Engaging Frontline Staff: Individual Compliance Responsibility

By Sarah Couture (Principal at Couture Consulting LLC in Indianapolis, IN.)

Originally Posted on: Compliance Cosmos

A compliance program’s success is seen in its ability to engage each person in the organization—not only senior leaders and managers but all frontline staff—in their individual compliance responsibilities. Compliance is everyone’s job. But how can the compliance program reach every individual in a meaningful way? Staff need more than the knowledge that a compliance program, a code of conduct, and policies exist; they need a personal understanding of how to do one’s job compliantly and a commitment to doing the right thing and speaking up if there is suspected noncompliance. Frontline staff engagement is an organization’s first line of defense against fraud, waste, and abuse. We must instill in all staff that they are critical to our organization’s success, not just in patient care, quality, and safety, but in our organization’s compliance.

Certainly, frontline staff engagement starts with leaders and managers who are both committed to compliance and actively promote the compliance program. Promoting the program includes providing frontline staff with the tools needed for their jobs and underscoring a culture of compliance. The compliance program should also focus its strategy and efforts on instilling the value of compliance in each person in the organization. First, the compliance program staff should be active, approachable, and visible throughout the organization. Visiting departments, being present at operations meetings, and getting to know staff develop rapport. When staff know your name and face, they are more comfortable reaching out if they have a question or suspect an issue.

Second, review your general compliance training. How does it address commitment at an individual level and all levels? Does it clearly communicate compliance expectations, what to report, and how to report? Also, confirm that general compliance training is required for all staff.

Third, regularly survey staff regarding their compliance knowledge and perspectives on the culture. This reinforces that staff have a voice and are essential to compliance. This also displays the compliance program’s commitment to engaging staff. There are many great survey questions to consider in the HCCA–OIG’s Measuring Compliance Program Effectiveness: A Resource Guide.[1]

Finally, consider how to leverage frontline staff in more active compliance promotion. This may be through a compliance liaison or compliance champion model and can be part of a frontline staff person’s career advancement planning.

1 HCCA–OIG Compliance Effectiveness Roundtable, Measuring Compliance Program Effectiveness: A Resource Guide, March 27, 2017, https://oig.hhs.gov/documents/toolkits/928/HCCA-OIG-Resource-Guide.pdf.

Copyright 2024 Compliance Today, a publication of the Health Care Compliance Association (HCCA)

Managers: Key to Compliance Program Effectiveness

By Sarah Couture (Principal at Couture Consulting LLC in Indianapolis, IN.)

Originally Posted on: Compliance Cosmos

It is essential that compliance programs engage their organization’s senior leaders. This is not only an expectation from a regulatory perspective but also critical to fostering compliance program effectiveness.

Engaging operations in compliance is vital to ensuring compliance. The March column discussed the importance of senior leadership compliance engagement.[1] Senior leaders drive operational compliance, setting the expectation for compliant functions. While senior leaders should “clearly articulat[e] the company’s ethical standards, conve[y] and disseminat[e] them in clear and unambiguous terms, and demonstrat[e] rigorous adherence by example,” managers—those who supervise departments and teams—work to implement these goals, “reinforc[ing] those standards and encourag[ing] employees to abide by them.”[2] This management compliance responsibility includes ensuring employees have the resources they need to perform their jobs compliantly (e.g., policies and procedures and appropriate training), monitoring high-risk functions, promoting a culture of transparency and encouraging reporting, and taking part in corrective action plans and the remediation of identified risks.

Engaging management is key to ensuring compliance. Managers oversee departments and teams of frontline staff, often performing very high-risk functions: billing and coding, patient care, patient access, IT, human resources, etc. Management engagement in compliance should result in frontline staff knowing how to perform their job functions compliantly and quickly reporting concerns that may impact compliance.

The first step in successful management engagement is effective communication and education. Managers must understand compliance expectations before they can implement them. Consider developing compliance training specific to managers that describes their compliance responsibility and its significance, including specific expectations such as those discussed earlier. Ideally, these expectations would also be included in managers’ job descriptions and as a component of performance evaluations and bonus calculations. Ensure regular communication with managers to reinforce expectations, provide reminders, share examples of compliance successes, and suggest ways to engage further.

Second, develop an approach to personally connect compliance team members with managers. This may include regular “rounds” or visits by compliance staff and offers to participate in and/or present at department meetings. The approach should prioritize compliance visibility and reinforce that compliance is an available and approachable resource for managers. Respond promptly to questions and requests for help, and mentor managers as they address concerns or complete remediation activities. Finally, consider—with other leaders, including HR—how compliance involvement by managers, such as serving as a compliance “champion,” can be part of a manager’s career advancement. This concept is also discussed in the 2023 updates to DOJ’s Evaluation of Corporate Compliance Programs.

1 Sarah M. Couture, “Senior leadership engagement,” Compliance Today, March 2024, https://compliancecosmos.org/senior-leadership-engagement.

2 U.S. Department of Justice, Criminal Division, Evaluation of Corporate Compliance Programs, updated March 2023, https://www.justice.gov/criminal-fraud/page/file/937501/download.


Senior Leadership Engagement

By Sarah Couture (Principal at Couture Consulting LLC in Indianapolis, IN.)

Originally Posted on: Compliance Cosmos

It is essential that compliance programs engage their organization’s senior leaders. This is not only an expectation from a regulatory perspective but also critical to fostering compliance program effectiveness.

An organization’s senior leadership is made up of executives who oversee various parts of operations. Frequently referred to as the “C-suite,” they often have titles that include the term “chief” (e.g., chief operating officer (COO)), denoting that they have operational oversight of a function. For an organization to have a culture of compliance and pursue compliant operations, it is crucial that senior leaders be engaged in compliance; they must understand compliance, be bought in to it, and drive it. As with the board of directors, senior leaders determine the “tone at the top” that feeds the culture of compliance. From a practical perspective, a compliance program will struggle to succeed without senior leadership’s engagement. In addition to the pragmatic perspective, there is a regulatory compliance expectation of senior leaders. Government guidance makes it clear that senior leaders have a responsibility not only to ensure the organization has an effective compliance program[1] but also to actively promote the “company’s ethical standards,” to convey and disseminate them “in clear and unambiguous terms,” and to demonstrate “rigorous adherence by example.”[2] The way that senior leaders make business decisions, lead their teams, communicate, etc., should evidence, in both word and action, their commitment to the compliance program and compliant operations.

While this engagement is vital, it can sometimes be daunting. Compliance officers must focus on communication and connections. Help senior leaders understand their compliance responsibilities through ongoing education and training. If leaders have not been supportive, it may be that they are not aware of the expectations. Consider training content specifically for leadership that outlines their compliance roles and responsibilities and their important part in supporting a culture of compliance. Confirm that the responsibilities are reinforced in job descriptions and performance evaluations.

Pursue intentional relationships with senior leaders and strive to be seen as a helpful peer and thought partner who is approachable, available, and strategic. Ideally, compliance should already be part of the leadership team. Beyond the group interactions, prioritize regular and scheduled one-on-one meetings with senior leaders who oversee specific risk areas. Finally, develop a new leader meet-and-greet process and introduce yourself and the compliance program to help build rapport in early tenure.

1 U.S. Sentencing Commission, “2018 Chapter 8 – Sentencing of Organizations,” Federal Sentencing Guidelines, 2018, https://www.ussc.gov/guidelines/2018-guidelines-manual/2018-chapter-8.

2 U.S. Department of Justice, Criminal Division, Evaluation of Corporate Compliance Programs, updated March 2023, https://www.justice.gov/criminal-fraud/page/file/937501/download.


Compliance Culture Begins with an Engaged Board

By Sarah Couture (Principal at Couture Consulting LLC in Indianapolis, IN.)

Originally Posted on: Compliance Cosmos

Compliance programs must successfully engage with a variety of stakeholders to ensure program effectiveness. Because board members carry fiduciary duties and oversight responsibility, compliance programs should prioritize engagement with the board of directors (or a delegated subcommittee). According to Chapter 8 of the Federal Sentencing Guidelines, the board of directors, as the organization’s governing authority, “shall be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program.”[1]

How can a compliance officer effectively engage board members regarding their compliance responsibilities?

Remember, the tone at the top starts with the board of directors. It is essential that board members both understand and support compliance efforts, as a compliant culture starts with an engaged board.

1 U.S. Sentencing Commission, “2018 Chapter 8 – Sentencing of Organizations,” accessed November 11, 2023, https://www.ussc.gov/guidelines/2018-guidelines-manual/2018-chapter-8.

2 HCCA–OIG Compliance Effectiveness Roundtable, Measuring Compliance Program Effectiveness: A Resource Guide, March 27, 2017, https://oig.hhs.gov/documents/toolkits/928/HCCA-OIG-Resource-Guide.pdf.


The Value of Engaging People for Your Compliance Program’s Success

By Sarah Couture (Principal at Couture Consulting LLC in Indianapolis, IN.)

Originally Posted on: Compliance Cosmos

Much of a compliance program’s success—and its ability to successfully prevent and detect fraud, waste, and abuse—rises and falls on its strategy and approach with people. The vision and planning of every compliance program must acknowledge that people are essential to its success, and then prioritize and be intentional to develop relationships and engage a variety of key stakeholders in its implementation. From those inside the organization—such as the compliance program staff, board members, and operations leaders and managers, to those outside the organization, like network contacts, students, and outside advisors—this column will help readers appreciate who needs to be part of the compliance program’s strategy, why each is essential for program effectiveness, and how to engage and leverage the people within and around our compliance programs to ensure success.

