From Risk Controls to Culture - Implementation and Maintenance

Read time: 4 minutes You've built a comprehensive controls framework. Congratulations! Now comes the hard truth: A framework sitting unused on a shared drive provides zero value. According to the ECI's 2025 U.S. Trends Report, only 56% of employees perceive a strong ethical culture—down from previous years. The gap between documented controls and lived culture is where most compliance programs fail. This blog shows how to implement controls effectively, measure their impact, and maintain relevance over time. This is where the control framework transforms into culture.

Creating Implementation Roadmaps

Attempting to implement all controls simultaneously can overwhelm organizations and result in ineffective implementation across the board.

Start with Quick Wins

Begin with controls that address high-priority risks and are relatively straightforward to implement. Quick win examples:

• Monthly sanctions screening
• Annual disclosure campaigns
• Pre-employment exclusion checks (integrate into existing HR onboarding)

These provide immediate risk reduction with modest resources and demonstrate early value to leadership.

Group Related Controls Together

When implementing physician compensation disclosure controls, it is recommended to simultaneously implement review workflows and monitoring procedures, rather than spacing them across multiple phases. This integrated approach:

• Reduces repeated training and change management
• Shows stakeholders complete solutions, not partial fixes
• Builds momentum through visible progress

Value driver: Grouping controls demonstrates operational fluidity to stakeholders. Instead of monthly compliance requests for disconnected initiatives, you present integrated solutions that fit naturally into workflows.

Build Realistic Timelines

The White & Case/KPMG survey found that only 31% of organizations increased compliance budgets in 2023, while 13% decreased them. Resources continue to become more constrained. Your timeline must accommodate operational demands while maintaining momentum. Break implementation into phases: Phase 1 (Months 1-3): High-priority regulatory-required controls Phase 2 (Months 4-6): Preventive controls for top 3 risks Phase 3 (Months 7-9): Detective controls and monitoring programs Phase 4 (Months 10-12): Best practice controls and program enhancements Pro tip for small teams: Choose 3-5 controls per quarter. Master those before adding more. Doing 5 controls well beats attempting 20 poorly.

Assigning Control Ownership

Every control needs a clearly assigned owner accountable for implementation, maintenance, and monitoring. Without clear ownership, controls become organizational orphans that deteriorate over time.

Place Ownership with Operations

Control ownership should reside with operational leaders who have the authority and resources to implement changes effectively, not just compliance observers from the sidelines. Examples:

• Billing controls: Revenue cycle leadership owns implementation; compliance provides oversight
• Credentialing controls: Medical staff services leadership owns; compliance provides the policy framework
• Vendor controls: Procurement/supply chain owns; compliance monitors

Value driver: This approach activates your compliance team by distributing implementation work across the organization. Compliance provides guidance and monitoring rather than trying to implement everything alone—impossible in resource-constrained environments.

Document Responsibilities Clearly

Ensure owners understand not just that they own controls, but what ownership entails:

• Implementation: Establishing the control initially
• Maintenance: Keeping it operating as designed
• Monitoring: Verifying ongoing effectiveness
• Escalation: Reporting issues to compliance

The ECI 2023 survey found that 72% of employees who observe misconduct report it, but 46% experience retaliation. Clear ownership with accountability helps prevent controls from being undermined by cultures resistant to compliance.

Create Escalation Paths

Compliance committees or executive leadership must intervene when control implementation stalls due to resource constraints, competing priorities, or organizational resistance. Red flag: If the same control appears "in progress" quarter after quarter, escalation is needed.

Measuring Control Effectiveness

Implementation is necessary but not sufficient. You must systematically monitor whether controls operate as intended and achieve risk reduction objectives.

Define Specific Metrics

For each control, establish objective metrics demonstrating effectiveness. Examples: Sanctions screening control:

• % of employees screened monthly (target: 100%)
• Average time from positive hit identification to resolution (target: <48 hours)
• of exclusions identified before they cause violations (target: track trend)

Disclosure control:

• Campaign participation rate (target: >95%)
• % of disclosures requiring detailed review (target: track trend)
• Time from disclosure submission to approval/prohibition (target: <10 business days)

Value driver: These metrics demonstrate audit readiness by showing regulators you're not just running controls—you're measuring their effectiveness and using data to drive improvements. According to the DOJ's 2024 guidance update, data-driven effectiveness measurement is now explicitly expected. Generic statements like "we have a disclosure program" are insufficient. You need metrics proving the program works.

Establish Monitoring Cadences

Tailor monitoring frequency to risk level:

• High-priority preventive controls: Monthly review
• Medium-priority detective controls: Quarterly review
• Lower-priority controls: Annual review

Monitor trends over time to identify emerging issues before they escalate into serious problems. Warning sign: If control effectiveness metrics consistently miss targets, the control may be poorly designed or resourced. Don't just accept failure—investigate root causes.

