Risk assessments: Why, what, when, how

A compliance program can only be truly effective at accomplishing its goal of preventing and detecting fraud, waste, and abuse when the program, its infrastructure (i.e., the seven elements), and the work the program does (i.e., the compliance work plan) are oriented around the organization’s compliance risk profile.[1] To best prevent fraud, waste, and abuse, it is logical to focus on the issues where fraud, waste, and abuse are most likely and where the consequences of noncompliance are most significant. Why would a compliance program spend its often limited resources on issues that are less crucial to get right? Nevertheless, compliance programs have not always understood or prioritized risk assessment, leading to ineffective and inefficient efforts that are not oriented around the organization’s most significant compliance risks.

Implementing an effective compliance risk assessment approach is beneficial in multiple ways. It is the most efficient and effective way to ensure that the compliance program spends its time and resources on the appropriate issues (to best prevent and detect fraud, waste, and abuse). It also helps ensure that operations leaders and managers understand compliance risk and the importance of operations’ responsibility for compliance. Effective compliance risk assessment, management, and mitigation promote an engaged and aware culture throughout an organization and are a best practice that has become a requirement in recent corporate integrity agreements (CIAs). Risk-based compliance programs promote the highest level of service for employees and patients and help ensure that compliance programs are proactive. Perhaps the most compelling reason to provide an exceptional risk assessment approach is that it can be protective in cases of wrongdoing. The Department of Justice Evaluation of Corporate Compliance Programs states, “Prosecutors may credit the quality and effectiveness of a risk-based compliance program that devotes appropriate attention and resources to high-risk transactions, even if it fails to prevent an infraction.”[2]

While every organization’s risk profile is unique, there are certain healthcare-specific industry risks, especially when narrowed to healthcare providers, that these organizations have in common. These shared industry risks include, but are not limited to, state and federal statutes and regulations, matters seen in recent enforcement actions, Department of Health & Human Services Office of Inspector General (OIG) reports and work plan items, government audit priorities, changing regulatory priorities, and certain broader state and national issues such as “the great resignation” and pandemic-related concerns, among others. An organization’s risk profile becomes further customized when adding internal risks, or those particularly applicable to the organization. These may include, but are not limited to, organizational structure and legal relationships, the control environment, the culture of compliance and accountability, operations’ engagement with compliance, specific issues reported to management or compliance, specific investigation outcomes, and specific audit findings.