How does a smart “people strategy” promote compliance program effectiveness? Intentional engagement with board members contributes to successful oversight. Prioritizing investment in your compliance program staff creates a more valuable, efficient, and qualified team to implement the program. Building rapport with and inspiring operational leaders and managers in their compliance responsibility fosters operations accountability for “owning” and driving compliance in their areas of purview. Intentional collaboration and planning with outside partners ensure your resources’ most effective and efficient use and promote the best outcomes. In addition, intentionally developing our own professional networks ensures that we have industry peers and thought partners who provide opportunities for mentoring, personal development, and investment in students and those new to compliance to help our own programs grow and ensure the longevity and success of the profession.

Pursuing a strategy that prioritizes people for compliance program success is not difficult, but it does take planning and intentionality. Include in your compliance plan and development strategy how the program will engage and work to help develop stakeholders: board members, senior leaders, operations leaders and managers, and frontline staff. Include in your education and training plan, and/or compliance program plan, compliance program staff investment initiatives, identifying the resources needed, and general or specific investment goals for the department. Ensure documentation of the plans as well as the implementation of them to evidence the strong work of the program. Have an open mind and know that your approaches will likely evolve as you go. Because our organizations, teams, and risk profiles are dynamic and changing, we need to ensure our plans—including those for people’s engagement—can flex and evolve as necessary to ensure effectiveness.


The New OIG General Compliance Program Guidance: What to Know, What to Do

Most healthcare compliance professionals are well aware of the recently published HHS-OIG General Compliance Program Guidance (https://oig.hhs.gov/documents/compliance-guidance/1135/HHS-OIG-GCPG-2023.pdf) (GCPG). Released in November 2023, the resource consolidates, modernizes, and updates compliance guidance for the healthcare industry. This Perspectives will provide an overview of the GCPG, discuss observations, and provide recommendations on how compliance professionals should begin to use the guidance.

Healthcare segment-specific compliance program guidance documents, intended to help guide newly forming healthcare compliance programs, were released in the Federal Register from the late 1990s into the early 2000s. They addressed compliance program basics as well as specific segment risks for industry segments including, but not limited to, hospitals, skilled nursing facilities, clinical laboratories, and small physician practices. See https://oig.hhs.gov/compliance/compliance-guidance/. Other compliance program guidance documents have been released over the years, including one specific to healthcare governing boards and one on measuring program effectiveness, along with the development of a variety of other helpful compliance resources available on the OIG website. See https://oig.hhs.gov/compliance/.

For new healthcare providers or for new compliance professionals, the information available likely seemed scattered, as there has been no overarching source for compliance guidance. The new GCPG, written for the healthcare industry as a whole, helps solve this. (Note – ICPGs, or industry-segment specific compliance program guidances, will be published by OIG starting in 2024. Stay tuned!).

One of my favorite features of the GCPG is how the document both consolidates and clarifies information. What was once in multiple separate documents is now largely consolidated into a clear, well-flowing, and pragmatically approached document. It should help newer compliance professionals “connect the dots” and should help our senior leaders and board members see the bigger picture. In addition to clarifying and condensing, the document also provides modernization. The GCPG, as well as the forthcoming ICPGs, will be updated as needed on the OIG’s website and will no longer be published in the Federal Register. The consolidation and modernization should result in clearer communication to the compliance and healthcare communities. This is evidence of the ever-evolving profession we are in! And this is a good evolution.

The GCPG provides a clear explanation of what it is and what it is not, provides a summary of pertinent regulations, presents a refreshed list of the Seven Elements and explains each one, discusses some additional areas of focus, and provides links to and explanations of other compliance resources. Along the way, the guidance provides multiple practical tips and examples. Along with the clear content and format, these user-friendly features of the guidance make it feel fresh, modern, and applicable. I particularly appreciate Section II – the discussion of selected relevant federal laws. To me as a compliance professional who is not a lawyer, the overview, discussion, checklists, and tips provided feel digestible. Compliance professionals may be able to use content from the regulation summaries in their compliance education and communication, as the clear ways they are presented should also better inform operations and finance leaders and other stakeholders about these risk and mitigation approaches.

There is a “new” arrangement of the seven elements; not new elements, but organized in a new way. Those who are more seasoned in compliance know that the way the elements are put together and organized varies slightly between compliance resources. I prefer this arrangement to the one in the 2017 HCCA–OIG Measuring Compliance Program Effectiveness: A Resource Guide, which included Screening as an element. Screening, a control addressing the risk of engaging with an excluded party, is not included in the new GCPG list. This arrangement also adds risk assessment as part of the auditing and monitoring element. Some have called risk assessment the “eighth element” because it was essential to the compliance program but never listed as one of the seven elements. I have never viewed it as a separate element, but rather as a foundational principle underscoring all of the other elements. Our policies, our auditing, our education and training, and so on, should all be based on our risk assessment, and should evolve as our risk assessment evolves.

There are several topics discussed within the GCPG that seem especially emphasized, and others that may have had less emphasis in the past but seem to be more of an area of focus in this new guidance.

This is not new. The conversation is not new. The recommendation is not new. Yet there are many healthcare provider organizations and individuals with whom I have crossed paths that do not believe OIG has historically been clear in its recommendations regarding the authority, independence, and seating of the compliance officer. If the past guidance or presentations by OIG were not clear enough (which, from my perspective, were pretty clear: “report directly to CEO, board (not CFO or Legal),”[i] “sufficient autonomy from management,”[ii] “report directly to the CEO and the governing body,”[iii] “OIG believes an organization’s Compliance Officer should neither be counsel for the provider, nor be subordinate in function or position to counsel or the legal department, in any manner,”[iv] etc.), OIG reemphasizes and clarifies its view. See page 37, as well as the paragraph with the bold content on page 39.

The discussion regarding compliance incentives is not new either – it is discussed as part of an effective compliance program in Chapter 8 of the Federal Sentencing Guidelines.[v] Yet many healthcare provider organizations struggle to have meaningful, let alone robust, approaches to compliance incentives. Incentives help us approach compliance proactively. Prioritize development and implementation of a collaborative compliance incentives plan in 2024.

In the overview section I shared my perspective on risk assessment as part of the foundation for the seven elements. The GCPG discusses the benefits of a collaborative risk assessment approach, such as an ERM (Enterprise Risk Management) process, encouraging risk assessment collaboration with “audit, quality, and risk management functions.” This is a wise approach to prevent silos, duplication and/or omission, and encourage engagement and partnerships across the various functions that help the organization manage and mitigate risk. It also provides several paragraphs of discussion on the importance of data analytics relative to risk identification. If you do not think in data analytics terms, leverage someone on your team or someone in your organization to thought partner with you on incorporating data analytics into not only your approach to risk assessment, but also across your compliance program. That could be, and maybe will be, an entire future Perspectives topic!

The term “medical necessity” is used ten times in the GCPG. Repetition can indicate priority. The auditing and monitoring section discusses the importance of auditing medical necessity, by an appropriately credentialed clinician, as part of claims reviews/audits. I have long taught on the importance of having a diversity of skill sets in the compliance program. Compliance programs may need to think beyond their usual ways of performing billing and coding audits with billers and coders and include medical necessity auditing by a clinician as part of the audit plan.

Since effectiveness is the goal, organizations should have an intentional approach to assessing the effectiveness of the compliance program. From my professional perspective, this would include both a self-assessment element, for which there are many resources including the OIG resource referenced in the GCPG, Measuring Compliance Program Effectiveness: A Resource Guide,[vi] and an every-few-years external assessment. This blended approach balances time, pragmatism, resource availability, and the importance of both self-reflection and objectivity.

Like the rest of the document, the reporting-to-the-government discussion provides a high-level but understandable view of self-reporting. Reporting to the government can be overwhelming for compliance officers and organizations, and this section is a good place to start for how to begin navigating it. This is also something you will want to work on with counsel.

The GCPG includes helpful and pragmatic guidance for both large and small organizations. I think the name of the game here is common sense and creativity.

If you thought “medical necessity” was referenced a lot at ten times, the word “quality” appears in the GCPG fifty-eight times! This is certainly an area of increased focus that healthcare compliance programs will need to include going forward.

When I first entered the healthcare compliance profession, pivoting from my nursing career, it was not clear to me why quality and safety risk were seemingly absent from the range of risks with which compliance was concerned. I assume it was because it was not viewed as a fraud, waste, or abuse risk. As healthcare compliance has evolved, we have seen more and more references to quality of care and its connection to the False Claims Act: not just regarding unnecessary or excessive services that should not be billed, but also relating to the billing of services determined to be substandard or worthless. From policies to operations engagement to the Compliance Committee to risk assessment, compliance professionals need to widen their purview to include quality and safety in their compliance program approach if they have not already done so.

Thoughts on how to use the guidance

If you have not yet read it in its entirety, read it and take notes. I first skimmed it to get an overview, then I read and took notes to help me digest. Then I printed it and saved it on my desktop for ready reference. This is a document we will want to keep reviewing.

It is voluntary guidance. It is not meant to be a model compliance program. Use it as a guide and remember that your compliance program needs to be tailored for the size and complexity of your organization and based on your risk assessment.

Include the new GCPG in discussions with and in your next presentations to your leadership, Compliance Committee, and Board. Provide both an overview of the what and the why. Provide them with the link and encourage them to review it. Discuss specifics of the guidance relative to your compliance program. How does this change your priorities for 2024? How does it reinforce directions you have been planning?

As you review and mull over the GCPG, consider how you can use the guidance as one of the tools for assessing your program’s effectiveness and how some of the tips and ideas within could impact your approaches to some of your program elements. Make these plans with your Compliance staff and/or Compliance Committee. Consider documenting your program improvement plans to be able to track progress.

Stay in front. Things are always changing. Find ways to stay informed, communicate new information to stakeholders, and keep your program dynamic and updated. Subscribe to listservs, review enforcement actions, read relevant government agency news, and get involved in the compliance community and network. Remember that the ICPGs will be rolling out in 2024 with specifics for your and other industry segments.

