Responsible officers are required to ensure that monitoring compliance with policies occurs, per Administrative Policy: Establishing Administrative Policies.
- What is monitoring?
Monitoring is the process of checking compliance with policy requirements. There is no requirement to monitor those elements of the policy that are “strongly encouraged” or otherwise expressed as optional.
- Why is policy monitoring required?
Information gathered through monitoring provides responsible officers or their designees, often the policy owner, an opportunity to identify compliance challenges with current policies and address low compliance rates.
- If I’m a policy owner, do I need to monitor everything covered by my administrative policy?
For higher risk policies, policy owners must use an active approach to monitoring required elements of a policy. In some circumstances directly monitoring compliance with a policy element may not be reasonable, and a more passive monitoring approach may be appropriate.
- What’s the difference between passive and active monitoring?
Passive monitoring typically involves taking action when a triggering event, such as a reported incident, occurs. Noncompliance could be a single isolated event or owners may, in the course of investigating the noncompliance, determine that there’s likelihood that there is a pattern to also be investigated. Passive monitoring is more appropriate for policies where the risk and impact of noncompliance is low and where it’s more difficult to actively monitor compliance. Active monitoring is generally where the policy owner establishes a regular plan to review key elements of the policy, determines the frequency of the monitoring, as well as the method.
- I’ve never monitored my policy before. What are acceptable approaches to actively monitoring policy requirements?
There are a number of ways to actively monitor compliance with the policy. The most common approaches include:
- creating and reviewing exception reports to capture activity outliers;
- reviewing a sampling of transactions that have occurred to see if they were in alignment with the policy requirements;
- approving all or some of the transactions prior to processing; or
- conducting an onsite review.
You may want to start with reviewing the requirements that are externally imposed (e.g., laws, regulations) and see how you might monitor those first. Then move on to those requirements that are imposed by the University, especially those which carry the greatest risk.
- I don’t have unlimited resources to conduct the monitoring. Do you have centralized funding that I can access to hire an employee to do this work?
We do not have central funds available for monitoring activities. In most situations, policy owners should be able to establish a monitoring plan that uses current resources and does not diminish current unit performance. For example, a unit may opt to use a sample size involving transactions that can be executed by current staff.
However, if the risk of a particular activity warrants additional resources or different prioritization of work being conducted by your unit that should lead to discussions with unit leadership.
- How do I document my monitoring efforts?
There is no required form for documenting monitoring; however, creating an Excel spreadsheet might be a good option. You will need to provide the compliance rate on the comprehensive review form the next time your policy is up for review.
- Do I need to report the results to anyone?
Results of monitoring should be communicated to someone in your leadership structure, at least annually. If there are significant findings through your monitoring activities, we strongly encourage you to notify your manager and senior leader.
- If I find areas where the compliance rate is low, what should my next steps be?
The action and escalation taken depends largely on the types of failures. Monitoring results should be shared with the appropriate management in the area being monitored and a process improvement plan developed where needed. In some cases it may be discovered that a policy requirement needs to be revised to improve clarity. For serious non-compliance in a high risk area, a training strategy may need to be deployed or other action, such as the supervisor starting the disciplinary process.
- Is there someone with whom I might speak to discuss my specific policies and an appropriate monitoring plan?
Yes. You may contact the Office of Institutional Compliance or work with your designated senior leader to find a structure that meets this requirement.