Quis Custodiet Ipsos Custodes: “Who Watches the Watchmen” Oversight of Compliance Departments and Professionals

Emily Boyd
Associate Editor
Loyola University Chicago School of Law, JD 2019

In the graphic novel and film “The Watchmen,” there is a recurring phrase: “Who watches the watchmen?” In context, it’s an indictment of the comic book world’s broken justice system. However, in a compliance context, the concept can be just as important. In a recent discussion with a hospital system’s compliance officer, he raised the point that a company’s compliance department is seen as the ultimate authority and expertise in laws and regulations, monitoring compliance and noncompliance, and implementing corrective and disciplinary actions. Yet while many compliance professionals may assume that their actions are always compliant, who oversees those who are overseeing systems and organizations? Who ensures that compliance is compliant?

Federal efforts to encourage oversight

The U.S. Federal Sentencing Guidelines state that an “organization’s governing authority shall be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program.”

In April 2015, HHS released comprehensive guidelines in the “Practical Guidance for Health Care Governing Boards on Compliance Oversight.” That summer, NAVEX Global opined that the guidance, drawing from the Federal Sentencing Guidelines, OIG compliance program documents, and trends in Corporate Integrity Agreements, was a landmark document that signaled a potential global trend in compliance and ethics oversight even beyond the healthcare industry.

Under the guidance section “Expectations for Board Oversight of Compliance Program Functions,” HHS states:

A Board must act in good faith in the exercise of its oversight responsibility for its organization, including making inquiries to ensure: (1) a corporate information and reporting system exists and (2) the reporting system is adequate to assure the Board that appropriate information relating to compliance with applicable laws will come to its attention timely and as a matter of course.

NAVEX further encouraged compliance and ethics officers to answer specific questions posed by their Board of directors based on the guidelines. However, having the compliance department be the only source of information about the adequacy of a compliance program still keeps compliance officers in control, despite board “oversight.”

Compliance departments are still encouraged to evaluate from within

In 2017, OIG and HCCA collaborated to create a list of measurements for each of the seven elements of compliance. The resulting “Measuring Compliance Program Effectiveness – A Resource Guide” provides approximately fifty pages of measures for compliance programs to evaluate their own effectiveness. Compliance departments use this guide to create evaluations and measuring tools that help compliance officials reflect on the organization, as well as their own performance. However, there is still no external oversight or interpreter of the measures.

Compliance is a complex field in which many governing Board members, within and beyond healthcare, defer to the expertise of compliance professionals within their organizations. Despite the negative financial or reputational impact their reports may have, most compliance professionals see themselves as “the good guys” working to ensure compliance within an organization. In every profession, however, there are people more interested in personal gain than acting in the best interest of their organizations. In compliance operations, deferring to the judgment of one such person, assuming they are acting in line with the behaviors expected of compliance professionals, is not sufficient oversight.

Potential Solutions

Board members looking for oversight over their compliance departments should begin by asking questions. Those questions should be extracted from the NAVEX guidance and other authorities. By understanding how a compliance program should operate and maintain its own internal compliance, Board members will be better situated to identify potential issues within the department of their own organization. Internal information is a valuable tool when measuring effectiveness and compliance; however, with objective, third-party information, Board members may be better prepared to ask probing questions and look deeper into potentially suspicious confirmations of compliance. As the named responsible parties for compliance department oversight, Board members should feel autonomously empowered and obligated to know about compliance activities within their organizations. By not completely deferring to the expertise within their own organizations, potential and existing noncompliance can be identified and corrected.

Organizations themselves should also structure compliance departments to perform their own internal checks and balances. OIG encourages, and mandates under Corrective Action Plans, that compliance departments not report to an organization’s general counsel and legal department. However, maintaining an open connection between the often-overlapping departments can aid in the discovery of noncompliant compliance actions. Within a compliance department, ensuring that no one person reigns supreme over all compliance actions can help distribute authority. Ensuring that even the actions of the Chief Compliance Officer can be checked and limited when necessary can significantly assist organization leaders outside of the compliance department to identify potential problems and conduct inquiries and investigations as appropriate.

The compliance watchmen (and women) are generally acting in the best interests of their organizations. However, implementing proper and informed oversight will ensure they continue to serve us well and organizations remain strong, ethical, and successful.