[i] HCCA–OIG Compliance Effectiveness Roundtable, Measuring Compliance Program Effectiveness: A Resource Guide, March 27, 2017, https://oig.hhs.gov/documents/toolkits/928/HCCA-OIG-Resource-Guide.pdf.

[ii] U.S. Department of Justice, Criminal Division, Evaluation of Corporate Compliance Programs, updated March 2023, https://www.justice.gov/criminal-fraud/page/file/937501/download.

[iii] HHS-OIG, Compliance Program Guidance for Hospitals, https://oig.hhs.gov/documents/compliance-guidance/798/cpghosp.pdf.

[iv] HHS-OIG, Practical Guidance for Health Care Governing Boards on Compliance Oversight, https://oig.hhs.gov/documents/root/162/Practical-Guidance-for-Health-Care-Boards-on-Compliance-Oversight.pdf.

[v] U.S. Sentencing Commission, “2018 Chapter 8 – Sentencing of Organizations,” Federal Sentencing Guidelines, 2018, https://www.ussc.gov/guidelines/2018-guidelines-manual/2018-chapter-8.

[vi] HCCA–OIG Compliance Effectiveness Roundtable, Measuring Compliance Program Effectiveness: A Resource Guide, March 27, 2017, https://oig.hhs.gov/documents/toolkits/928/HCCA-OIG-Resource-Guide.pdf.

Emerging ERM Lessons from COVID-19: Considerations for Compliance Officers and Managers of Risk

By Jeffrey Driver, JD, MS, and Sarah Couture, RN, CHC, CHRC

Originally Posted on: Compliance Cosmos

For months, our world, our country, our healthcare systems, and our lives have been drastically altered by the COVID-19 pandemic. It has been impossible to hide from the realities of the pandemic as news, social media, and conversations with friends and colleagues have frequently centered on the continuously developing COVID-19 stories. At the same time, our healthcare systems have not been able to hide or be sheltered from the course-altering effects of the pandemic. Healthcare providers around the country have been rocked in multiple ways, including their financial health, their ability to take care of patients, and the new normal of taking both small and drastic measures to help prevent COVID-19 transmission. While pandemics are not “black swan” events,[1] very few in our country were fully ready for the effects of one. Households rushed to hoard pantry supplies and toilet paper, and healthcare systems clamored to reorganize operations and try to guess and react to what was coming next. Businesses and organizations around the country and around the world are wondering what they could have done to be more prepared. Should they have known this was coming? Could they have more intentionally planned for and forecasted this event in order to be better equipped to handle the sequelae of the pandemic, or even been able to flourish through it and come out stronger on the other side? These are questions that our country’s healthcare leaders should be asking. And many of the answers can be found in the discipline of enterprise risk management (ERM).

ERM overview

While ERM programs are not new to healthcare, many healthcare organizations may not have a good understanding of ERM, either because they do not have an ERM program or because their ERM functions are not structured, or have not been updated, in an industry-standard way. Past iterations of risk management roles or programs may have included only a slice of an organization’s risk profile, such as insurance or malpractice risk, or patient safety or quality risk. Modern ERM, however, includes all risks that could affect an organization, from the boardroom to the storeroom and everything in between, as well as risks adjacent or external to the organization. Any risk that could affect an organization is considered in ERM.

The best practice of ERM provides a framework by which all organizational risks are identified, thoroughly analyzed and prioritized, and appropriately mitigated in order to allow the organization to make thoughtful and informed business decisions. Modern ERM does more than protect value; it also creates value. The business decisions resulting from a best practice ERM framework can create value by looking for risk mitigation/treatments that are both protective and beneficial for the organization’s bottom line by providing a financial return on risk and compliance management investments. In addition, ERM helps enhance compliance effectiveness, ensures interdepartmental understanding and collaboration, promotes proactive mitigation of risk instead of reactive responses, and helps strengthen organizations during events that create uncertainty.

ERM will be most successful when those involved in the ERM process all speak the same language, share a similar set of risk perspectives, and have a common way of viewing the risk management process. This can be achieved by developing the organization’s risk management framework and processes. At a high level, an ERM framework helps an organization define how it will survey the universe of risks, prioritize and select the risks to mitigate, and then allocate appropriate resources to address those risks. Two main frameworks are widely used in ERM: the International Organization for Standardization (ISO) guidelines[2] and the Committee of Sponsoring Organizations of the Treadway Commission (COSO) guidance.[3] Both frameworks have been updated recently, displaying continued growth and evolution in the field of risk management. A simple internet search shows how much has been written about each framework and how each could be more beneficial in different contexts. Organizations pursuing risk management should explore both frameworks and develop a pragmatic solution based on one or a combination of them.

In order to ensure that all of the organization’s risks are considered, it is important to consider whom to involve in the ERM program. There is no one right answer as to who should lead ERM activities. Large organizations may have a chief risk officer whose primary responsibility is to oversee ERM. Organizations with fewer resources or varying organizational dynamics may appoint the chief compliance officer, chief financial officer, vice president of internal audit, or another executive to oversee ERM. In the authors’ view, it makes little difference who “owns” it, as long as the owner has sufficient authority to lead the program and the purview of the program is truly enterprise wide and ensures input of all risks from around the organization.

When deciding who should provide input on risk and collaborate with the ERM function, the phrase “from the boardroom to the storeroom” will again be helpful. Ensure that each operational area has a conduit to direct its risks into the ERM process. Even if assessed informally or without much structured thought, understanding, prioritizing, and mitigating risk is not new to operational areas. A normal part of doing business and running operations is continual understanding and mitigation of risks.

In essence, all operational areas in a healthcare organization have some sort of micro risk-management processes going on to manage specific business processes and outcomes. Throughout this article, we will use the terms “micro risk” and “micro risk management” to describe risk management efforts that occur within a specific operational area that are in place only to address those risks that are relevant for that specific area. By contrast, we will use the terms “macro risk” and “macro risk management” to describe enterprise-wide risk management efforts that are in place to address risks that are applicable to and potentially significant for the organization as a whole. In some operational areas, like compliance and finance, the micro risk management, or selection and management of relevant risks, may be intentional, well defined, and documented. In other operational areas, like supply chain or food or interpreter services, the management of pertinent risk may not be formalized or documented, yet it occurs as the operations ebb and flow and as issues arise and require solutions. In many healthcare organizations, each area’s micro risk-management efforts occur in silos and in disparate ways that are specific to each department. While multiple and often informal micro risk-management efforts may be occurring around the organization, there may be little to no effort on the part of the organization as a whole to understand the micro risks of each area, and understand how the micro risks may affect the organization as a whole. ERM programs provide a framework for the enterprise and its leadership to understand not only the micro risk-management efforts taking place disparately, but also provide a forum for those micro risks to be evaluated at the macro, or enterprise-wide, impact level. 
Many risks will remain primarily relevant for only the operational area to address, but some risks, as assessed through the ERM framework, will become larger and more complex macro risks that must be understood and addressed at the enterprise level. Thus, ERM capitalizes on the expertise, risk knowledge, and risk management efforts from partnerships around the organization and ensures that relevant risks that could reasonably affect the organization as a whole are identified, prioritized, and addressed. Additionally, ERM can help organizations standardize risk assessment processes in the various operational areas in order to more efficiently and effectively prioritize enterprise-wide risk.

ERM and compliance

So how should managers of micro risk interface with ERM? More specific to this audience, how should compliance officers interface with ERM? Whether or not compliance officers realize it, compliance and ERM have more in common than not. Like peanut butter and jelly, compliance and ERM work on risk together, but in complementary ways. Compliance operations are driven by assessment and prioritization of compliance risk. ERM helps the organization as a whole understand and evaluate compliance risk and other micro operational risks that affect the whole in order to develop an accurate and cohesive picture of the organization’s risk profile. Best practice organizations develop micro and macro risk-management structures that ensure consistency between micro risk-management efforts, resulting in standardized information flow into the macro ERM framework. Compliance and ERM should be speaking the same risk management language and working from the same risk management playbook, just from different ends of the spectrum. Compliance is the subject matter expert and risk owner of the compliance micro risks, and ERM is the risk jack-of-all-trades and collaborative organizer that brings together the organization’s micro risks for ERM coordination and assessment. Successful ERM programs understand the value of collaboration and the subject matter expertise of each of the managers of micro risk, including the compliance officer. And compliance officers can best help their organizations by not only appropriately assessing and managing compliance risk but also being an active contributor to the organization’s ERM efforts.

ERM and COVID-19

Returning to the questions from the introduction, could an ERM program have helped a healthcare organization be better prepared for the COVID-19 pandemic, and how can an organization be better prepared for the next big risk management challenge? Many thought leaders across various industries have debated whether the pandemic was a black swan event, one with devastating consequences that was almost impossible to predict and almost impossible to be ready for,[1] or more of a “gray swan” event, predictable and subject to risk management controls. While there are very good arguments on all sides of this debate, one thing rings true in all of them: a robust enterprise-wide risk management program is essential. Healthy and maturing ERM programs do more than just assess risk and help allocate resources for risk treatment. With time, investment, and data analysis, ERM programs evolve into sophisticated systems that are nimble and proactive, novel and even groundbreaking, where leaders come together to evaluate real-time issues and predict and prepare for what is likely to come next. So the real value in ERM is not only in the ongoing assessment and treatment of risk, but in the growth and evolution of the ERM program that draws on a wide cache of leadership expertise to plan strategy and response and help the organization weather any storm that comes.

It is in this evolved and advanced view of ERM that we see several lessons emerging out of the COVID-19 crisis. These lessons are being learned even as we write this article, and they deserve additional exploration by healthcare leaders and developing ERM programs. To that end, we briefly introduce these ideas and provide resources for further exploration by risk professionals.

