Compliance Program Framework
Southern Utah University (SUU) has established a compliance program directed by Campus Compliance Services through the SUU Office of Enterprise Risk Management (ERM), Compliance, and Safety. The program structure is made up of a network of University committees, groups, compliance owners, and operational designee(s) who provide subject matter expertise in maintaining compliance and ethics within their areas of work and daily activity. The SUU Compliance Program is overseen by the Enterprise Risk Management Advisory Committee (ERMAC), composed of senior leadership, and reinforced by the University Compliance Group (UCG). The UCG is made up of key compliance owners who work with their operational-level designee(s) to ethically carry out the shared obligations for which they have been assigned compliance ownership on campus.
The SUU Compliance Program enables the University to provide centralized monitoring and substantive support by housing the program in Campus Compliance Services. From there, Campus Compliance Services coordinates university-wide efforts to develop and implement programs that support compliant and ethical operations through the use of the SUU Compliance Program Framework. The SUU Compliance Program Framework serves as a guide for the compliance program. The framework sets out the basics of how the SUU Compliance Program advances the mission, vision, and strategic plan of SUU.
The 6-component compliance framework has been established to help meet the requirements of §8B2.1 of the United States Sentencing Guidelines for Organizations, which give the criteria for establishing and maintaining an “effective compliance and ethics program” (USSG, 2021).
Framework Summaries

The BUILD component of SUU’s Compliance Program Framework is designed to help employees at SUU understand how compliance and ethics are their duty and how compliance and ethics are essential in their relationship with SUU and those they serve. Additionally, the BUILD component is meant to help build a culture of compliance and ethics that is essential for SUU to be an ethical place where all employees can feel empowered to achieve their potential.
Campus Compliance Services has developed the SUU Compliance Communication Structure for the SUU Compliance Program:
Under the authority of the SUU President, the Enterprise Risk Management Advisory Committee (ERMAC) and University Compliance Group (UCG) act as the organized working groups for the compliance program. These groups work together to effectively carry out the compliance program through:
- Assuming responsibility for the effectiveness of the compliance program in their areas of work by taking on roles of compliance owners, assigning compliance owners, or assigning designees for various compliance-related activities.
- Promoting compliance with the laws and regulations for which they have been assigned by assuming or assigning compliance roles to appropriate personnel and making job description updates as needed. (Assignments of responsibility for specific laws and regulations can be found on the SUU Compliance Matrix.)
- Assisting Campus Compliance Services by:
  - Regularly identifying risks
  - Participating in risk assessments
  - Mitigating risks
  - Communicating needs
  - Building a culture of compliance
- Giving input to the SUU President and other offices and groups about related compliance obligations and needs.
- Promoting a culture of hiring compliant and ethical people through the appropriate SUU policies and procedures.
All employees at SUU have a place in the BUILD component of the compliance framework. Most have a responsibility that is tied to the operational level of the SUU Compliance Communication Structure. Therefore, all employees have a moral or legal obligation in promoting compliant and ethical behavior for all laws and regulations that help SUU operate effectively and efficiently. If you have any compliance and ethics questions or concerns, then please refer to the websites below and contact the appropriate office.
The UNDERSTAND component of the SUU Compliance Program Framework involves identifying, assessing, analyzing and mitigating compliance risks. Further, this component is essential in helping SUU understand what it is that needs to be done regarding the compliance of laws and regulations.
Identifying compliance risks at SUU is done by creating and maintaining the SUU Compliance Matrix that has been compiled using the Higher Education Compliance Alliance Matrix combined with input and surveys from SUU compliance owners and/or designee(s). The SUU Compliance Matrix indicates the laws and regulations that SUU must comply with to mitigate legal liability and reputational risks associated with noncompliance. Each law and regulation that has been identified in the compliance matrix has been assigned to compliance owners. Each compliance owner is responsible for promoting the University’s compliance with the laws and regulations for which they have been assigned. Compliance duties may be carried out by the compliance owner themselves or designee(s) in their respective areas of work at SUU.
Assessing compliance risks on SUU’s campus is completed through the collaborative efforts of Campus Compliance Services and the various compliance owners and/or designee(s) on campus. Risk assessments are conducted in a two-part process: the first part is completed by compliance owner(s) and/or designee(s), and the second part is a follow-up review completed by Campus Compliance Services in coordination with the designated compliance owner(s) and/or designee(s). Once compliance risk assessments are completed, they are used to prioritize compliance risks on campus through SUU’s designated compliance and risk management software.
