Background
The University of Southern California’s (“USC” or “University”) Compliance and Ethics Program (“Program”) is designed to proactively identify, address and mitigate compliance risk with a focus on a continuous improvement of its processes and controls. The Program continues to evolve based on regulatory guidance (e.g., the Department of Justice elements of an effective compliance program, federal and state regulations and administrative guidance), and lessons learned from compliance reviews and investigations. The Program is anchored by the following 6 elements:
- Culture, Values, Governance, and Compliance Oversight
- Compliance Risk Identification and Assessment
- Policies, Standards and Systems
- Education, Training, and Outreach
- Monitoring, Auditing, Program Evaluation, and Continuous Improvement
- Investigations, Corrective Action, and Root Cause Analysis
Vision and Objectives
The USC Compliance and Ethics Program Framework and Standards (“Framework”) provides consistency and establishes accountabilities for meeting the elements of an effective compliance program as described above.
Furthermore, USC is committed to sustaining a Program that supports a culture where making decisions consistent with the University’s Unifying Values, doing the right thing, and complying with policies, laws and regulations are the expected and everyday courses of action.
Among other objectives, the Framework is designed to:
- Enable the University to proactively identify and manage compliance and ethics risks
- Provide a framework for designing and evaluating University compliance programs against core program elements
- Provide reasonable assurance that compliance management practices are conducted across compliance risk areas
- Ensure the University is aligning compliance resources in a risk-based manner
- Build on the University’s Unifying Values and behaviors
- Meet external guidance on overarching compliance and ethics programs
- Define core compliance roles and responsibilities throughout the University
Roles and Responsibilities
The Audit, Compliance, Risk, and Privacy Committee (ACRP) of the Board of Trustees provides Program oversight by:
- Engaging in discussions during regularly scheduled updates at each meeting of the ACRP from the Office of Culture, Ethics, and Compliance and selected risk areas regarding the effectiveness of the University’s compliance with legal and regulatory requirements;
- Reviewing, as needed, information from the University Compliance and Ethics Committee, via The Office of Ethics and Compliance regarding compliance management practices in place;
- Focusing on outcomes, themes, and trends from compliance investigations as well as the corrective action taken;
- Discussing insights from data regarding reporting of concerns throughout the University – provided by the Office of Ethics and Professionalism; and
- Receiving regular reports on the Culture Journey and Unifying Values and providing input and strategic guidance.
Senior leadership:
- Sets the “tone at the top” to foster a culture of ethical conduct and compliance with laws and regulations;
- Provides adequate resources for effective compliance and ethics operations; and
- Engages to drive Unifying Values and related behaviors across USC through the Culture Council and other forums, as needed
- Reviews reports on Program status, as well as emerging risks, in order to provide appropriate oversight and guidance.
The Office of Culture, Ethics, and Compliance:
- Enables the University, through the Program, to proactively identify and manage compliance and ethics risks;
- Maintains the Framework and performs and/or assists with periodic assessments of compliance areas against the Framework;
- Coordinates with other stakeholders, Institutional Risk Management, Audit Services, and General Counsel regarding mitigation of identified compliance risks;
- Builds and provides structure, tools, guidance and reports on processes and compliance and ethics risks;
- Provides periodic reports to the Audit, Compliance, Risk, and Privacy Committee and senior leadership about the content and operation of the Program in order to provide reasonable assurance that compliance management practices are in place
- Identifies, reviews, and tracks the designation of Compliance Leads for existing and new/ emerging compliance areas;
- Oversees the Culture Journey providing structure for values based discussions across USC;
- Arranges for periodic assessment of the Program; and
- Ensures that there is a charter for the Program and the Compliance and Ethics Committee.
Compliance Leads:
- Act as the subject matter expert for a particular compliance risk area;
- Assist in identifying and prioritizing compliance risks for the University;
- Establish standards to monitor and assess compliance Program implementation across the Program elements as set forth below;
- Implement compliance standards established and agreed to by the Compliance and Ethics Committee as appropriate to their respective compliance risk area(s);
- Coordinate with schools, units, and departments to implement internal controls;
- Engage with key stakeholders in areas of the University impacted by laws and regulations in their risk area(s);
- Participate in compliance program evaluations;
- Conduct ongoing assessments of compliance risks and adequacy of processes, personnel, and technology in place to mitigate those risks;
- Remediate breaches and/or issues identified and assists with implementing corrective action and program enhancements, as appropriate; and
- Share best practices and lessons learned across compliance risk areas.
