Keeping in mind the heuristic nature of the real world (see Some Thoughts on Strategy: The Heuristic Model), it is useful to have a model to use in developing the compliance program. The model in Figure 1 represents the compliance model that forms the basis for evaluating the BYU–Hawaii compliance program.
Figure 1 - The Compliance Model
This model is based on the requirements of the Federal Sentencing Guidelines.
Management Commitment
Management commitment is the key to the overall success of the compliance model.
Management commitment is exhibited by the allocation of time, money, and resources to achieve the compliance goals set forth by the institution. Without strong management commitment, the compliance model cannot advance to the steps of training, implementation, and monitoring. In addition, management must be knowledgeable in the various facets of the compliance program and must provide appropriate oversight and supervision of the program.
Establish Standard
The next three elements can be described as establishing an institutional standard. The FSG requires that the organization “establish standards and procedures to prevent and detect criminal conduct.” To do this, the organization must
Identify Requirements. This includes gaining an understanding of which laws and regulations are applicable to BYU–Hawaii and becoming familiar with the requirements of those laws. A complete listing would be daunting and probably ineffective. We should, however, identify those areas of law that represent the greatest risks to the institution and recognize that identifying and addressing significant compliance risks is a continuous process.
It is helpful to categorize our compliance requirements into broad areas; for example, the requirements associated with the Clery Act might be considered part of the overall Campus Security area, while FERPA and the Payment Card Industry Data Security Standard (PCI DSS) might be included in the general area of Information Security. See the Compliance Universe table in Section 3 for the compliance area structure used by BYU–Hawaii.
There are several resources to assist with this element. One, focused primarily on institutions of higher education, is the Campus Legal Information Clearinghouse maintained by The Catholic University and the American Council on Education. It is also useful to develop a standard for capturing information and research about specific areas of the law. See the Research Memo resource at the end of this section for an example.
There is also a useful Continuous Risk Assessment model (see the resources at the end of this section) that can help with identifying and prioritizing compliance risks.
Define Institution Standards. This includes determining how the institution will address the laws and regulations, including the policies and procedures that will govern the institution’s compliance efforts; essentially, translating the law into actionable policies and procedures. Like all the elements of the compliance program, this is an ongoing process. It involves identifying the requirement, understanding who in the organization should own the requirement, identifying or developing appropriate institution standards for compliance, and gaining consensus on the implementation of those standards.
Document Policies and Procedures to Implement Standards. Once the institution standards have been developed, they should be formalized into policies. Policy documentation should be formal and should be accessible (easy for users to find and understand), relevant, accurate, and current. Processes should be established to ensure the policies and procedures are comprehensive enough to cover the applicable laws and are periodically reviewed to ensure their continued effectiveness. This element includes the policy development and deployment process, standards for the content and presentation of policies and procedures, and the process for reviewing and updating them. An example of a suggested policy/procedure format using an institution’s intranet can be seen in the resources at the end of this section.
Communicate Standards, Policies, and Procedures
The FSG requires institutions to “communicate [the] standards and procedures, and other aspects of the compliance and ethics program, to the individuals [employees] appropriate to [their] respective roles and responsibilities.” Communicating the standards, policies, and procedures may take many forms. Generally, institutions establish formal documented policies and procedures and a code of conduct and ethics that summarizes the primary compliance elements of those policies and procedures. Additional training, both formal and informal, as well as other forms of communication, will be needed. Like all the elements of an effective compliance program, communicating standards, policies, and procedures is a continuous process.
Implement Policies and Procedures
“The organization shall take reasonable steps to ensure that the organization’s compliance and ethics program is followed.” An institution must not only articulate its commitment to good governance, compliance, and risk management principles; it must integrate these concepts into the culture of the institution. It is not sufficient to have policies and procedures in place; they must be documented, well communicated, and enforced. Implementing policies and procedures includes publishing them, informing the university community of them, providing training where appropriate to the employees who are expected to follow them, and monitoring to ensure they are understood and followed.
Monitoring and Auditing to Ensure the Effectiveness of the Compliance Program
The FSG requires “monitoring and auditing to detect criminal conduct; to evaluate periodically the organization’s compliance and ethics program, and to have and publicize a system. . . whereby the organization’s employees may report criminal conduct. . . without fear of retaliation.” Central to any continuous improvement program is reviewing results to ensure they achieve the desired goals. Compliance programs should be reviewed on at least three levels: individual, entity, and institution.
Individual monitoring is accomplished informally by employees as they perform their work. Employees who are well trained and aware of the compliance requirements should monitor their own work and that of others around them, noting any potential compliance failures and addressing them immediately. An institution’s employees are its first and best tool for ensuring compliance.
Entity-level monitoring is a more formal process of identifying key compliance requirements, developing monitoring programs, and conducting periodic or continuous assessments to ensure the primary elements of the law are being followed.
Institution monitoring and auditing are generally conducted by a central function, either the internal audit department or the compliance function, or a combination of both. Institution monitoring typically will evaluate the overall adequacy of the compliance program and its components.
Although they often use similar tools, monitoring and auditing are different concepts. The primary differentiating characteristics are independence and objectivity.
Auditing: Auditing is generally a formal process, conducted by certified audit professionals independent of the area being audited, and following established auditing standards. Accountability for audit activity is generally to the Chief Audit Executive and the audit committee of the Board of Directors or Trustees.
Monitoring: Monitoring is often a less structured process which may employ audit tools and techniques, but may be conducted by operations or compliance personnel as a means of measuring compliance effectiveness. Accountability for monitoring is often to the cognizant management responsible for the compliance program, but may also be to a compliance committee of the Board of Directors or Trustees.
Resources
Following are resources that assist in understanding this element of the BYU–Hawaii Compliance Program.
Some Thoughts on Strategy: The Heuristic Model
  A discussion of the hierarchical versus heuristic approach to problem-solving.
University Compliance Areas
  Listing of the 23 compliance areas defined for BYU–Hawaii.
Research Memo Template
  Example of how to document our understanding of the requirements of the laws and regulations.
Continuous Risk Assessment
  A model for conducting a continual “on-line real-time” risk assessment for compliance risks. This presentation is from the perspective of the internal audit function, but the model is equally valuable to compliance officers.