An effective compliance program requires risk mitigation.
Sharon Parsley, JD, MBA, CHC, CHRC contributes a regular post on compliance officer effectiveness for the YouCompli blog. In this article she discusses risk assessment strategies for success.
Risk assessment has not traditionally been considered a core element of a compliance program. However, regulators have made it increasingly clear that they do consider your ability to address and mitigate business risk to be part of an effective compliance program. This change in perspective is evident in the March 2023 updates to the Department of Justice (DOJ)’s Evaluation of Corporate Compliance Programs guidance. As the DOJ unpacks its expectations about each programmatic element, it keeps coming back to risk and risk assessment. So it’s important for us as compliance officers to take note.
In today’s article, I will discuss risk assessment from a “why, what who, and when” perspective. I will also look at ways that you, as an effective compliance officer, can lead this process with your colleagues.
First, a definition: a “risk assessment” can take a lot of forms. The most common definition is that it is the “systematic process of evaluating the potential risks that may exist in an organization.” Your organizational risk profile will be as unique as your business, but should, in any event, catalog your specific regulatory and legal, privacy, cybersecurity, physician relations, and other compliance risks.
Why conduct a risk assessment?
There are a wide variety of reasons why a comprehensive and well-designed risk assessment should be periodically performed. In terms of benefits, risk assessments:
- Increase the likelihood that misconduct or noncompliance in higher-risk areas will be identified in a timely manner.
- Help you meet the requirement to comply with the Federal Sentencing Guidelines and OIG Compliance Program guidance.
- Increase the likelihood that the DOJ would deem your compliance program effective. That, in turn, decreases the possibility of enforcement actions and the imposition of external monitoring requirements, and reduces exposure to imposed fines and sanctions.
- Position your program more proactively. This is preferable to you having to be reactive or appearing disconnected from the business.
sCompliance to thoughtfully consider how to allocate resources for best outcomes and aids in development of work plan activities.
I have also found that a solid risk assessment program helps a dynamic compliance program get better over time. That’s because risk assessments enable you to incorporate “lessons learned” into your risk mitigation strategies in a timely manner.
The DOJ’s 2023 memo tells us that a compliance program cannot be considered effective unless the company has “identified, assessed, and defined its risk profile.” That guidance goes on to discuss at length various expectations in this arena including that:
- The compliance program is specifically tailored, based on identified risks.
- The company allocates resources to higher risk areas.
- The risk assessment incorporates ongoing review of new risks.
- The risk assessment is dynamic and incorporates lessons learned.
The Office of the Inspector General (OIG) is putting out similar signals.
What is the process for risk assessment in healthcare?
Many organizations take a holistic approach, bringing relevant stakeholders together to identify all the risks that could affect their operations. This includes legal, regulatory, compliance, cyber, reputational, strategic, business, financial, and market risks. Other areas you may need to consider include privacy and handling of protected health information, environmental, disaster recovery and business sustainability issues, corruption, process risks, employee behavior, and patient and workforce safety risks. Risk assessment is often viewed as a process involving the following five stages:
- Development of work plans and mitigation strategies
- Results, action plans, and monitoring of those risk mitigation activities.
Methods of risk identification might include conducting interviews and surveys, mining data, and reviewing salient documents. Ranking and prioritization are, at least in my mind, inter-related concepts. You might create a heatmap wherein you gather input about the likelihood of a risk occurring and the possible impacts to the organization should the risk arise. From there, you will plan to allocate needed resources to specifically tailored activities designed to measure and mitigate the risks deemed most significant to your business.
Regardless of your chosen methodology, make sure that it is well documented. There may be instances where one or more high priority risks are identified but insufficient resources exist to examine every one. In such a case I have found it useful to track each individual risk, even if no action can or will be taken to mitigate it in the current risk assessment cycle. The identified items without current action might warrant being at or near the top of the list for the following year.
Who needs healthcare risk assessments and who conducts them?
Every healthcare provider participating in a federal healthcare program should conduct an enterprise-specific, periodic risk assessment. Obviously, that will look considerably different for a large academic medical center or a health system offering a full spectrum of inpatient and outpatient care than it will look for a small physician practice. The key here is to engage the appropriate stakeholders and to calibrate your risk assessment processes to the risks that are central to your lines of business and geographic footprint.
From an internal perspective, the “who” should also be considered. Is it most logical and effective for Compliance to conduct a stand-alone assessment of compliance risks only? Or would it be more effective to examine risks applicable to your operations from a more holistic enterprise-wide perspective? Presuming your organization requires a holistic approach, which stakeholders should you include in your process? In addition to Compliance, consider including internal audit, legal, operations, risk management, human resources, and sales and marketing.
If it is practical for your organization, using a team-based approach to risk assessment can be very beneficial. Doing so makes it easy to create an inventory of identified risks and the rationale for how and why those risks are ranked and prioritized. More importantly, you can readily articulate the agreed-upon methods to measure and mitigate high ranked risks and to document the lower priority risks that may not receive current year attention.
Worth note is that publicly traded companies will need to comply with Sarbanes-Oxley requirements, so an enterprise risk assessment following COSO (the Committee of Sponsoring Organizations of the Treadway Commission) framework or similar is mandated. For privately held organizations there is no “one size fits all” solution or method for risk assessment. I have seen various approaches over the course of my career, some of which were extremely structured and well-designed. Other risk assessments were conducted in a fairly informal manner but were, nonetheless, largely effective in at least identifying key areas of risk.
When should you conduct a risk assessment?
It is widely considered the best practice to conduct your formal risk assessment annually. With that said, the ideal risk assessment is really an open-ended cycle. By regularly looking at your risks, you are better able to identify all newly arising or emerging risks.
I have frequently seen risk assessments initiated simultaneously with an annual budget cycle. So, for anyone operating on a calendar year basis, your risk assessment would likely commence during the third quarter of the year. Timing would, of course, be adjusted for anyone operating on a fiscal year basis.
Ideally, you will complete your risk assessment prior to the end of your budget cycle in case departments need to request additional resources. Additionally, your annual compliance work plan will at least in part be derived from your risk assessment. As you would traditionally have both your Compliance Committee and your Board approve the annual work plan, you may need to work backward from committee and board meeting dates to develop a calendar for all of the activities that will need to be completed within your risk assessment cycle.
Get Started with a Risk Assessment Process
If you’re trying to decide how to start with risk assessments, remember that, like with exercise, something is better than nothing. Start small to build allies and champions if that’s what it takes. If your colleagues wonder why Compliance is leading the process, you can educate them about the role of compliance. That is, one of your roles is to find and identify areas of misconduct. Without a firm understanding of where misconduct is most likely to occur within your enterprise, you can’t be completely effective in your role. The risk assessment process is the path to understanding your specific areas of risk, the likelihood of each risk arising, and the impacts in and when it does. Remember that you’re helping the organization overall, and you absolutely belong in that process.
YouCompli can help manage risk
YouCompli is the only healthcare compliance management software that includes baked-in legal analysis and expert tools. This combination of regulatory intelligence and simple software helps healthcare organizations manage risk and reduce the impact of regulatory changes.
Get the latest from healthcare compliance experts
We typically send one email a week. We focus on issues that help healthcare compliance professionals today. We do not rent or sell your information.
Sharon Parsley, JD, MBA, CHC, CHRC, is a health law attorney, compliance officer, author, speaker, investigator, and problem solver. She currently serves as the president and managing director of Quest Advisory Group, LLC. She has nearly 20 years of healthcare compliance and legal leadership experience, and she believes that mentorship and on-the-job training are critical to compliance professional success.