Audit Services:
- Partner with other University risk management functions to confirm there is a process to identify, assess, prioritize, and manage compliance and ethics risks;
- Partner with the Office of Culture, Ethics, and Compliance and coordinate with Institutional Risk Management to conduct risk assessments;
- Coordinate with the Office of Culture, Ethics, and Compliance, Institutional Risk Management, and General Counsel regarding mitigation of identified compliance risks; and
- Conduct subject matter specific compliance and risk-based audits as determined in the annual audit plan.
Institutional Risk Management:
- Through the Institutional Risk Management Committee and working group, partners with the Office of Culture, Ethics, and Compliance, General Counsel, and Audit Services to confirm there is a process to identify, assess, prioritize, and manage compliance and ethics risks;
- Coordinate with Office of Culture, Ethics, and Compliance and Audit Services to conduct risk assessments; and
- Coordinate with the Office of Culture, Ethics, and Compliance, Audit Services, and General Counsel regarding mitigation of identified compliance risks.
The role of General Counsel is to:
- Partner with the Office of Culture, Ethics, and Compliance, Audit Services, and Institutional Risk Management to confirm there is a process to identify, assess, prioritize, and manage compliance and ethics risks;
- Partner with Compliance Leads to identify compliance requirements (existing and emerging);
- Coordinate with the Office of Culture, Ethics, and Compliance, Audit Services, and Institutional Risk Management regarding mitigation of identified compliance risks; and
- Address legal issues that may arise from non-compliance activities in various compliance areas.
In addition to the overarching roles and responsibilities for the Program, the Office of Culture, Ethics, and Compliance (“OCEC”), Compliance Leads, and the Compliance and Ethics Committee (where applicable) have additional responsibilities with respect to the 6 elements under the Framework. The next section describes:
- The standards for each of the 6 elements of the Framework, along with these stakeholders’ roles; and
- The methods/evidence to assess progress in implementing the standards set forth in the Program Framework.
1. Culture, Values, Governance, and Compliance Oversight
Element includes:
- Accountability for creating and sustaining an ethical culture and supportive behaviors that bring USC’s unifying values to life
- A compliance organization and structure consisting of leadership oversight, a governance framework which defines clear roles and responsibilities, and sufficient authority, independence, and resources in compliance
- A culture which incentivizes making decisions consistent with core values, doing the right thing, and complying with policies, laws, and regulations
Standards
The Office of Culture, Ethics, and Compliance:
- Develops Program Framework reporting and communication protocols to ensure that compliance risks are identified and tracked across the University;
- Maintains the Program Framework and may perform periodic assessments of compliance areas against the Program Framework;
- Maintains a listing of Compliance Leads and Compliance and Ethics Committee members.
- Chairs Compliance and Ethics Committee meetings and regularly communicates with Compliance Leads regarding compliance risk and Framework implementation;
- Drives the USC-wide Culture Journey tied to implementing and sustaining behaviors tied to Unifying Values through relevant committees and annual culture plans; and
- Fosters a culture which incentivizes making decisions consistent with core values, doing the right thing, and complying with policies, laws, and regulations.
Compliance Leads:
- Participate on the Compliance and Ethics Committee through active participation and discussion of compliance risks, emerging themes, sharing of best practices and feedback on development of core program tools and resources;
- Implement or coordinate the implementation of the Program Framework for the compliance areas for which they are responsible taking steps to provide assurance that schools and units are engaged as needed;
- Engage with impacted business owners to implement the applicable compliance program elements; and
- Escalate to schools, departments, and leadership and the OCEC if business owners challenge the applicability of requirements to their area
- Fosters a culture which incentivizes making decisions consistent with core values, doing the right thing, and complying with policies, laws, and regulations.