Lesson one: Using decision science to make decisions in hyper-uncertain situations

Unfortunately, healthcare organizations have had to make countless challenging decisions in the face of uncertain situations and uncertain outcomes created by the pandemic. Decision science helps organizations combine whatever data they have available, however limited, with structured decision-making tools to identify the choices most likely to produce the best outcomes under uncertainty. Managers of risk are directed to Peter McNamee and John Celona’s seminal work, Decision Analysis for the Professional, Fourth Edition.

Lesson two: ‘Sensemaking’

The pandemic saga has resulted in scientific, social, and political information coming from multiple directions, resulting in what some have coined as an “infodemic.” The challenge has been that the information and reported data do not always align or point an organization in a consistent direction. Sensemaking, as introduced by Karl Weick in the 1970s, helps an organization take in data and then make sense of them.[4] This is especially important in new situations and as circumstances rapidly change. ERM programs have the benefit of bringing groups of leaders together, so sensemaking can occur not only on the individual level but on the collective level as a group.

Lesson three: Antifragility

Antifragile organizations are more than just resilient and do more than merely stay afloat during crisis; they actually grow stronger in crisis situations.[5] ERM programs can evolve to help position organizations to not just survive in extremely challenging times but actually thrive.

Lesson four: The Cynefin framework

The Cynefin framework is a type of sensemaking device. Developed by Dave Snowden in 1999 while working at IBM, this framework allows leaders and managers of risk to make risk-management decisions based on the situation in which the decision takes place.[6] The Cynefin framework helps with decision-making by first classifying the situation, whether clear, complicated, complex, chaotic, or disorderly, to help the decision maker know how to better respond.

Value-driven ERM

Alongside these emerging lessons, which challenge ERM programs to evolve to the next level, there has been an increased focus on value creation, or the upside of ERM. While ERM has traditionally been viewed purely as a value-protection function, it has been recently redefined as a function that can create value as well. And now more than ever, healthcare organizations need both sides of the ERM coin. Instead of relegating value protection to compliance, risk management, and internal audit and assigning value creation responsibility to strategy and finance, modern ERM brings together both the downside and upside of risk as it helps organizations creatively identify solutions for risk treatment. Among the many potentially devastating effects of the pandemic have been the financial ramifications experienced by our nation’s healthcare providers. Actions taken to help limit the spread of the virus, including prohibitions on many types of nonemergent medical care, have resulted in poor financial situations for the lucky, and bankruptcy and closure for others. As such, attention has turned to ERM to not only protect value but create value by providing financially beneficial risk mitigation innovations. By quantifying and monetizing risk mitigation with decision analysis based on data, cutting-edge ERM programs marry value protection and value creation. The resulting ERM message communicates how a risk treatment plan can both protect value and create value by calculating the monetary benefits of addressing the risk.

Making the case for ERM

We do not yet know what the post–COVID-19 healthcare landscape will look like, but one could guess that the current financial, compliance, and other risk challenges will continue to abound. Considering the collective benefits of risk protection, collaboration between silos, advanced decision analysis, and value creation, one could argue there has never been a better time for healthcare organizations to pursue ERM. So, if your organization has no ERM function, where can you start? While board and C-suite support is the ultimate goal, ERM efforts frequently start from grassroots efforts of those who are already managing the organization’s department-specific micro risks. Compliance officers can help get the ERM conversation started. A great place to start is self-education. Begin reading about ERM, including thought leadership and details around the Committee of Sponsoring Organizations of the Treadway Commission and International Organization for Standardization frameworks. Research different professional organizations that are talking about ERM; many have great articles and thought leadership available on their websites. Then begin having conversations about ERM, risk collaboration, and the upside of risk management with other operational risk managers. It could be that your peers in other departments are having similar thoughts on the value of a big-picture risk management strategy. Because many of the operational managers of risk should already be on the compliance committee, early ERM conversations, planning, and strategy could begin there. Begin discussing the why and how of ERM with the CEO and other executive leaders and provide them with education not only about the value protection aspect of ERM, with which they are probably already familiar, but also the value creation, collaboration, and decision analysis features of modern ERM. 
As these ERM ideas begin to take shape and take off, be sure the board is introduced to the ERM strategy, as ERM should ultimately be overseen by the board and aligned with corporate strategy overall.

Practical next steps in pursuing ERM

An ERM plan and program is a worthy investment not only in light of the COVID-19 pandemic, but also to help future risk mitigation and decision analysis for whatever storms come next. Whether your organization needs to start an ERM program or tune up a current program to help it be more effective, take advantage of this interesting time in history to focus on and pursue ERM. There are multiple ERM resources available to help in the journey. A few publicly available resources to get started include:


1 Investopedia Staff, “Black Swan,” Investopedia, updated August 17, 2020, https://bit.ly/36xfNP4.

2 International Organization for Standardization, ISO 31000:2018: Risk management — Guidelines, February 2018, https://bit.ly/38DvcQs.

3 Committee of Sponsoring Organizations of the Treadway Commission, Enterprise Risk Management—Integrating with Strategy and Performance, June 2017, https://bit.ly/3nhQOG9.

4 Sally Maitlis and Scott Sonenshein, “Sensemaking in Crisis and Change: Inspiration and Insights From Weick (1988),” Journal of Management Studies 47, no. 3 (May 2010), 551–580, https://bit.ly/36xXvgv.

5 Nassim Nicholas Taleb, Antifragile: Things That Gain from Disorder (New York: Random House, 2016).

6 “Cynefin framework,” Wikipedia, last edited September 2, 2020, at 05:37 (UTC), https://bit.ly/38BWpTL.

7 Richard J. Anderson and Mark L. Frigo, “Creating and Protecting Value: Understanding and Implementing Enterprise Risk Management,” Committee of Sponsoring Organizations of the Treadway Commission, January 2020, https://bit.ly/2GTXOcO.

8 Roberta L. Carroll et al., “Enterprise Risk Management: A Framework For Success,” American Society for Healthcare Risk Management, 2014, https://bit.ly/32EAJCI.

9 John Celona, Jeff Driver, and Ed Hall, “Value-Driven ERM: Making ERM an Engine for Simultaneous Value Creation and Value Protection,” Monograph, American Society for Healthcare Risk Management, 2010, https://bit.ly/36wfyUl.

10 “Enterprise Risk Management: Part One: Defining the concept, recognizing its value,” Monograph, American Society for Health Care Risk Management, January 2006, https://bit.ly/2UoPHbv.

11 “RIMS Risk Maturity Model (RMM),” RIMS, last accessed November 12, 2020, https://bit.ly/38zbuWd.

Copyright 2023 Compliance Today, a publication of the Health Care Compliance Association (HCCA)

Compliance and the Board: Challenges and Best Practices

By Brian D. Annulis, JD, MHA, CHC, CHPC; Sarah M. Couture, RN, CHC, CHRC; and Kayla M. Teune, CHC

Originally Posted on: Compliance Cosmos

Chief compliance officers (CCOs) understand the importance of creating a culture that identifies and mitigates risks. In fact, not having a culture that timely identifies risks and escalates them was in the top 10 risks according to “Executive Perspectives on Top Risks in 2019.”[1] One of the first steps in establishing a compliant culture is educating and involving the governing body/board in compliance. Guidance documents from both the U.S. Department of Justice (DOJ)[2] and the U.S. Department of Health & Human Services Office of Inspector General (OIG)[3] discuss the importance of a culture of compliance being driven by organizational leaders, or “tone at the top,” and creating and fostering a culture of ethics and compliance with the law.[4] Additionally, the U.S. Federal Sentencing Guidelines indicate that the company’s “governing authority shall be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight.”[5]

Although it is clear that the board needs to be involved, it is common for CCOs to struggle with what the compliance–board relationship should look like in their organization. The reasons a CCO may have difficulty fostering a meaningful board relationship may include:

This article is intended to share a road map on how to effectively create and manage board engagement and interactions to strengthen your compliance program and overall corporate culture.

Understanding challenges to effective board management

When it comes to board engagement and management, the CCO must navigate how to effectively spend time with the board and how to make sure board members are educated about the compliance program and compliance activities happening in the organization. However, this may be easier said than done. There are several challenges that the CCO must overcome to effectively communicate with the board.

First, the CCO must have access to the board. Lack of access can have several causes, including no precedent of compliance officer access to the board, senior leadership preventing board access or wanting to act as the intermediary, or the organization being concerned about reporting compliance information in meeting minutes that must be made publicly available under various states’ open meetings acts. Additionally, access may be further complicated if a central board oversees multiple entities and it is unclear how the CCO should interact with the central board. Whatever the challenge the organization may face, the DOJ emphasizes the importance of a compliance officer having direct access to the board and that this access is key to effectively communicating with the board members.[6] So, access must be the first challenge to overcome to establish a meaningful board relationship.

A second challenge a CCO may face is having an unengaged or uneducated board. According to the Society of Corporate Compliance and Ethics & Health Care Compliance Association’s September 2017 survey, only 18% of board members are highly satisfied with the amount of compliance training they receive, to the extent they receive any training at all.[7] Common challenges the CCO may face regarding board education and engagement include:

A third challenge for the compliance officer is knowing what to report to the board or how detailed the reported content should be. It is important for the CCO to understand what kind of information and level of detail the board prefers and ensure the compliance report (and compliance program) is aligned to the risks in the organization. Some boards want only high-level details, while other boards would like the compliance officer to share some information that is more “in the weeds.” What type of information and level of detail does the board request to aid in its oversight responsibility? As the CCO’s communication with the board evolves, the CCO should have ongoing conversation with board members about their desired depth and breadth of compliance reporting. This will allow the CCO to be the most efficient and effective in communicating with the board.

Once a compliance officer understands and identifies their challenges regarding board participation in compliance, then they can strategically plan how to overcome and manage these challenges.

