Compliance Risk Reviews

Overview

The Office of Institutional Compliance (OIC) is charged with maintaining a compliance program that is in alignment with the Federal Sentencing Guidelines’ elements of an effective compliance program. An important component of these criteria is monitoring the effectiveness of an organization's compliance efforts. The Chief Compliance Officer implemented Compliance Risk Reviews in the summer of 2017 as a way for the OIC to meet this criterion. This approach to monitoring provides an in-depth look at priority risk areas and fosters a culture of continuous compliance improvement.

Compliance Risk Reviews (CRR) are a proactive process of collaborative, cross-disciplinary, cross-educational gap analysis and mitigation of the Institution’s compliance efforts. The scope of the CRR varies from a focused look at compliance efforts related to one regulation or policy (e.g. HIPAA) to a broad view across a class of regulations or policies (e.g. privacy regulations).

Continuous compliance improvement process

Compliance risk reviews align with two elements of effective compliance programs, per the Federal Sentencing Guidelines.

  • Risk identification and prioritization
  • Monitoring, auditing, and evaluating

Identifying risk areas to schedule for review is a collaborative process. Information is gathered from outside resources, such as the Society of Corporate Compliance and Ethics, the B1G Compliance Officer Network, and the Minnesota Compliance Officer Network. Incidents occurring in the compliance arena both locally and nationally are considered. Key regulatory changes and internal compliance and risk management conversations with the University’s compliance partner network, Executive Oversight Compliance Committee, and the Audit and Compliance Committee of the Board of Regents also influence which risk areas are on a regular schedule for review. As of 1/1/18, there are 34 risk areas that are planned for review in a 5-year cycle. Other risk areas are identified as reviews to be conducted “as needed”. This list can change depending on a number of factors.

  • Purchasing
  • Athletics - Title IX
  • Campus Safety
  • Conflicts of Interest
  • Discrimination and Affirmative Action
  • Biological & Lab Safety
  • Food Safety
  • Occupational Safety
  • Export Controls
  • Housing ADA
  • Cybersecurity
  • Acceptable Use - Information Technology
  • International Activities & Programs
  • Programs Involving Minors
  • HIPAA
  • Program Integrity Rules
  • Animal Research
  • Accounts Payable
  • Athletics - NCAA Compliance
  • Clinical Services
  • Disabilities and Accommodations
  • Donors and Gifts
  • Environmental Safety
  • Hazardous Materials
  • Controlled Substances
  • Financial Aid
  • Housing - Title IX
  • Immigration/International Students & Employees
  • Intellectual Property/Technology Transfer
  • Lobbying and Political Activities
  • FERPA
  • Privacy - Patients
  • Human Participant Research
  • Sexual Misconduct

The CRR process replaces what was known as the “Legal-Compliance Reporting Process (LCRP).” LCRP had been used by the University for more than 12 years as a method of monitoring compliance efforts through a system of self-reporting. This process had its strengths, but was retired in favor of a more collaborative process between compliance stakeholders and the OIC. We believe that the collaborative, cross-disciplinary, cross-educational elements of the CRR process make it far more effective. For questions, please contact the Chief Compliance Officer, Boyd Kumher.

Timeline and Key Activities
Weeks 1-3
  • Office of Institutional Compliance (OIC) researches the subject matter (risk area)
  • OIC drafts the topic-specific risk assessment tool and identifies participants/compliance partner for the risk
  • Reviews internally within OIC and adjusts the scope of the assessment, as needed
Week 4
  • Compliance partner and OIC meet (90-120 minutes) and discuss the overall process
  • Review scope, tool, and proposed timeline for this specific tool
Weeks 5-7
  • Compliance partner reviews the draft risk assessment tool
  • Prepares recommendations for adjusting scope, tool, timelines
  • Compliance partner and OIC meet to go over recommendations and rationale
Weeks 8-13
  • Compliance partner completes the self-assessment
  • Submits to OIC
Weeks 14-16
  • OIC reviews the responses to the self-assessment
  • Meets (60 minutes) with compliance partner to discuss – identify gaps/corrections
  • In-field verification completed, if needed
Weeks 17-20
  • Follows up on any outstanding matters
  • Summarizes the outcomes and reports to the President, Executive Oversight and Compliance Committee, and others as needed