Compliance and the Board: Challenges and Best Practices

December 13, 2023

By Brian D. Annulis, JD, MHA, CHC, CHPC; Sarah M. Couture, RN, CHC, CHRC; and Kayla M. Teune, CHC

Originally Posted on: Compliance Cosmos

Chief compliance officers (CCOs) understand the importance of creating a culture that identifies and mitigates risks. In fact, not having a culture that identifies risks in a timely manner and escalates them was among the top 10 risks according to “Executive Perspectives on Top Risks in 2019.”[1] One of the first steps in establishing a compliant culture is educating and involving the governing body/board in compliance. Guidance documents from both the U.S. Department of Justice (DOJ)[2] and the U.S. Department of Health & Human Services Office of Inspector General (OIG)[3] discuss the importance of a culture of compliance being driven by organizational leaders, or “tone at the top,” and of creating and fostering a culture of ethics and compliance with the law.[4] Additionally, the U.S. Federal Sentencing Guidelines indicate that the company’s “governing authority shall be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight.”[5]

Although it is clear that the board needs to be involved, it is common for CCOs to struggle with what the compliance–board relationship should look like in their organization. The reasons a CCO may have difficulty fostering a meaningful board relationship may include:

  • The CCO having limited access to the board in general;
  • Not knowing the best way to engage the board and help board members understand their compliance oversight responsibility;
  • Being unsure of the balance between information overload and not enough information when reporting to the board on the compliance program;
  • Being unsure of the best way to educate the board on compliance and which compliance topics should be included;
  • Lack of certainty as to whom to engage with on the board and how frequently;
  • Compliance may not be a priority in the organization, so the CCO may not get adequate time with the board; and
  • Compliance being looked at as a regulatory necessity to check the box vs. a valuable business partner that reinforces a positive corporate culture.

This article is intended to share a road map on how to effectively create and manage board engagement and interactions to strengthen your compliance program and overall corporate culture.

Understanding challenges to effective board management

When it comes to board engagement and management, the CCO must navigate how to effectively spend time with the board and how to make sure board members are educated about the compliance program and compliance activities happening in the organization. However, this may be easier said than done. There are several challenges that the CCO must overcome to effectively communicate with the board.

First, the CCO must have access to the board. Lack of access can be caused by several reasons, including a lack of precedent for access to the board, senior leadership preventing board access or wanting to be the go-between, or the organization being concerned about reporting compliance information in meeting notes that are required to be publicly available because of various states’ Open Meetings acts. Additionally, access may be further complicated if a central board oversees multiple entities and it is unclear how the CCO should interact with the central board. Whatever challenge the organization may face, the DOJ emphasizes the importance of a compliance officer having direct access to the board and that this access is key to effectively communicating with the board members.[6] So, access must be the first challenge to overcome to establish a meaningful board relationship.

A second challenge a CCO may face is having an unengaged or uneducated board. According to the Society of Corporate Compliance and Ethics & Health Care Compliance Association’s September 2017 survey, only 18% of board members are highly satisfied with the amount of compliance training they receive, to the extent they receive training at all.[7] Common challenges the CCO may face regarding board education and engagement include:

  • The board has had inconsistent past interaction with or education about compliance;
  • Board members have a lack of understanding of their compliance and oversight responsibility;
  • They have insufficient awareness of what compliance risks exist and the benefits of an effective compliance program;
  • They view compliance as a checklist rather than a dynamic tool to prevent and detect fraud, waste, and abuse;
  • Members do not understand that they set the tone for compliance and culture in the organization; and
  • They are more focused on financial performance and lack focus and attention on compliance.

A third challenge for the compliance officer is knowing what to report to the board and how detailed the reported content should be. It is important for the CCO to understand what kind of information and level of detail the board prefers and to ensure the compliance report (and compliance program) is aligned to the risks in the organization. Some boards want only high-level details, while other boards would like the compliance officer to share information that is more “in the weeds.” What type of information and level of detail does the board request to aid in its oversight responsibility? As the CCO’s communication with the board evolves, the CCO should have ongoing conversations with board members about their desired depth and breadth of compliance reporting. This will allow the CCO to be the most efficient and effective in communicating with the board.

Once a compliance officer understands and identifies their challenges regarding board participation in compliance, then they can strategically plan how to overcome and manage these challenges.