Analyzing compliance risks takes place after assessments have been completed. Analysis of risks focuses on likelihood of occurrence, impact of occurrence, and other factors as needed. Together these factors determine the threat that the compliance risk poses to the institution and help the ERM Advisory Committee and the University Compliance Group determine mitigation priorities. This approach allows the compliance program to function and be aware of all compliance risks on campus. The compliance risks will be analyzed and compiled with ratings of High, Mid, or Low. Campus Compliance Services and the designated compliance owners see that all risk reports are made available through the compliance and risk management software, where the results can be reported to the appropriate decision makers through the SUU Compliance Communication Structure to be mitigated effectively and efficiently.
Mitigating compliance risks is completed through various means. Once a risk is mitigated, the compliance risk is updated and reported accordingly in the compliance and risk management software. Mitigated risks can:
- Be reassessed using the compliance risk assessment
- Be audited for effectiveness
- Be left to operate until the next cycle of compliance risk assessments is completed for the law(s) and/or regulation(s).
All employees at SUU have a place in the UNDERSTAND component of the compliance framework. Most have a responsibility that is tied to the operational level of the SUU Compliance Communication Structure. Therefore, all employees have a moral or legal obligation in promoting compliant and ethical behavior for all laws and regulations that help SUU operate effectively and efficiently. If you have any compliance and ethics questions or concerns, then please refer to the websites below and contact the appropriate office.
The ESTABLISH component of the SUU Compliance Program Framework involves helping employees at SUU be aware of and understand the plans, standards, policies, and procedures established at SUU. Establishing plans, standards, policies, and procedures is essential to maintaining a compliant and ethical work environment.
Plans, standards, policies, and procedures are essential in helping all employees at SUU do the right thing. The ESTABLISH component assists employees at SUU in the development, interpretation, and implementation of plans, standards, policies, and/or procedures when deemed appropriate.
Oftentimes a compliance risk will require that a plan, standard, policy, and/or procedure be developed and implemented or revised to help achieve compliance. The SUU Office of Legal Affairs has provided helpful links for reviewing and drafting policies at SUU. The SUU Compliance Program highlights these links and other helpful policy links in this component of the SUU Compliance Program Framework.
Helpful links provided by the SUU Office of Legal Affairs:
- Policy Drafting Resources
- SUU Policies
- SUU Policy Resources
- SUU Policy Tracker
- SUU Policy Search
- SUU Policy FAQ
- Contact SUU Policy
- SUU Office of Legal Affairs
Campus Compliance Services also assists in promoting SUU’s Policy on Policies, Code of Ethics, Student Conduct Code, and Conflicts of Interest policies. The aforementioned policies are essential to the SUU Compliance Program and the ESTABLISH component of the framework. These policies help ESTABLISH expectations we have at SUU, and they will aid in maintaining a compliant and ethical environment.
All employees at SUU have a place in the ESTABLISH component of the Compliance Program Framework. Most have a responsibility that is tied to the operational level of the SUU Compliance Communication Structure. Therefore, all employees have a moral or legal obligation in promoting compliant and ethical behavior for all laws and regulations that help SUU operate effectively and efficiently. If you have any compliance and ethics questions or concerns, then please refer to the websites below and contact the appropriate office.
The COMMUNICATE component of the SUU Compliance Program Framework emphasizes training and educating all employees at SUU in their compliance and ethics obligations. Since we all have a purpose in maintaining a compliant and ethical campus, training and educating employees in their compliance related matters is vital.
Further, the COMMUNICATE component of the SUU Compliance Program will help Campus Compliance Services identify that the necessary training is in place to maintain compliance with laws and regulations. Campus Compliance Services may help develop and document training as needed.
The COMMUNICATE component of the SUU Compliance Program involves promoting the program by “conducting effective training programs and otherwise disseminating information appropriate to such individuals’ respective roles and responsibilities” (USSG, 2021). Communicating the compliance program is primarily done through training sessions, but the following types of program training and promotion activities occur at SUU in order to maintain and promote compliance:
- Trainings required by law, regulation, policy, or by nature of job description
- In person trainings requested by individuals, groups, or committees
- Online trainings requested by individuals, groups, or committees
- Voluntary trainings
- Marketing and advertising of the compliance program through various channels
Training is a way to keep all employees at SUU educated about the SUU Compliance Program and to promote compliance and ethics on campus. Campus Compliance Services can assist with formal and informal training on specific laws and regulations to help all employees at SUU be knowledgeable about their duty to remain compliant and ethical.