Create Response Protocols

When monitoring reveals control failures: Minor issues: Control owner addresses through process refinement Significant failures: Trigger a comprehensive investigation with actionable remediation; thi may require escalation to the compliance committee or executive leadership, which can be done through simple workflow automation inside your case management system. Systematic patterns: Signal needs to redesign control or underlying processes as soon as patterns emerge

Maintaining and Evolving Your Framework

According to Gartner, unsettled regulatory and legal environments now top emerging risks, with increasing compliance complexity and costs. Your framework must evolve in response to this changing landscape.

Regular Review Cycles

Annual reviews assess:

• Whether existing controls remain appropriate for current risks
• Gaps where new controls are needed
• Controls that no longer provide value and should be retired

Trigger immediate reviews for:

• New regulations or regulatory guidance
• Significant operational changes (M&A, new service lines, major technology implementations, organizational restructuring)
• Major compliance incidents or near-misses

Value driver: Systematic reviews demonstrate a defensible approach to program management to auditors. You're not reactive—you're proactively adapting to change.

Incorporate Lessons Learned

Real-world experience provides invaluable insights for improvement. When issues occur despite controls:

• Conduct thorough root cause analysis
• Determine why controls failed
• Update control design to address gaps
• Document lessons learned for future reference

When controls successfully prevent/detect problems:

• Document successes
• Consider whether similar approaches could apply to other risk areas
• Share wins with leadership to demonstrate program value

The ECI survey found that organizations with a strong ethical culture have lower rates of misconduct and retaliation, while Ethisphere highlights the importance of ethical culture to organizational ROI. Part of building that culture is learning from both successes and failures in a public setting.

Share and Socialize Your framework

A framework used by 3 people in compliance provides minimal value. Make it accessible and actively promote use across the organization. Multiple access points:

• Compliance professionals: GRC platform and compliance employee portals/digital code of conduct
• Operational leaders: Intranet
• Medical staff: Medical staff portal

Integration with other processes:

• Reference framework controls when developing policies
• Include relevant controls in role-based training
• Connect risks in assessments to specific framework controls

Provide training on framework use:

• Compliance committee members
• Department managers
• Medical staff leaders
• Audit personnel

Value driver: When risk owners can easily access clear guidance on controls for risks they encounter, they take ownership of risk management rather than deferring everything to compliance. This reinforces risk culture through engagement and empowerment.

From Reactive to Proactive

The journey from a control framework to a compliance culture requires patience and persistent effort. Organizations shouldn't expect immediate transformation but should commit to systematic implementation, monitoring, and refinement over time. Year 1 achievements (realistic targets):

• Controls framework established for the top 10 risks
• High-priority regulatory-required controls implemented
• Monitoring frameworks are in place with baseline metrics
• Quarterly reviews identifying trends and issues
• Control owners assigned and accountable

Year 2+ evolution:

• Expanded framework covering additional risk areas
• Mature monitoring programs with trend analysis
• Proactive control design based on emerging risks
• Integration of controls into daily operations (embedded, not bolted-on)
• Data-driven program improvements

According to PwC's 2025 Global Compliance Survey, 85% of respondents experienced increased regulatory complexity in recent years. Organizations with systematic control programs handle this complexity better because they have frameworks for evaluating new requirements and deploying consistent responses.

Getting Started This Week

Action 1: Create Your 90-Day Implementation Plan Choose 3-5 controls to implement in the next quarter. Assign owners, establish timelines, and identify resource needs. Action 2: Design Your Metrics Dashboard For controls being implemented, define 2-3 metrics per control. Set up simple tracking (even a spreadsheet works initially). Action 3: Schedule Quarterly Reviews Put recurring calendar invites for framework review meetings. Include the compliance team and key control owners.

The Bottom Line

Your controls framework is a tool—not a trophy. Its value comes from driving systematic, consistent risk management that scales across your organization. When operational leaders have ready access to clear guidance on managing compliance risks, they become partners in program success rather than obstacles to overcome. The organizations that commit to this journey find their investment pays dividends through reduced violations, enhanced operational efficiency, stronger stakeholder confidence, and ultimately, the compliance culture every program aspires to build. You've built the foundation. Now activate it, measure it, refine it, and watch it transform from documents into lived practice.

Risk Assessment

Ethico's Risk Assessment tool empowers organizations to implement and maintain effective compliance controls with customizable implementation roadmaps, clear ownership assignments, and performance metrics that transform documented frameworks into living compliance cultures. Our solution helps you prioritize controls based on regulatory requirements, monitor effectiveness through data-driven metrics, and evolve your program as risks change—supporting the journey from reactive compliance to proactive risk management that satisfies DOJ expectations. Request a demo today! About This Series: Building Risk and Controls Foundations for New Enterprise Risk Programs. This concludes our 5-part series. For more resources on building effective compliance programs, visit the Ethicsverse homepage for access to their masterclasses. Referenced Materials "World's Most Ethical Companies 2025." Ethisphere, Ethisphere Institute, ethisphere.com/worlds-most-ethical-companies/. Accessed 8 Oct. 2025.