Executive Order GA-48
What is an Executive Order?
An executive order is a directive from a state鈥檚 governor (or the President of the United States) that manages the operations of the state鈥檚 government. Executive orders have the force of law and must be followed by the state鈥檚 agencies and their employees (including Texas public institutions of higher education and their faculty and staff employees).
What is Executive Order-48?
On November 19, 2024, Governor Greg Abbott issued 鈥 Hardening of State Government. The order is intended to protect the State of Texas sensitive and critical infrastructures from certain entities designated as foreign adversaries by the U.S. Department of Commerce: China (including Hong Kong), North Korea, Iran, Cuba, and Russia (鈥淒esignated Countries鈥); and Venezuelan President Nicolas Maduro. The executive order has direct implications for the 黑料视频 System and its component institutions, and for its faculty and staff employees.
Why did the U.S. Department of Commerce designate China (including Hong Kong), North Korea, Iran, Cuba, Russia and Venezuelan President Nicolas Maduro as 鈥渇oreign adversaries鈥?
The Commerce Department has determined that the designated countries and foreign leader 鈥渉ave engaged in a long-term pattern of serious instances of conduct significantly adverse to the national security of the United States or security and safety鈥 of individuals in the U.S.
What does Executive Order GA-48 consider 鈥渃ritical infrastructure鈥?
Critical infrastructure is defined as a communication infrastructure system, cybersecurity system, electric grid system, hazardous waste treatment system, or water treatment facility. .
Are 黑料视频 System faculty and staff employees allowed to travel to the designated countries to attend conferences or meetings, or to conduct other official 黑料视频 System business?
No. At this time, faculty and staff employees are prohibited from traveling to these countries to conduct official 黑料视频 System business. The executive order does not apply to business travel to Venezuela.
May 黑料视频 System faculty and staff employees travel to the designated countries to conduct official business if the designated country pays for the travel.
No. The executive order prohibits employees of all Texas public universities and state agencies from accepting any and all gifts from the designated countries, including paying for travel expenses.
Does Executive Order GA-48 prohibit 黑料视频 System faculty and staff employees from traveling to the designated countries for personal reasons?
No. Faculty and staff employees may travel to the designated countries for personal reasons. However, the order requires individuals to notify the 黑料视频 System before departing to one of the countries on personal travel. The executive order also requires individuals to provide certain information about the trip upon return. The executive order does not apply to personal travel to Venezuela.
How do I provide the pre-travel notice?
Faculty and staff employees should provide the required notice using the 黑料视频 System Personal Travel to Countries Designated as Foreign Adversaries Notification . The asks for: the 黑料视频 System component; First and Last Name; and Destination Country.
How do I provide the post-travel information?
Faculty and staff employees should provide the required post-travel information using the 黑料视频 System International Personal Travel Post-Trip Summary The post-travel asks for: the 黑料视频 System component; First and Last Name; Destination Country; Travel Begin and End Dates; and Purpose of Travel.
How will the 黑料视频 System use the pre-travel and post-travel information?
The information is being collected solely for the purpose of complying with Executive Order GA-48. The individual鈥檚 campus institutional compliance program will retain the information in accordance with state records retention laws.
Organizational Compliance 101
What is Compliance?
Compliance - sometimes referred to as organizational or institutional compliance - is a framework for facilitating adherence to federal and state laws and policies that govern the organization and for promoting ethical and lawful decision-making and conduct on the part of the organization鈥檚 employees. At the 黑料视频 System Administration, this includes incorporating the System鈥檚 ethics and standards of conduct, and its values into daily operations; knowing and following the laws and policies that affect these operations; educating ourselves on the functions we perform that can expose the System Enterprise to legal and regulatory repercussions; and devoting time and other resources to preventing and detecting violations of law and policies that give rise to risks associated with failing to comply with these laws and policies (i.e. 鈥渃ompliance risks鈥).
Where did institutional compliance originate?
