Effective Compliance Program

Seven Elements of an Effective Compliance Program

What is Compliance

Within higher education, institutions must follow, or rather, "comply" with, the myriad of laws and rules colleges and universities are subject to. This is not just limited to federal and state laws and regulations. Compliance for a higher education institution also means following relevant case law, accreditation standards, as well as an institution’s own internal rules, policies and procedures, and even contractual obligations of the institution as a result of agreements codified into contract, employment contracts, and collective bargaining agreements.

Sources of Compliance at Higher Education Institutions

What is a Compliance Program

The Federal Sentencing Guidelines for Organizations recommends that all organizations have a comprehensive compliance program in place. A definition of a ‘compliance program’ that is generally accepted across all industries, including higher education, comes from the Federal Sentencing Guidelines for Organizations, a publication of the United States Sentencing Commission. According to the Guidelines, a ‘compliance and ethics program’ is defined as “a program designed to prevent and detect criminal conduct.” A portion of the guidelines outlines what constitutes an “Effective Compliance and Ethics Program,” and describes seven specific elements that are the minimum elements needed to form an effective compliance program. These seven elements are: Standards and Procedures (defined as “standards of conduct and internal controls that are reasonably capable of reducing the likelihood of criminal conduct”); organizational leadership and culture; reasonable efforts to exclude bad actors from managerial ranks; training and education; monitoring, auditing and evaluation of program effectiveness; performance incentives and disciplinary measures; appropriate remedial action; and risk assessment.

The original intent of these seven elements was to help provide a framework to federal judges who were determining culpability of a corporation that was convicted of wrongdoing, under the premise that the more robust a compliance and ethics program, the less severe the corporation’s punishment would be. While these elements were originally for this limited purpose of reducing liability, they have now become synonymous with the elements of an effective compliance program across all industries, including higher education.

Seven Elements of an Effective Compliance Program

According to Chapter 8 of the Federal Sentencing Guidelines, the elements of an effective Compliance Program are as follows:

    Establish compliance standards and procedures to be followed by employees and other agents to prevent and detect criminal conduct (via a Code of Ethical Conduct or some other means).
    High-level company/University personnel shall exercise reasonable oversight with respect to the implementation and effectiveness of a compliance and ethics program, and must be knowledgeable about the content and operation of the program.
    • Individuals with day-to-day responsibility must have the authority/ability to report directly to the board or an appropriate sub-committee at least annually regarding the effectiveness of the compliance program, and also when criminal conduct is discovered.
    Take reasonable steps to communicate its standards and procedures, and other aspects of the compliance and ethics program, to members of the institution, including the governing authority, high-level personnel, substantial authority personnel, organization employees, and the organization's agents (when appropriate). The communication should include establishing compliance and ethics training and education that effectively communicates the standards and procedures to all employees by requiring participation in training and disseminating publications that explain in clear language WHAT is required. Information on individuals' roles and responsibilities should also be disseminated.
    Take reasonable steps to ensure the compliance and ethics program is followed by monitoring and auditing to detect criminal activity or non-compliance, periodically evaluating the effectiveness of the compliance and ethics program through periodic risk assessment to identify criminal conduct, and establishing and publicizing a mechanism for anonymous and confidential reporting that allows employees and agents to report or seek guidance regarding actual or criminal conduct without fear of retaliation.
    Standards shall be promoted and enforced consistently through well-publicized and accessible disciplinary guidelines. Further, establish a response to detected offenses and corrective action plans, and consistently enforce standards through appropriate disciplinary mechanisms to prevent similar conduct. If criminal conduct is detected, the organization must make restitution or other reparations, if appropriate; the criminal conduct should be reported, and the organization should cooperate with government officials. The compliance program should be assessed and amended as necessary to ensure further criminal conduct does not occur.
    When criminal conduct or non-compliance has been detected, the institution should take reasonable steps to respond appropriately to the conduct, and to prevent further similar conduct from occurring in the future, including any modifications to the organization's compliance and ethics program.
    Use reasonable efforts not to include any individual who the organization knew or should have known (through due diligence) to be engaged in illegal activities or conduct inconsistent with an effective compliance and ethics program.

