
Our goal for this publication is to raise awareness of trending compliance issues that pertain to all employees and departments and to provide a refresher on the compliance program services and help line.

Summer 2016

  • Little c Big C

    Little "c" vs. Big "C" Compliance

    By Tessa Lucey, MHA, CHC, CHCP, Director of Compliance Services

    Everywhere you look, there are regulations.  And, where there are regulations, there are compliance requirements.  Whether it be in your day-to-day lives or in your workplace, our actions are all impacted by both little c compliance and Big C Compliance.  So, what am I talking about?


    Within higher education, little c compliance refers to all the laws, acts, statutes and regulations that govern our operations.  OSHA, The Clery Act, FERPA, Uniform Guidance for Federal grants, Americans with Disabilities Act, The Higher Education Act, The Civil Rights Act, Title IX, Title IV Federal financial aid… the list goes on and on.  Little c compliance is not created by the University.  It is not created by the Compliance Department, by Administration, or by the Board of Trustees.  Little c compliance is created in Washington D.C. and in Montpelier.  Little c compliance is created when we enter into agreements or sign contracts that detail our responsibilities.  Little c compliance encompasses all the things that we have to do because a government agency mandates it or because we signed a contract saying that we agreed to do it.

    Big C Compliance is your compliance program. On the University level, Big C Compliance is me, it is the Office of Compliance Services, it's your Code of Business Conduct, it's your HelpLine. Big C Compliance is all of our policies and procedures. Big C Compliance is what we say we're going to do in order to comply with the little c compliance requirements. While little c compliance is made up of the regulations, Big C Compliance is the framework established to prevent, detect, respond to, mitigate and monitor suspected and potential violations to the regulations. Put more simply, little c compliance says what we have to do while Big C Compliance says how we're going to do it.

     


     

    Within your department or unit, you have policies, procedures, systems, tools, software programs, etc. to help you with little c compliance. Little c compliance can be job specific; it can be industry specific; it can pertain to society as a whole. For example, if you are working under a grant, you know about effort reporting. If you're not involved in research, you may have never heard of this. This is an example of a job specific little c compliance requirement. FERPA, on the other hand, applies to all schools that receive funds under certain Department of Education programs. UVM is one of these schools. Therefore, we are all responsible to comply with FERPA. While some positions have access to more private student information than others, FERPA covers student information regardless of where it is stored or maintained. This is an industry specific little c compliance requirement. And, lastly, an example of little c compliance pertaining to society as a whole is stealing. Stealing is wrong, stealing is illegal...period...no matter where you live, or where you work or what industry you're in.

    Both little c compliance and Big C Compliance have an impact on operations. Both affect how we, as a University, function. While they are related, it is important that we also recognize the difference and how an effective compliance program, if implemented appropriately, can ease the burden and reduce the cost of little c compliance. While little c compliance says, "You must do this," Big C Compliance says, "Let's look at the whole process and see where we can make it work better." Where little c compliance says, "If you get caught not doing it, there's going to be enforcement," Big C Compliance says, "We all make mistakes. Let's be open and honest about our mistakes and let's work together to fix them now." And, when little c compliance says that your mistake will result in monetary fines or other penalties such as loss of federal funding or criminal prosecution, Big C Compliance says that we can reduce and, in some cases, avoid these punitive outcomes.

    We're able to do this because having an effective compliance program has been proven to reduce the risk of violations. There are examples of organizations that avoided enforcement action including prosecution because they had an effective compliance program in place. Sometimes it's not about the individual violation but it's about the culture. It's about the story of the University. Does the University have a culture that turns its head when there's a potential violation? Or, are violations addressed and corrected promptly? Are violations swept under the rug and kept quiet or are they used as a learning and improvement opportunity? An individual violation may not have been picked up, but when you have a history of identifying and correcting violations, that is when fines and penalties are reduced. When you have staff that are willing to speak up without a fear of retaliation then risks can be reduced and violations can be corrected before they become something that regulators need to identify. It is when you have this culture and your program is effective that regulators make decisions not to prosecute.

    Your compliance program has been established so that as a University, we continually strive towards a "culture of compliance". By having all the elements of an effective program in place, the risk of violations decreases. In addition, when all those elements are in place and a violation does occur, we've got the tools to fix it so that when the regulators come knocking at our door, we've got a response. Let's face it...budgets and funding continue to be a challenge while the regulations and the enforcement continue to increase. We have to do things differently. We have to do more with less. We often feel like we spend most of our time stomping out forest fires. With an effective compliance program, the goal is to be able to simply blow out the match.

     

Think Before you Click


Never share your UVM login or password. With anyone. Ever.

Most breaches occur because of human error. One of the most common is called "phishing". Bad guys send out emails making it look like something official. They use scary tactics and fear to get you to respond...they make it sound like bad things will happen if you don't. They are trying to trick you.


If the email is asking you to enter your user name and password, if the email says things like, "Your mailbox will be deleted" or that "in order to increase your mailbox size you must do" something... it's not official. It's a scam. With your login information, criminals can gain access to our systems and to your personal information like your social security number or your bank account information.

THINK BEFORE YOU CLICK

If you receive an email that either asks for your user name and password or brings you to a website that asks you to enter your user name and password, STOP!! Take a couple seconds (really, it just takes a couple seconds) and verify. How? Follow these steps:

  1. Put your cursor over the web address and see what pops up. That's it!! One step. If you see www.uvm.edu followed by something else, it's ok.
    Good URL: www.uvm.edu/~complian/
  2. If the web address says something completely different, report it to iso@uvm.edu.

This is where it gets a bit tricky.

If the web address does not have "uvm.edu" before the first single slash ("/"), it's a trick and should be reported to iso@uvm.edu.

Just because "uvm.edu" is in the address somewhere, it doesn't mean it's OK...it HAS to be before the first single slash.

URL needs to start with www.uvm.edu to be safe

In general, if the website really comes from someone at UVM, it will start with www.uvm.edu or www.something.uvm.edu. If it starts with anything else, THINK BEFORE YOU CLICK. Contact iso@uvm.edu to be sure.
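The hover check described above, written as a small Python function (an added example, not part of the original newsletter). It also covers one case the steps do not mention, an "@" before the first slash; the function name and the example.* sample links are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "uvm.edu"  # the domain named in the article

def link_verdict(url, trusted=TRUSTED_DOMAIN):
    """Return (is_trusted, host, reason) for a link copied from an email."""
    url = url.strip()
    if "\\" in url:
        # Browsers and URL libraries disagree on backslashes; fail closed.
        return (False, "", "backslash in address")
    # Links pasted from mail often lack "http://"; add "//" so the part
    # before the first single slash is parsed as the host.
    if not re.match(r"^[A-Za-z][A-Za-z0-9+.-]*://", url) and not url.startswith("//"):
        url = "//" + url
    try:
        parts = urlsplit(url)
    except ValueError:
        return (False, "", "address could not be parsed")
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return (False, host, "no host name found")
    if parts.username is not None:
        # "www.uvm.edu@host" puts uvm.edu before the first slash, yet the
        # browser connects to whatever follows the "@".
        return (False, host, "text before '@' is not the site")
    if host == trusted or host.endswith("." + trusted):
        return (True, host, "host is %s or a subdomain of it" % trusted)
    if trusted in host:
        return (False, host, "%s is in the host, but the host is not under it" % trusted)
    if trusted in parts.path or trusted in parts.query:
        return (False, host, "%s appears only after the first slash" % trusted)
    return (False, host, "host is unrelated to %s" % trusted)

# Constructed sample links (the first is the "Good URL" from the article).
SAMPLES = [
    "www.uvm.edu/~complian/",
    "https://www.something.uvm.edu/page",
    "http://www.uvm.edu.login.example.net/reset",
    "http://mail.example.org/www.uvm.edu/login",
    "http://www.uvm.edu@portal.example.com/",
    "http://myuvm.edu/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        ok, host, reason = link_verdict(link)
        print("%-6s %-45s %s" % ("OK" if ok else "REPORT", link, reason))
```
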

Nobody...and I repeat NOBODY...in an official capacity at UVM should be asking you for your login information. Ever. Also, emails that are for an official purpose will not use scare tactics. They won't make you panic. If the email does any of these things, contact iso@uvm.edu.

If you are ever unsure, THINK BEFORE YOU CLICK. Pause before you enter your login information. Contact ISO@uvm.edu, call the Chief Privacy Officer at 6-2003 or contact the compliance department at compliance@uvm.edu or 6-3086. Visit the Information Security webpage for more information.

 

Recognizing and Curbing Discriminatory Harassment: What it is, Where it happens and What to do


The University prohibits sexual and other bias based harassment including harassing behavior motivated by race, color, religion, ancestry, national origin, place of birth, sexual orientation, disability, age, positive HIV-related blood test results, genetic information, gender identity or expression, or veteran status.

The effects of harassment on employees can be devastating. Unchecked harassment can erode trust, weaken goodwill and undermine productivity, as well as put our University at legal and financial risk. Harassment also is one of the factors cited in many compliance reports. It may not be the main topic of the report but as we get into the investigation, there are often elements of harassment that find their way into the report.


The good news is that you, particularly if you are a manager or supervisor, can help maintain a positive workplace environment... an environment in which everyone has the opportunity to thrive. Here are some ways we can help prevent and stop harassing behavior in our workplace:

1) Recognize Harassing Behavior When You See It

Harassment typically takes one of three forms:

  • Verbal Harassment: Sexually explicit or derogatory jokes, innuendo, name-calling, insults, comments or other verbal behavior based on a person's race, gender, religion, age, sexual orientation, or other protected characteristic as noted above.
  • Physical Harassment: Inappropriate physical conduct, including unwanted touching or gestures. While physical harassment most often is based on sex, it can relate to any protected characteristic, including religion and disability.
  • Visual Harassment: Any visual material, including posters, calendars, screen savers, web pages, comics, or personal photos, that is sexually explicit or derogatory of a protected characteristic.

2) Address the Behavior Right Away

We have a duty to protect all of our employees from harassment and discrimination. As part of that, supervisors and managers have a "duty to act" whenever they become aware of potential harassment, regardless of how they learn of it.

If a manager or supervisor sees or overhears behaviors that are potentially harassing, the best option is to address it right then, on the spot. You do not need to be aggressive, but you do need to point out that their behavior is inappropriate and stop it. Non-supervisors are also encouraged to address the behavior, but may feel more comfortable reporting the behavior to the employee's supervisor or via AAEO's Bias, Discrimination, & Harassment Incident Reporting Form.

Remember, doing nothing is never an acceptable option. When in doubt, at a bare minimum, reach out to AAEO or Compliance Services for guidance. You can contact AAEO at (802) 656-3368 or via AAEO's Bias, Discrimination, & Harassment Incident Reporting Form.

You can also contact the Office of Compliance Services at (802)-656-3086 or can report via the Ethics and Compliance Reporting & HelpLine.

3) Know Where Our Policies Apply

Our policies apply in any work-related setting, not just at daily work sites.

University functions held off-campus or during non-work hours, conferences, and business meals all typically are "work-related settings"; harassing behaviors are prohibited in those settings as well. Visit UVM's anti-harassment policies and procedures.

4) Lead by Example

All employees' behavior, but particularly that of managers and supervisors, sets the tone for the workplace. Always be respectful and professional and others likely will follow suit. If you have any doubt, before you act, ask yourself whether you would be comfortable if your behavior were recorded with a smartphone and then posted to the internet, with a link sent to our senior leadership. If not, the behavior does not belong in the workplace!

 

Chatter: Fundraising for Non-UVM Groups 

Are you selling raffle tickets for your child's school or having a bake sale to benefit a non-UVM group? Read on.....


In this section, we will go into a little more detail about a variety of selected topics designed to get people thinking about situations a little differently. If there is a black & white answer, we'll give it. If not, we'll try to explain the gray. Whenever possible, we will give real life examples. If you have a topic you'd like to see included, let us know. As always, individual identifying information will never be published without permission.

Recently, our office received an anonymous report of non-compliance. While all reports receive some level of investigation, let's map this out using both the way it was received (via an anonymous letter) and the way the investigation would have gone had the reporter used the Ethics and Compliance Reporting & HelpLine.

This edition of Chatter will address these two scenarios: (1) Can you sell raffle tickets or ask for donations from your co-workers? (2) Can you use University space for a purpose that is unrelated to University operations? And the answer is...


It depends.

There are some policy requirements that must be met in order for certain scenarios to be acceptable. For example, the Solicitation policy requires that space be reserved for commercial solicitation (i.e., visits from vendors, sales of anything that benefits a for-profit entity). Under this same policy, reservations are not required for non-commercial solicitation (i.e., charitable fundraising for the benefit of the University, University-recognized groups and organizations, or other nonprofit or charitable organizations) in specific public locations that have been identified in the policy. Regardless of whether it is commercial or non-commercial solicitation, the use of the space cannot interfere with usual University operations. So, what does all that mean?

Asking co-workers to buy a raffle ticket does not violate UVM's policies as long as it doesn't interfere with the performance of your job, it is not done in a harassing or threatening manner and the purchase or donation is not required. This becomes especially tricky if you are a manager or supervisor and are asking your direct reports to purchase a raffle ticket, donate to a charity or sponsor you for a 5K. Those in a position of authority need to be sensitive to the individual situations of their colleagues. Does the manager make direct reports feel that they have to purchase something? Are direct reports going to feel as if not purchasing will make them look bad? Do those that donate get preferential treatment? Remember that everyone brings their own unique background to the table. Being a manager or supervisor inherently has some level of power. It may be best to avoid asking direct reports to buy a ticket or to donate unless you are certain that it will not be a problem.

Now, what about the bake sale? Let's assume that the bake sale was for a charitable organization so it qualified as non-commercial solicitation. This could be done in University space without prior reservation as long as it didn't interfere with usual operations. The use of the break room would be allowed as long as the use didn't prevent staff from using the space as designed. For example, if the bake sale took over the whole room during lunch and staff couldn't sit and eat, that would be prohibited. If it were a box of cupcakes and cookies sitting on the counter but staff could still eat lunch, that should not pose a problem.

Colleagues are often happy to help. Making a donation to a good cause or buying something as part of a fundraiser is something that people have been doing for ages. My parents brought candy bars to work when I still had hopes I'd be a professional soccer player. I've been donating to various charity walks, runs, etc. and I've bought more Girl Scout Cookies than I'd care to admit. But, it's when those things get in the way of official operations, when purchases and donations are expected or when others are inconvenienced that trouble arises.

Of course, there is always a chance that your department has specific policies that are more stringent than the University-wide policies so it's a good idea to check with your manager or supervisor before doing any fundraising or before using department space for any reason that is not related to University operations.

 

Spotlight on Policies


In policy spotlight, we focus on relevant and timely policies. It is your responsibility to read and understand the policies that pertain to your job. If you don't understand something or have questions, let your manager or supervisor know. You can always contact the Office of Compliance Services for help with anything policy-related.

This newsletter focuses on existing policies that have recently been updated with important new revisions: the Grievance and Peer Advisor Policy for Unrepresented Staff and the Effort Managing and Reporting on Sponsored Programs.


Grievance and Peer Advisor Policy for Non-Represented Staff

The newly revised policy highlights include:

  • Encouraging communication between employees and supervisors to address concerns prior to initiating a grievance.
  • Clarifying the role of Peer Advisors in the grievance process.
  • Simplifying what constitutes a grievance.
  • Outlining how grievances are processed when an employee chooses to pursue a complaint of discrimination with the AAEO Office as part of the grievance allegations, when applicable.
  • Eliminating the formal mediation process to resolve disputes; however, the policy encourages employees and their supervisors to informally mediate potential grievances.

The complete Grievance and Peer Advisor Policy for Non-Represented Staff policy (PDF) may be found on the University's policy website.

Effort Management and Reporting on Sponsored Agreements

New changes and flexibility, due in part to new Federal Regulations (Uniform Guidance), include:

  • PI's and Co PI's may now perform quarterly verifications and certifications for certain individuals working on awards they oversee.
  • Faculty overload salary and related effort is now excluded from Institutional Base Salary (IBS) for non-12 month faculty. This includes supplemental compensation for Continuing and Distance Education classes.
  • The length of absence or disengagement of effort on a project that would require sponsor pre-approval has been defined as three consecutive months or longer.

The complete Effort Management and Reporting on Sponsored Agreements policy (PDF) may be found on the University's policy website.

 


 

Ethics and Compliance Reporting and HelpLine (opens in new window)

Newsletter Archive

HEADLINES:

Here are some pertinent news articles related to higher education compliance that you may find interesting.  Contact us with any questions.

 

Share your story

Every day, people are faced with challenges and difficult situations. And, every day, you and those you work with do things to uphold the values of UVM. This is your chance to tell these stories. All eligible submissions are entered into a drawing for a chance to win a prize.

Do you have a story about someone who acted in such a way that they inspired you? Or do you have a story about someone who exemplifies Our Common Ground?

Send your story to compliance@uvm.edu (email link) for your chance to win a prize.

Winners will be announced in the next newsletter*.

*Given the confidentiality of some matters relating to compliance and taking into consideration individual preference, stories will only be shared with permission and confidential or protected information will be removed.