Chapter 6. Risk Assessment

Printer Friendly, PDF & Email

Chapter 6. Risk Assessment

Risk assessments must be dynamic and ongoing: dynamic, to address the changing risks of the organization, and ongoing, to continually review and prioritize the existing risks and assess emerging risks of the organization. After your initial focus on infrastructure (the framework of the seven elements), conducting a risk assessment assists you in understanding the cultural variables related to risk. These include risk tolerance and risk appetite within the organization. Understanding your cultural norms and expectations related to management accountability to resolve or mitigate risk is critical to know before conducting a risk assessment. If the culture is unprepared to own and resolve risks, it is a priority focus for your program to address that issue before conducting a risk assessment.

Risk assessments help identify priority risk areas to target when building the compliance program’s education, auditing, monitoring, and communication plans. This is an essential process for launching an effective compliance program. A baseline risk assessment forms the foundation of a new compliance program. The dynamic nature of an organization and its risk portfolio requires an ongoing look at priority risks to keep the program aware of real, potential, and emerging risk areas that need to be monitored and addressed.

Chapter eight of the Federal Sentencing Guidelines suggests that organizations conduct ongoing risk assessments.[1] Additionally, the HHS OIG reinforces the need for a dynamic risk assessment process in its enforcement agreements with organizations. This process involves ongoing risk area reviews, with results incorporated into its compliance prioritization of organizational risks.

This document is only available to subscribers. Please log in or purchase access.