
Audits are not corrective action

Margaret Hambleton (margaret@hambletoncompliance.com) is President of Hambleton Compliance LLC in Valencia, CA.

The risk assessment process includes the following discrete steps: (1) an identification of potential risks (risks are defined as events that could cause harm if realized), (2) an assessment of the severity or impact of the risk, (3) an assessment of how vulnerable the organization is to the risk or how likely the risk is to occur, (4) an evaluation of the current controls in place to prevent the risk, (5) prioritization of the top risks, and (6) development of an action plan to address these top risks. Last month, I discussed the confusion that sometimes occurs when compliance professionals identify a control weakness as a risk event (e.g., lack of training in physician transactions versus failure of a physician transaction to satisfy the Stark Law requirements). This month, I will discuss the confusion around the role of audits as part of a corrective action plan to prevent risks.