Examples of Methods/Evidence to Monitor Progress
- Meeting attendance
- Updated Program Framework
- Documents reflecting key compliance contacts (e.g., inventory of business owners responsible for specific compliance activities, RACI models for compliance area programs)
- Committee charters, membership lists or meeting agendas for any risk area specific compliance committees
- Reports from Compliance Leads to key administrators, deans, and other leadership
- Compliance and culture related communications from senior leadership
- Headcounts of compliance personnel/resources
2. Compliance Risk Identification and Assessment
Element includes:
- Identification of applicable laws and regulations, as well as a process to monitor new and changing requirements
- A regular, repeatable compliance risk assessment process which includes an inventory and prioritization of compliance risks
- Guidelines for updating risks off cycle, as needed
Standards
The Office of Culture, Ethics, and Compliance:
- Develops and maintains a compliance and ethics risk universe for the University;
- Confirms there is a process to identify, assess, prioritize, and manage compliance and ethics risks (in conjunction with Audit Services, General Counsel, and Institutional Risk Management);
- Develops a set of tools and enablers (e.g., questionnaires, templates) to assist Compliance Leads in their periodic risk assessments;
- Presents and communicates, as needed, new compliance requirements that may impact multiple risk areas;
- Obtains periodic updates from the Compliance Leads on top compliance risk areas, as requested;
- Reports compliance breaches related to top risks to leadership and the ACRP, as appropriate; and
- If new or emerging compliance risk areas are identified with no owner, undertakes steps to designate a Compliance Lead as described in the Roles and Responsibilities section in conjunction with the appropriate Compliance Leads and/or functional area.
Compliance Leads:
- Participate in the compliance risk assessment process described above;
- In partnership with the Office of General Counsel, identify, monitor, and interpret laws, regulations, and standards for the compliance risk area;
- Communicate significant (including new and emerging) compliance and ethics risks to the OCEC and the Compliance and Ethics Committee as they emerge;
- For top risks identified in the compliance risk assessment process, engage with impacted schools, units, and departments to determine how to manage/mitigate the risk and advise OCEC, leadership and ACRP, if applicable, on the management/mitigation plan as requested;
- Escalate compliance breaches relating to top risks to OCEC and leadership;
- Maintain a catalog or listing of top compliance risks for the compliance area with identification of role/party accountable for the Program in those areas; and
- Work with departments and functions to implement processes to address new or changed regulations.
Examples of Methods/Evidence to Monitor Progress
- Catalog of the University’s risk universe (OCEC)
- Catalog of compliance requirements for top risks
- Documents reflecting key compliance contacts (e.g., inventory of those responsible for specific compliance activities)
- Process for identifying new or changed compliance requirements and assigning accountability (e.g., RACI)
- Compliance risk assessment results and related improvement plans
- Mitigation plans tied to compliance risks
- Agendas or meeting minutes from meetings with schools, units, and departments that reflect discussions/action plans regarding identified compliance risks
- Metrics for tracking the top risks have been effectively mitigated over time
3. Policies, Standards, and Systems
Element includes:
- Established policies, standards, and systems designed to reduce the risk of non-compliance
- Communication of core policies, standards and systems to impacted faculty, staff or students
- Controls to prevent and detect non-compliance
Standards
The Office of Culture, Ethics, and Compliance:
- Maintains a policy governance framework to create more consistency and accountability, remove siloes, and provide more visibility and guidance on USC’s policy lifecycle;
- Maintains a Policy on Policy that sets forth the requirements for updating existing or creating new policies, policy review cycle, policy templates, and approval process;
- Maintains tools and resources for engaging and supporting stakeholders in carrying out the Program;
- Supports the Policy Governance Committee whose goal is to engage a cross-functional, core group of USC stakeholders to advise on opportunities to improve and further streamline USC’s policy governance processes and continuously improve processes;
- Assists the Policy Review Core Team in its goal of reviewing and advising on University policies ;
- Periodically considers and reviews policies, standards, and systems to ensure they are designed and effective in reducing the University’s risk of non-compliance; and
- Assists in developing policies, procedures, and system improvements, as requested by the Compliance Leads and/or business owners.