Communicating with the board: Education and reporting

OIG discusses not only the importance of the compliance officer communicating with the board, but also the board being sufficiently informed to be able to ask questions regarding the adequacy and effectiveness of the organization’s compliance program.[8] The members of the board should be able to ask questions to demonstrate that they are fully engaged in their oversight responsibility. The OIG guidance for healthcare governing boards outlines the following questions:

To be able to answer the above questions, it is important that the members of the governing body be educated about compliance during their onboarding. Be sure to include board compliance education in the compliance education and training plan. The board compliance training plan should include details regarding what topics/content should be covered, the frequency of training, current industry developments, and discussion of its responsibilities for compliance oversight. The board compliance training plan should also include a formal method to orient new board members to the organization’s compliance program. Consideration should also be given to whether board attestations should be implemented.

The trainings should ideally be live, either in-person or virtual, considering pandemic limitations. There should also be printed materials for the board to reference later if needed. The ongoing general compliance training should occur at least annually, with intermittent and topic-focused/risk-focused training throughout the year. Topics can become more detailed as the board’s understanding of compliance progresses.

It is also important that the CCO be able to answer questions about the compliance program to the board directly rather than through a member of senior leadership. According to the DOJ’s Evaluation of Corporate Compliance Programs,[9] the organization must have a reporting line in place where the compliance officer can have access to the governing authority or an appropriate subgroup of the governing authority. The board should also consider having a regular executive session with the CCO to ensure the ability to speak freely and have an open line of communication if something troublesome were to occur. The CCO could also establish a standing meeting with the board chairperson to prepare for meetings and further discuss any questions or other compliance information.

The CCO should also plan how they intend to report to the board. This should include how often the CCO will meet with the board, the depth of reporting, and the content that should be included. OIG recommends compliance meetings with and reporting to the board, or board subcommittee, at least once a quarter.[10] From a survey of compliance guidance documents, including documents previously mentioned from the Federal Sentencing Guidelines, OIG, and DOJ, the authors recommend including the following in compliance reports to the board.

  1. Discussion of oversight responsibility, including:
    • Assessment and approval of the compliance budget, staffing, and resources based on identified risk in risk assessment.
    • Assessment, whether internal self-assessment or outside assessment by a third party, of compliance program effectiveness.
    • Elements of the compliance program that need improvement.
    • Process for escalation and accountability, including reporting and resolution. OIG advises that the organization should have a written process in place to determine at what point a matter must be reported to the board.
  2. Presentation of risk assessment and work plans, including:
    • Updates on risk assessment efforts and outcomes.
    • Approval of the compliance work plan based on assessed risk, including risk mitigation plans.
    • Regular reporting to the board on work plan projects and progress.
    • Updates to the board when the work plan changes.
    • Notification to the board when work plan activities are complete.
  3. Review of code of conduct, including obtaining approval of the initial code of conduct and subsequent edits.
  4. Review of policies and procedures, including receiving approval of compliance policies and ensuring the board understands policies currently in place.
  5. High-level presentation of reports made to compliance, including categorized and trended data. The data could include:
    • Method of report (phone call, anonymous hotline, email, or other means of reporting).
    • Benchmarked data, such as days open.
    • Topic of report and trended volumes (e.g., number of reports on billing, privacy, research compliance).
    • Resolution of reported issues/evidence of follow-up.
  6. Discussion of investigations, including:
    • Categorized and trended data on investigations.
    • Details of significant investigations.
    • Outcomes of investigations and resulting corrective actions.
  7. Discussion of audits, including:
    • A periodic review of the audit plan by the board to make sure it is still fit for purpose and focused on the high-risk areas.
    • Audit results and remediation/actions in response to results.
    • Concerns with corrective action plans, which may include follow-up audits or untimely corrective action plan/operations response.
  8. Reporting on external activity, including government investigations and external audits (e.g., OIG or payer audits).
  9. Compliance training statistics, including rate of completion, compliance program reach, and the topics included.
  10. Discussion of exclusion screening, including process, data, and resolution of potential “hits.”
  11. Discussion of discipline for compliance violations, including evidence of discipline, trending areas of noncompliance, reporting details for significant violations, and fairness and consistency across alike violations.
  12. Compliance incentives and recognition of those exhibiting compliant and ethical behaviors and actions. Discussion of how to incentivize compliant behavior.
  13. Results of culture survey and action plan to address culture concerns.

Other topics can be considered based on board requests and needs. Although the number of topics that could be discussed may seem like a lot, these topics taken together point to compliance program effectiveness. Many of these topics will be presented using data that can be turned into a dashboard. Presenting data in a dashboard can make the information more digestible and can allow for better trending over time.

Continuing improvement: Further developing the compliance–board connection

Once a CCO has an established relationship with the governing body/board, there are ways to help ensure the interaction with the board goes to the next level. One way to strengthen the level of collaboration is to have interactions with the board chair or other members in addition to/outside of board meetings. This could be on a quarterly or monthly basis and could be outside of the office (for example, over a coffee). This is an opportunity to not only develop a stronger rapport with select members, but also to be able to talk in more detail about the compliance program.

Another great way for the board to become more engaged in compliance is by expanding its exposure to compliance. This could be accomplished in several ways. One way is to seek an incoming board member with compliance experience and/or experience in an organization under a corporate integrity agreement. The CCO can also consider inviting an outside compliance expert to speak to the board about its compliance oversight responsibility or about specific compliance risks. Additionally, the CCO should inform the board about outside board compliance training opportunities.

The more the board is educated and engaged with compliance, the more questions and perspectives members may have on various issues and business decisions. Business strategy can be positively affected as the board becomes more aware of compliance. It may be helpful to track types of questions board members ask after education or compliance reporting, as this may provide the CCO cues for enhanced future communication. The CCO should also look for ways that board members view things and tailor the approach to improve understanding of compliance.

When the board prioritizes a compliant culture and stays involved in the organization’s compliance activities, the employees of the organization are encouraged to take a level of compliance accountability they may not otherwise have taken. The board is ultimately responsible for ensuring that the organization complies with relevant laws. The CCO can help with this goal by intentional engagement and interaction with the board.

This article does not provide any legal advice or recommendations.


1 North Carolina State University’s ERM Initiative and Protiviti, “Executive Perspectives on Top Risks 2019: Key issues being discussed in the boardroom and C-suite,” accessed April 15, 2021, https://bit.ly/3djFQxW.

2 U.S. Dep’t of Justice, Criminal Div., Evaluation of Corporate Compliance Programs (Updated June 2020), http://bit.ly/2Z2Dp8R.

3 HCCA‐OIG Compliance Effectiveness Roundtable, Measuring Compliance Program Effectiveness: A Resource Guide, March 27, 2017, http://bit.ly/2V8dajN.

4 OIG, Association of Healthcare Internal Auditors, American Health Lawyers Association, and Health Care Compliance Association, Practical Guidance for Health Care Governing Boards on Compliance Oversight, April 20, 2015, https://bit.ly/3ahysOP.

5 USSG § 8B2.1 (U.S. Sentencing Comm’n).

6 U.S. Dep’t of Justice, Criminal Div., Evaluation of Corporate Compliance Programs.

7 Society of Corporate Compliance and Ethics & Health Care Compliance Association, “Compliance Training and the Board,” September 2017, https://bit.ly/3wU2Awl.

8 OIG, Association of Healthcare Internal Auditors, American Health Lawyers Association, and Health Care Compliance Association, Practical Guidance for Health Care Governing Boards on Compliance Oversight.

9 U.S. Dep’t of Justice, Criminal Div., Evaluation of Corporate Compliance Programs.

10 HCCA‐OIG Compliance Effectiveness Roundtable, Measuring Compliance Program Effectiveness: A Resource Guide.


Solid as a ROC: Strengthening Your Research Operations Core

By Sarah M. Couture, RN, CHC, CHRC, and Brian D. Annulis, JD, MHA, CHC, CHPC

Originally Posted on: Compliance Cosmos

Since the inception of ClinicalTrials.gov, “a database of privately and publicly funded clinical studies conducted around the world,” in 2000,[1] the volume of registered clinical trials in the United States has skyrocketed. As of August 9, 2020, there were 115,883 active clinical trials in the United States.[2] Commensurate with the growth in registered clinical trials, there has been increased oversight and regulatory focus on clinical trials, including Common Rule updates,[3] billing compliance enforcement, scientific misconduct investigations, conflict of interest inquiries, and kickbacks and related enforcement actions, to name a few. As institutions pursue clinical research opportunities, whether industry sponsored or investigator initiated, it has never been more important for institutions to have solid administrative and operations processes to support their clinical research billing—what the authors of this article call research operations core (ROC) workstreams. Well-grounded processes not only help mitigate billing compliance risks, but also support efficient clinical research and contribute to the overall research strategy and financial success of the institution.

Our country is replete with world-class clinical research programs and brilliant scientists pursuing novel clinical discoveries and innovative treatments such as new drugs and medical devices. Behind the names and even potential fame and glory of these clinical research programs and investigators are the necessary administrative functions and staff that support them. While these ROC workstreams and staff may be far less flashy or recognized than the science or the scientists, they are the essential backbone of successful clinical research programs.

Clinical research billing and revenue cycle support operations

In many ways, the overall success of a clinical research enterprise rises and falls on the strength of its administrative support functions, including the research revenue cycle. While research leadership support, investigator commitment and passion, staff engagement, and patient participation are all essential, a clinical research program cannot realize its full potential—or ensure its regulatory compliance—without intentional focus; collaboration across silos; and active pursuit of excellence in clinical research operations, administration, and the revenue cycle. This article discusses some common pitfalls across the various ROC workstreams and identifies best practices to ensure billing compliance and to strengthen the efficiency and value of research operations. We organize those workstreams into pre-trial and post-study categories.

