Practical Questions for Boards to Ask about their Compliance Program.
Effective Corporate Compliance Programs require the Board of Directors (Board) commitment to oversee the program’s implementation and operations. Ideally, the Board should have a sub-committee to focus on these responsibilities. The Department of Health and Human Services (HHS) Office of Inspector General (OIG) compliance guidance calls for a Board level committee to oversee the Compliance Program. The HHS Inspector General Dan Levinson notes that the best Boards are active, inquisitive, and exercise constructive skepticism in their oversight. Mr. Levinson states that Boards have a duty to ask probing questions about the Compliance Program operation. For example, the Board should ask questions about how the company’s compliance reporting processes work. Further, the Board has a duty to ask probing questions about the Compliance Program’s goals and objectives. For health care Boards, the main challenge is asking the correct questions. To that end, the OIG and American Health Lawyers Association (AHLA) have suggested specific questions that Boards should be asking about their Compliance Programs in two joint publications: “Corporate Responsibility and Corporate Compliance: A Resource for Health Care Boards of Directors” and “Corporate Responsibility and Health Care Quality (2007): A Resource for Health Care Boards of Directors”. Compliance Officers should assist Boards in developing these questions and be prepared to provide comprehensive answers to their questions.
A sample of suggested Compliance Program questions from the joint OIG and AHLA publications include the following:
- Does the Compliance Officer have adequate authority to implement the Compliance Program?
- What resources are required to properly implement and operate the program?
- Does the Compliance Officer have sufficient resources to carry out the compliance mission?
- Are compliance-related responsibilities delegated across all management levels?
- Is there evidence to support the contention that all employees are held equally accountable for compliance?
- How is the company’s Code of Conduct (Code) incorporated into policies across the organization?
- Does the evidence demonstrate that the Code is understood and accepted across the organization?
- Does management widely convey the Code’s importance to all employees?
- Are there compliance-related policies that address operational compliance risk areas?
- Are there policies and procedures that address Compliance Program operations?
- How often are compliance-related policies reviewed and updated?
- What is the scope of compliance-related education and training?
- Is there evidence to support the effectiveness of compliance training?
- How are training mandates enforced?
- Does evidence reveal that employees understand their compliance responsibilities?
- How does the company identify compliance risks?
- Is there evidence to show that identified compliance risks are being addressed?
- How is the Compliance Program structured to address such compliance risks?
- Does the Compliance Program undergo periodic independent effectiveness evaluations?
- Does the company have a process for the evaluation of and response to suspected compliance violations?
- What training does the company provide to internal compliance investigators?
- How do the compliance, human resources and legal counsel departments coordinate their roles in resolving compliance issues?
- Does the company have policies to ensure preservation of relevant Compliance Program documents and information?
- What company policies address “whistleblower” protections and those accused of misconduct?
- What are the results of program manager’s ongoing compliance monitoring?
- How is ongoing compliance auditing being performed and by whom?
- How often does the company conduct sanction-screening?
- What results arise from sanction-screening and are they certified by responsible parties?
- Does the Compliance Program undergo effectiveness evaluation by a qualified independent reviewer?
- Does the company maintain evidence regarding hotline operation and follow-up investigations?
- What metrics does the company use to evidence Compliance Program effectiveness?
- What are the results of an independent review and assessment of the company’s Compliance Program?