Mission

To work proactively and collaboratively with members of the University community to promote an institutional culture of compliance and thus prevent and effectively address violations of law, regulation, and University policy and protocols.

Goals and Means

To establish and implement an effective compliance program that monitors, communicates and educates the University community about existing and emerging compliance requirements; raises awareness of the importance of ethics and compliance; coordinates institutional compliance activities; assesses and provides consultation on compliance training initiatives; develops compliance workplans; assesses and reports periodically to senior leadership and the Audit Committee of the Board of Trustees on progress toward compliance goals; and assists in the development of remediation plans as needed.

Roles and Structure

I. The Board of Trustees Audit Committee

A. Role relative to the Compliance Program

• Oversees the quality and effectiveness of UVM's Compliance Program.
• Keeps informed about Compliance Program status and effectiveness through regular reports from executive and operational officials, the Chief Safety and Compliance Officer (CSCO), and the Director of Compliance Services (DCS).
• Assesses management's response to compliance recommendations.

B. Structure

• The DCS reports to the CSCO.

II. The President

 A. Role relative to the Compliance Program

• Serves as a champion of the Compliance Program, working visibly to establish a culture of compliance and ethics throughout the institution.
• Supports the Compliance Program by directing the provision of a reasonable level of funding, staffing and space for the Office of Compliance and Privacy Services.
• Annually reviews the compliance risk assessment and work plan; meets regularly with the CSCO and DCS to discuss compliance issues facing the University.

 B. Structure

• The CSCO reports to the President.

III. The President's Senior Leadership (Vice Presidents)

 A. Role relative to the Compliance Program

• Provides leadership and support in operationalizing compliance initiatives within their areas of jurisdiction; assigns responsibility; ensures accountability.
• Keeps informed about Compliance Program status and effectiveness through periodic reports from operational officials, the CSCO, and DCS.
• Brings compliance concerns to the attention of the DCS.
•  Advises the DCS regarding the proposed institutional annual compliance work plan and the need for revisions thereto during the course of the year.

 B. Structure

• The President's Senior Leadership is advisory to the President.

IV. The Director of Compliance Services & Chief Privacy Officer

 A. Role relative to the Compliance Program

• Serves as the institutional officer responsible for the effective implementation of the Compliance Program and directs the Office of Compliance and Privacy Services.
• Works collaboratively with other governance, risk, and compliance (GRC) offices including the Offices of Audit Services, General Counsel, Information Security, Enterprise Technology Services, Risk Management, Police Services, Emergency Management, and Environmental Health & Safety.
• Institutes and maintains an effective compliance communication program for the University, including (a) promoting use of the Ethics and Compliance Reporting HelpLine; (b) championing awareness of the Code of Conduct and Ethical Standards, (c) understanding of new and existing compliance issues and related policies and procedures, and (d) responding to general compliance queries and/or facilitating communications with and between responsible officials.
• Performs an annual risk assessment to prioritize risks.
• Develops, in consultation with senior management, an annual compliance work plan.
• Provides reports on a periodic basis, and as directed or requested, to keep the Board Audit Committee, the President, and senior management informed of the operation and progress of Compliance Program efforts.
• Administers the Ethics and Compliance Reporting HelpLine, working in collaboration with the General Counsel and, the Chief Internal Auditor.
• Coordinates compliance activities within the institution, including the institutional response to new compliance requirements or government reviews.
• Assists responsible officials in identifying compliance gaps; developing unit compliance work plans when necessary or requested; and monitoring and assessing progress toward institutional and unit compliance work plan goals.
• Liaises with responsible officials and the Office of General Counsel (OGC) to initiate, develop, maintain, and revise policies and procedures for the University including compliance policies and procedures.
• Works proactively to assist responsible officials in identifying and assessing compliance with respect to privacy laws and regulations; promotes strategies to mitigate non-compliance, including assistance in developing policies and procedures for the collection, use and sharing of non-public protected data (NPPD).
• Works with department reviewers and with OGC to oversee the conflict of interest/conflict of commitment disclosure process.
• Works collaboratively with Human Resource Services (HRS) and other departments as appropriate to assist in developing effective compliance training programs.
• Convenes and/or Chairs compliance work groups, as identified/needed.

 B. Structure

• The DCS reports to the CSCO.

V. Audit Services

 A. Role relative to the Compliance Program

• Based on annual risk assessment, conducts periodic compliance audits.
• Monitors and reports to the President and the Board of Trustees Audit Committee on the status of management's response to audit observations.
• Investigates reports of non-compliance except insofar as the responsibility for investigations is otherwise assigned by University policy.

B. Structure

• The CIA reports to the Chair of the Audit Committee of the Board of Trustees with a dotted line to the President.