Title 1: The workstream cycle flow

Pre-trial workstreams

Many of the ROC workstreams, from feasibility analysis through document harmonization, occur primarily before the trial begins. In order to ensure appropriate billing and the best contract terms from sponsors, it is essential that these workstreams are coordinated and completed prior to enrolling the first subject. There will also be times during the trial that some of these workstreams may need to be revisited and updated to ensure continued accurate billing. For example, when the protocol or the budget is amended, the coverage analysis (CA), coding, and document harmonization would need to be updated to reflect the new protocol items or new payment terms.

Feasibility analysis

While sponsors typically conduct a feasibility assessment for a proposed clinical study, research institutions do not always do so. As the clinical research landscape changes and financial margins decrease, research institutions should also assess whether the trial will be beneficial and aligned with their own research portfolio and strategy before agreeing to participate.

A missing or insufficient feasibility assessment could lead to misalignment between the principal investigator (PI) and the institution, financial strain, stressed organizational resources and capabilities, and additional risk for the institution based on an insufficient study support structure.

Institutions with best practices have a documented and consistent feasibility analysis process that engages both the PI and research administration.

Compliance tips

Study intake

Study intake is the process of determining whether the study will proceed through the research revenue cycle processes (i.e., whether the study has any protocol-required items or services that could generate a charge). Successful study intake also entails gathering and reviewing all of the study documents (e.g., protocol, draft informed consent form [ICF], draft clinical trial agreement [CTA]/budget offer, any Food and Drug Administration or Medicare administrative contractor documents, etc.) and storing them in a consistent way.

Inadequate study intake processes can result in disorganized communication and missing study documents and can put the institution at risk of not identifying a study that requires a billing CA, which could lead to improper billing.

Institutions with best practices have a centralized process for collecting and storing study documents and evaluating whether the study has any items or services that could generate a charge.

Compliance tips

Grid development

Grid development is the first step in the CA and budget negotiation processes. A grid captures all protocol-required items and services and their frequency and timing. The finalized grid provides a framework of all items and services that will occur during the trial—critical for the CA and budget negotiations. Most grids are built either in Excel or a clinical trial management system.

An inaccurate or inadequate grid could result in erroneous billing or missed sponsor invoice opportunities. If not all items and services are captured, the missed items/services could either be billed to the payer/patient when they should not have been, or the institution could miss out on the opportunity to negotiate payment for that item/service from the sponsor.

Institutions with best practices devote sufficient resources and develop standard processes in order to develop grids that accurately capture all study activities and their frequency.

Compliance tips

Coverage analysis

A CA is a systematic approach to determining what, if any, charges in a study may be billable to a third-party payer according to National Coverage Determination (NCD) 310.1 and the various regulations governing device studies. The CA is built on the billing grid. NCD 310.1 allows billing for certain items and services that meet the definition of “routine costs” that occur during a “qualifying clinical trial” when no other Medicare rule precludes billing.[4] Medicare standards are typically used when determining research study coverage, because Medicare has the most developed framework, most other payers follow Medicare’s lead, and the consequences of billing errors are most significant with Medicare.

An inadequate CA can lead to billing risks, including potential False Claims Act liability. The risks include:

Institutions with best practices develop consistent processes for determining what items and services in a clinical research study may be billable to the patient or third-party payer. The CA not only guides billing during the study, but also helps the institution negotiate a budget with the sponsor by requesting the sponsor pay for items/services for which the institution cannot bill.

Compliance tips

Coding
Once the CA is performed, the next step in the clinical research billing process is coding the items and services on the calendar grid for future billing purposes. The coding workstream involves having certified outpatient coders apply Current Procedural Terminology and Healthcare Common Procedure Coding System codes to the service lines on the calendar grid.

Compliance tips

CA upload and delivery

Once the draft CA is complete, it is uploaded to the clinical trial management system, if used by the institution, and provided to the PI and study team for review and approval. Delivery should involve collaboration between the research revenue cycle and the PI/study team, as the PI can lend expertise and provide supporting documentation that the analysis team may not have been able to locate.

If the CA is finalized without collaboration with the study team, it is at risk of inaccuracy, as the PI is often the subject matter expert and can shed light on areas of the CA that may seem vague to the research revenue cycle.

Institutions with best practices have a collaborative CA delivery process that involves an open and ongoing dialogue between the CA and the study teams.

Compliance tips

Internal budget development

Internal budget development helps the institution estimate the total costs involved with participating in the study. The internal budget includes not only the cost of all the protocol-required items and services, as outlined in the CA, but also the various administrative costs incurred in the pursuit of the research. An internal clinical trial budget helps ensure the financial viability of the study. It also serves as the basis for sponsor negotiations, since it captures all study costs and can serve as a future audit tool. A consistent process for internal budget development can also help the institution negotiate acceptable budgets across other studies with the same sponsor and can ensure documentation and justification of costs in case of future audit.

The success of the internal budget depends on its attention to detail and its ability to capture all potential costs associated with the study. The primary pitfall of internal budget development is failure to account for all costs. Failing to capture, or inaccurately capturing, study-related costs will hamper external budget development and sponsor negotiations and can weaken the financial solvency of the study and of the institution’s research program.

Institutions with best practices understand the importance of capturing all study-related costs and building a foundation for external budget negotiations. These institutions also use consistent processes and templates to establish a precedent for future study negotiations and help the organization anticipate research revenue, instead of accepting initial sponsor offers or sacrificing future negotiations to gain approval for the study at hand.

Compliance tips

External budget negotiations

The goal of external budget negotiations is to get the maximum amount of financial support from the sponsor for the institution’s participation in the study. Favorable negotiations result in research programs that are positive contributors to the institution’s financial well-being.

Without solid external budget negotiations processes, the institution will likely not get maximum financial support from the sponsor, resulting in lower research revenues and an overall weaker research infrastructure.

Institutions with best practices have mature external budget negotiation processes that work toward maximizing the remuneration for the cost per patient, as well as the administrative, start-up, and overhead fees that the sponsor should be expected to pay.

Compliance tips

CTA negotiation

CTAs are the contracts that bind parties in the context of a clinical trial. The parties involved include the institution(s) and the sponsor, and sometimes the PI.

An uninformed CTA negotiations process leads to unfavorable assignment of risks and disadvantageous delegation of costs and responsibilities.

Institutions with best practices understand their risk profile, consider obligations to their stakeholders, and examine all relevant issues, but they focus primarily on high-risk issues to balance the clinical trial risks and costs with the timeline constraints of contract negotiations.

Compliance tips

Document harmonization

Document harmonization is the process of harmonizing or syncing the final study documents, including the approved ICF and executed CTA or grant (and associated budget) with the draft CA. This prepares the CA to be used for billing and ensures that the CA accounts for any items or services promised free to the patient or paid by the sponsor or grant.

Institutions with no such harmonization expose themselves to risk, because the CA that will guide billing may not incorporate the final financial terms described in the final study documents. Accurate interpretation of the billing language in the final study documents is also essential: billing a payer or patient for a service that was promised free, or for which sponsor or grant payment was promised, can result in False Claims Act violations and subject the institution to penalties and sanctions.

Institutions with best practices have a workflow that ensures the draft CA is finalized by syncing it with the final study documents before it is used for billing.

Compliance tips

Post-study commencement workstreams

The following ROC workstreams occur after the trial has commenced and continue throughout the life of the trial. Recouping the institution’s labor and financial investment in the pre-trial workstreams requires the institution to ensure that the post-study commencement workstreams are also properly attended to.

Research claims scrubbing

Research claims scrubbing is the process of ensuring that charges for items and services performed for study purposes are routed to the correct party (e.g., payer or sponsor).

Inconsistent research claims scrubbing can result in charges being routed to the wrong party, leading to double billing or other billing errors.

Institutions with best practices develop methods to review research charges and confirm accuracy before billing.

Compliance tips

Sponsor invoicing

Hand in hand with research claims scrubbing is sponsor invoicing. Sponsor invoicing is the process by which the institution bills the sponsor for study-related services as reflected in the negotiated budget. Sponsor invoicing unifies the business and clinical sides of study services by coupling administrative data, such as the subject’s name, insurance provider for non-study–related services, and other personal information, with the treatment the subject receives.

If charges cannot be appropriately identified, segregated, and then billed, items and services that will be paid by the sponsor may be billed instead to Medicare, resulting in double billing and putting the institution at risk for False Claims Act violations.

Institutions with best practices have tight processes across the research revenue cycle to ensure the right charges and administrative fees are billed to the sponsor in a timely manner.

Compliance tips

Accounts receivable management

Accounts receivable (AR) management covers the money owed to the provider for services rendered and billed but not yet collected. It spans the output of both research claims scrubbing and sponsor invoicing: payments due from patients, payers, sponsors, or other guarantors are all considered AR. Efficient AR management maximizes revenue potential, ensuring cash flow is sufficient for effective study department management.

Without appropriate AR management, study departments may not have enough cash to operate or may have negative credit balances. This would diminish the long-term viability of the department’s research operation and may affect the overall sustainability of the institution’s research program.

Institutions with best practices have processes in place to manage AR and ensure it gets paid correctly and in a timely manner.

Compliance tips


The ROC workstream issues, pitfalls, and compliance tips described above should provide the reader a road map for developing sound and compliant clinical research billing processes. Other factors will influence an institution’s research program success, including leadership’s understanding and commitment of resources, research strategy, centralization or decentralization of research operations, the relationship between research administration and study teams, engagement of research operations with PIs, data and technical infrastructure, the experience of the team, culture, etc. That said, with collaboration and communication, engagement of PIs and study teams, development of consistent processes, and accountability and auditing, your research operations core can be ROC-solid and operate efficiently, contributing to an industry-best and vibrant clinical research program.


