
Through years of participating in training and ongoing compliance education, I have observed that newly appointed compliance officers most frequently ask how to effectively implement the various laws, regulations, and guidelines that govern modern corporate compliance programs.
The history of corporate compliance programs in the United States reflects a gradual shift in business ethics, regulation, and corporate responsibility over the past 50-plus years, beginning when high-profile corporate scandals and increased federal regulation compelled companies to formalize their internal controls and ethical standards. The emergence of compliance programs was not merely a response to regulatory pressures, but a recognition that ethical lapses and unchecked misconduct could result in disastrous reputational and financial consequences. Beginning in 1991, the federal government, through the United States Sentencing Guidelines (USSG), established a framework to define and encourage effective compliance programs, transforming the landscape of corporate governance.1 The USSG outlined, for the first time, a set of criteria for judging the effectiveness of a corporate compliance and ethics program in federal criminal sentencing. These defined criteria — commonly referred to as the “seven pillars” or “seven elements of an effective compliance program” — became the gold standard against which corporate compliance efforts would be measured and incentivized.
Of course, these “clear and detailed” government directives are directionless when designing a compliance program. The entirety of USSG § 8B2.1, which details the requirements for an effective compliance and ethics program, is printed on just a few pages. I can think of several single policies I have written that take up more paper than that!
No, the seven elements of an effective compliance program are not directions but are outcomes requirements. In most compliance operations decisions, there is no single “right” way to implement an element — so long as the implemented process fulfills the legally specified outcome requirement, it is “right” for your organization.
Translation as a compliance implementation framework
So, how does one utilize these outcomes requirements to fashion an effective compliance program? As previously stated, there is no “right” answer. The question, then, should really be “how does one build a framework supporting compliance program outcome requirements relative to your organization?” A useful model for operational decision-making in corporate compliance may exist within cellular biology.
So back to high school biology!
Transcription is the process by which cells synthesize mRNA from DNA — copying the “code” contained in DNA. Translation is the process by which cells read mRNA to synthesize proteins.2 Without translation of the code into proteins, the chemical processes our cells need to survive will not occur.
Similarly, we can think of transcription as understanding the legal, regulatory, or guidance requirement at issue, which must then be translated into operational structures and implemented processes to be useful. The key here is that the result of translating these requirements can create vastly different operational processes depending on your organization and circumstances. Put slightly differently, the processes and operations that work effectively for a major healthcare system compliance program are likely to be very different from those that might be implemented in a small primary care group — even though the legal requirements are the same.
The translation implementation framework in action
The following presents two examples that demonstrate the practical implementation of this approach.
Exclusions checks
First, let us consider 42 U.S.C. §1320a–7a(a)(1)(D), the Civil Monetary Penalties Act (CMP) prohibition on submitting claims for services provided by a person excluded from participation in federal healthcare programs.3 We can read the CMP and understand that as healthcare organizations that submit claims to federal healthcare programs, we must check the appropriate government exclusion lists to ensure we are not submitting claims inappropriately under the law. That is transcription (knowledge).
Now, we must translate that knowledge by determining how we will put that requirement into practice, which requires taking into consideration resources, culture, and the organization itself. For larger organizations, it is customary practice to contract a vendor to conduct monthly exclusion checks on their behalf. This approach is more cost-effective and efficient than assigning an in-house team to perform potentially tens of thousands of individual monthly exclusion checks. For smaller healthcare practices with limited compliance resources and fewer required checks, implementing an in-house solution may be more appropriate.
Both solutions are compliant with the law, but the requirement has been translated into disparate operational processes to be “right” for each organization.
Compliance risk assessments
Second, let us look at a more complicated scenario. USSG § 8B2.1(c) requires organizations to periodically assess the risk of criminal conduct and take steps to design, implement, or modify each of the seven elements to reduce the risk of criminal conduct identified through this process.4 In other words, compliance programs must conduct periodic risk assessments and then act to mitigate those risks.
The translation of this requirement may lead to significantly more variation in operational outcomes than the prior example, but we must trust that the translation implementation framework will help us arrive at an appropriate decision for our organization.
March 2026 | Compliance Today 37
Look at your resources, the organizational culture, and your own organizational risk history to determine a solution that “fits.” There are numerous commercial and industry-specific risk assessment frameworks to ponder, but what is right for your organization? Is the Committee of Sponsoring Organizations of the Treadway Commission’s enterprise risk assessment framework right for your needs?5 Perhaps the Institute of Internal Auditors Enterprise and Business Process Risks tool meets your needs more directly?6 Even more specialized risk assessment frameworks, such as the National Institute of Science and Technology Risk Management Framework (tailored to privacy and security risks),7 can be useful in developing your own program.
