The Office of Institutional Compliance (OIC) is charged with maintaining a compliance program that is in alignment with the Federal Sentencing Guidelines’ elements of an effective compliance program. An important component of these criteria is monitoring the effectiveness of an organization's compliance efforts. The Chief Compliance Officer implemented Compliance Risk Reviews (CRR) in the summer of 2017 as a way for the OIC to meet this criterion. This approach to monitoring provides an in-depth look at priority risk areas and fosters a culture of continuous compliance improvement.
Compliance Risk Reviews are a proactive process of collaborative, cross-disciplinary, cross-educational gap analysis and mitigation of the Institution’s compliance efforts. The scope of the CRR varies from a focused look at compliance efforts related to one regulation or policy (e.g. HIPAA) to a broad view across a class of regulations or policies (e.g. privacy regulations).
/Collaboration
Compliance risk reviews align with two elements of effective compliance programs, per the Federal Sentencing Guidelines.
- Risk identification and prioritization
- Monitoring, auditing, and evaluating
Selecting Risk Areas to Review
Identifying risk areas to schedule for review is a collaborative process. Information is gathered from outside resources, such as the Society of Corporate Compliance and Ethics, the B1G Compliance Officer Network, and the Minnesota Compliance Officer Network. Incidents occurring in the compliance arena both locally and nationally are considered. Key regulatory changes and internal compliance and risk management conversations with the University’s compliance partner network, Executive Oversight Compliance Committee, and the Audit and Compliance Committee of the Board of Regents also influence which risk areas are on a regular schedule for review. As of 1/1/18, there are 34 risk areas that are planned for review in a 5-year cycle. Other risk areas are identified as reviews to be conducted “as needed.” This list can change depending on a number of factors.
- Purchasing
- Athletics - Title IX
- Campus Safety
- Conflicts of Interest
- Discrimination and Affirmative Action
- Biological & Lab Safety
- Food Safety
- Occupational Safety
- Export Controls
- Housing ADA
- Cybersecurity
- Acceptable Use - Information Technology
- International Activities & Programs
- Programs Involving Minors
- HIPAA
- Program Integrity Rules
- Animal Research
- Accounts Payable
- Athletics - NCAA Compliance
- Clinical Services
- Disabilities and Accommodations
- Donors and Gifts
- Environmental Safety
- Hazardous Materials
- Controlled Substances
- Financial Aid
- Housing - Title IX
- Immigration/International Students & Employees
- Intellectual Property/Technology Transfer
- Lobbying and Political Activities
- FERPA
- Privacy - Patients
- Human Participant Research
- Sexual Misconduct
Prior Process
The CRR process replaces what was known as the “Legal-Compliance Reporting Process (LCRP).” LCRP had been used by the University for more than 12 years as a method of monitoring compliance efforts through a system of self-reporting. This process had its strengths, but was retired in favor of a more collaborative process between compliance stakeholders and the OIC. We believe that the collaborative, cross-disciplinary, cross-educational elements of the CRR process make it far more effective.
Key tasks and timeline
Timeline | Key Activities |
---|---|
Weeks 1-3 |
Templates
Samples
- Animals in Research (.pdf)
- Campus Safety, Including Clery (.pdf)
- Disability Accommodations (.pdf)
- Donors and Gifts (.pdf)
- Export Controls (.pdf)
- Housing - Title IX (.pdf)
- Information Security: Acceptable Use (.pdf)
- Intellectual Property and Technology Transfer (.pdf)
- International Activities (.pdf)
- Lab Safety (.pdf)
- Lobbying and Political Activities (.pdf)
- Privacy - Patients (.pdf)
- Privacy - Students (.pdf)
- Purchasing (.pdf)
- Safety of Minors (.pdf)
Questions?
If you have questions about the Compliance Risk Review process, please contact the Chief Compliance Officer.