1 “Home,” ClinicalTrials.gov, United States National Library of Medicine, National Institutes of Health, last accessed August 6, 2020, https://bit.ly/3kfTO5v.

2 “Trends, Charts, and Maps,” ClinicalTrials.gov, United States National Library of Medicine, National Institutes of Health, last accessed August 6, 2020, https://bit.ly/33yOZhB.

3 “Revised Common Rule,” Office for Human Research Protections, U.S. Department of Health & Human Services, last reviewed January 19, 2017, https://bit.ly/3ictMy7.

4 “National Coverage Determination (NCD) for Routine Costs in Clinical Trials (310.1),” Centers for Medicare & Medicaid Services, last accessed August 6, 2020, https://go.cms.gov/3cDQqx7.

Copyright 2023 Compliance Today, a publication of the Health Care Compliance Association (HCCA)

Chasing the Goal: How Do You Know if Your Compliance Program is Truly Effective?

By Sarah M. Couture, RN, CHC, CHRC, and Debbie Troklus, CHC-F, CCEP-F, CCEP-I, CHRC, CHPC

Originally Posted on: Compliance Cosmos

If you are new to compliance, you may have noticed that compliance officers talk a lot about compliance program effectiveness. That is for good reason. According to the Federal Sentencing Guidelines, which provide the reasoning and framework for compliance programs, effectiveness is the expectation.[1] That’s the goal! An effective compliance program can help to “mitigate the ultimate punishment of an organization.” It is not enough to simply have a compliance program. That compliance program must be effective. So, what does that mean? According to Merriam-Webster, when something is effective, it produces “a decided, decisive, or desired effect.”[2] In a compliance program, the desired outcome is preventing and detecting fraud, waste, and abuse. That is the whole purpose of a compliance program. If a compliance program is not effective, that is, if it does not actually prevent and detect fraud, waste, and abuse, it will not meaningfully decrease organizational culpability as outlined in the Federal Sentencing Guidelines. In other words, your compliance program must work!

So, how do you know your compliance program is effective? Before 2017, there was plenty of discussion in the compliance profession about effectiveness, and it was obvious what ineffective compliance programs looked like. But what the government thought about compliance, how it viewed and defined it, and what it should look like in practice were a little more amorphous. Since compliance program effectiveness is the expectation of the government and the measurement against which a compliance program will be judged, it was challenging to know whether a compliance program would be up to par with the seemingly subjective goal. But in 2017, the U.S. Department of Health & Human Services Office of Inspector General (OIG), in collaboration with the Health Care Compliance Association (HCCA),[3] as well as the U.S. Department of Justice (DOJ)[4] published guidance documents that gave us insights into how the government viewed effectiveness. Since then, the DOJ guidance has been updated twice, in 2019 and in 2020, and the compliance profession has had more of a glimpse into how the government views effectiveness. While these guidance documents provide insights into compliance program effectiveness expectations, determining whether a program works is not a simple or one-dimensional endeavor. True effectiveness cannot be confirmed with just a checklist.

The OIG guidance specifically states: “This is not a ‘checklist’ to be applied wholesale to assess a compliance program. An organization may choose to use only a small number of these in any given year. Using them all or even a large number of these is impractical and not recommended. The utility of any suggested measure listed in this report will be dependent on the organization’s individual needs. Some of these suggestions might be used frequently and others only occasionally. The frequency of use of any measurement should be based on the organization’s risk areas, size, resources, industry segment, etc. Each organization’s compliance program and effectiveness measurement process will be different” (emphasis added).[5]

We must use the guidance documents and other government insights and perspectives, while also adding “soft” elements—including, but not limited to, perceptions, progress toward goals, program evolution, risk prioritization, and culture—that cannot be measured merely by a checklist. Instead, and in the spirit of the OIG’s admonition, we must tailor and prioritize measuring our program’s effectiveness and progress toward that goal in a way that is appropriate and customized according to our organization’s size, resources, areas of business, risk profile, and other company specifics.

This article discusses why effectiveness is important, why it can be challenging to achieve, the hallmarks of effective compliance programs, methods and tools to help gauge effectiveness, and practical pointers as you continue chasing the goal of compliance program effectiveness.

Why does prioritizing and pursuing compliance program effectiveness matter?

Aside from the obvious answer—mitigating the ultimate punishment of an organization (e.g., potentially lower fines, potentially avoiding a corporate integrity agreement)—there are numerous benefits for an organization that has an effective compliance program. Effective compliance programs can find, address, and fix issues before they grow too large or out of control; the longer an issue exists, the more difficult it is to fix. Effective compliance programs have educated and informed staff who know how to do their jobs in a compliant and effective way and how to spot and report concerns so they can be addressed. Effective compliance programs have cultures of transparency, where team members are comfortable reporting concerns, and managers and leaders appreciate and act on the reports. Organizations with effective compliance programs are more likely to bill correctly and keep reimbursement dollars, instead of paying back reimbursements when future audits identify overpayments. Evidence of an effective compliance program can help secure favorable business deals, such as in mergers and acquisitions, or help obtain better insurance rates. Organizations with effective compliance programs have better communication and better cultures, run more efficiently, provide higher-quality care, and are more likely to protect their brand and reputation by preventing front-page news stories about wrongdoing.

Why can compliance program effectiveness be so hard to achieve?

If compliance program effectiveness is the expectation, and it is what compliance programs are pursuing and compliance professionals are talking about, and if it is so beneficial to organizations in multiple ways, why does it sometimes seem so hard, and at times even elusive, to attain? The simplest answer is that program effectiveness is multifaceted, that there is no formula for attaining or evaluating it, and that an effective program looks a little different at every organization because every compliance program is—or should be—tailored and unique to the specific organization (e.g., size, risk profile, scope, nature of services, geography). Because of the seeming subjectivity of compliance program effectiveness, it can be challenging to paint a picture of exactly what it looks like, how to evaluate it, and how to pursue it. For this reason, this article does not offer a flat, one-dimensional approach to effectiveness, but rather a multidimensional perspective; we offer building blocks that can be considered as your unique organization seeks to pursue effectiveness.

On the road to evaluating and pursuing effectiveness, there can be multiple obstacles that prevent it. In our years of compliance program effectiveness assessment work with a variety of clients, we have seen multiple challenges that can short-circuit such attempts.

Board and senior leadership understanding, engagement, and buy-in

In many ways, the ultimate success of your program rises and falls on the compliance commitment of the board and senior leadership. This support helps to build the strong foundation that is needed for a compliance program to be effective. If the board and CEO do not understand or care about compliance, and therefore do not prioritize compliance, there cannot be program effectiveness. The compliance program may exist in some weak form but will likely be a paper program with lame-duck authority and minimal ability to truly prevent and detect fraud, waste, and abuse.

Organizational culture
A fearful or toxic culture will prevent compliance program effectiveness. Without widespread organizational commitment to doing the right thing or transparency that results in reporting and addressing issues, the compliance program cannot be effective.

Compliance reporting structure: CCO independence and authority

The chief compliance officer (CCO) must be given appropriate independence and authority. Without them, the compliance program cannot be effective at preventing and detecting fraud, waste, and abuse. Seating the CCO with senior leadership and ensuring the CCO reports directly to the CEO and reports to, or has a dotted line to, the board helps give the CCO the authority needed to fulfill the responsibilities of the program. When a CCO is not seated with senior leadership and does not have direct access to the CEO or board, it sends the signal that compliance is not as important as the functions that do report to the CEO. It is also essential for compliance to be independent of operations, finance, legal, and other business functions. Having the CCO report directly to the CEO and board helps ensure that compliance is not subordinate to legal, finance, or operations, thus preserving independence. Compliance should also be careful not to take charge of operations or operational functions, because a compliance program cannot objectively audit what it is operationally responsible for. Compliance officers should not act as management, which is an operational function.

Adequacy of risk assessment and its impact on the compliance program

Ensuring thorough, collaborative, and ongoing risk assessment and prioritization is key to ensuring compliance program effectiveness. To best prevent and detect fraud, waste, and abuse, a compliance program must understand the highest-risk areas and then devote appropriate resources to those risks. Programs that are not laser-focused on risk can end up spending inordinate resources addressing low-risk concerns instead of effectively addressing high risks. According to the DOJ, “prosecutors may credit the quality and effectiveness of a risk-based compliance program that devotes appropriate attention and resources to high-risk transactions, even if it fails to prevent an infraction.”[6]

Compliance resource sufficiency and management

To be effective, compliance must be given sufficient resources (i.e., budget, staffing) to be able to carry out the compliance program. The compliance program should base its work on ongoing risk assessment and ensure compliance program resources, including time, are spent appropriately on higher-risk areas. An adequately resourced program is an indicator of an effective program.

Structure and maturity of each of the seven elements

Each of the seven elements of an effective compliance program should be appropriately designed and implemented and should evolve with the compliance program. When one or more of the seven elements is not built well or is not working as it should, the program may not be as effective as it otherwise would be (see the “Hallmarks” section below, which discusses the DOJ and OIG guidance for specific elements).

Documentation and tracking

Potentially as concerning as a paper/shelf program is a program that has much activity, but that activity is not adequately documented. In the clinical world, a well-known adage is, “If you did not document it, you did not do it.” The same can be said for a compliance program: if you did not track it or document it, you cannot provide evidence that you did it. It is essential to track all compliance program activity (e.g., reports, guidance requests, audits, investigations, education and training, meeting minutes, agendas) and ensure thorough documentation and document retention.

Access to, use of, and integration of data

Compliance must be given access to all company data to appropriately help prevent and detect fraud, waste, and abuse. Additionally, the compliance program must learn to intelligently use data, as data analysis can be used to both assess risk and measure effectiveness of risk mitigation work and compliance program effectiveness itself. A compliance program cannot be effective without access to all company data (and people, for that matter), and program effectiveness can be enhanced with smart data analysis and integration.

