How not to inadvertently sabotage your Compliance program: three pitfalls the smart Compliance Officer avoids

Posted by Mary Shirley on July 18, 2023 in Uncategorized

Compliance Officers have the purest hearts and truly want Ethics and Compliance programs to be embraced by colleagues.  It is however easy to lose sight of the greater goal at times and accidentally subvert them.  This article identifies some of the most common ways Compliance Officers inadvertently sabotage their own programs and how to avoid these blind spots.

Lack of Data Hygiene

I’m a big fan of providing Compliance advice to the business by way of a call or meeting.  It really helps to remind colleagues of our human side, compared with emails back and forth.  It’s important however to remember to back up any verbal advice or decision making with a written summary afterwards to document that the conversation has occurred.  This also serves as an alignment tool which allows for any misunderstandings in the conversation to be clarified if the summary does not represent the understanding of takeaways that everyone in the room had.  

We should be thinking about the personal data of colleagues and other stakeholders that was collected, especially during the earlier days of the pandemic.  When many companies started a practice of recording Teams or Zoom meetings for gathering business information, they may not have considered that there is an intermingling of personal and business data in these videos.  So take a moment to consider what recordings may no longer be required now; perhaps they were made for the purpose of catching up colleagues who were out of the office and the recordings are now superfluous to requirements.  It’s important to think about purging personal data you hold that is no longer necessary for the purposes for which it was collected.  This is an especially important reminder for colleagues who sit in jurisdictions with strong data privacy laws (and enforcement), but even if it’s not a regulatory requirement, it’s the ethical and respectful thing to do – role modeling that we in Ethics and Compliance should be proud to display.

We also ought to consider the data that third parties retain and use that ultimately impacts us.  For example, if you’re a healthcare provider or perform services for a healthcare provider, when it comes to OIG exclusion checks on contractors, you may be relying on staffing agencies to administer the checks, and they’re using data that they themselves have collected.  What assurances do you have that they have collected data that is of the quality (fulsome, up to date and relevant) that you would compile for internal checks?

Pro tip: I’ve noticed phone calls seem to be less utilized by newcomers to the workforce.  Perhaps it’s because they’re a little daunting.  I used to feel very nervous before phone conversations in the business context but that tends to go away the more you do them.  I have found them to be one of the most ground-breaking ways to establish a connection and relationships with the business.  If you predominantly rely on instant messaging and emails, I would strongly encourage you to set a goal of having 5 phone conversations this coming week and reflect upon any wins, especially efficiencies gained as a result of communicating in this forum.  Honing your phone manner is a business skill in and of itself!

Compliance Officer Content vs Business Compliance Content

Training is one of the most fundamental areas of our Compliance program that helps to align business understanding and approach with what we espouse in Compliance. It is also an area where we will be mercilessly criticized if colleagues feel that we are wasting their time unnecessarily.  A pitfall that those who identify as Compliance nerds in particular need to keep watch for, is including content in training for the business that is interesting to you as a Compliance Officer but not relevant to the jobs of our colleagues that are the target audience.  Remember, we’re not trying to create a workforce of baby Compliance Officers or lawyers – way to run yourself out of a job if you successfully do that!  Rather we need to keep the learning objectives for the specific audience we’ve identified in mind.  So that means we need to ask ourselves:

– What is necessary for this group of staff to know?

– How does it affect their daily duties?

– What red flags apply to their daily duties?

– Where should they go if they are stuck?  

We should avoid additional content that shows off our extensive Compliance knowledge and prowess and save it for chatting with other Compliance folks.  The same goes for educational opportunities in more light-hearted forums such as quizzes during Compliance Week.  Is it really necessary for someone to explain what year HIPAA was enacted vs what responsibilities the Act imposes on organizations, or that the Stark Law is officially entitled The Physician Self-Referral Law vs discussing what can constitute a referral?

Pro tip:  Join networking events and LinkedIn groups to enjoy nerding out on Compliance – building a virtual network can be incredibly powerful – I’ve had people go to bat for me that I’ve never met in person and I’ve done the same as a way to send the elevator back down.  You can’t go to bat for strangers, so make sure you’re adding value and helping others as much as you are taking for yourself.

Compliance Officer Humility

It is easy to fall into the trap of assuming that because you’ve communicated something many times and even in various different ways, that you’ve done your job on the topic and everyone in the organization is now well aware of it.  Do I have some disappointing news for you.  I have found that there is no such thing as the lowest common denominator.  Meaning that if you were to pull together the most basic information that you would expect everyone in the company to know, such as:

– Name of the Chief Compliance Officer

– Name of their dedicated business unit/jurisdiction Compliance Officer

– What the Compliance hotline is

– Where on the intranet they can find Compliance policies

– What the non-retaliation policy means in their own words

and then quiz colleagues from all throughout the business, you will be horrified at the gaps.  Thankfully many people will know the correct answers, so that’s reassuring.  The horrifying part is that you expect everyone to know this baseline information and so many don’t.  

The key thing is not to take these areas of opportunity personally.  They do not speak to your efforts and effectiveness and are wonderful assurances that you are needed in the organization.  However, what they do mean is that basic education and awareness needs to continue on an ongoing basis.  You can check the extent of these gaps by taking your compiled list of critical information every individual should know and including the items as quiz questions in your Compliance Week activities.

Pro tip: You can highlight your gaps and action taken to address them as part of the monitoring and review element of your Compliance program.  Take heart that everybody else has this challenge in some form; know that it exists and work on the information you have to hand to narrow the gaps.

About Mary Shirley

Mary Shirley is a New Zealand-qualified lawyer with 18 years of ethics and compliance experience that includes working for data privacy and antitrust regulators, in-house and private practice/consultancy across five countries and four regions of the world. Most recently she was global Head of Culture of Integrity and Compliance Education at Fresenius Medical Care, assisting the company with an FCPA monitorship, serving both the legal and compliance departments.