Benefits of a Compliance Program

A Compliance Program is Proactive, Not Reactive: a Compliance Program helps to create a structure around all compliance obligations and risks, so that an institution proactively understands them and makes efforts to mitigate them in a consistent way before a crisis arises.

Compliance helps an institution avoid:

The 7 Elements at SUNY

The following list gives examples of some of the Compliance Structures SUNY has in place at the System level. Campuses also have their own Compliance structures that comprise the seven elements at their institutions on a local level, in addition to the System-wide Compliance structures at SUNY System Administration.

SUNY's System-wide Policies are available via the SUNY University-Wide Policies and Procedures webpage.

Standards and Procedures

Organizational Leadership and Culture

Training and Education

Monitoring, Auditing, Evaluation of Program Effectiveness, and Risk Assessment

Performance Incentives and Disciplinary Measures

Appropriate Remedial Measures

Compliance and Risk Terms Defined

Compliance, in general terms, is the act or process of ensuring conformity with the laws, rules, regulations, policies, and contract terms; following and fulfilling the official requirements that an institution is subject to. In the higher education context, the list of laws, rules, regulations, policies, and contracts that an institution must comply with is vast. Examples of compliance topics in higher education include environmental health and safety, information security, athletics, disability and accessibility, conflict of interest and ethics, business continuity, emergency preparedness, education and student relations, employee relations and human resources, financial aid, equity and diversity, financial management practices and fraud, internal controls, healthcare, information management, international, immigration, research, public health and safety, student rights and responsibilities, among others.

A compliance program, then, is the systematic way by which an institution ensures that the provisions of all the various laws, rules, regulations, and policies imposed by the authoritative agency, whether internal or external, are being met.

Enterprise Risk Management
ERM is a formal and continuous process that is designed to identify, assess, prioritize, and manage all risks and opportunities for an institution, not just the risks that are insurable. Correctly implemented, ERM can help to ensure that SUNY is meeting its strategic goals and objectives by providing an opportunity to coordinate and focus SUNY’s numerous risk management activities; creating a “risk-aware” culture; providing a formal mechanism for responding to significant events; and enhancing collaboration and communication throughout the system.

Enterprise Risk Management seeks to:

Traditional Risk Management/Loss Prevention (Insurance)
Risk management is the identification, assessment, and prioritization of risks.  The ISO 31000 defines risk management as “the effect of uncertainty on objectives, whether positive or negative.”  Traditional risk management deals with the insurable risks of an institution or corporation, and the insurance structures an institution needs to set up to have monetary assurance in the event of a risk loss.

Policies and Procedures
Policies and procedures are the principles, rules, and guidelines formulated or adopted by an organization to reach its long-term goals. They are typically published in a booklet or other form that is widely accessible. Procedures usually outline the methods by which a policy should be followed. Together, policies and procedures ensure that a point of view held by the governing body of an organization is translated into steps that result in an outcome compatible with that view.

Internal Control
Internal Control is the integration of activities, plans, attitudes, policies, systems, resources and efforts of the people of an organization working together to provide reasonable assurance that the organization will achieve its objectives and mission.

External Compliance Resources



Creating a Compliance Program at a Campus

Building a Proactive Compliance Program in Higher Education, Nedra Abbruzzese-Werling and Joseph Storch, 2015 University Risk Management and Insurance Journal, Volume 19, 2015, page 35.  URL to access Journals by Volume No.

The information contained on the SUNY Compliance website is for general campus guidance only and is not intended, nor can be relied upon, as legal advice or the imposition on SUNY campuses of specific policies or requirements. The site is intended to be an informational-only clearinghouse for some of the laws, rules, and regulations that may impact the State University of New York’s campuses. Additionally, given the rapid, changing nature of laws, rules and regulations, there may be delays or omissions contained on this site which therefore cannot be relied upon as complete. For complete compliance information, consult your campus compliance officials. For legal advice, consult your lawyer.