In the past year, compliance issues plaguing higher education touched on nearly every area of academic and social life—public space and free speech, harassment and sexual assault, academic integrity, and athletics. Universities and colleges face a range of significant risks in complying with applicable laws and regulations and require robust compliance programs specifically tailored to address their needs. Above all, a compliance program should be capable of identifying and mitigating a university’s unique risks so that when an issue arises, the institution is prepared to respond quickly and appropriately.
[dropcap]I[/dropcap]n the past year, compliance issues plaguing higher education touched on nearly every area of academic and social life—public space and free speech, harassment and sexual assault, academic integrity, and athletics. Universities and colleges face a range of significant risks in complying with applicable laws and regulations and require robust compliance programs specifically tailored to address their needs. Above all, a compliance program should be capable of identifying and mitigating a university’s unique risks so that when an issue arises, the institution is prepared to respond quickly and appropriately.
In this article, we outline six components of a strong compliance program and provide suggestions on how they can be incorporated.
Leadership. Buy-in from leadership at the highest levels of the university, and deeply within each of the university’s departments, is necessary for sustaining a successful compliance program. A program in name and on paper only is likely to be misunderstood and sidelined, setting up the risk that the opportunity to detect and prevent larger issues is missed. The U.S. Sentencing Guidelines—which provide guidance for the sentencing of individuals and organizations convicted of crimes in federal court—note, in addressing how seriously an organization took its legal obligations, that an organization’s governing authority must be knowledgeable about the content and operation of the compliance and ethics program and must “exercise reasonable oversight with respect to the implementation and effectiveness” of the program. Beyond a university’s Board of Trustees, it is incumbent on leadership (specific high-level personnel such as the president and deans who have substantial control over or role in the making of policy within the administration), as well as department heads and administrators across the university, to communicate the university’s expectations regarding compliance and the critical value of the university’s compliance program and its efforts.
Culture. A culture of compliance should be promoted in all aspects of university life. Again, looking to the U.S. Sentencing Guidelines, an “effective compliance and ethics program” requires that an organization “promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.” A negative culture in one department may impact the seriousness with which compliance is viewed throughout the university. A positive culture may seem to be an intangible aspiration, but there are specific principles a university may consider. For example, a positive compliance culture may be marked by a program that is well-funded, including an adequate number of compliance personnel and a budget for the education and monitoring efforts the compliance personnel need to undertake. Compliance personnel who are independent, have access to key decision makers, have a speaking role in meetings with senior administrators regarding pressing issues, and are well-respected at the highest levels and within university departments are also indications of a positive culture around compliance.
Visibility. Compliance personnel who have genuine visibility into each department’s activities are valuable both in terms of spotting issues and in generating a level of trust with the department to which they are assigned. As an initial step, this requires department personnel to view compliance personnel as legitimate, useful, and aligned with the department’s best interests in the context of the university’s best interests. Training of departmental leadership in providing key information to compliance personnel and affirmatively contacting compliance personnel with questions and concerns is critical. For example, should a dean or university grievance committee receive an email from a student wishing to remain anonymous in alleging sexual assault at a campus party, each person or entity receiving the complaint should know to consult with compliance personnel to ensure the handling of informal and anonymous complaints are appropriate and in compliance with federal law.
Structure and reporting lines. The structure of the compliance program and its position within the administration of a university can fundamentally determine its success. A centralized compliance program allows its personnel to implement university-wide policies, identify patterns of concern, and apply mitigation efforts university-wide. A centralized program also serves as a clearinghouse for information as it is escalated from the departmental level and as it is messaged back to those departments. Meanwhile, a decentralized compliance program can lead to information silos where individual departments attempt to identify and mitigate their own risks with localized policies, training, and investigations. For example, left to its own devices, the athletic department may attempt to investigate and address complaints on its own, without appreciating the legal and compliance risks of the university as a whole, at least initially, in its response. This approach can leave a university open to public criticism, regulatory interest, and litigation.
In addition, clear lines for reporting and accountability can strengthen the status of a compliance program within a university’s administration, although there are multiple methods for achieving such a structure. As long as senior compliance personnel have an independent path to report issues to the university’s Board of Trustees, a variety of reporting structures may be appropriate. The size and complexity of the university’s administration will often determine to whom compliance personnel directly report. For example, compliance personnel may work as part of a central team that reports to a Chief Compliance Officer, who in turn reports to the university’s General Counsel. Alternatively, a university may create a compliance committee of senior-level administrators from each university department, and that committee may report to the Audit Committee of the Board. Regardless of how the compliance organization is structured, the lines of reporting and accountability should be clearly demarcated and publicized so that no one assumes someone else is responsible for identifying and handling particular issues.
Policies, training, and monitoring. A university should have a process in place to update and strengthen its policies on a regular basis as new risks arise. Compliance personnel are better equipped to identify new issues when they regularly and formally monitor the adequacy of the university’s policies and procedures. In addition to having and updating written policies, university compliance programs should provide regular training on the policies; with specific sessions geared to particular departments and risks. The risk of misuse of federal funds from a research grant will be fundamentally different from certain risks germane to an athletic department. Therefore, compliance personnel should conduct university-wide trainings on topics of general relevance, as well as targeted trainings of smaller groups of personnel based on the particular risks and typical issues those personnel face. The ultimate goal served by sound policies, training, and monitoring is to prevent issues before an internal complaint, a whistleblower report, or a law enforcement inquiry comes to fruition.
Incentives and penalties. A university should consider integrating compliance into its performance evaluations, compensation, and disciplinary measures. For example, as part of an annual performance review, an employee’s supervisor can provide an assessment of the employee’s attention to department policies and procedures. Soft rewards—such as positive letters saved to the employee’s performance file—may also be considered. Discipline for compliance breaches—from warnings to suspension to termination—may be effective in preventing non-compliant behavior. A university that plans to incorporate compliance into performance, compensation, and discipline should also ensure that it communicates any new expectations and specific metrics to its employees.
Tailoring a compliance program to a university.
In the end, there is no one formula for sustaining an effective compliance program. The key is to assess the unique risks that the university knows to exist, and the possible risks that could arise in the future. A compliance program should be developed around those risks, and then sustained with substantial support from the highest levels of the university. Of course, in the ideal world, a compliance program will effectively mitigate risks and identify and prevent non-compliance in every aspect of university life. In reality, it is likely that unpredictable and challenging compliance issues will arise. It is especially during those times when a thoughtfully crafted and implemented compliance program will serve a university’s best interests— internally, with regulators, and in the public eye.
Reid Schar and Sarah Weiss are partners with the law firm of Jenner & Block in Chicago. Mr. Schar co-chairs the firm’s Investigations, Compliance, and Defense Practice, and he has taught and lectured at Northwestern University Pritzker School of Law.