
What makes a great compliance professional? There’s no one clear path, but the right experience combined with a passion for perfection can make for a specialist who sees what others don’t. We sat down with Kendra Graham-Paulk, Compliance Program Advisor at Compliancy Group, to learn a bit about her approach to building successful compliance programs across a wide variety of organizations, and how she nailed down this functional, repeatable process for healthcare compliance.
Question 1:
Your career has spanned Managed Care, PBM, Health Technology, and Clinical Research. That’s an unusually broad arc in healthcare compliance. What pulled you into this field originally, and what’s kept you here for 15+ years across so many different corners of it?
Kendra: It’s funny, I didn’t actually go to school with the goal of becoming a compliance professional—this line of work really found me. My focus was entirely on the clinical side; I majored in exercise science and sport medicine, and was on the track to become a physical therapist. But what I didn’t realize at the time was that my innate ‘follow the book’ persona, and the way I naturally gave guidance and recommendations to my family, friends, and even strangers, were truly the underlying building blocks for a career in compliance.
That inherent desire to help people navigate the right path is what set the foundation. What keeps me here, even after all this time, is the ever-changing landscape of compliance and its regulations. I genuinely love being challenged at every turn; it keeps the work dynamic and ensures there is always something new to master.
Question 2:
At Elevance Health (Carelon Rx) you built a third-party PBM audit program from the ground up, and at HealthPlan Services your team secured SOC, ISO, HITRUST, and PCI certifications. For organizations just starting to think about multi-framework readiness, what’s the single most important thing to get right in the first 90 days, and what’s the most common mistake you see teams make?
Kendra: The biggest mistake I see teams make, especially when preparing for multi-framework readiness, is jumping straight to policy drafting. I always stress that policies are just the output—they’re not the actual compliance program. The single most important thing to get right in the first 90 days is establishing a strong, unified infrastructure based on a comprehensive risk assessment. This means having clear, risk-based priorities, standardized escalation and disclosure procedures, a defined audit rhythm aligned with enforcement standards, and a robust governance structure to clearly map out risks.
If you start with policies and neglect these foundational elements, you end up with a superficial program that looks good on paper but lacks real depth. Compliance is truly tested when it’s under stress. The efficacy isn’t measured by a stack of documents, but by the program’s resilience and ability to bounce back when an inevitable failure occurs.
Question 3:
You’ve consistently anchored your work to the OIG’s Seven Elements of an Effective Compliance Program. For someone who’s heard the term but couldn’t name all seven, which element do you think is most often underestimated — and what does it actually look like when an organization gets it right?
Kendra: When we talk about the OIG’s Seven Elements, I’d argue that Auditing and Monitoring is the one that is most consistently underestimated—and it’s the key differentiator between a program that’s real and one that’s just window dressing. Too often, organizations treat auditing like an annual “check the box” activity, running small samples and filing the results away. But in compliance, auditing is your vital feedback loop. It’s the concrete evidence and proof that your program is actually functioning—or, more importantly, the early warning system that it’s failing.
This element is crucial because it’s the only one that generates objective evidence of what is actually happening operationally, not just what your policies claim will happen. Think about it: when state and federal regulators eventually audit you, they are going to look at your real-world operational activities like billing/claims patterns, referral arrangements, and documentation. If your robust internal auditing program has already found and remediated those issues, your position is defensible.
If you never look, you are completely exposed. As I’ve said, compliance is infrastructure under stress. Auditing and monitoring is the ultimate stress test.
Question 4:
You’re known as a culture champion in compliance — which is a phrase you don’t hear every day in this field. What does it actually mean to lead compliance through culture rather than mandates, and can you share a moment where you saw that shift happen on a team you led?
Kendra: To lead compliance through culture means transforming the function from a purely defensive mechanism driven by fear of mandates into an offensive tool rooted in shared values and purpose. It shifts the compliance team from being “police officers or hall monitors” to becoming strategic partners and trusted advisors, focused on enablement rather than enforcement. When culture leads, compliance is an inherent part of how the business operates—a self-governing mindset where every individual owns the risk.
This shift is most evident when compliance moves from being a “check-the-box” exercise to a foundational element that allows a business to move faster and scale with confidence. By embedding these values, organizations move beyond superficial policy drafting and instead build a resilient infrastructure capable of maintaining integrity even under stress.
Question 5:
A lot of healthcare leaders still think of compliance as a cost center or a defensive function. What’s the most underrated way a strong compliance program actually creates business value—something you wish more executives understood?
Kendra: While most leaders view compliance through the lens of “avoiding fines,” I find that perspective defensive and uninspiring. Instead, I see a strong compliance infrastructure as a powerful offensive tool. When built correctly, it becomes a strategic asset that drives enterprise value—opening doors to new markets and offerings, and enabling the organization to scale rapidly because risks are proactively managed. It is about creating a foundation that allows a business to move faster, not slower.
Question 6:
Outside of compliance frameworks and audit programs, what does a good weekend look like for you? And if you weren’t in compliance, what would you be doing instead?
Kendra: A good weekend for me is all about hitting the reset button—which usually means spending quality time with my family and definitely carving out a day for the beach. If I weren’t in compliance, my path would likely be in the clinical care/allied health field; I would be a physical therapist for a sports team.