Communicating with the board: Education and reporting

OIG discusses not only the importance of the compliance officer communicating with the board, but also the board being sufficiently informed to be able to ask questions regarding the adequacy and effectiveness of the organization’s compliance program.[8] The members of the board should be able to ask questions to demonstrate that they are fully engaged in their oversight responsibility. The OIG guidance for healthcare governing boards outlines the following questions:

  • What plan is in place to keep the board updated on the regulatory landscape?
  • If a reporting system exists, is it adequate and is it working?
  • Is the scope and adequacy of the compliance program relative to the size and complexity of the organization?
  • What benchmarks are being used as assessment tools to measure compliance program effectiveness?
  • Are annual compliance resolutions required by the board?

To be able to answer the above questions, it is important that the members of the governing body be educated about compliance during their onboarding. Be sure to include board compliance education in the compliance education and training plan. The board compliance training plan should include details regarding what topics/content should be covered, the frequency of training, current industry developments, and discussion of its responsibilities for compliance oversight. The board compliance training plan should also include a formal method to orient new board members to the organization’s compliance program. Consideration should also be given to whether board attestations should be implemented.

The trainings should ideally be live, either in-person or virtual, considering pandemic limitations. There should also be printed materials for the board to reference later if needed. The ongoing general compliance training should occur at least annually, with intermittent and topic-focused/risk-focused training throughout the year. Topics can become more detailed as the board’s understanding of compliance progresses.

It is also important that the CCO be able to answer questions about the compliance program to the board directly rather than through a member of senior leadership. According to the DOJ’s Evaluation of Corporate Compliance Programs,[9] the organization must have a reporting line in place where the compliance officer can have access to the governing authority or an appropriate subgroup of the governing authority. The board should also consider having a regular executive session with the CCO to ensure the ability to speak freely and have an open line of communication if something troublesome were to occur. The CCO could also establish a standing meeting with the board chairperson to prepare for meetings and further discuss any questions or other compliance information.

The CCO should also plan how they intend to report to the board. This should include how often the CCO will meet with the board, the depth of reporting, and the content that should be included. OIG recommends compliance meetings with and reporting to the board, or board subcommittee, at least once a quarter.[10] From a survey of compliance guidance documents, including documents previously mentioned from the Federal Sentencing Guidelines, OIG, and DOJ, the authors recommend including the following in compliance reports to the board.

  1. Discussion of oversight responsibility, including:
    • Assessment and approval of the compliance budget, staffing, and resources based on identified risk in risk assessment.
    • Assessment, whether internal self-assessment or outside assessment by a third party, of compliance program effectiveness.
    • Elements of the compliance program that need improvement.
    • Process for escalation and accountability, including reporting and resolution. OIG advises that the organization should have a written process in place to determine at what point a matter must be reported to the board.
  2. Presentation of risk assessment and work plans, including:
    • Updates on risk assessment efforts and outcomes.
    • Approval of the compliance work plan based on assessed risk, including risk mitigation plans.
    • Regular reporting to the board on work plan projects and progress.
    • Update the board if there are changes to the work plan.
    • Inform the board when the work plan activity is complete.
  3. Review of code of conduct, including obtaining approval of the initial code of conduct and subsequent edits.
  4. Review of policies and procedures, including receiving approval of compliance policies and ensuring the board understands policies currently in place.
  5. High-level presentation of reports made to compliance, including categorized and trended data. The data could include:
    • Method of report (phone call, anonymous hotline, email, or other means of reporting).
    • Benchmarked data, such as days open.
    • Topic of report and trended volumes (e.g., number of reports on billing, privacy, research compliance).
    • Resolution of reported issues/evidence of follow-up.
  6. Discussion of investigations, including:
    • Categorized and trended data on investigations.
    • Details of significant investigations.
    • Outcomes of investigations and resulting corrective actions.
  7. Discussion of audits, including:
    • A periodic review of the audit plan by the board to make sure it is still fit for purpose and focused on the high-risk areas.
    • Audit results and remediation/actions in response to results.
    • Concerns with corrective action plans, which may include follow-up audits or untimely corrective action plan/operations response.
  8. Reporting on external activity, including government investigations and external audits (e.g., OIG or payer audits).
  9. Compliance training statistics, including rate of completion, compliance program reach, and the topics included.
  10. Discussion of exclusion screening, including process, data, and resolution of potential “hits.”
  11. Discussion of discipline for compliance violations, including evidence of discipline, trending areas of noncompliance, reporting details for significant violations, and fairness and consistency across alike violations.
  12. Compliance incentives and recognition of those exhibiting compliant and ethical behaviors and actions. Discussion of how to incentivize compliant behavior.
  13. Results of culture survey and action plan to address culture concerns.