All employees at SUU have a place in the COMMUNICATE component of the compliance framework. Most have a responsibility that is tied to the operational level of the SUU Compliance Communication Structure. Therefore, all employees have a moral or legal obligation in promoting compliant and ethical behavior for all laws and regulations that help SUU operate effectively and efficiently. If you have any compliance and ethics questions or concerns, then please refer to the websites below and contact the appropriate office.
The OBSERVE component of the SUU Compliance Program Framework emphasizes that employees at SUU are encouraged to monitor and report any compliance and ethics concerns observed at SUU. Through SUU Internal Audit, auditing occurs within the compliance program to help employees maintain and promote compliance with their compliance obligations.
Compliance at SUU is monitored and audited at all levels throughout the SUU Compliance Communication Structure. Compliance is monitored through a combined effort of Campus Compliance Services, ERM Advisory Committee, the University Compliance Group, and the SUU Risk Assurance Group. The SUU Compliance Program and its outcomes are audited by SUU Internal Audit.
When anyone on campus notices and reports noncompliance or unethical behavior and actions on campus, they are protected from retaliation by various SUU policies with regard to what is being reported. Some of the policies that address reporting and/or retaliation include, but are not limited to, SUU Policy 5.66, Policy 5.60, Policy 5.27, and Policy 5.0.
If any employee at SUU has questions regarding compliance and ethics in their areas of work, then they are encouraged to contact the appropriate institutional leader, department, or supervisor, who are often identified in applicable policies, and address the concern as soon as possible. Additionally, all individuals at SUU are encouraged to report instances of misconduct, noncompliance, and/or safety-related concerns by using the links below. Lastly, University employees acting on behalf of the University may seek legal advice from the Office of Legal Affairs. For all emergencies, please dial 911.
Links for Reporting Concerns:
- Legal Advice for Compliance Owners, University Administrators, and Other University Employees acting on behalf of the University
- Report a Concern at SUU
- If you cannot find the concern that you are looking for on the previous links or you want to report anonymously, then you may use EthicsPoint
All employees at SUU have a place in the OBSERVE component of the Compliance Program Framework. Most have a responsibility that is tied to the operational level of the SUU Compliance Communication Structure. Therefore, all employees have a moral or legal obligation in promoting compliant and ethical behavior for all laws and regulations that help SUU operate effectively and efficiently. If you have any compliance and ethics questions or concerns, then please refer to the websites below and contact the appropriate office.
The REFINE component of the SUU Compliance Program involves implementing necessary modifications in the compliance and ethics program as needed. At SUU, we are always seeking continual improvement. When situations arise where practices need to be modified, then we modify accordingly to maintain and promote a compliant and ethical campus.
Through the REFINE component, reassessments of compliance risks may occur to monitor the effectiveness of the program and monitor the effectiveness of the initial mitigation plans that have taken place.
All employees at SUU have a place in the REFINE component of the Compliance Program Framework. Most have a responsibility that is tied to the operational level of the SUU Compliance Communication Structure. Therefore, all employees have a moral or legal obligation in promoting compliant and ethical behavior for all laws and regulations that help SUU operate effectively and efficiently. If you have any compliance and ethics questions or concerns, then please refer to the websites below and contact the appropriate office.
Reaching Out
The 6-component framework enables SUU to effectively “exercise due diligence to prevent and detect criminal conduct; and otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law” (USSG, 2021).
At SUU, we all have a place in the compliance program framework. Most have a responsibility that is tied to the operational level of the SUU Compliance Communication Structure. Therefore, all employees have a moral or legal obligation in promoting compliant and ethical behavior for all laws and regulations that help SUU operate effectively and efficiently. If you have any compliance and ethics questions or concerns, then please refer to the websites below and contact the appropriate office.
- SUU Office of Enterprise Risk Management, Compliance, and Safety for questions, concerns, or coordination regarding risk, compliance, and safety.
- SUU Internal Audit for questions or concerns regarding internal audit or ethics.
- SUU Office of Legal Affairs for advice about an issue or legal obligation.
- For all emergencies, please dial 911.