Framework, Executive Summary, and Monitoring 2023-2024
Introduction
UM’s commitment to legal and regulatory compliance is integral to fulfilling its vision and mission. Compliance in a highly decentralized higher education environment is complex. The University is subject to hundreds of state and federal laws and regulations, and each of UM’s thousands of employees has varying levels of responsibility for ensuring compliance with one or more of these laws and regulations. The Director of Institutional Compliance guides and supports a consistent framework to ensure that UM employees are coordinated in their compliance roles and responsibilities. This document describes UM’s Institutional Compliance Framework and provides an executive summary of baseline observations from the first year of the program.
Institutional Compliance Framework
The Federal government expects entities like colleges and universities to “promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law” and to “exercise due diligence to prevent and detect” wrongdoing. Through the United States Sentencing Guidelines (USSG), the Federal government has provided guidelines for establishing and maintaining an effective compliance program. UM’s Compliance Framework reflects the essential elements of an effective compliance program identified by the USSG. Each Program of Compliance and each Compliance Matter Area should carry out their compliance obligations factoring in the five elements of this Framework in their work and planning:
- High Level Oversight: University Leadership and Ultimately Responsible Parties have the obligation to set the expectation and provide the support needed to ensure UM has a robust compliance program. This means University Leadership will be aware that specific individuals who are appropriately educated about their role have been delegated operational responsibility for each Compliance Matter Area and Leadership will provide the necessary support and tools for those individuals to fulfill their roles.
- Standards, Policies and Procedures: The University will establish reasonable standards, policies, and procedures to facilitate full compliance with Board of Regents policy, Montana state law, and federal law. These policies should be in writing, easy to locate, understandable, reviewed, and reasonably updated. They should be appropriate to each Compliance Matter Area.
- Communication, Education and Training: University Leadership and Ultimately Responsible Parties should periodically communicate the University’s standards, policies, and procedures to the campus community by conducting effective training programs and otherwise disseminating information appropriate to individual roles and responsibilities, and as required by relevant law and policy. Communication should include how to identify and report concerns of non-compliance without fear of retaliation.
- Monitoring and Mitigation: The University will take reasonable steps to ensure that its ten Programs of Compliance are using the Framework in an effective and flexible way. This includes periodic monitoring of Compliance Matter Areas to understand the state of its compliance program and efforts to mitigate risks.
- Reporting, Response, and Culture of Accountability: The University will provide informal and formal systems, such as an anonymous hotline, to employees so they may report compliance concerns or seek guidance regarding potential or actual misconduct without fear of retaliation. The University will have a system(s) to respond appropriately to reports and to take actions to prevent further similar conduct which may include sanctions or discipline.
Programs of Compliance, Compliance Matter Areas, & Compliance Matrix
UM’s Institutional Compliance Program is organized around ten “Programs of Compliance.” The Director of Institutional Compliance maintains a matrix identifying the “Compliance Matter Areas” within each of the ten Programs of Compliance:
- Accreditation,
- Advancement,
- Athletics,
- Business Operations,
- Campus Safety and Health,
- Civil Rights,
- Financial Aid,
- ʰ,
- Research Compliance,
- Student Affairs.
The Compliance Matrix is an internal tool for the University to connect compliance requirements with the responsible offices and contacts to help manage UM’s legal and regulatory requirements more effectively in our decentralized environment.
The ten Compliance Programs are further divided into fifty-eight (58) Compliance Matter Areas. The Compliance Matter Areas will evolve over time as laws and regulations are not static. Compliance Matter Areas typically have one office with a specifically assigned employee(s) responsible for the day-to-day or operational tasks associated with the compliance obligation(s), and each Compliance Matter Area carries out its compliance obligations factoring in the five elements of the Framework in its work and planning.
Institutional Compliance Initiatives
This year (fiscal year 2023-2024) was the inaugural year of the UM Institutional Compliance Program. The Director of Institutional Compliance met with the subject matter expert in nearly all of the 58 Compliance Matter Areas to elicit information describing how they operationalize the compliance framework for their program. The Director of Institutional Compliance also worked with colleagues across campus to provide needed guidance and support. Highlights of the work this year include:
- Building baseline understanding of campus compliance programs
- Creating Institutional Compliance Website, /compliance/
- Updating the internal Compliance Matrix
- Review of roles, responsibilities, structures, and practices related to specific compliance risks
- Development of policies, procedures, and other documents
- Identification of training initiatives, needs, and other efforts to foster learning and open communication related to compliance matters
- Facilitation of cross-sector collaborations, communication and work plans involving complex regulations (e.g., Higher Education Act communication, State Authorization and Program Licensure, Gainful Employment Reporting)
- Accreditation support in developing new procedures and convening a work group focused on identity verification
- Deeper dive into specific regulations
Executive Summary of Year 1 Framework Observations
Summary Introduction
The UM employees serving as subject matter experts guiding complex regulatory processes are UM’s unsung heroes. Individuals in these roles have a strong commitment to ethical and compliant practices because they know their work ensures the ability of UM to meet its mission and vision which translates into how UM can serve students and support teaching, scholarship, and research. They also face a high degree of pressure as they are the ones who must respond to regular, scheduled, and unscheduled audits and visits from federal and state agencies and must often sign assurances that the entire university complies with certain laws and obligations.