VI. The Office of the General Counsel

A. Role relative to the Compliance Program

• Monitors and advises responsible officials regarding, laws and policies, as well as legal developments, relevant to University programs, operations and activities.
• Counsels University officials on the legal implications of policy and other administrative decisions.
• Assists responsible officials in identifying best practices with regard to legal requirements and policy development.
• Drafts, reviews, and/or makes recommendations to officials regarding institutional transactions, contracts, and policies.
• Represents and/or oversees legal representation of UVM in the negotiation and/or resolution of significant commercial transactions, litigation, and agency proceedings.

VII. The Enterprise Risk Management and Operational Compliance Committee (ERMOCC) and Other Compliance Work Groups

A. Role relative to the Compliance Program

• Meet as needed to discuss the status of compliance initiatives, emerging issues, training opportunities, and best practices regarding a specific area of compliance.
• Identifies "gaps" in collaboration with the DCS for further action by responsible officials; assesses progress toward specified goals.

B. Structure

• Work group members are advisory to the DCS and one another and report to their supervisors through normal channels.

VIII. Division of Responsibilities: Executives, Oversight Officials, Operations Managers, Faculty, Staff, and Students

The key principle of an effective Compliance Program is that compliance is the responsibility of all members of the community for which the program is designed. Apart from the general duty we all have as community members to abide by the law and University policies, compliance is designed to protect the safety and well-being of individuals and the campus at large; enhance (and avoid damage to) the reputation of the University; offer professional, educational and personal opportunities for expansion of the individual and collective knowledge base; and direct financial and human resources principally toward proactive, and not punitive, measures.

University community members also have specific responsibilities associated with their role at UVM. In addition to the descriptions above, those responsibilities may be categorized as follows:

Executive: the single senior official responsible, and accountable to the President, for management of specific risks, who has the authority to allocate resources and take corrective action. Executives are Vice Presidents, Deans, Chief Officers, or equivalent. Each executive is charged by the President with coordinating compliance activities within the units reporting to them and for bringing any compliance concerns to the attention of the DCS. Delegation of functional responsibility does not relieve an executive of their obligation to ensure compliance.

Oversight: the official to whom the responsible executive delegates authority to manage the risks and responsibility for monitoring, investigating, reporting, training, and instituting other internal controls. Each oversight official shall take reasonable steps to ensure that all employees (including faculty and staff) in their unit(s) are familiar with any applicable laws, regulations, policies, or rules and are in compliance therewith. It is also the responsibility of the oversight official to ensure that other individuals (e.g., affiliates; contractors) conducting business with UVM are in compliance with governing legal, regulatory, or policy parameters. It is also the responsibility of the oversight official to address and, as required, report non-compliance incidents when discovered. At least once during the bi-annual enterprise risk management (ERM) process, the DCS will request from the oversight officials compliance information that will be used to compile a campus-wide report and work plan for the upcoming year.

Operational: the individual handling daily operations for managing the risk and otherwise actively addressing compliance responsibilities.

Individual: the obligation of all personnel and students to be knowledgeable about, and compliant with, the conduct standards and programmatic or operational requirements applicable to their University-related professional, work, and educational or recreational endeavors.

A secondary principle of the Compliance Program is that the Program is most likely to be effective if its orientation is proactive and it incentivizes favorable outcomes.

The third principle is one of accountability - imperative to the success of the Program is outcome assessment and follow-up to verify that appropriate corrective, restorative and/or disciplinary action is taken in the event of shortfalls or violations.

Compliance University Matrix

To facilitate due diligence in all areas of University operations affected by compliance obligations, the Office of Compliance and Privacy Services will maintain a top-level compliance matrix identifying the responsible official for each general area of compliance. This top-level matrix will be posted on the Office website.

Compliance HelpLine

The Ethics and Compliance Reporting HelpLine (the HelpLine) shall be administered by the Office of Compliance and Privacy Services in collaboration with OGC and the CIA. A written protocol shall be maintained by the DCS detailing the associated administrative responsibilities and procedures.

University Institutional Website

The Office of Compliance Services shall maintain the University Institutional Policies Website, inclusive of University Operating Procedures, and the policy review schedule. The Office is responsible for the archiving of policies.

Training

Relevant training for administrators, faculty and staff is essential to the success of a compliance program. The DCS will assist and advise with identifying priority areas for high-quality, effective communication, training and awareness programs.

‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾‾
November 4, 2013 • Revised Compliance Program description accepted by the Audit Committee
August 21, 2014 • Administrative revisions
April 8, 2022 • Administrative revisions
August 19, 2022 • Administrative revisions