
For most corporate executives, the question “Who owns corporate compliance?” seems simple: the chief compliance officer (CCO). That’s why that role exists: to keep the organization on the right side of ever-shifting regulatory demands.
But the realities of corporate compliance programs are more complex. Compliance isn’t a centralized function; it’s a governance system, a system of shared accountability requiring deliberate checks and balances across programs, leaders, and the board.
This deliberate architecture elevates the CCO from compliance technician to compliance governor, from individual contributor to strategic executive. This approach is necessary for a corporate compliance program to function optimally.
The checklist had gaps, and so did we
I work in healthcare. When the 2024 final rule on Section 1557 (Affordable Care Act) nondiscrimination requirements was issued, most healthcare compliance teams received checklists that helpfully laid out what we needed to do. I received different versions of this checklist from multiple organizations attempting to offer supportive resources to organizations, and we followed a well-organized one from a national healthcare professional association that focused on grievance procedures, coordinator designations, required notices, training, and policy updates. I led implementation with quality and risk leaders, which is standard procedure.
But the regulation had further-reaching dimensions that I was not aware of. Requirements related to language assistance for patients with limited English proficiency — qualified translators, qualified interpreters, and rules for assessing bilingual staff use — were equally critical components of Section 1557. Yet, those mandates were not plainly conveyed in the initial compliance checklist that we followed. In fact, in the wake of discussions about errors occasionally made by our interpreters and even multilingual staff in Spanish-language communication, our director of nursing passed along information about these new language-assistance requirements under Section 1557.
While coming to understand the new requirements, I asked for coordination with leaders across multiple departments within administration (including the executive team and human resources (HR)), quality and risk, and operations. To understand and implement these changes for everyone to come into compliance, team leaders needed to work together but also “own” specific components, such as document translation, interpretation, and linguistic proficiency assessment.
In other words, we navigated these waters collaboratively and accountably. It wasn’t a compliance failure: It was a governance design success. Operational leaders owned execution, corporate compliance coordinated, and the system caught the gap. This is often what good compliance work looks like: Yes, a bit complicated, but also effective.
After all, our director of ancillary services “owns” management of our interpreting services, an HR manager “owns” management of language proficiency testing of multilingual personnel, and our CEO’s executive assistant “owns” coordination of much of the document translation that occurs at CVCH — with too many caveats and exceptions to name here. Potential gaps and blind spots that we also need to address are part of the work.
This pattern repeats across Health Insurance Portability and Accountability Act business associate oversight, 340B program integrity, digital accessibility under Section 504 and the Americans with Disabilities Act, and Federally Qualified Health Center sliding-fee-scale rules. Compliance touches every operational corner. And no CCO can be an expert on all of them.
Ownership versus oversight
The core insight is this: compliance expertise and execution belong with program leaders. The CCO’s job is oversight, coordination, and verification — not ownership.
The chief financial officer owns financial controls, subject to an independent audit. The pharmacy director owns 340B compliance (a federal drug-pricing program for eligible healthcare organizations), verified through periodic reviews. The information security officer owns cybersecurity, monitored via incident reporting frameworks. HR owns workforce language validation and provides reporting for compliance monitoring. And so on. This distributed ownership model is not unique to healthcare; it reflects a governance principle that applies across industries.
Sometimes, as with Section 1557, the corporate compliance team steps in temporarily to educate and coordinate. Yes, we may even need to facilitate a reassessment of our compliance strategy for language access or, in other industries, for emerging environmental, social, and governance reporting requirements. But long-term, operational leaders own execution. The compliance program owns the accountability infrastructure.
This model of decentralized compliance ownership does not displace the compliance office but positions it as a balancing force. The corporate compliance program provides the infrastructure for independent oversight, coordination, and verification, thus serving a governance role that upholds the integrity of the organization’s operations, rather than replacing operational leadership expertise.
In the end, the idea that best defines this reality is checks and balances. Organizational compliance is not the burden of a single leader or office; it is a shared system in which programmatic leaders carry functional accountability, while corporate compliance personnel ensure that execution aligns with legal and regulatory frameworks.
The CCO is not necessarily an expert in 340B, cybersecurity, or language access. The CCO is the chief governance officer of risk — designing monitoring frameworks, auditing accountability, and reporting to the board. Watching over the system as it functions. This strategic elevation frees operational leaders to execute while ensuring no domain operates in a vacuum.
