification of a resource at risk plus an event
• Identification of potential regulatory compliance risks
• Identification of the entity or process objectives

Work Group Operations

• Monthly meetings
• Roundtable ID and discussion on risks
• Establishment of risk database
• OptionFinder risk polling sessions
• Specialty subgroups charged to research risk areas, prepare risk mitigation plans, and report back to the workgroup

UCSC ENTERPRISE RISK MANAGEMENT AND COMPLIANCE PROGRAM DECEMBER 2011 STRATEGY IMPLEMENTATION UPDATE

ENTERPRISE RISK MANAGEMENT AND COMPLIANCE PROGRAM MANAGEMENT COMMITTEE – DECEMBER 2011

1. Risk identification and tracking: Enterprise risks are continually identified by UC and UCSC offices and monitored by the ERMCP Mgmt Committee (MC)

2. Preliminary risk assessment: The MC performs a preliminary evaluation of each risk twice a year and identifies high priority risks warranting further review

3. Establishing a common understanding of each key risk: One or more MC members sponsor each high priority risk and brief the full MC, providing background, describing risk factors and predicting consequences

4. More thoughtfully reassessing and prioritizing each key risk: The MC evaluates each high priority risk based on urgency and consequence to determine which it believes are most important for the campus to address

5. Developing a risk mitigation strategy: The risk sponsor prepares an analysis and mitigation plan for presentation to the MC and Executive Committee (CECRC)

6. Deciding if the risk and mitigation strategy should go to the Campus Ethics & Compliance Risk Comm/ERMCP Executive Comm.: Each risk analysis and mitigation plan is presented to the MC meeting seeking a recommendation that it be forwarded to the CECRC

7. ERMCP Exec. Comm./CECRC receives risk analysis and mitigation strategy and takes action. Proposed: Pertinent CECRC/Exec subcommittees review the risk and mitigation plan and forward analysis and recommendation to the full CECRC

UC COMPLIANCE PROGRAM

ERMCP puts forward compliance risks for reporting to the UC Ethics and Compliance Office and inclusion in the Annual Campus Compliance Plan

[Diagram labels: UCSC, UCOP, RISK, COMP, Compliance, INVENTORY, RETURNS]

RISK INVENTORY

RISKS BEING MONITORED AND PERIODICALLY REEVALUATED (Unprioritized)
• Hazard risks
• Operational risks
• Compliance risks
• Financial risks
• Strategic risks
• Reputation risks

NEWLY IDENTIFIED RISKS PENDING PRELIMINARY REVIEW
• Lack of understanding the full extent of the behavioral health needs of the UCSC community
• Veterans and disability outreach compliance
• Assignment of responsibility for ensuring compliance
• Significant increases in workers compensation cases
• Lack of a formally defined campus fraud risk management program

RISK ANALYSIS AND MITIGATION PLAN IN DEVELOPMENT (Unprioritized)
• Restricted data maintained on department-managed or individual workstations
• Workplace violence/domestic terrorism
• Suitability for employment
• Restricted/sensitive data maintained in mobile devices
• Building water leak detection and reporting
• Laboratory safety
• Facility physical security systems (pending)

SCHEDULED FOR EXECUTIVE COMMITTEE (CECRC) ANALYSIS AND PRESENTATION
• Restricted data maintained on department-managed or individual workstations

ANALYSIS AND MITIGATION PLAN UNDER REVIEW BY MANAGEMENT COMMITTEE
• Restricted data maintained on department-managed or individual workstations
• Workplace violence/domestic terrorism

UC ETHICS AND COMPLIANCE OFFICE REPORTING AND CAMPUS ANNUAL COMPLIANCE PLAN
• UCSC Annual Compliance Plan Fiscal Year 2011-12

Annual Compliance Plan
Fiscal Year 2010-2011

Next Steps

• Analyst position to support committee
• Support and integration with Academic Community
• Mature reporting protocol to executive committee

Maturity Model: The Convergence Evolution

Better Alignment of Ethics & Compliance, Internal Audit and Risk Management

Step 1: Emerging
Reactive
Panic
• Get it done!
• Operate in silos
• Deploy resources as necessary from wherever

Step 2: Evolving
Anticipative
Acceptance
• Efficiency
• See connections between work of various risk disciplines
• Automation
• Plan future approach

Step 3: Maturing
Collaborative
Coordination
• Comprehensive risk profile
• Prioritization of risk mitigation activities
• Use risk data components for multiple purposes

Step 4: Mature
Predictive
Manage in Unison
• Analysis of objectives
• Analytics of historical risk data and environmental conditions
• Complete visibility of risk
• Metrics based on predictive modeling
• Behavioral outcomes in relation to modeling
• Improved decision-making

Tactical
Strategic
Maturity often varies by scale

Maturity Model: The Convergence Evolution at the Campus Level

• No organizational compliance process and systems
• “Put out fires” mentality
• Silos among risk disciplines

• “Planning” mentality
• Greater integration among risk disciplines
• Creation of mid-management compliance risks committees reporting to CECRC

• Comprehensive campus risk profile

• Collaboration on risk mitigation activities

• Behavioral outcomes

?