Other topics can be considered based on board requests and needs. Although the number of topics that could be discussed may seem like a lot, these topics taken together point to compliance program effectiveness. Many of these topics will be presented using data that can be turned into a dashboard. Presenting data in a dashboard can make the information more digestible and can allow for better trending over time.

Continuing improvement: Further developing the compliance–board connection

Once a CCO has an established relationship with the governing body/board, there are ways to help ensure the interaction with the board goes to the next level. One way to strengthen the level of collaboration is to have interactions with the board chair or other members in addition to/outside of board meetings. This could be on a quarterly or monthly basis and could be outside of the office (for example, over a coffee). This is an opportunity to not only develop a stronger rapport with select members, but also to be able to talk in more detail about the compliance program.

Another great way for the board to become more engaged in compliance is by expanding its exposure to compliance. This could be accomplished in several ways. One way is to pursue finding an incoming board member with compliance experience and/or experience in an organization under a corporate integrity agreement. The CCO can also consider inviting an outside compliance expert to speak to the board about its compliance oversight responsibility or about specific compliance risks. Additionally, the CCO should inform the board about outside board compliance training opportunities.

The more the board is educated and engaged with compliance, the more questions and perspectives members may have on various issues and business decisions. Business strategy can be positively affected as the board becomes more aware of compliance. It may be helpful to track types of questions board members ask after education or compliance reporting, as this may provide the CCO cues for enhanced future communication. The CCO should also look for ways that board members view things and tailor the approach to improve understanding of compliance.

When the board prioritizes a compliant culture and stays involved in the organization’s compliance activities, the employees of the organization are encouraged to take a level of compliance accountability they may not otherwise have taken. The board is ultimately responsible for ensuring that the organization complies with relevant laws. The CCO can help with this goal by intentional engagement and interaction with the board.

This article does not provide any legal advice or recommendations.

  • Identify challenges that prevent access to the governing body. Having access to the board is essential to educating its members about the compliance program in the organization.
  • Plan on how to get the board involved. From reporting data to external compliance activities, board members need to stay up to date on compliance inside and outside the organization.
  • Encourage board members to ask questions. Be willing to adjust communication and reporting based on what they would like to know.
  • Remain consistent. Consistency in frequency of board meetings, communication, and compliance education can positively affect the board’s engagement.
  • Tone at the top is important. When your board prioritizes compliance, it encourages a compliant culture throughout the organization.

1 North Carolina State University’s ERM Initiative and Protiviti, “Executive Perspectives on Top Risks 2019: Key issues being discussed in the boardroom and C-suite,” accessed April 15, 2021.

2 U.S. Dep’t of Justice, Criminal Div., Evaluation of Corporate Compliance Programs (Updated June 2020).

3 HCCA-OIG Compliance Effectiveness Roundtable, Measuring Compliance Program Effectiveness: A Resource Guide, March 27, 2017.

4 OIG, Association of Healthcare Internal Auditors, American Health Lawyers Association, and Health Care Compliance Association, Practical Guidance for Health Care Governing Boards on Compliance Oversight, April 20, 2015.

5 USSG § 8B2.1 (U.S. Sentencing Comm’n).

6 U.S. Dep’t of Justice, Criminal Div., Evaluation of Corporate Compliance Programs.

7 Society of Corporate Compliance and Ethics & Health Care Compliance Association, “Compliance Training and the Board,” September 2017.

8 OIG, Association of Healthcare Internal Auditors, American Health Lawyers Association, and Health Care Compliance Association, Practical Guidance for Health Care Governing Boards on Compliance Oversight.

9 U.S. Dep’t of Justice, Criminal Div., Evaluation of Corporate Compliance Programs.

10 HCCA-OIG Compliance Effectiveness Roundtable, Measuring Compliance Program Effectiveness: A Resource Guide.

Copyright 2023 Compliance Today, a publication of the Health Care Compliance Association (HCCA)