In other words, the CCO doesn’t own compliance; the CCO governs it.
The board’s role in verification
For executives, the balance of compliance ownership also takes shape within the larger framework of corporate governance. Compliance is not simply a function; it is a fiduciary responsibility tied directly to the board of directors’ oversight obligations. Boards are charged with ensuring effective compliance programs exist, extending well beyond a superficial policy sign-off.
Under the U.S. Sentencing Guidelines[1] and U.S. Department of Health and Human Services Office of Inspector General guidance,[2] governing bodies must receive regular, data-driven compliance reports, ensure direct CCO reporting lines, and confirm adequate resources and training.
Regulatory failures in areas such as 340B or complex billing obligations — and, in other industries, anti-bribery controls or inaccurate financial reporting — can expose organizations to repayment obligations, penalties, exclusion, or loss of program eligibility. A single deficiency in documentation or controls may create material financial exposures. Boards thus require robust reporting mechanisms to verify that proper internal controls and risk mitigation strategies are in place.
Compliance breaches, particularly those tied to conflicts of interest; kickbacks; false claims in healthcare or financial misstatements in other sectors; other forms of fraud, waste, or abuse; anti-trust violations; civil rights; digital accessibility; cybersecurity; privacy; or nonretaliation protections have outsized reputational implications. Negative findings by the Office for Civil Rights, U.S. Department of Justice (DOJ), or state regulators can erode community trust, threaten philanthropic funding, and affect recruiting and retention of both patients and workforce talent. Boards must understand this reputational lens as integral to compliance oversight.
Corporate compliance is increasingly tied to individual accountability at the executive level. Examples include DOJ’s use of individual liability in corporate healthcare fraud cases and regulatory guidance linking accountability directly to senior leaders who knew or should have known of oversight failings.[3] Boards bear fiduciary responsibility in setting the tone from the top and ensuring executive leaders maintain not only operational ownership but also a demonstrable commitment to compliance integrity.
From a governance perspective, an effective compliance partnership between the board, the CEO, and the CCO hinges on transparency. Boards should receive regular compliance reports that go beyond mere anecdotes, focusing on audit findings or metrics that indicate significant risk, investigations, reports asserting noncompliance, corrective action status, and risk assessments. The board’s role is not to “do” compliance but to verify it has been meaningfully embedded into organizational operations.
In other words, boards don’t audit policies; they govern the governance.
Building resilient governance
Effective compliance runs on three tiers: operational leaders own execution in their domains; corporate compliance provides independent monitoring and auditing; and the board verifies accountability, culture, and risk mitigation.
This balanced model, with distributed ownership, centralized oversight, and board verification, is what DOJ now expects in corporate compliance program evaluations.
Organizational resiliency depends on how well these tiers work in concert. At one extreme, fragmentation creates “compliance silos” vulnerable to failure. At the other end, overcentralization burdens compliance offices with unrealistic expertise and operational duties, diluting their effectiveness. But balanced alignment, anchored in distributed ownership, independent oversight, and board-level verification, protects the organization.
For organizations in today’s regulatory environment, corporate compliance is not simply about avoiding fines. Executives and boards who cultivate a culture of checks and balances involving robust systems of governance and accountability position their organizations not only for successful compliance with laws and regulations, but also for building trust, resilience, and long-term credibility.
Compliance is not primarily a program to be managed but a governance system to be led.
Endnotes
1. U.S. Sent’g Comm’n, United States Sentencing Commission Guidelines Manual 2025, § 8, https://www.ussc.gov/sites/default/files/pdf/guidelines-manual/2025/GLMFull.pdf.
2. U.S. Department of Health and Human Services, Office of Inspector General, General Compliance Program Guidance, November 2023, https://oig.hhs.gov/documents/compliance-guidance/1135/HHS-OIG-GCPG-2023.pdf.
3. U.S. Department of Justice, Criminal Division, Evaluation of Corporate Compliance Programs, updated September 2024, https://www.justice.gov/criminal/criminal-fraud/page/file/937501/dl?inline=.
Takeaways
- Compliance is a governance system — not just a department. Governance principles apply across industries, even when examples differ.
- Operational and business leaders must own execution; compliance ensures oversight.
- Effective compliance requires proactive identification and resolution of regulatory gaps through collaborative leadership and shared accountability.
- Boards play a critical role in verifying compliance integrity.
- Distributed ownership builds resilience and institutional trust.