High-profile scandals in the 1970s and 1980s highlighted the widespread practice of companies bribing politicians and government officials. In 1991, the Federal Sentencing Guidelines were promulgated in an attempt to bring greater consistency in sentencing, including sentencing organizations that were convicted of violating federal law.
See Pew Research Center. Public Trust in Government: 1958-2024. .
What is the purpose of the Federal Sentencing Guidelines?
The Guidelines: (1) incentivize organizations to self-police their corporate behavior; (2) provide guidance on effective compliance and ethics actions organizations can take to demonstrate a good-faith effort to self-police; and (3) hold organizations accountable based on defined culpability factors.
The organizational sentencing guidelines have wielded significant influence on corporate America鈥esigned to incentivize corporate self-policing through its 鈥榗arrot and stick鈥 philosophy鈥t has 鈥榗atalyzed vigorous efforts by companies to promote ethical performance and reduce organizational misconduct.
See United States Sentencing Commission. 鈥淭he Organizational Sentencing Guidelines: Thirty Years of Innovation and Influence. August 2022.
Do public agencies and universities need compliance programs?
High-profile scandals over the decades, such as ABSCAM and Iran-Contra, demonstrate why organizational compliance, accountability and responsibility is not limited to the private sector.
What is the benefit of having an institutional compliance program?
Compliance programs foster compliance with the law, which contributes to an organization鈥檚 effectiveness and mission accomplishment, including by eliminating the disruption and diversion of resources resulting from investigations into suspected misconduct. Practically, when determining whether to prosecute an organization for criminal conduct, the Department of Justice considers the 鈥渁dequacy and effectiveness of the corporation鈥檚 compliance program鈥 both at the time of the alleged conduct and at the time the federal government is deciding whether to prosecute. See DOJ Justice Manual 9-28.000 - Principles of Federal Prosecution of Business Organizations.
Is the 黑料视频 System Administration required to have a compliance program?
黑料视频 System Regulation 02.1000 requires each component of the System Enterprise to have a compliance program that is designed to prevent and detect violations of law and policies; and that encourages all employees and individuals acting on behalf of the System to conduct themselves lawfully, honestly and with integrity, including preventing retaliation against individuals who make good faith reports of suspected misconduct.
What can happen if the 黑料视频 System Administration does not have an effective compliance program?
An organization鈥檚 employees can be sentenced to prison for violating certain federal and state laws. While organizations cannot be sent to prison, they can be prosecuted, fined, ordered to make restitution, and prohibited from receiving federal and state funds. The U.S. Department of Justice has made it clear that the prosecution of organizational criminal conduct 鈥渋s a high priority.鈥 See 鈥淥verview of Organizational Guidelines鈥 and DOJ JM9-28.800.
How does an organization know when it has an effective compliance program?
The Federal Sentencing Guidelines expect compliance programs to have eight components:
- Standards and procedures reasonably capable of reducing the prospect of criminal activity
- Oversight by high-level personnel
- Due care in delegating substantial discretionary authority
- Effective communication to all levels of employees
- Reasonable steps to achieve compliance, which include systems for monitoring, auditing and reporting suspected wrongdoing without fear of retaliation
- Consistent enforcement of compliance standards including disciplinary mechanisms
- Reasonable steps to respond to and prevent repeated violations once a violation is detected
- Promotion of an organizational culture that encourages a commitment to compliance and the law
When determining whether an organization鈥檚 compliance program is effective, the U.S. Department of Justice asks three 鈥渇undamental鈥 questions:
- Is the compliance program well designed?
- Is the compliance program adequately resourced and empowered to function effectively?
- Does the organization鈥檚 compliance program work in practice?
See DOJ Criminal Division. 鈥淓valuation of Corporate Compliance Programs.鈥 Updated March 2023.
What does an effective compliance program look like in practice?
