Risk Assessments: Why, What, When, How

December 7, 2023

By Christopher Tonellato, JD, CHC, and Sarah Couture, RN, CHC, CHRC

Originally Posted on: Compliance Cosmos

A compliance program can only be truly effective at accomplishing its goal of preventing and detecting fraud, waste, and abuse when the program, its infrastructure (i.e., the seven elements), and the work the program does (i.e., the compliance work plan) are oriented around the organization’s compliance risk profile.[1] To best prevent fraud, waste, and abuse, it is logical to focus on the issues where fraud, waste, and abuse are most likely and where the consequences of noncompliance are most significant. Why would a compliance program spend its often limited resources on issues that are not as crucial to get right? Nevertheless, compliance programs have not always understood or prioritized risk assessment, leading to ineffective and inefficient efforts that are not oriented around the organization’s most significant compliance risks.

Implementing an effective compliance risk assessment approach is beneficial in multiple ways. It is the most efficient and effective way to ensure that the compliance program spends its time and resources on the appropriate issues (to best prevent and detect fraud, waste, and abuse). It also helps ensure that operations leaders and managers understand compliance risk and the importance of operations’ responsibility for compliance. Effective compliance risk assessment, management, and mitigation promote an engaged and aware culture throughout an organization and are a best practice that has become a requirement in recent corporate integrity agreements (CIAs). Risk-based compliance programs promote the highest level of service for employees and patients and help ensure proactive compliance programs. Perhaps the most compelling reason to provide an exceptional risk assessment approach is that it can be protective in cases of wrongdoing. The Department of Justice Evaluation of Corporate Compliance Programs states, “Prosecutors may credit the quality and effectiveness of a risk-based compliance program that devotes appropriate attention and resources to high-risk transactions, even if it fails to prevent an infraction.”[2]

While every organization’s risk profile is unique, healthcare organizations, and healthcare providers in particular, share a set of common industry risks. These shared industry risks include, but are not limited to, state and federal statutes and regulations, matters seen in recent enforcement actions, Department of Health & Human Services Office of Inspector General (OIG) reports and work plan items, government audit priorities, changing regulatory priorities, and certain broader state and national issues such as “the great resignation” and pandemic-related concerns, among others. An organization’s risk profile becomes further customized when adding internal risks, or those particularly applicable to the organization. These may include, but are not limited to, organizational structure and legal relationships, the control environment, the culture of compliance and accountability, operations’ engagement with compliance, specific issues reported to management or compliance, specific investigation outcomes, and specific audit findings.

Essential concepts in compliance risk assessment

There are several essential concepts to consider when developing an approach for compliance risk assessment.

Maintenance of an ongoing, dynamic compliance risk profile

For practical and logistical purposes, it is essential to designate a specific time during the year to perform the risk assessment (see further discussion later). However, it is also necessary to establish processes to ensure the risk assessment is kept up to date throughout the year. Both the regulatory landscape and healthcare organizations themselves are dynamic and constantly changing, and the risk assessment must adapt accordingly. Therefore, risk assessments must be able to reflect changes in the risks themselves and in their prioritization. This can be accomplished by staying abreast of external activity (e.g., new enforcement actions and regulatory changes), responding to internal changes (e.g., reports to compliance, audit findings, or investigation results), and considering the concerns of risk area/operations leaders and managers. Operational leaders and managers, as well as the compliance program team, should be involved in these ongoing discussions, perhaps through a compliance committee that meets monthly or quarterly. Also, keep senior leadership and oversight committees or the board updated on developments and on changes made to the risk assessment.

Operations engagement

Just like the compliance program cannot be successful in a silo, the compliance risk assessment process will not be as effective without the input and collaboration of operations partners. Leaders and managers in operational risk areas, such as privacy, billing and coding, physician practice, clinical research, human resources, supply chain/procurement, etc., are (or should be) experts in that subject matter and should have significant, productive, and essential perspectives to consider in the compliance risk assessment. If the compliance program staff performs the risk assessment without this input, it is likely that certain risks will not be considered or that the prioritization will not be as accurate.

Before engaging risk area partners in the risk assessment, ensure they have a strong understanding of compliance, why risk assessment matters, and how their perspective is necessary for the organization and the effectiveness of the compliance program. Educate these operational partners on why compliance risk matters, the risk assessment process, how compliance work needs to be based on the entire organization’s compliance risk profile, and their role in the process. This collaboration works best when operations leaders and managers are engaged in compliance and understand their compliance responsibilities.

Once operations partners are educated on the background and engaged in the process, solicit their input for the most impactful risk assessment. Seek operational risk area perspectives on what risks should be considered in the risk assessment. Collect their responses via in-person interviews, surveys, and/or compliance committee meeting discussions. In addition to ensuring input into what risks should be considered, compliance should collaborate with operations on risk ranking and prioritization. Seeking risk area leaders’ and managers’ perspectives on the risks’ impact, likelihood, controls, etc., helps ensure a well-balanced and more accurate prioritization, and also promotes operations’ engagement with the compliance program and their compliance responsibility. Partnering on ranking prioritization can occur with a smaller group of operations partners, perhaps each working independently on ranking, and/or in a larger group discussion setting such as with a compliance committee.

Once risks have been gathered and prioritized, ensure senior leaders are informed and engaged with the process, and seek their input on the completeness of the risks considered as well as their perspectives on appropriate prioritization.

Tie program activity to prioritized risks

As discussed in the introduction, compliance priorities should be tied to prioritized risks to most effectively prevent and detect fraud, waste, and abuse. The risk assessment should drive where compliance focuses time and resources, where compliance seeks to understand the control environment, where audits are performed, where and how operations are engaged, etc. The most straightforward way to accomplish this is to translate the highest-ranked risk areas, per the risk prioritization, into the compliance work plan. The compliance work plan maps out compliance program areas of focus and audits for the year, often by quarter, and should be oriented around the organization’s most significantly ranked risks. Furthermore, the compliance officer should ensure that the development and implementation of the seven elements themselves consider the organization’s risk profile.

Staffing and resources

While compliance professionals often know that the compliance work plan should be oriented around the risk profile, not all compliance programs think to tie the compliance program’s staffing and resources to the risk profile. While we have staffing and resource benchmarks, such as the Health Care Compliance Association’s (HCCA) Healthcare Industry Compliance Staffing and Budget Benchmarking and Guidance Survey,[3] to evaluate program resources, these reports consider only employee count and revenue, so they are relatively risk-agnostic. A savvy compliance program will consider both the benchmarking reports and the organization’s specific risk profile to ensure the compliance program is adequate for the size and complexity of the organization, and to determine the best skill sets to include on the compliance program team. Practical Guidance for Health Care Governing Boards on Compliance Oversight states, “the complexity of the organization will likely dictate the nature and magnitude of regulatory impact and thereby the nature and skill set of resources needed to manage and monitor compliance.”[4] Program resources, including staff quantity and expertise, time allocation, budget, and other resources, should be prioritized and allocated based on the compliance risk profile. In other words, organizations should be able to explain what resources are necessary to best prevent and detect fraud, waste, and abuse specific to their risk profile.

Scope of the risk assessment

While this discussion is specific to compliance risk assessment, it is important to understand what other risk assessment activities may be taking place in your organization. Many organizations have adopted an enterprise risk management (ERM) approach to assessing, prioritizing, and mitigating organizational risk, with compliance risk being a domain of the overall organizational risk profile. In organizations with a mature approach to ERM, compliance should work within the ERM risk assessment and framework to best understand and prioritize compliance risk. Alignment across the organization of risk assessment activities can increase effectiveness and reduce redundancies.

Communication and reporting

Compliance program communication to the organization should be oriented around the risk profile. Focusing communication on the most significant risk areas will help prevent fraud, waste, and abuse.

The compliance officer should ensure that both leadership and the board of directors understand the organization’s risk profile and how the compliance program is oriented to address prioritized risks. Additionally, the compliance officer can use the framework of the risk profile to help determine what information is most important to share with leadership and the board of directors. Compliance officers sometimes struggle with what types of information and what level of detail should be shared in leadership and board reports. Orienting communications around the risk profile can both aid the compliance officer in prioritizing what and how to report and help with leadership engagement and the board’s oversight responsibility.

Sensible steps for a compliance risk assessment

There are a variety of tools and approaches to compliance risk assessment that have been tailored to the needs of specific organizations, but all are based on common concepts. Any approach used should consider what risks should be included and should have a framework for ranking and prioritizing the risk.

We encourage compliance officers to review and consider the approaches discussed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in the recently published Compliance Risk Management: Applying the COSO ERM Framework. This publication can help with a baseline that can be further tailored to a specific organization.[5] Below are some suggestions for those who are newer to compliance or those looking for a reset of their compliance risk assessment approach.

Start small and simple, don’t overcomplicate

A robust compliance program, like Rome, cannot be built in a day. Instead of letting perfection be the enemy of progress, start small and simple. Work with operations partners to understand the risks in your organization, develop an approach to prioritize them, and base compliance program priorities on these assessed risks. Over time, the risk assessment process can evolve and become more robust, but when starting out, start simple. Use easily available tools and resources and tailor them to your organization.

Develop a list of risks—literally, a list

Develop a list of likely or potential compliance risks from the various inputs that have been discussed, including operations interviews or surveys, concerns observed in compliance reports, investigations or audits, issues noted in recent enforcement actions, regulatory requirements and changes, external audit activity, etc. Evaluating available organizational and compliance program data can also help in identifying risks.

Prioritize risks

Risk should be prioritized, considering, at a minimum, the likelihood of the risk occurring, the expected impact if it occurs, and the presence and strength of existing internal controls. Questions to consider:

  • How likely is this issue to occur?
  • Does it already occur regularly, such as monthly or yearly, or is there a remote chance of it occurring?
  • What would be the impact if it occurred?
  • Would there be significant penalties, financial fallout, or other ramifications such as reputational damage?
  • Are there currently internal controls in place around the risk? If so, are they well-designed and working? Are they regularly tested?

A risk that has a high likelihood of occurring and could have a significant impact may be very well controlled, or it may not have sufficient controls. Weighing these considerations through a ranking, which is often numerical, is how the list of risks is ordered by priority. The organization will need to develop a consistent and defined approach to ranking the risks. There are example rubrics in past HCCA presentations and other HCCA materials, as well as other internet-searchable resources, that can serve as a starting point to be tailored to the organization’s desired approach. As discussed, compliance should collaborate with appropriate operations personnel and senior leaders during the process and ensure appropriate documentation of the supporting information and decision-making, so that the organization can explain why the highest-risk areas were identified as such.

Once the rankings are assigned, the organization will sort the list of risks by ranking from highest to lowest risk. It is helpful to depict the prioritization on a risk map that shows relative ranking and often identifies risk by defined colors, such as red, yellow, and green for high, medium, and low-risk rankings, respectively. A risk map is a good tool to communicate about risk to the organization, display risk rankings, and display the effects of risk mitigation efforts on the rankings.

Designate compliance priorities based on risk

Once the compliance risks are ranked and ordered by priority from highest to lowest, the compliance program, based on staffing and resources, will determine how many risks the program can address in the upcoming year and develop this into the compliance work plan. Depending on the size of the compliance program and risk profile of the organization, the number of risks that can be evaluated will be different. Smaller organizations with smaller compliance programs may only address two, three, or four of the risks, while larger compliance programs with multiple resources may address significantly more risks during the year, as mapped out in the work plan.
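The prioritization and work plan selection described in the two preceding sections, as an added example that is not part of the original article and does not reproduce any HCCA rubric: a small Python risk register that scores each risk on likelihood, impact, and control strength, ranks the list, colors it for a risk map, takes the top N for the work plan, and re-scores a risk after operations strengthens its controls. The 1–5 scales, the control-strength factors, the red/yellow/green thresholds, and the sample risks are all assumptions constructed for this example; replace them with your organization’s defined rubric.

```python
"""Compliance risk register: score, rank, band, select for the work plan, re-score.

Assumed rubric (not from the article; tailor to your organization):
  likelihood, impact, control_strength are each scored 1 (low) .. 5 (high).
  inherent = likelihood * impact                       (1..25, before controls)
  residual = inherent * CONTROL_FACTOR[control_strength]
  band     = red / yellow / green from residual thresholds.
"""
from dataclasses import dataclass, replace

SCALE = range(1, 6)

# Assumed: share of inherent risk that remains at each control strength.
CONTROL_FACTOR = {1: 1.0, 2: 0.8, 3: 0.6, 4: 0.4, 5: 0.2}

# Assumed band thresholds on the residual score.
RED_MIN, YELLOW_MIN = 15.0, 8.0


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int
    impact: int
    control_strength: int

    def __post_init__(self):
        # Reject scores outside the rubric so a typo cannot silently skew the ranking.
        for field in ("likelihood", "impact", "control_strength"):
            value = getattr(self, field)
            if value not in SCALE:
                raise ValueError(f"{self.name}: {field}={value} is outside 1..5")

    @property
    def inherent(self) -> int:
        return self.likelihood * self.impact

    @property
    def residual(self) -> float:
        return round(self.inherent * CONTROL_FACTOR[self.control_strength], 2)

    @property
    def band(self) -> str:
        if self.residual >= RED_MIN:
            return "red"
        if self.residual >= YELLOW_MIN:
            return "yellow"
        return "green"


def prioritize(register):
    """Highest residual first; ties broken by inherent score, then name, so the
    ordering is reproducible and can be documented."""
    return sorted(register, key=lambda r: (-r.residual, -r.inherent, r.name))


def select_for_work_plan(ranked, capacity):
    """Take as many top-ranked risks as the program has capacity to evaluate this year."""
    if capacity < 1:
        raise ValueError("capacity must be at least 1")
    return ranked[:capacity]


def apply_mitigation(risk, new_control_strength):
    """Re-score a risk after a corrective action plan strengthens its controls."""
    return replace(risk, control_strength=new_control_strength)


def risk_map(register):
    """Text risk map: rows are likelihood 5..1, columns impact 1..5, cells name the risks."""
    cells = {(lk, im): [] for lk in SCALE for im in SCALE}
    for r in register:
        cells[(r.likelihood, r.impact)].append(r.name)
    width = max([12] + [len(", ".join(v)) for v in cells.values()])
    rows = ["likelihood \\ impact | " + " | ".join(f"{im:^{width}}" for im in SCALE)]
    for lk in reversed(SCALE):
        cell = lambda im: f"{', '.join(cells[(lk, im)]):^{width}}"
        rows.append(f"{lk:^19} | " + " | ".join(cell(im) for im in SCALE))
    return rows


# Constructed sample register using risk areas named in the article.
SAMPLE_REGISTER = [
    Risk("Billing and coding", likelihood=4, impact=5, control_strength=2),
    Risk("Privacy", likelihood=3, impact=4, control_strength=2),
    Risk("Physician practice", likelihood=2, impact=5, control_strength=4),
    Risk("Clinical research", likelihood=3, impact=3, control_strength=1),
    Risk("Procurement", likelihood=5, impact=2, control_strength=3),
]

if __name__ == "__main__":
    ranked = prioritize(SAMPLE_REGISTER)
    for r in ranked:
        print(f"{r.name:<20} inherent={r.inherent:>2} residual={r.residual:>5} {r.band}")
    print("Work plan (capacity 3):", [r.name for r in select_for_work_plan(ranked, 3)])
    mitigated = apply_mitigation(ranked[0], 4)
    print(f"After mitigation: {mitigated.name} residual={mitigated.residual} {mitigated.band}")
    print("\n".join(risk_map(SAMPLE_REGISTER)))
```

Note that the re-scored billing risk drops from red to yellow rather than green even with strong controls, because its inherent likelihood and impact are unchanged; this is the behavior the article describes for risks that stay ranked higher despite favorable findings.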

Develop the compliance work plan

A compliance work plan organizes the risk areas and what the compliance program will do to evaluate operations relative to each risk. To develop an appropriate work plan, it is important to remember that compliance is not operations and does not perform operations’ work; rather, it is independent of operations and objective. The compliance program identifies areas of risk and determines whether each risk is well controlled, or whether there are gaps or noncompliance occurring regarding the risk. The work plan is often divided into quarters so that the compliance program can schedule its work, priorities, and audits. Each of the prioritized risk areas is evaluated for gaps and noncompliance, and for how best to test compliance within that risk area. This can be accomplished through a controls assessment, testing, a probe audit, or some other method that makes sense based on the risk.

To evaluate each prioritized risk, compliance can consider presence and sufficiency of controls in place within operations to manage the risk. This can include operations’ understanding of the risk and that it is their leadership/management’s responsibility to stay informed about the risk, stay updated about regulations and industry best practices around the risk, and have controls in place to address the risk. A controls assessment should also consider what policies and procedures are in place, how staff are trained, and any monitoring performed by operations or auditing occurring around the risk.

For all work performed as part of the work plan, compliance should ensure consistent and thorough documentation, and ensure it is organized and retained in a way that can be easily found in the future.

Keep the risk assessment current

Even after the work plan is in place and implemented by the compliance team, the risk assessment needs regular discussion and review as the risk profile changes. Ensure collaboration and conversation with compliance staff, a compliance committee, and leadership to update the risk assessment as new risks emerge or as certain risks become more or less likely or impactful. Then ensure alignment with the rest of the risk profile. It is important to stay up to date with new OIG work plan items, highlighted enforcement activity, and other industry trends. Consider whether addressed risks should be re-ranked based on compliance findings. Some risks may be ranked lower based on mitigation that is put in place by operations as part of the corrective action plan, but some may stay higher, even with favorable findings, because of the nature of the risk.

Ensure ongoing discussions with leadership about the risk profile, the compliance work performed to address risks, findings, and any concerns about operations’ involvement. Also ensure that reporting to the board includes the risks and compliance’s work to assess and address them.

Continue improving the process

As your organization becomes more experienced with the compliance risk assessment process, the approach will likely evolve as the organization and compliance program mature. Seek feedback from partners, implement lessons learned through experience, and continue pursuing more effective risk assessment and compliance programming.

Conclusion

Risk assessment and prioritization are essential for a compliance program to be effective at preventing and detecting fraud, waste, and abuse. Without a comprehensive risk assessment process, certain risks can easily be missed or dismissed as insignificant. Risk prioritization is especially important when trying to manage a compliance program’s resources. The collaboration and considerations that go into a risk assessment can be complex and daunting, but the approach can be simplified into manageable steps.

Start small, collaborate with partners, seek resources and tools that are available through HCCA and other sources, tailor the approach to your organization, and ensure good documentation. Abiding by these will ensure the risk assessment captures as broad a range of risks as possible and will focus appropriate responses on the most significant risks.

Takeaways

  • Appropriate risk assessment is essential for compliance program effectiveness.
  • Compliance risk assessment should include not only inputs from the compliance team but also inputs from operational risk area leaders and managers.
  • Risk assessments should not be a snapshot in time but should be updated throughout the year as the risk profile changes.
  • Ensure thorough documentation of compliance risk assessment activities.
  • Ensure the board of directors and senior leaders are updated about the compliance risk assessment and resulting compliance program work.

1 Sarah Couture and Debbie Troklus, “Chasing the goal: How do you know if your compliance program is truly effective?” Compliance Today, April 2022, https://compliancecosmos.org/chasing-goal-how-do-you-know-if-your-compliance-program-truly-effective?authkey=dfbe5b852b3cb2154f158651f849422f2739290d422a34082eb8833167967b21.

2 U.S. Department of Justice, Criminal Division, Evaluation of Corporate Compliance Programs, June 2020, https://www.justice.gov/criminal-fraud/page/file/937501/download.

3 Society of Corporate Compliance and Ethics & Health Care Compliance Association, Healthcare Industry Compliance Staffing and Budget Benchmarking and Guidance Survey, March 2020, https://www.hcca-info.org/publications/surveys/hccas-2020-staffing-and-budget-benchmarking-survey-report.

4 U.S. Department of Health & Human Services, Association of Healthcare Internal Auditors, American Health Lawyers Association, and the Health Care Compliance Association, Practical Guidance for Health Care Governing Boards on Compliance Oversight, April 20, 2015, https://oig.hhs.gov/documents/root/162/Practical-Guidance-for-Health-Care-Boards-on-Compliance-Oversight.pdf.

5 Society of Corporate Compliance and Ethics & Health Care Compliance Association, Compliance Risk Management: Applying the COSO ERM Framework, Committee of Sponsoring Organizations of the Treadway Commission, November 2020, https://www.coso.org/Shared%20Documents/Compliance-Risk-Management-Applying-the-COSO-ERM-Framework.pdf.