Compliance Leads:
- Assist policy owners to maintain applicable, easy-to-understand policies and procedures for their respective compliance risk area(s) in accordance with Policy Management requirements;
- Implement and enforce policies, procedures, standards and systems;
- Maintain an inventory of applicable policies and procedures for their respective compliance risk area(s);
- Confirm policies and procedures are in place, as needed, to address compliance requirements and identify any material gaps in policies/procedures;
- Identify if USC policies and procedures apply to all schools, departments, and units or if there are areas where schools or units may not integrate with the function or address compliance area on their own;
- If schools, departments, and/or units manage compliance differently, confirm that compliance management adheres to the Framework;
- Distribute policies to impacted employees, as needed;
- Perform – at a minimum – a biennial review of policies to identify gaps and ensure they adequately address current and emerging;
- Determine if off-cycle or emergency events require updates to, or creation of, policies and procedures; and
- Engage with business leaders to integrate compliance requirements in business operations and systems.
Examples of Methods/Evidence to Monitor Progress
- List of core compliance policies
- Policy employee acknowledgements, if applicable
- Process and approval logs for updating/revising policies
- Training and communication plans for new or significantly revised policies
- Charter for the Policy Governance Committee
4. Education, Training and Outreach
Element includes:
- Support available to the University community to educate on and communicate about compliance requirements, policies, procedures, and ethical decisions
- Consultation processes, where needed, to assist with understanding of compliance requirements and ethical obligations
- Availability of subject matter experts to engage, consult, and advise on compliance matters
Standards
The Office of Culture, Ethics, and Compliance:
- Periodically provides high-level messages to the USC community regarding the Code of Ethics and its relevance to emerging topics;
- Assists in developing compliance education and outreach, as requested by Compliance Leads and/or schools, units, and departments;
- Maintains a catalog of mandatory compliance training; and
- Develops an annual compliance and ethics communication plan, in conjunction with the Compliance and Ethics Committee, which includes targeted messaging from senior leaders that highlight the University’s commitment to compliance and ethics, tied to events or milestones (e.g., gift-giving around the holiday season, leadership messages when new research grants are awarded).
Compliance Leads:
- In partnership with counsel, communicate new or changed laws, regulations, and standards to impacted individuals across the University;
- Ensure that impacted employees within their compliance area receive training and education regarding the compliance requirements or applicable policies and procedures in their area, as necessary based on risk; and
- Assist in developing compliance-related education and training, as necessary or applicable.
The Compliance and Ethics Committee:
- Serves as a forum for sharing best practices for training and communication; and
- Provides input regarding a compliance and ethics communication plan, in conjunction with the OCEC, which includes targeted messaging from senior leaders that highlight the University’s commitment to compliance and ethics, tied to events or milestones.
Examples of Methods/Evidence to Monitor Progress
- Catalog of compliance trainings and targeted employees (by role/title/department)
- Training/education communication plans
- Examples of compliance-related communications
- Process for tracking training distribution, participation, and completion
- Metrics for training effectiveness over time (e.g., year-over-year number of sessions and participation/completion rate)
- Resolution process for non-compliance and failing to complete training requirements
5. Monitoring, Auditing, Program Evaluation, and Continuous Improvement
Element includes:
- Establishment of monitoring procedures using available data (e.g., documents, records) to detect instances of non-compliance and determine the risk of non-compliance
- Utilization of metrics and KPIs to measure compliance effectiveness and identify opportunities for improvement
- Program improvement based on identification of trends and themes
- Regular Program assessments to identify gaps, strengths, and opportunities Standards
The Office of Culture, Ethics, and Compliance:
- Reviews the Program Framework on a periodic basis or when the regulatory landscape or University risk profile changes;
- Assesses University compliance programs against the Program Framework;
- Updates the Program Framework and governance, new compliance risks, enforcement guidance, and/or feedback from the Compliance and Ethics Committee and senior management;
- Assists in developing monitoring plans and suggests Key Performance Indicators (KPI) to be implemented by Compliance Leads and schools, units, and departments, as requested;
- Evaluates the use of data analytic techniques to identify compliance risks and/or outlier transactions or activities; prioritizes areas where data analytics would benefit the most; and requests resources accordingly in consultation with Compliance Leads; and
- Shares best practices and lessons learned across compliance areas.
