I recently facilitated a CRA readiness meeting with a mid-size medical technology company. Present: the CISO, the VP of Engineering, the Chief Product Officer, the General Counsel, and the VP of Quality Assurance. I asked a simple question: "Who owns CRA compliance for your flagship monitoring platform?" Forty-five seconds of silence. Then the CISO said, "I assumed Product owned it." The CPO said, "We thought it was a security matter." The VP of Engineering said, "Legal never told us it was our responsibility." The General Counsel said, "We've been waiting for someone to tell us what Legal's role should be." That platform ships to thirty-two EU countries. Nobody owns its compliance. In This Episode: The Accountability Diffusion ProblemCRA compliance touches eight functions—when everyone owns it, no one owns itEach function optimizes for its own objectives; no function optimizes for CRA specificallyCompetent functional performance producing collective compliance failureThe Four Accountability GapsProduct lifecycle ownership discontinuity: who owns the product across 5+ years of support?Cross-functional requirement translation: who converts CRA language into engineering specs, test cases, documentation requirements?Evidence aggregation: who integrates outputs from multiple functions into examination-ready packages?Conformity declaration authority: who signs, and do they have visibility into actual compliance status?The Three-Level Accountability SolutionExecutive Sponsor: Named executive accountable for compliance outcomes—resolves resource conflicts, ensures priority, provides board visibilityCRA Program Owner: Operational coordination, roadmap management, cross-functional alignment, consolidated status reportingProduct Compliance Owners: Named individual accountable for each product's conformity, documentation completeness, evidence maintenanceThe Steering Committee ModelCross-functional decision-making body, not a status meetingResolves conflicts individual functions cannot resolve aloneWeekly during implementation, bi-weekly during steady stateChaired by Program Owner, executive sponsor attends monthlyThe RACI FrameworkProduct inventory: Product Management (R), Program Owner (A)Risk assessment: IT Security (R), Product Compliance Owner (A)SBOM generation: Engineering (R), Product Compliance Owner (A)Technical documentation: Engineering/Tech Writing (R), Product Compliance Owner (A)Conformity testing: Quality Assurance (R), Product Compliance Owner (A)EU Declaration of Conformity: Legal (R), Executive Sponsor (A)Five Governance Pitfalls to AvoidAssigning ownership without authorityOver-centralizing execution (creates bottlenecks)Treating CISO as default owner (CRA is product safety, not just security)Failing to define product-level ownersGovernance without executive commitmentYour Fourteen-Day Action Plan: Days 1-3: Confirm executive sponsorship with explicit CEO/executive team discussion Days 4-6: Identify/appoint CRA Program Owner with defined authority Days 7-9: Form Steering Committee, define membership and meeting cadence Days 10-12: Assign Product Compliance Owners for every in-scope product Days 13-14: Develop RACI matrix for key CRA activities Deliverables: Documented executive sponsorshipAppointed Program Owner with defined authorityFormed Steering Committee with scheduled meetingsAssigned Product Compliance Owners for all in-scope productsRACI matrix defining cross-functional accountabilityReady to establish CRA governance? The First Witness Stress Test includes governance assessment—identifying accountability gaps, mapping current ownership patterns, and recommending structures that convert functional activity into compliance outcomes. Stop assuming someone owns it. Start documenting who does. CRA governance, CRA accountability, compliance ownership, CRA program owner, executive sponsorship compliance, RACI matrix CRA, CRA steering committee, product compliance owner, regulatory accountability, cross-functional compliance, CRA organizational structure, compliance governance framework
