Appendix A: Likelihood of Non-Compliance Scale
| Rank | Scale | Frequency of Non-Compliance |
|---|---|---|
| 1 | Rare | May only occur in exceptional circumstances; less than once in 10 years. |
| 2 | Unlikely | Could occur at some time; at least once in 10 years. |
| 3 | Possible | May occur at some time; at least once in five years. |
| 4 | Likely | Will probably occur; at least once per year. |
| 5 | Almost Certain | Expected to occur in most circumstances; more than once per year. |
Appendix B: Control Effectiveness Scale
| Rank | Scale | Existing Controls |
|---|---|---|
| 1 | Excellent | |
| 2 | Very Good | |
| 3 | Good | |
| 4 | Fair | |
| 5 | Poor | |
Appendix C: Impact Assessment Framework
Measure of Impact

| Rank | Scale | A. Legal/Compliance | B. Health & Safety | C. Financial | D. Strategic | E. Operational Disruption | F. Reputation |
|---|---|---|---|---|---|---|---|
| 0 | No Impact | Fully compliant | No risk of harm | No financial loss/impact | No impact on strategic goals | No disruption | No public visibility |
| 1 | Very Low | No legal or regulatory enforcement action | No injuries | Little financial loss or impact; ≤ $499 | Slows progress on one strategic goal | Minimal disruption; no impact on service | Unsubstantiated, very low, or no news item |
| 2 | Low | Civil violation with little/no fines | First aid treatment | Financial loss/impact $500 - $999 | Slows progress on more than one strategic goal | Some disruption; limited inefficiencies or delays | Substantiated, low impact, low news profile |
| 3 | Moderate | Significant civil fines/penalties | Medical treatment | Financial loss/impact $1,000 - $99,999 | Stops progress on one strategic goal | Operational changes are necessary to adjust to conditions created by risk or control failure | Substantiated, public embarrassment, moderate impact, moderate news profile |
| 4 | High | Serious violation; criminal prosecution probable | Death or extensive injuries | Financial loss/impact $100,000 - $499,000 | Stops progress on more than one strategic goal | Operations must significantly shift to adjust to conditions created by risk or control failure | Substantiated, public embarrassment, high impact, high news profile, third-party actions |
| 5 | Critical | Significant violation; criminal conviction probable; loss of accreditation or licensure | Multiple deaths or several permanent disabilities | Financial loss/impact ≥ $500,000 or 5% of unit’s base | Loss of accreditation or license and/or reverses progress on one or more strategic goals | Operations are disabled | Substantiated, public embarrassment, high and widespread news profile, third-party actions |
Appendix D: Compliance Risk Examples
Compliance Risks may include, but are not limited to:
Academic and Student Services
- Failure to comply with financial aid regulations, resulting in audit findings or loss of eligibility
- Non-compliance with Title IX requirements for responding to complaints of sexual misconduct
- Mishandling of student information (e.g., FERPA violations)
Research and Sponsored Programs
- Failure to disclose outside financial interests in research
- Inadequate export control screening for international research collaborations
- Mismanagement of federal research grants or cost-sharing requirements
Information Security and Data Governance
- Use of unapproved third-party software or cloud services that violate data protection rules
- Unauthorized access to restricted institutional data due to weak access controls
- Failure to complete mandatory cybersecurity training or system patching
Environmental Health and Safety
- Environmental or laboratory safety violations (e.g., improper storage of hazardous materials)
- Non-compliance with safety protocols in research, clinical, or facilities operations
Administrative (i.e., Finance, Procurement, Human Resources)
- Unauthorized travel or purchases made using University TCard or PCard
- Failure to submit Form I-9 for new hires, including student employees
- Non-compliance with Procurement protocols (e.g., improper use of non-competitive procurement exceptions)
- Unauthorized vendor contract execution and oversight
Appendix E: HECA Matrix
Appendix F: Survey Definitions
Compliance Risk: The potential for legal, financial, reputational, or operational harm resulting from a failure to follow laws, regulations, external standards, or University policies. These risks may arise from specific activities, decentralized processes, gaps in oversight, or the absence of appropriate controls.
The UConn Regulatory Compliance matrix (Appendix E) further lists identified regulations with compliance risks by institutional unit. Please note that this UConn Regulatory Compliance matrix, while extensive, is not exhaustive and other compliance risks may exist for your unit.
Control: Any policy, procedure, activity, or system designed to prevent, detect, or correct non-compliance with laws, regulations, external standards, or institutional policies. Controls help ensure that operations are conducted in accordance with applicable requirements and that risks are appropriately managed.
Controls may be:
- Preventive (e.g., system access restrictions, required pre-approvals)
- Detective (e.g., audits, exception reports, reconciliations)
- Corrective (e.g., policy updates, retraining, system reconfigurations after an issue is identified)
Monitoring: The ongoing activities conducted to ensure that controls are functioning as intended and that operations consistently comply with applicable laws, regulations, policies, and procedures.
Examples include but are not limited to:
- Generating and reviewing reports to assess compliance with system access restrictions
- Supervisors reviewing work for adherence to procedures
- Reviewing completion rates for mandatory training
- Conducting periodic reviews of financial transactions
- Tracking submission of required documentation or certifications