In 2005 the U.S. Department of Health and Human Services Office of the Inspector General published seven tangible requirements that a program must demonstrate in order to be effective:
- Written policies and procedures
- Compliance leadership and oversight
- Training and education
- Effective lines of communication
- Enforcement of Standards: incentives and consequences
- Risk assessments, audits, and monitoring
- Prompt response to detected violations and corrective action
See U.S. Department of Health and Human Services Office of the Inspector General. 鈥淕eneral Compliance Program Guidance.鈥
Reporting Suspected Wrongdoing by Speaking Up
What should I do if I suspect wrongdoing?
An employee or individual authorized to act on behalf of the 黑料视频 System who reasonably believes a System employee鈥檚 or vendor鈥檚 conduct violates law, Regents Rule, System Regulation, or policy is expected to speak up and report the suspected wrongdoing. Other individuals are encouraged to report suspected wrongdoing.
Why should I Speak Up?
Speaking up when we observe conduct that is not in the best interest of our 黑料视频 System community is a form of engagement. Speaking up also models exceptional standards by holding ourselves and others accountable.
Where can I Speak Up about suspected wrongdoing?
Suspected wrongdoing can be reported in several ways, including anonymously:
- Notify your supervisor unless your supervisor is the person suspected of the wrongdoing.
- Notify the 黑料视频 System Administration Compliance and Ethics Program at: 940.565.2156 or compliance@untsystem.edu.
- Online at the at: . (Reports can be made anonymously).
- Inform the if the suspected wrongdoing involves fraud, waste or abuse of public resources at or the agency鈥檚 fraud hotline at SAO Fraud Hotline at 1-800-TX-AUDIT (1-800-892-8348).
What if I am afraid to hold someone else accountable by Speaking Up about suspected wrongdoing?
Reporting suspected wrongdoing is in the best interest of the 黑料视频 System and the people we serve. To encourage a culture of accountability and compliance, the System against individuals who report suspected wrongdoing and has implemented a program to protect against retaliation. Also, the protects employees who report unlawful activity in good faith from retaliation.
Difference Between Compliance and Internal Audit
What is Compliance?
"Compliance鈥 - sometimes referred to as organizational or institutional compliance - is a framework for facilitating adherence to federal and state laws and policies that govern the organization, and for promoting ethical and lawful decision-making and conduct on the part of the organization鈥檚 employees. The Compliance & Ethics Program operationalizes this framework with a focus on establishing an organizational culture that is committed to ethical and lawful decision-making and on preventing and detecting violations of the law and policy (i.e. 鈥渃ompliance risks鈥). It also assists management officials continuously identify compliance risks and provides advice on controls to mitigate these risks.
What is Internal Audit?
According to the Institute of Internal Auditors, internal audit is 鈥渁n independent, objective assurance and consulting activity designed to add value and improve an organization鈥檚 operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes鈥and] provides assurance that internal controls in place are adequate to mitigate the risks, governance processes are effective and efficient, and organizational goals and objectives are met.鈥 See Institute of Internal Auditors. 鈥淲hat is Internal Audit?鈥 .
What is the difference between Compliance and Internal Audit?
The 鈥淭hree Lines of Defense鈥 model for risk governance depicts the difference between management, Compliance and Internal Audit this way:
- First line: Management has the primary responsibility to own and manage risks associated with day-to-day operational activities. Other accountabilities assumed by the first line include design, operation, and implementation of controls.
- Second line: The second-line function enables the identification of emerging risks in daily operation of the business. It does this by providing compliance and oversight in the form of frameworks, policies, tools, and techniques to support risk and compliance management.
- Third line: The third-line function provides objective and independent assurance. While the third line鈥檚 key responsibility is to assess whether the first- and second-line functions are operating effectively, it is charged with the duty of reporting to the board and audit committee, in addition to providing assurance to regulators and external auditors that the control culture across the organization is effective in its design and operation. See Deloitte. 鈥淢odernizing the three lines of defense model 鈥 an internal audit perspective.鈥 .