Operations engagement in compliance

Compliance cannot be successful in a vacuum or on an island. Compliance must engage operations and help operations understand their compliance responsibilities. Compliance is everyone’s job. It takes a village.

Leveraging risk partners

To be effective, compliance must collaborate with other risk partners when appropriate. This may include legal, risk management, internal audit, human resources, and potentially other internal and external partners. Ineffective compliance departments try to operate alone without bringing in appropriate partners.

Use of outside expertise

There may be times where your compliance program staff do not have sufficient experience or expertise to appropriately handle a certain concern. Whether for a specialized investigation, an audit, or to gain a fresh, objective perspective on a specific issue or your compliance program generally, consider how to best leverage appropriate expertise for the task at hand, whether that expertise is within your department or external. Know when you don’t know.

Hallmarks of compliance program effectiveness

While there are many challenges that can weaken attempts to achieve effectiveness, there are also signs of life and vibrancy that, when taken together, can signal to your organization, the public, and regulators alike that your organization has an effective compliance program.

Engaged board and leadership

Effective programs are those in which board members and organizational leaders understand their compliance obligations, have regular meaningful interactions with the compliance officer around compliance matters, and are clearly committed to doing the right thing no matter what. Compliance officers should have a regular seat at board meetings.

Culture of compliance

Effectiveness can be evidenced when employees know how to function compliantly, identify aberrancies, and report concerns without fear of retaliation, and managers and leaders encourage transparency and then remedy identified issues.

Culture of continuous improvement and evolution

Acknowledge that the compliance program can always become better and more effective. Be intentional in evaluating and planning for program effectiveness and ensure the program evolves over time to best align with the organization’s needs and risk profile.

Ongoing risk awareness, assessment, and prioritization

Ensure that compliance program work, resources, time, audits, work plan, and seven elements are based on prioritized risk that is being continually assessed in collaboration with operations partners.

Root cause analysis and incorporation of lessons learned

When something does go wrong, an effective compliance program analyzes the situation to learn lessons, then adapts the program according to those lessons. This can lead to more effective prevention and detection of noncompliance.

Humility, transparency, and feedback

Acknowledging that there is no perfect organization, no perfect compliance program, and no perfect compliance officer will help ensure humility and flexibility in the program. Facilitate and ask for transparency; ask for feedback from your team, leadership, and operations; and then make appropriate changes based on that feedback.

Intentional compliance program effectiveness plan, including assessment

Develop a plan for ensuring compliance program effectiveness, including how it will be developed, pursued, reported on, and evaluated. Best-practice programs prioritize ongoing, at least annual, documented self-assessments and outside, objective effectiveness assessments every two to three years.

Test and analyze controls that are in place in compliance and in operations

Do the controls that are in place work? Do the things that we think are controlling the risk work? Test the controls, document outcomes, and implement changes if needed.

Corrective action plans
Ensure corrective action plans are developed by management, implemented, and working over time. Compliance should monitor the corrective action plans.

Data-driven decision-making

Great business intelligence can be found in data analysis. Identify a partner to help you think through leveraging business data to improve compliance program effectiveness and decision-making around risks.

Not operating in a silo

Collaborate with operations, legal, risk, quality, internal audit, human resources, outside agencies/consultants, and professional organizations to ensure appropriate perspectives and expertise.

Well-engaged operations that understand their compliance responsibility

Effective compliance programs empower operations to own compliance. Operations leaders and managers should ensure appropriate internal controls are in place (e.g., policies and procedures, education and training, monitoring of high-risk functions) so that their operational departments and teams can function compliantly.

Documentation, tracking, analyzing trends, and reporting

Effective compliance programs set expectations through systems, protocols, and templates to ensure compliance program reports and activities are tracked, thoroughly documented, and reported to leadership and the board as appropriate.

Available, approachable, and knowledgeable staff

Effective compliance programs have compliance officers and staff who are personable, collaborative, knowledgeable, and approachable. Effective compliance staff work to build rapport with operations partners and ensure they always have an open door and are available.

Getting outside help or a fresh perspective when needed

There may be times when your compliance program does not have the necessary expertise or experience to conduct an audit, investigation, assessment, or other project. Seek external help to ensure appropriate expertise or a fresh perspective. This may help ensure effective and thorough audits or investigations.

Seven-element development and implementation

Develop your program elements so they are pragmatic, applicable, and can flex and evolve as the organization evolves (e.g., in size, risk profile). Are your program elements well designed, implemented, and do they work? We recommend reviewing your elements against the specific guidance and suggestions from Evaluation of Corporate Compliance Programs and Measuring Compliance Program Effectiveness: A Resource Guide, as these guidance resources provide perspectives on the effectiveness of specific program elements.

Methods and tools to help evaluate compliance program effectiveness

As we have discussed, every effective compliance program looks different based on the size, complexity, and risk profile of its organization, and there is no one way to assess its effectiveness. In this section, we offer a few methods and tools to help you assess your program’s effectiveness. You cannot rely on just one of these tools, but we encourage you, based on the uniqueness of your organization and program, to use a blend of these methods and tools to help develop a tailored approach to assessing, then pursuing, effectiveness.

Guidance documents

As previously mentioned, government guidance documents offer both specific expectations around compliance programs as well as perspectives and questions to help assess effectiveness. Familiarize yourself with these documents and use them as you develop your own approach to an effectiveness assessment.

Benchmarks

Benchmarks are a great way to compare your progress to the progress of peer organizations. While the availability of benchmarks has increased over the years, this is still an area of development for our profession. HCCA has benchmarks for resources like staffing and budgeting, as well as salary benchmarks. Other organizations and some vendors track and provide specific benchmarks that may be relevant to your organization. Research what is available and use benchmarks where you can to understand your program's effectiveness.

Surveys

Conducting surveys is an excellent way to gauge the knowledge and perceptions of your employees. Consider adding specific compliance survey questions to your regular employee survey to better understand the impact your program is having on your culture and employees. Ensure that you follow up with employees, notifying them of the correct survey responses where appropriate, as this can be a form of education and training. Measuring Compliance Program Effectiveness: A Resource Guide has many survey ideas for consideration. Also, ensure exit interviews occur to identify risks and opportunities for enhancing program effectiveness.

Rounding

Spend time in various operations departments getting to know staff, observing work environments and activities, and talking to employees. Consider a simple rounding checklist with a small number of questions that you can ask employees and record as you observe. This will allow you to understand your program's impact on specific areas, identify areas where your program can enhance communication or consider a review, and benchmark departments against each other and trend progress over time.

Audit results

Review recent internal and external audit results to identify areas for improvement. Look at auditing as a chance to enhance controls and incorporate lessons learned.

Data analysis

Trend and analyze compliance activity data to look for opportunities to enhance effectiveness and employ data analysis to review risk areas more efficiently.

Dashboards

Dashboards are a great way not only to communicate a large amount of information graphically, but also to trend your progress and effectiveness over time. Develop dashboards to communicate what is going on in your program, track progress, and analyze trends to identify opportunities to enhance effectiveness.

Develop your own!

What other tools or assessment methods can give you insights into the effectiveness of your program? Be creative and collaborate with your staff and compliance committee to develop pragmatic assessment tools.


Just as there is no one-size-fits-all compliance program, there is no one-size-fits-all way to evaluate or pursue effectiveness. Take the resources and methods described in this article to tailor a custom approach to evaluating your program's effectiveness. Develop a plan for ongoing effectiveness assessment and pursuit. Be intentional and focused on a culture of continuous program improvement; your organization is evolving, and so should your program. Discuss program effectiveness, and your ongoing strategy to get there, with your board, leadership, compliance committee, and compliance staff. Stay engaged with operations. Be creative with resources, ensuring risks are prioritized. Be flexible, look for lessons learned, and incorporate them. Know that the work is never done; your compliance program should always be moving and evolving as you chase the goal of compliance program effectiveness.

Note: Ankura is not a law firm and cannot provide legal advice.


1 USSG § 8B2.1 (U.S. Sentencing Comm’n 2018).

2 “Effective,” Merriam-Webster Dictionary, accessed February 4, 2022, https://www.merriam-webster.com/dictionary/effective.

3 HCCA‐OIG Compliance Effectiveness Roundtable, Measuring Compliance Program Effectiveness: A Resource Guide, March 27, 2017, https://oig.hhs.gov/documents/toolkits/928/HCCA-OIG-Resource-Guide.pdf.

4 U.S. Dep’t of Justice, Criminal Div., Evaluation of Corporate Compliance Programs (Updated June 2020), https://www.justice.gov/criminal-fraud/page/file/937501/download.

5 HCCA‐OIG Compliance Effectiveness Roundtable, Measuring Compliance Program Effectiveness.

6 U.S. Dep’t of Justice, Criminal Div., Evaluation of Corporate Compliance Programs.

7 “Compliance Guidance,” Office of Inspector General, U.S. Department of Health & Human Services, accessed February 8, 2022, https://oig.hhs.gov/compliance/compliance-guidance/.

8 U.S. Department of Health and Human Services, Office of Inspector General; Association of Healthcare Internal Auditors; American Health Lawyers Association; Health Care Compliance Association, Practical Guidance for Health Care Governing Boards on Compliance Oversight, April 20, 2015, https://oig.hhs.gov/documents/root/162/Practical-Guidance-for-Health-Care-Boards-on-Compliance-Oversight.pdf.

9 “Surveys,” Health Care Compliance Association, accessed February 8, 2022, https://www.hcca-info.org/publications/surveys.

10 The Institute of Internal Auditors, “Update: The IIA Updates Three Lines Model,” August 5, 2020, https://internalauditor.theiia.org/en/articles/2020/august/update-the-iia-updates-three-lines-model/.

Copyright 2023 Compliance Today, a publication of the Health Care Compliance Association (HCCA)