Governance
On Wednesday, the Office of Inspector General released the Medicare Advantage Industry-Specific Compliance Program Guidance (ICPG). It had been anticipated for over two years. By Thursday morning, I was revising my entire enterprise assurance plan around it.
The ICPG is not light reading. It is structural. It specifies the architecture of a compliant organization: written policies, leadership oversight, training, communication channels, enforcement mechanisms, risk assessment, auditing, monitoring, corrective action. Each element connects to the others. None is optional.
The rest of the week was gap analysis. Walking each element against what exists, identifying where the program is strong, where it needs reinforcement, where it needs to be built from scratch. This is the work I chose when governance consolidated under me in January. I find it satisfying in a way that surprises people who know me primarily as a designer or a writer. But compliance architecture is design. It is the design of accountability.
The question that kept forming, however, was not about Wider Circle.
I was sitting at my desk on Thursday, reviewing the section on risk assessment and auditing, when it surfaced. Not as an insight. As an observation. Clinical, almost irritating in its clarity.
I would not accept this level of opacity in any system I am responsible for.
At work, I require documented baselines. I require regular assessment cadences. I require that risk be identified, measured, and addressed through structured corrective action. I require that the people responsible for a system actually know what is happening inside it.
I do not require any of this of myself.
I have a blood panel from November. It showed my cholesterol is the best it has been in years. My LDL is actually too low now. That is good news. But a single favorable lab result is not a monitoring program. In compliance terms, one clean audit finding does not mean the organization is compliant. It means one thing was measured once.
I have a familial hypercholesterolemia diagnosis and one data point. I have a body that, while fifty pounds lighter than last year, is still fifty pounds over where I want it and I have no structured plan to address that. I have a congenital foot condition and no longitudinal data on its trajectory. I have no baseline for inflammation markers, hormone levels, or metabolic function beyond the snapshot that happened to come back clean.
I run my body on intermittent spot checks and narrative. On the sense that things are fine because one number came back good.
In compliance, that is not assurance. That is anecdotal evidence dressed up as a program. And the distance between the two is the specific thing I am paid to close.
The parallel is not clever. It is uncomfortable. I am currently spending my professional life building systems that make institutional risk visible, measurable, and actionable. But in my personal life, I tolerate exactly the kind of ambiguity I would flag as a deficiency in any organization I assess.
There is no monitoring cadence. There is no audit schedule. There is no corrective action plan. There is only the story I tell myself about how I feel, which is the least reliable data source available.
I am not going to resolve this in a blog post. But I can name what I now see clearly: the problem is not motivation. It is governance.
I have been treating my health as a discretionary concern. It is not. It is an enterprise risk.
And I do not yet have the controls in place to manage it.
Ken Wake is the author of Thinking Design (forthcoming) and a Professor and Entrepreneur in Residence at Georgetown University. His work explores systems, technology, design, and meaning. Tour de Ken is his weekly log.
