Compliance in Business Areas
Selecting one of the business areas covered – marketing, human resources, or information security, describe how critical the business function is to creating a compliant culture in an organization.
Of the three business areas covered information security is the area that may make the most critical contribution to creating a compliant culture in an organization. No other area, in my experience, has been subject to more well-meaning abuses than information security. Misunderstandings regarding copyright laws and their application in the educational environment have led to the inappropriate reproduction of huge amounts of material over the years. With the advent of readily avaiable information via the world wide web and the ease with which copyrighted software was once copied onto multiple workstations for the convenience of students and instructors the issue has become even more complicated. I once worked with an employee who refused to teach any software that he/she could not install on his/her home system using a bootlegged copy. A company can send an unmistakable message to its employees by establishing strict adherence to regulations governing this area of operation. The climate of sincerity and fairness that can be established by effective policies in this business area can have a positive impact in the other business areas identified.
Information security is an important issue. There are multitudes of paperwork on prospective and current students. Sometimes employees don't realize what may be thrown in the trash is compromising confidentiality. Records or even note papers must be shredded if not meant to be kept in a locked and fireproof file. At all times it is important to keep the files and if you have a file room, keep them locked at all times. It is important to check issues reguarding privacy at all times, in order to insure compliance and also keep prospects and students information confidential.
I was pleased to see that both Janie and Richard mention information security. Richard is on target with the exposure schools have to copyright laws in particular with the volume of students and faculty accessing various software and publications. The zero tolerance environment he mentioned is key to sending the message of compliance.
As for records, I agree with Janie on the need to shred. As an auditor, I like to do a simple test - look for the shredder(s). Are they accessible? I have seen some schools actually have a personal size shredder in offices which print a lot of record information - it's just as convenient to toss something in the shredder than the trash. If you cannot find a shredder or it's in a remote location (different floor, etc.), it's a good idea to dig deeper to see if they have a process in place to batch records for daily shredding.
It seems we are all in agreement with regards to information security being one of the largest issues that we need to deal with at the schools.
The copyright laws are always an issue. It is not uncommon to have instructors find some tidbit that they want to share with their students on the intranet and think nothing of printing the information for mass distribution without one thought about copyright laws.
We all print reports and information on our students and ensuring that our staff does not just throw the information in the trash without thinking is a constant issue. Not only do we have shredders available in most of the offices we also have large collection containers in high traffic areas that are collected and destroyed on a weekly basis at all of our facilities.
I also think that FERPA education is another challenge we face. The schools need to have a good program in place to educate all staff members on FERPA. I find that there can be so many misinterpretations with regards to what can and cannot be discussed about students and the release of student records.
Excellent points, Kathleen. It does seem that there are many mis-conceptions about FERPA. Some institutions implement policies that are more restrictive than FERPA to err on the side of caution. That sometimes leads employees to believe that the institutional policy IS the FERPA guideline. This particular MaxKnowledge course is an overview to compliance but, we intend to add additional courses that dig into each functional area. One of those courses should include some depth with regard to FERPA regulations.
The internal compliance review of marketing and advertising functions at career colleges are essential. What we state in our advertising and marketing materials is factual and supported by documentation. Furthermore, our catalog goes beyond the requirements of our accrediting body to provide students with the information they need to make an informed decision.
I would be very interested in a course on FERPA. Our campuses are requesting this information constantly. And, like the institutions Traci referred to I believe that my organization is currently more restrictive than the FERPA guidelines - which is causing the confusion on the campuses.
I agree with John that an internal review of marketing and advertising functions is essential. I am confident that our catalog meets or exceeds the requirments of our accrediting bodies and states, however we currently do not review every piece of our marketing/advertising materials. Adding this to a periodic internal review would certainly help. Do any/all of you review every piece of marketing/advertising? If so, how do you find the time?
I would love to hear from others on current practices. I can tell you that I have seen some schools use a "review" process before anything is published and then a "spot check" of current ads during a visit.
Does anyone else have any practices in place that you can share and whether or not you think they are effective in managing compliance with the mass volume of printed materials?
Information Security is very critical since schools must protect the information of students from fraudulant activities that could put someone's records in the wrong hands, which could leave the institution liable and cause them to suffer penalties.
I think Human Resources is also critical to creating a compliant culture. From the time a potential new Faculty or Staff member first visits your campus to interview through their initial orientation, they are exposed to and begin assessing your organizational values and culture. How are interviews conducted, is the appropriate pre-employment paperwork collected, how is orientation handled, are compliance issues integrated into orientation, etc. Human Resources not only needs to lead by example by being compliant with all of the regulations governing employment, they also need to be cognizant of their role in creating an overall first impression of the organization with new Faculty and Staff. Compliance issues need to be integrated and discussed as part of the orientation process in order to be seen as something the organization places a high value on.
Cheryl - Excellent points. The culture of the company is tied to perceptions of the employees and the HR department can influence this from the start. In addition to the governance of employment you mention, there are also accreditation requirements that tie back to HR including verification of credentials, licensing where necessary, and specific document collection. This is certainly a department that should not be overlooked as part of a comprehensive internal audit.
Privacy laws are increasingly strengthened and protection of confidential information should be a priority in schools and as part of a solid audit function.
I think Information Security is also critical to creating to compliant culture. Because is important to explain to all the personnel of the Institution the importance of the laws of FERPA, GLB and the Sys and that knows the information that can be share and as no, since any violation to these laws or guides could entail violations to the Institution.
Jorge - You bring up a good point about personnel understanding the importance of the various laws and regulations. Training is key to ensuring compliance - if employees don't know the guidelines, they don't know they are in violation and can unknowingly create problems for the college.
Human resources-related functions are absolutely essential to maintaining a compliant culture. In past experience, if you do not focus the appropriate level of attention on these types of issues, employees immediately get the impression that the organization does not value compliance and/or "follow the rules." Marketing is another key area, as it really is critical that you exercise truth in advertising. It is easy to overstate how much you believe in your school at the expense of keeping your feet firmly planted in reality.
Great points, Seth. This is clearly a "people" business and from an HR and marketing/recruitment perspective, it's easy for employees to say something wrong even if they do so inadvertently and/or with good intentions. Many schools who have done "mystery shopping" and/or call recording and review have been surprised by what they hear their employees say to prospects.
Just keep the marketing/ads factual, Lori. Sure, they'll be boring, but you won't have any regulatory problems.
To those of you who have not yet tried it, I strongly suggest that you arrange a mystery shopper to visit your own school. You may be very surprised with the results.
