Trust the numbers: Risk-based work prioritization for compliance programs

By Chris A. Gideon and Jessica A. Luna, MHRD, CCEP

Chris A. Gideon (chris.gideon@coniferhealth.com) is Compliance Manager, Risk & Oversight, and Jessica A. Luna (jessica.luna@coniferhealth.com) is Senior Director, Compliance Programs and Strategy, at Conifer Health Solutions in Frisco, TX.

The role of compliance in overall company risk management is expanding now more than ever. We are being asked to do more, know more, and help with more; the line of what our role is as compliance versus the role of operations is blurring. Simultaneously, we are expected to deliver on government and industry guidance by creating a compliance program that is, by all accounts, effective at protecting the business, ensuring compliance with applicable laws and regulations, and setting the business up for success.

To do more with less, having a defined and strategic work-planning process is vital. Think of a to-do list but better, divided into meaningful categories and considering criteria that matter the most from your environment, whether that be regulatory, business related, or other. Work planning looks different at every organization, so there are no wrong or right ways to do it. The main idea here is to have a process. There are, however, some things we’ve learned along the way that have helped us address industry and regulatory risk, emerging business risk, and compliance program enhancements and efficiencies and have a leg to stand on when answering to our compliance committee. Strategic work planning also allows compliance to be flexible and responsive in dynamic situations—like this year’s pandemic—and shift our support where the business needs it most.

So where do you start? Depending on the size of your organization and compliance program, the work-planning process can be quite an undertaking. To simplify this idea, we will break it down into two big buckets of work: work plan development and work plan calibration.

To kick off work plan development, you will need to identify your program’s key functions, get organized, and ensure alignment on process with all of your functional compliance leaders you need to engage throughout this process; a good place to start is defining a work-planning methodology. This methodology should include all of the inputs your compliance team will consider when deciding what should go on the annual work plan and the phases your work plan will flow through.

For phase one—our preliminary work plan—we gather all of the relevant inputs for our company’s unique compliance risk profile. Inputs for us include industry regulatory risks, Department of Justice/Office of Inspector General guidance and work plan, external program assessments and/or audit results, enterprise and compliance risk assessment results, hotline trends, and client feedback (we are a service provider). We ask our functional compliance leaders to consider all inputs and start compiling initial work plan items. We then formulate our initial work plan draft, organized by functional area. Functional leaders are also required to risk-score their work plan items using our prioritization tool (we’ll dig into this soon) to ensure all of their work plan items are medium to high risk. This exercise allows us to hold our functional leaders accountable and challenges them to think through the risk drivers of an initiative before adding it to the work plan.

For phase two—risk calibration—we engage the compliance leadership team in multiple discussions (each session has a one-hour maximum to hold attention) to calibrate the work plan. During these sessions we refine the work plan by thinking about the big picture: How do we shape the work plan so that we are leveraging our resources to the fullest, addressing our company’s highest risks, adding value to the business, and balancing the expectations of the compliance committee and executive leadership? We also consider business constraints (system conversions, outsourcing or offshoring, etc.) and residual risk (process governance controls), where applicable.

Finally, for phase three, our work plan is presented to the compliance committee for approval. All of the work that leads up to this point allows us to be ready to defend work plan items as needed if questioned by the compliance committee, educate them on the “why” behind a particular item, and allow them to make an informed decision on the risk appetite of the organization in relation to key initiatives.

To break down the risk-scoring step within phase one in more detail, below are the steps to build a prioritization tool to fit your organization.

Designing your prioritization tool

By the nature of the work compliance professionals do, we’ve become quite skilled at defining the risks that face our organizations. Because of this, it can be easy to listen to our gut and prioritize work based on our own expertise. But this practice can prove to be quite subjective and can lead to overcommitting on our work plan or failing to properly mitigate a critical organizational risk. When we set out to design an objective tool for scoring risk and prioritizing work, we identified six categories that would provide holistic insight into the actual and true level of risk associated with a given process:

  1. Source: Where is the initiative coming from?

  2. Exposure: What is the volume of work the organization does related to this initiative?

  3. Financial impact: If no action is taken, what is the maximum potential financial loss for the business?

  4. Budgetary impact: What will undertaking the initiative cost the business?

  5. Legal/compliance impact: If no action is taken, what regulatory or contractual risk does the business face?

  6. Reputational impact: If no action is taken, what risk is there to the reputation of the business? 

When these risk drivers are compiled for a total impact score, the potential impact of a risk can be viewed in relation to other scored risks of the organization, which allows for those risks with elevated potential impact to rise above the others in a meaningful way.

