Chris A. Gideon (email@example.com) is Compliance Manager, Risk & Oversight, and Jessica A. Luna (firstname.lastname@example.org) is Senior Director, Compliance Programs and Strategy, at Conifer Health Solutions in Frisco, TX.
The role of compliance in overall company risk management is expanding now more than ever. We are being asked to do more, know more, and help with more; the line of what our role is as compliance versus the role of operations is blurring. Simultaneously, we are expected to deliver on government and industry guidance by creating a compliance program that is, by all accounts, effective at protecting the business, ensuring compliance with applicable laws and regulations, and setting the business up for success.
To do more with less, having a defined and strategic work-planning process is vital. Think of a to-do list but better, divided into meaningful categories and considering criteria that matter the most from your environment, whether that be regulatory, business related, or other. Work planning looks different at every organization, so there are no wrong or right ways to do it. The main idea here is to have a process. There are, however, some things we’ve learned along the way that have helped us address industry and regulatory risk, emerging business risk, and compliance program enhancements and efficiencies and have a leg to stand on when answering to our compliance committee. Strategic work planning also allows compliance to be flexible and responsive in dynamic situations—like this year’s pandemic—and shift our support where the business needs it most.
So where do you start? Depending on the size of your organization and compliance program, the work-planning process can be quite an undertaking. To simplify this idea, we will break it down into two big buckets of work: work plan development and work plan calibration.
To kick off work plan development, you will need to identify your program’s key functions, get organized, and ensure alignment on process with all of your functional compliance leaders you need to engage throughout this process; a good place to start is defining a work-planning methodology. This methodology should include all of the inputs your compliance team will consider when deciding what should go on the annual work plan and the phases your work plan will flow through.
For phase one—our preliminary work plan—we gather all of the relevant inputs for our company’s unique compliance risk profile. Inputs for us include industry regulatory risks, Department of Justice/Office of Inspector General guidance and work plan, external program assessments and/or audit results, enterprise and compliance risk assessment results, hotline trends, and client feedback (we are a service provider). We ask our functional compliance leaders to consider all inputs and start compiling initial work plan items. We then formulate our initial work plan draft, organized by functional area. Functional leaders are also required to risk-score their work plan items using our prioritization tool (we’ll dig into this soon) to ensure all of their work plan items are medium to high risk. This exercise allows us to hold our functional leaders accountable and challenges them to think through the risk drivers of an initiative before adding it to the work plan.
For phase two—risk calibration—we engage the compliance leadership team in multiple discussions (each session has a one-hour maximum to hold attention) to calibrate the work plan. During these sessions we refine the work plan by thinking about the big picture: How do we shape the work plan so that we are leveraging our resources to the fullest, addressing our company’s highest risks, adding value to the business, and balancing the expectations of the compliance committee and executive leadership? We also consider business constraints (system conversions, outsourcing or offshoring, etc.) and residual risk (process governance controls), where applicable.