One of these risk assessment frameworks may be exactly what your organization needs to fulfill this requirement. Alternatively, each framework may have specific elements that, when combined, provide a more thorough solution for your organization’s risk assessment needs. Collaborating with your team and other leaders in your organization, you can tailor your risk assessment process to produce actionable data, fulfilling the necessary outcomes of the USSG requirement.
Critical self-assessment for continued effectiveness
Most compliance-related laws and regulations frequently include the words “effective” and “effectiveness.” This element of compliance operations is an essential consideration that is frequently overlooked. Given the broad scope of these authorities, a key component of the outcome requirement is ensuring that the compliance program’s operations or processes demonstrate effectiveness. The challenge lies in the fact that our methods for critically evaluating processes are not specified by any statute or regulation.
Your own analysis of the effectiveness of your chosen processes will depend on the subject matter of the process and the required outcome. For example, in the context of risk assessments, one question I have learned to ask is whether our risk assessments tend to identify novel risks each year. If you are not identifying new risks, you cannot “take steps to design, implement, or modify each of the seven elements” to mitigate the risks, as required by the USSG, and, by definition, your risk assessment process is not effective.8
For a more detailed look at program/process self-assessment methods, I suggest reviewing Measuring Compliance Program Effectiveness: A Resource Guide — a wonderful resource developed by HCCA along with the U.S. Department of Health and Human Services Office of Inspector General; it identifies effectiveness measures for each of the seven USSG compliance program pillars.9
Final thoughts
The most important thing to remember is that in most operational compliance program decisions, there are no singular right answers. The right answer is one that considers the legal or regulatory requirements, your organization’s resources and culture, and post-implementation stands up to ongoing critical assessment of its effectiveness over time. Taking the time to collaborate with your organizational peers in the strategic design of compliance processes will pay dividends in the efficiency and effectiveness of your program and help organically build your culture of compliance.
Endnotes
1. U.S. Sent’g Comm’n, Guidelines Manual § 3E1.1 (U.S. Sent’g Comm’n 1991), https://www.ussc.gov/guidelines/archive/1991-federal-sentencing-guidelines-manual.
2. Scitable, “Ribosomes, Transcription, and Translation,” accessed February 12, 2026, https://www.nature.com/scitable/topicpage/ribosomes-transcription-and-translation-14120660/.
3. 42 U.S.C. §1320a–7a(a)(1)(D), https://www.law.cornell.edu/uscode/text/42/1320a-7a.
4. U.S. Sent’g Comm’n, Guidelines Manual § 8B2.1 (U.S. Sent’g Comm’n 2025), https://guidelines.ussc.gov/apex/r/ussc_apex/guidelinesapp/guidelines?app_gl_id=%C2%A78B2.1.
5. Committee of Sponsoring Organizations, “COSO ERM Framework,” 2023, https://www.coso.org/erm-framework.
6. Institute of Internal Auditors, “Enterprise and Business Process Risks,” June 6, 2025, https://www.theiia.org/en/standards/2024-standards/standards-knowledge-center/tools-resources/enterprise-and-business-process-risks/.
7. National Institute of Science and Technology, Computer Security Resource Center, “NIST Risk Management Framework,” updated February 10, 2026, https://csrc.nist.gov/projects/risk-management.
8. U.S. Sent’g Comm’n, Guidelines Manual § 3E1.1 (U.S. Sent’g Comm’n 2025).
9. HCCA–OIG Compliance Effectiveness Roundtable, Measuring Compliance Program Effectiveness: A Resource Guide, March 27, 2017, https://oig.hhs.gov/documents/toolkits/928/HCCA-OIG-Resource-Guide.pdf.
Takeaways
- Government regulatory agencies rarely promulgate regulations that mandate specific processes to occur for compliance.
- This lack of specificity in regulatory writing is intentional; it allows organizations to tailor processes and operational decisions to their unique circumstances, given the wide variation in organizational structures and needs.
- In most cases, there are several operational pathways or processes available to become compliant with a particular law, regulation, or guideline.
- Think of compliance program operational development like translation: how can we make a useful process to fulfill the requirement, given our organizational circumstances?
- Periodic critical self-assessment and evaluation of your program’s processes and operations ensure you maintain effective controls to meet compliance requirements.