What is a 鈥渃ompliance risk鈥?
defines a 鈥渃ompliance risk鈥 is an action or inaction that exposes an organization to legal or regulatory sanctions. These sanctions can be in the form of fines or penalties, or in some cases criminal prosecution. 黑料视频 System Administration employee and individuals authorized to act on behalf of the System Enterprise can expose the organization to sanctions.
Are compliance risks the same as other risks?
Generally, a compliance risk exposes the System Enterprise to criminal liability or civil or administrative sanctions due to a violation of law or policy, including an ethics violation. On other risk, such as environmental, financial, governance, operational, people, reputational/brand, social and safety, strategic, and technological, expose the System to other types of potential harm.
What can I do to contribute to a culture of ethical and lawful conduct?
- Read the 黑料视频 System Administration policy and model exceptional ethical behavior
- Read the policy and demonstrate courageous integrity by speaking up when your training and experience leads you to believe wrongdoing has occurred.
- Stay current on your ethics and compliance-related training (e.g. conflict of interest, dual employment and outside activities, nondiscrimination, prohibition against sexual assault/ harassment, information security, and privacy).
How can I learn more about the 黑料视频 System Administration Compliance and Ethics Program?
Be curious and explore the Compliance and Ethics Program webpage often. You will find information about compliance in general, compliance news you can use in your daily professional activities, and more.
Compliance Review of Regulations and Policies
What is a Policy?
A policy is a governing principle that communicates and supports the organization鈥檚 values, standards and expectations; guides the behaviors, decisions and actions of employees and other individuals in their interactions with the 黑料视频 System and it鈥檚 component institutions; ensures compliance with applicable laws, 黑料视频 System Regents Rules, System Regulations and component institution policies; promotes the efficient and effective use of 黑料视频 System resources; and manages organizational risks. For a policy to be enforceable, it must be approved in accordance with 黑料视频 System Regents Rules 02.200.
Is there a difference between a policy and procedure?
Yes. A policy sets out the principles that guides the organization and must be approved by the chief executive officer of the 黑料视频 System or the particular component institution, and reviewed by the 黑料视频 System Office of General Counsel for legal sufficiency. Once approved for legal sufficiency and approved by the chief executive officer, policies are published in each organization鈥檚 policy manual, found at: /about-us/policies/. A procedure is the process that outlines how a policy will be implemented and can be approved by the official responsible for administering the function or operation addressed in the policy. Procedures may be included in documents such as guidelines and handbooks.
Why does the Compliance & Ethics Program review policies?
Effective policies are essential to an effective compliance program. An organization鈥檚 policies 鈥 鈥渇rom appropriate assignment of responsibility, to training programs, to lines of reporting and communication, to systems of incentives and discipline鈥 鈥 should contribute to the integration of compliance into its 鈥渙perations and workforce.鈥 U.S. Department of Justice Criminal Division 鈥淓valuation of Corporate Compliance Programs鈥 (Updated September 2024). The compliance review assists management officials, as the policy owners, fulfill their responsibilities to ensure policies address risks that could expose the organization and its employees to criminal, civil and regulatory sanctions. .
What does the Compliance & Ethics Program look for when reviewing policies?
Generally, the compliance policy review consists of:
- assessing whether a policy addresses a function or activity that could result in criminal, civil, or regulatory sanctions;
- assessing whether a policy aligns with applicable laws and policies (in consultation with the Office of General Counsel which is solely responsible for determining whether policies comply with applicable laws, Regents Rules, System Regulations and component institution policies);
- recommending measures that can be included in policies to prevent and detect possible violations of laws and policies;
- evaluating the adequacy of proposed measures in managing compliance risks;
- evaluating the impact, likelihood and velocity of compliance risk(s) addressed in the policy; and
- identifying areas where policies can facilitate ethical and value-based decision-making and conduct.
The full scope of the compliance review is in the 黑料视频 System Administration 鈥淐ompliance & Ethics Program Regulation and Policy Review Guide.鈥