Compliance Leads
- Create and maintain monitoring plans commensurate with compliance risk levels in partnership with schools, units, and departments;
- Participate in the assessment of their respective compliance programs, whether self-led or performed by OCEC;
- Understand and identify what data their compliance area has and what Key Performance Indicators and metrics are available and tracked; document the types and sources of data (e.g., systems, databases, spreadsheets);
- Analyze results from monitoring and audits to identify trends, patterns, and themes to assist with the prioritization of mitigation plans aligned with the top compliance risks;
- Provide regular updates on compliance and any critical issues identified as a result of monitoring and audits to OCEC and senior leadership;
- Develop and oversee the process for responding to external/government monitoring requirements, as needed; and
- Notify the OCEC and leadership, in accordance with escalation protocols, where applicable, regarding any external/government audits or assessments conducted.
Examples of Methods/Evidence to Monitor Progress
- Reports of monitoring of compliance activities
- Annual report to the Audit, Compliance, Risk, and Privacy Committee and the Cabinet
- Self-assessments of compliance areas
- Documentation of monitoring reviews
- Documentation of data analytics to monitor compliance
- Listing of key data sources and information
- Key compliance metrics for assessment and continuous monitoring
- Compliance dashboards and monitoring reports or systems
- Metrics for monitoring policy and procedure effectiveness
6. Investigations, Corrective Action, and Root Cause Analysis
Element includes:
- Resources and processes for investigating, documenting, and reporting potential violations of compliance requirements
- Policies and procedures for responding to and remediating non-compliance or ethics issues
- Analysis of the underlying reason for the occurrence of non-compliance and processes for addressing identified gaps in policies, processes, controls, or other procedures that were implicated in known failures and protocols for selfreporting
Standards
The Office of Professionalism and Ethics (“OPE”)
- Manages the USC complaint hotline, evaluates, responds to, and triages misconduct reports to the appropriate office(s) for further review, when necessary;
- Coordinates with OCEC, Human Resources, EEO-TIX, Audit Services, OCAP, General Counsel, DPS, external agencies, and Compliance Leads to ensure that investigations are conducted by the proper office(s) in accordance with University policy and procedures;
- Investigates certain matters impacting the university, including some compliance and ethics allegations;
- Provides a quality assurance function for reporting and investigative functions among university offices;
- Escalates certain high-risk compliance and ethics issues to leadership and the OCEC (e.g., remediation plans not being carried out, recurring non-compliance, trends with certain schools, departments, units)
The Office of Culture, Ethics, and Compliance:
- Coordinates with OPE, Human Resources, General Counsel and Compliance Leads to ensure that assigned investigations are conducted in accordance with University policy;
- Coordinates with OPE and reports high risk compliance investigations to the Audit, Compliance, Risk, and Privacy Committee and senior leadership, as applicable;
- Develops guidelines for Compliance Leads to escalate certain compliance and ethics issues to the OCEC (e.g., remediation plans not being carried out, recurring non-compliance);
- Escalates issues to senior leadership and the Board in accordance with established guidelines;
- Tracks compliance-related cases in the University-wide case management system administered by OPE and obtains relevant investigations data to identify trends and themes;
- Monitors the implementation of corrective action plans in response to cross-cutting compliance and ethics issues in conjunction with Compliance Leads, as applicable.
Compliance Leads
- Ensure that adequate compliance area resources are available for investigations, including subject matter expertise for their compliance area;
- Are responsible for working with schools, units, and departments on remediation and tracking corrective action to closure;
- Escalate certain high risk compliance and ethics issues to leadership and the OCEC (e.g., remediation plans not being carried out, recurring noncompliance, trends with certain schools, departments, units); and
- Notify the OCEC and leadership regarding ongoing investigations which may impact the approach to compliance
The Compliance and Ethics Committee
- Communicates with the Office of Professionalism and Ethics and other offices, departments, or functions that conduct investigations regarding trends and themes from investigations;
- Uses info; and
- Discusses corrective action plans, including metrics of implementation progress and effectiveness.
Examples of Methods/Evidence to Monitor Progress
- Escalation protocols and investigation procedures
- Case management process
- Summary statistics of investigations performed and corresponding information such as case aging and resolution
- Training materials and attendance logs for key investigatory personnel
- Reports to the Audit, Compliance, Risk, and Privacy Committee and the Cabinet
- Corrective action protocols and processes
- Consequences frameworks, where applicable
- Periodic reports of monitoring the implementation of corrective action plans in response to compliance issues
- Periodic reports of improvement plans in response to compliance issues
- Root cause analysis framework and related trends (e.g., monitoring of root causes stemming from similar issues)