Administration and Oversight
Many Compliance Programs require personnel within those programs and compliance matters to obtain specific training by law or best practice, so retention of highly trained and/or specialized individuals is key. As an example, UM’s procurement team must complete state-provided training to access state procurement data. Across campus, compliance programs intentionally develop roadmaps of career growth through training. For example, IT, Research Compliance, and the Registrar’s Office link training with career ladders to support office function and retention. Many of UM’s compliance programs do not have a deep bench of personnel with the expertise necessary to ensure compliance. Compliance Programs, however, are uniformly aware of the risk caused by any lack of capacity and mitigate this risk through cross-training.
Observation: UM executive leaders set the “tone at the top” by supporting compliance through resources for training and career ladders as well as deliberate cross-training efforts.
Standards, Policies and Procedures
Many Compliance Programs currently have key university policies in place in addition to area-specific protocols that support compliance. Compliance Programs are actively mitigating risks by continuously identifying areas where policy gaps exist. Examples of this include NAGPRA and the Clery arena, where teams have identified needs for institutional policy (the Director of Institutional Compliance is assisting with both policies). Additional mitigation strategies include UMLCC’s Policy Initiative. Under its Policy Initiative, UMLCC will increase communication and resources about policies and procedures by creating a webpage dedicated to university-wide policies and procedures. It will implement a standardized and easy-to-follow process for policy review, maintenance, and policy initiation, which are key tools for compliance.
Observation: Policies and procedures provide a snapshot of values and a roadmap for day-to-day operations. They ensure compliance with laws and regulations, give guidance for decision-making, and streamline internal processes. Campus leaders may embed questions about policy in their decision-making processes: “Do we have an existing policy we need to follow, or do we lack a policy, but need one to ensure consistency?”
Education, Communication, and Training
Compliance Programs and their Compliance Matter Areas often need to reach outside their program to the broader UM community to provide critical education or request engagement by campus stakeholders. Education may be for all employees or may be for a subset of employees. This education may be required periodically. Knowledge should be assessed, and participation should be tracked. Critical compliance education typically provides an overview of obligations flowing from laws, regulations and policies, flags UM values, creates a positive workplace, and reduces risk of harm. Examples of critical compliance education for employees include things like Cyber-Security, Non-Discrimination, ADA practices, Ethics/Fraud/Conflict of Interest, and Privacy/FERPA training.
Besides broad-based critical compliance education, many Compliance Programs require specialized training for employees engaging in certain types of work. Examples include specialized training for those involved with sponsored research, jobs with workplace safety requirements, Campus Security Authority Training, HIPAA training and certain IT systems training. Areas with targeted audiences such as in research and safety are very successfully using platforms such as CITI to reach individuals, provide training modules, and track participation. Increased communication through the institutional compliance program recognized that tools such as CITI can be leveraged to meet broader compliance training needs.
Communication also includes requests for engagement by campus stakeholders. Examples of engagement and responses include required Conflict of Interest surveys to all employees, federal Section 117 Reporting, and program-based accreditation queries.
Observation: Compliance training is an area of opportunity for UM especially as the People and Culture Sector is working to strengthen on-boarding practices and learning how NeoEd can serve as a tool for employee outreach, housing content and tracking participation. Compliance training makes UM a better workplace and a more welcoming culture. It enables people to have the tools to do their work. UM may consider how compliance needs and educational enterprises can be expressed dynamically in its internal communications planning and outreach.
Monitoring and Mitigation
Compliance programs across UM are in constant cycles of monitoring and mitigation due to things like internal safeguards, standardized audit cycles, accreditation reporting, and site visits by federal and state auditors, program partners, and UM’s internal audit program. Examples of regular partner visits occur in international programs related to our international students and scholars. Sponsored research similarly has regular audits of their program. In addition, UM experiences investigative reviews instigated by federal partners.
Observation: Creating a consistent process that begins when entities receive word of anticipated monitoring could strengthen UM’s ability to support the Subject Matter Experts tasked with the associated work and ensure UM is able to appropriately respond after shared communication with partners and leadership.
Reporting and Response
UM has policies and procedures that empower employees to report compliance concerns. These policies enable employees to report policy violations or concerns to supervisors without retaliation. In addition, and when appropriate, employees should, and do, have access to specialized offices such as Research Compliance, the HIPAA Officer, the Title IX Coordinator, the ADA Coordinator, the Equal Opportunity Officer, union representatives, and others in People and Culture. In addition, UM employees have access to the MUS compliance hotline where they can make anonymous reports on various concerns. The Board of Regents’ Policy has UM’s auditor overseeing the campus process associated with the MUS compliance hotline. UM takes steps to respond to all concerns raised. Records are typically maintained in the responding office whether concerns are raised by the hotline or through other methods.
Observation: Communication to the campus about resources and reporting options is critical, especially as key campus offices such as People and Culture, the Conflict, Resolution and Policy Office, the Dean of Students Office and CARE team have undergone transition. Communicating where, how and to whom to report concerns is a key aspect of UM’s compliance with its legal obligations.