How to Measure Compliance Program Effectiveness: Reporting Lines, Risk Assessments & More

Published On: September 28th, 2025. Categories: Compliance; Governance, Risk & Compliance (GRC).

Expectations for Compliance Officers continue to rise as they assume new areas of oversight, such as privacy compliance, internal audit, and compliance risk management. Given their wide range of responsibilities, not to mention the dynamic and demanding nature of their jobs, a number of important questions arise:

  • How do you prove your compliance program is effective?
  • Where should your Compliance Officer sit in the org chart?
  • When should you tap outside expertise?

In the Q&A below, Hon. Richard Kusserow, CEO of Strategic Management Services, offers his perspective.


Q: Why is the discussion on program assessment methods so important?

A: In our 2025 Healthcare Compliance Benchmark Report, most survey respondents said they rely on internally generated data to assess their programs. Examples include the number of employees trained, hotline complaints received, sanctions screenings performed, etc. It is important to note that this data relates to outputs, whereas program effectiveness needs to be outcome-oriented. Use of internal assessments, gap analyses, and other tools controlled by compliance officers is entirely appropriate for program monitoring. However, these tools do not provide the independent verification that oversight agencies consider critical for credibility. By definition, independent evidence from reviews and audits must come from parties outside the function being reviewed.


Q: Do you see many organizations continuing to have their Compliance Officer report through Legal Counsel?

A: The short answer is yes, though the practice is declining. Today, about one in six healthcare organizations still combine the roles. Both the DOJ and OIG discourage legal and compliance under one authority as a conflict of interest, and OIG settlement agreements mandate that compliance must not report through Legal Counsel. The new OIG “General Compliance Program Guidance” doubles down on this argument and may prompt more organizations to separate the functions. Notwithstanding, there may be circumstances where combining makes sense—but the burden lies with the organization to justify why.


Q: Why do you believe compliance officers will continue to engage part‑time consulting support?

A: The roles, responsibilities, and burdens of compliance officers keep increasing in an ever‑changing legal, regulatory, and business environment. New responsibilities—such as privacy—add to the workload. As a result, many compliance officers turn to expert consultants for help. Recent upheavals in the labor market have created staffing gaps that can be temporarily addressed by engaging consulting firms.


Q: What should compliance officers use to identify their high‑risk areas of compliance, if not just following the OIG GCPG?

A: There is no short or easy answer. Identifying and addressing compliance risks requires far more than a checklist review against the GCPG. It involves conducting a healthcare Compliance Risk Assessment to identify, evaluate, and address potential risks related to laws, regulations, policies, and ethical standards. Objectives include preventing violations, protecting patient data, avoiding fines and reputational damage, and promoting a culture of compliance.

This process generally involves a systematic effort to identify risks, evaluate the likelihood of violations, and assess their potential impact. The outcome is a prioritized list of risk areas, guiding resource allocation for mitigation. Ongoing monitoring and auditing are then used to verify that corrective measures are taken and validate their effectiveness.


Q: Which department is most appropriate to manage or facilitate the ERM function—the Board or senior leadership? Does it differ for healthcare vs. non‑healthcare organizations?

A: Effective ERM requires collaboration across all levels to ensure patient safety, regulatory compliance, and organizational sustainability. In healthcare, the CEO sets the tone and is ultimately responsible for risk management. Many larger organizations appoint a Chief Risk Officer to oversee ERM assessments and mitigation, and charter a Risk Management Committee of program leaders. The Board of Directors should oversee risk management to ensure alignment with organizational goals and compliance requirements. The Compliance Officer focuses on regulatory adherence, while program managers handle risks specific to their areas.


Q: Should HIPAA Security/Cybersecurity be handled by a HIPAA Security Officer who has robust IT knowledge?

A: Yes. HIPAA Security is best housed within IT under a dedicated Security Officer. HIPAA Privacy, on the other hand, most often resides under the Compliance function.
