You Already Have a Compliance Program. You Just Don’t Know It Yet.
Early in my career, I was hired as a new administrator at a mid-sized private institution. I was four months out of law school. I was still learning where the bathrooms were. A few weeks in, the General Counsel — a sharp, no-nonsense man who had clearly seen everything — walked into my office, placed a three-inch thick binder on my desk, and said, without ceremony: "Here are all the things I think we have to comply with. Go find out if we're doing that. And if we're not, fix it."
Then he left.
I was terrified. Not a little nervous — genuinely terrified. I had a law degree and approximately four months of professional experience. I didn't know everyone on campus. I didn't know whether we were complying with requirements I'd never heard of. I had no idea where to start, who to call, or what "fixing it" would even look like. I just had a binder, an expectation, and the very clear sense that I was in way over my head.
Here's what I eventually figured out: compliance was already happening on that campus.
It was happening in Financial Aid, where staff were quietly managing Title IV obligations. In HR, where someone tracked FMLA leave and OSHA requirements. In the Title IX office, in research compliance, in athletics, in the bursar's office.
Nobody called it a "compliance program." Nobody had drawn a map connecting all of it. But the actual daily work of keeping the institution out of trouble was being done — by people all over campus, working in isolation, without a shared language or a shared structure.
The problem wasn't that compliance wasn't happening. The problem was that nobody could see it whole.
What I needed was a framework. Something I could apply systematically — not just to the institution as a whole, but to any single regulatory area within it.
I eventually found it in the Federal Sentencing Guidelines for Organizations.
Most administrators have never heard of them. They're not a Department of Education regulation. They don't apply specifically to higher education. They were originally written to govern how courts sentence organizations convicted of federal crimes. And they are, technically, seven elements — not eight.
I call them eight.
Here's why: the Guidelines identify seven specific requirements for an effective compliance and ethics program. But compliance risk assessment — which the Guidelines treat as implicit — is so foundational to everything else the program does that the compliance profession widely treats it as its own distinct element. I agree. You can't prioritize training, allocate monitoring resources, or build mitigation plans without first knowing what your obligations are and where you're most at risk. So: eight elements. I'll own that.
And that framework maps almost perfectly onto what your institution is probably already doing in fragments across a dozen different offices.
The eight elements are: leadership and governance, written policies and standards of conduct, compliance risk assessment, training and communication, reporting mechanisms, monitoring and auditing, enforcement and disciplinary standards, and response to detected concerns.
Before you glaze over at that list — here's how I want you to read it:
✅ Leadership and governance: You have a General Counsel. A President. Maybe an Audit Committee of the Board. That's a start.
✅ Written policies: You have an employee handbook. Title IX policies. A code of conduct. Sponsored research requirements. They live in different places, managed by different people — but they exist.
✅ Training: You're doing mandatory harassment training. FERPA reminders. New employee orientation. Separate, uncoordinated, sometimes overwhelming — but it's happening.
✅ Reporting: You have an HR grievance process. A Title IX pathway. Maybe a hotline. The infrastructure is partial — but it's there.
I could go on. The point is this: look at your institution through the lens of these eight elements and you will almost certainly find that most of the compliance work is already being done. What's missing is the connective tissue. The shared map. The 30,000-foot view.
Here's what it actually looked like when I got to work.
I built a spreadsheet. I downloaded the Higher Education Compliance Alliance's Compliance Matrix — now maintained by NACUA — and used it as my starting point. Then I looked at the org chart and started making educated guesses about who might be responsible for compliance with specific regulations. And I started scheduling meetings.
A lot of meetings.
I had to humble myself completely to that process. I walked into people's offices — people who had been at this institution for decades, who knew things I would never know from reading a binder — and I asked them to teach me. What does your job actually look like? What keeps you up at night? What are you doing daily, monthly, quarterly, annually just to keep this place compliant?
What happened next still matters to me.
Because I came in curious instead of authoritative, people were willing to share. They told me about best practices in their areas that weren't in any compliance matrix I'd ever downloaded. They told me about tasks that had been assigned to them that didn't appear on anyone's radar. And — this is the part that stayed with me — some of them told me about compliance responsibilities they had been carrying alone, that they didn't fully know how to fulfill, that they had never spoken up about because they didn't know who to tell or whether it was safe to say so.
Those conversations were the real data. Not the binder. Not the downloaded matrix. The relationships.
With enough of those conversations, a picture started to emerge. A custom compliance matrix built from the actual work people were doing — not just the work someone assumed they were doing. And from that matrix, we could begin to assess risk: which obligations were being managed well, which were uncertain, which were genuinely at risk, and where we needed to focus first.
It took years. I want to be honest about that. This was not a six-month project. But step by step — with the eight elements as our roadmap — we built something real. A tracking system for every task on the matrix. Dashboards. A comprehensive training program. And eventually, a campus-wide Compliance and Ethics Program that moved beyond check-the-box compliance and actually tried to build a proactive culture of integrity on campus.
The work was hard. Building relationships was the key. But we could not have gotten there — not even close — without the structure that the Federal Sentencing Guidelines provided.
The roadmap didn't do the work. But without the roadmap, I would still be staring at that binder.
If any of this sounds familiar — if your campus has all of this happening in silos and nobody has connected it — here's where I'd suggest starting:
1️⃣ Download the NACUA Compliance Matrix (nacua.org/compliance-matrix). It's free, regularly updated, and the best starting point available. It won't cover everything specific to your institution, but it will cover more than you expect.
2️⃣ Look at your org chart and start guessing who is doing compliance work in each area. Schedule meetings. Come curious, not authoritative. Ask what they do and what keeps them up at night. You will learn more in those conversations than from any document.
3️⃣ Apply the eight elements to one area — just one. Where are the gaps? That's your starting point.
You don't need a new budget line. You don't need a new hire. The Federal Sentencing Guidelines explicitly recognize that smaller organizations can meet the compliance standard using available personnel rather than employing separate staff.
The work is already happening on your campus. The compliance is there. What's missing is the structure to make it coherent, visible, and sustainable — and the relationships to make that structure real.
That's not an impossible problem.
That's just an organizational one. And a human one.
I now work with higher education institutions at every stage of this journey — from that first overwhelming binder moment to mature, functioning programs. The roadmap is the same one I used. If this resonates, I'd love to connect.