Tufts University


AUDIT & MANAGEMENT ADVISORY SERVICES (AMAS)

Institutional Compliance

What is Institutional Compliance?

Institutional Compliance is an initiative to provide better coordination, management and monitoring of the risks associated with federal, state and local laws and regulations. While Tufts has individuals responsible for monitoring compliance with specific laws and regulations in various areas of operations, Institutional Compliance helps to promote a University-wide perspective to ensure that all significant compliance risks are being addressed and well managed. Institutional Compliance also helps to promote a culture of compliance and ethics consistent with Tufts’ Business Conduct Policy.

How does Institutional Compliance accomplish these objectives?

Institutional Compliance accomplishes these objectives through:

  1. helping to improve the infrastructure that supports regulatory compliance
  2. promoting compliance education and training
  3. facilitating compliance with specific areas of regulation
  4. facilitating the assessment of compliance risks
  5. developing risk mitigation strategies
  6. monitoring compliance with specific laws and regulations
  7. communicating significant new or revised regulations to the appropriate officials

Why is Institutional Compliance Needed?

Laws and regulations affecting universities have become increasingly complex. Certain major universities have experienced adverse publicity in the press and incurred substantial fines for research, environmental health and safety, employment, student aid and other types of compliance violations. This has led to a movement where nearly all the major research institutions have initiated some form of compliance program.

Is there guidance for Institutional Compliance?

Guidance for institutional compliance has been developed in recent years. In 1991 the U.S. Sentencing Guidelines for Organizations first described the elements for effective compliance and further expanded them in 2004. The University of Texas system contributed substantially to compliance in higher education in the late 1990s when a compliance program was mandated by the Texas Board of Regents throughout the UT system after several significant compliance failures. The National Association of College and University Business Officers first published a model program for higher education in 2000. The National Institutes of Health began issuing compliance guidance for various types of organizations in 1998 and specifically for its grant recipients in 2003. In early 2005, the first integrated framework for compliance and ethics was published by the Open Compliance and Ethics Group, a not-for-profit organization. There are other sources as well.

With all of this guidance, what do we follow?

Fortunately, most compliance guidance is broad and has common themes. Institutional compliance is a long-term process, and there is no single solution that works for all organizations. The common or core elements for institutional compliance are:

  1. Risk Assessment: All activities are systematically evaluated for compliance risks. A process is instituted to ensure risks are regularly evaluated. Controls are matched to the severity of risk.
  2. Responsible Parties and Roles: Roles and responsibilities for compliance risk areas are clearly defined and documented. Individuals are adequately empowered to carry out their responsibilities.
  3. Standards and Procedures: Compliance standards, practices and procedures are written, clearly established and reasonably designed to reduce the risk of non-compliant conduct. Clear standards of conduct are established and widely distributed.
  4. Program Oversight: A compliance officer and other appropriate bodies (e.g., compliance committees) are designated and charged with the responsibility for developing, operating, and monitoring the compliance program, with authority to report directly to the Board and/or the President/CEO.
  5. Awareness, Education and Training: Compliance standards and procedures are effectively communicated, and the institution ensures that responsible individuals receive timely and appropriate education and training.
  6. Lines of Communication: An effective method of communication is developed between the compliance function and all employees, including a “hot line” to receive complaints, as well as a mechanism to respond to questions.
  7. Monitoring and Auditing: Systems are implemented to detect non-compliant conduct and identify problem areas.
  8. Enforcement: Standards are consistently enforced through identification of non-compliance and appropriate consequences based upon clear and specific disciplinary policies.
  9. Corrective Action: Systems effectively ensure prompt investigation of non-compliance, reporting where appropriate, and proper responses to prevent similar breakdowns in the future.

Have all these elements been implemented by institutions of higher education which have established institutional compliance?

Not across the board. Implementing these elements is done by degree as part of a long-term process. We continually look for ways to improve each of the elements. In some respects, it is a moving target as the principles for good compliance evolve.

What are some major areas of regulatory compliance?

For research universities, some of the most significant compliance laws and regulations are in the area of sponsored research. This includes the use of human subjects and animals in research; research policy such as research misconduct and conflict of interest; grants administration; laboratory safety; and licensing technology obtained through research. For all educational institutions, student financial aid, privacy and security of records are important. Federal and state regulations governing non-discrimination, employment and finance are also significant.

If I think there is a non-compliance issue, what should I do first?

Tufts has developed a policy for reporting significant instances of suspected non-compliance:

http://finance.tufts.edu/?pid=13

You should become familiar with this policy and follow its guidance. In general, suspected instances of non-compliance should first be reported to the appropriate University manager responsible for enforcement and monitoring the issue. The policy provides a mechanism for reporting significant instances of suspected non-compliance through an anonymous link when other options have been exhausted or you feel uncomfortable discussing the matter with a supervisor or responsible manager.


©2006 Tufts Audit & Management Advisory Services