Compliance: Risk Assessment & Inventory
WJU Audit Committee
Date to be reviewed:
The Wheeling Jesuit University compliance program is predicated upon a strong Risk Assessment and Compliance Inventory listing the areas of possible risk and the various regulations, policies and requirements which must be managed to minimize that risk to the University [NOTE: The Compliance Inventory is an expansion of the plan graciously shared by Catholic University in Washington, D.C. for the University to use as a benchmark].
2.1 Policy Statement
- The University will conduct a systematic process to identify, document, analyze and mitigate risk within the various compliance areas around campus.
- The University will develop a Compliance Inventory, by compliance area, of all identified risk and the associated regulations, policies and requirements for which University-wide compliance is mandated. This Compliance Inventory forms the nucleus of the University's Compliance plan.
- The University will conduct a Gap Analysis and develop an Action Plan to identify areas of risk and to prioritize the policies and procedures needed to bridge the gap between available documentation and required documentation.
2.2 Definitions
- Risk Assessment - The comprehensive process to identify, document, analyze and mitigate risk.
- Risk Matrix - The chart that correlates the probability of an occurrence with the severity of the occurrence.
- Compliance Inventory - A comprehensive list of relevant legal, regulatory and internal policies for which University-wide compliance is mandated by the government, regulatory agency, association to which the University belongs or the Board of Directors. This Inventory forms the nucleus of the University's compliance efforts in the areas of process improvement, training and assessment.
- Line Entry - Each row on the Compliance Inventory lists the requirements of one (1) individual regulation, policy or requirement, referred to as a source document, which must be managed to "best practices" to minimize the Risk of non-compliance.
- Managing Risk - The actions which must be undertaken in training, postings or other forms of communications in-line with "best practices" to minimize the Risk of non-compliance.
- Compliance Risk Assessment - A chart that establishes a numeric value between 1 and 20 as the basis for assessing the risk of non-compliance. It is based upon the probability that an event may occur as well as the severity of the event if it occurs with "1" being the highest Risk and "20" being the least.
2.3 Risk Assessment
- The functional experts on the Compliance Team will analyze, with members of their compliance area, the existing managerial controls and the areas in need of managerial control.
- Within the Compliance Area, the experts may use current or historical litigation, charges or complaints filed, external audit findings and recommendations, or general area consensus to identify possible risk.
- Within the Compliance Area, the experts will have a list of mandated regulations, policies and requirements from which to determine if the area is in compliance.
- The Compliance Team, as a whole, will assign Risk to each item noted, paying particular attention to those areas where controls are absent. An Action Plan will be developed to address the absent documentation.
- All subsequent information will be placed on one (1) controlling document, the Compliance Inventory.
2.4 Building the Compliance Inventory
The Compliance Team evaluates individual "line entries" according to the following twelve (12) columns:
- Item (inventory number) as described in 2.3 below.
- Regulation / Policy / Requirement is the source document on which a line entry is based.
- Area / Department / Administrator is the Compliance Area (which may cross over multiple departments), the Department(s) into which the line entry falls, and the administrator responsible for implementation.
- Summary of Requirements provides a brief description of the line entry mandated activities.
- Risk is determined from the Compliance Risk matrix and highlights the danger of non-compliance.
- Elements of Managing Risk defines what the responsible administrator must do to minimize the Risk.
- Applicable University Policies describes the University policy or procedure designed to minimize the Risk.
- Required Training or Notice defines what must be communicated, how it must be communicated and any associated training to minimize the Risk.
- Process / Policies / Procedures Status describes the point in development of managing the risk where the Administrator believes he / she is as of the date of the inventory.
- Measure of Compliance defines the deliverable, record, document, training, or outcome that must be available to demonstrate compliance with that line entry.
- In Compliance (Y / N) is an ASSESSMENT GUIDE for internal auditors to rate whether or not each individual line entry is in compliance with its requirements and thereby minimizing the risk.
- Corrective Actions to be in Compliance is an ASSESSMENT GUIDE for internal auditors to state the measures of compliance that need to be provided if the line entry is to be considered in compliance.
NOTE: The Compliance Inventory may list regulations, policies or requirements for which controls are absent or list concerns for which applicable regulations, policies or requirements have not been identified. These will be recognized in the Gap Analysis and appear on the Action Plan.
2.5 Maintaining the Compliance Inventory
The Compliance Team, in monthly meetings with the Compliance Coordinator, reviews portions of the Compliance Inventory and develops training and audits to aid in compliance. The Team may revise the Compliance Inventory as source documents are revised, added or deleted.
2.6 Assessing the Compliance Inventory
The Compliance Coordinator will establish a schedule (timeline) to audit the Inventory, review the line entries, review the compliance areas and ensure that all relevant data is captured. In years when an external audit is completed, it will suffice in lieu of an internal audit.
2.7 Inventory Index
Line items on the Compliance Inventory are maintained by compliance area and numbered as follows:
1.00 - 1.99 Employment and Personnel
2.00 - 2.99 Information Technology and Security
3.00 - 3.99 Athletics
4.00 - 4.99 Environmental, Occupational and Facilities
5.00 - 5.99 Student Related
6.00 - 6.99 Financial Controls and Taxation
7.00 - 7.99 Sponsored Programs
The authorization for this policy emanates from the Wheeling Jesuit University Board of Directors; it cannot be changed or modified absent the express written consent of the Audit Committee.
Compliance Risk Matrix