For each risk driver detailed below, we started with asking a question, attempting to determine all the potential answers to that question, and assigning a score to each answer based on the potential impact it could have to the organization.

It’s important to note that, like with most tools, there isn’t a one-size-fits-all solution. Using our tool as a model, look for the potential inputs for each question and develop your scale based on the risk tolerance of your organization. You may have to use a bit of creativity and professional judgment to piece together a tool using our model that works for your industry, organization, and department.

Keep in mind, we use this tool for prioritizing our work plan and our compliance testing plans, so you’ll see reference to “project,” which typically refers to annual work plan initiatives, and “review,” which typically refers to a testing activity.

Source

The source of each project or testing initiative is an integral component of scoring the associated risk. The prioritization of each potential input will ultimately depend on the structure of your organization—as a third-party billing provider, we prioritized the source of each item based on the following general hierarchy.

What is the source of this project or review?

  • 5 – Regulatory action such as a consent order, nonprosecution agreement, corporate integrity agreement or external corrective action plan, regulatory change (final rule), or accreditation requirements

  • 4 – Request of executive leadership or client, enterprise risk assessment/compliance risk assessment results, Department of Justice Office of Inspector General compliance program guidance, or Federal Sentencing Guidelines

  • 3 – Awareness of regulatory enforcement action in the industry that did not involve the organization, Office of Inspector General Work Plan, or Centers for Medicare & Medicaid Services audits

  • 2 – Compliance or audit services-based mitigation plans/corrective action plans (including annual compliance program effectiveness review)

  • 1 – Ethics & compliance work plan

Exposure

Defining the exposure of a risk will help you better understand how pervasive it is in your organization. It will be important to understand your organization’s operational areas and the work they perform. If you’re unsure of the volume of work that’s performed, reach out to your operational partner and get an estimate. Accuracy will ensure each score is not needlessly inflated.

When scoring the exposure, factor in both the total amount of work performed in a particular business line (e.g., revenue generated, full-time equivalents supporting the work) and the frequency with which it is performed. We took both of these into account when we developed our exposure scale. Processes performed in high volumes on a more frequent basis will require more intentional testing and mitigation efforts than those performed at lower volumes.

Does the organization or functional compliance area have significant exposure to this concern?

  • 5 – Organization performs a large volume of this work on a daily basis

  • 4 – Organization has exposure to this activity through its work for a client

  • 3 – Organization has exposure to this activity at least quarterly

  • 2 – Organization has exposure to this activity daily but does not have a large volume of work

  • 1 – Organization does not currently have exposure to this activity

Financial impact

Financial impact depends on the exposure of the work your organization performs for the risk area being scored and the potential regulatory penalties or lost revenue if mitigation efforts are not undertaken. When we determine the financial impact of a particular process, we generally think about the potential regulatory penalties associated with the process. You’ll notice that this metric doesn’t look at the process in its entirety; rather, it’s measuring the potential financial impact of a sample of accounts. The reason for this difference is to avoid overexaggerating the potential impact of regulatory penalties.

What is the potential financial impact related to the project or of noncompliance for the universe of accounts within scope (for reviews)?

  • 5 – Potential regulatory penalties or lost revenue greater than $1,000,000

  • 4 – Potential regulatory penalties or lost revenue from $999,999 to $750,000

  • 3 – Potential regulatory penalties or lost revenue from $749,999 to $500,000

  • 2 – Potential regulatory penalties or lost revenue from $499,999 to $250,000

  • 1 – Potential regulatory penalties or lost revenue less than $250,000

  • 0 – Not applicable

Budgetary impact

A unique component of this tool is its ability to be used for different purposes. As already mentioned, we leverage it to prioritize work plan items, program enhancements, and compliance testing activities. This section won’t be necessary for all scoring, which is why we’ve included a “Not applicable” answer. The potential budgetary impact was added to define the immediate cost of a project before initiation. This section will look different for each organization based on size, financial health, and spending tolerance. The budgetary impact of each project will help determine the breadth of resources that the initiative will consume and should always be factored into deciding whether to undertake an initiative, particularly in the cost-conscious environment we are currently working in.

What is the potential budgetary impact for this project?

  • 5 – Potential budgetary impact more than $50,000

  • 4 – Potential budgetary impact from $49,999 to $30,000

  • 3 – Potential budgetary impact from $29,999 to $15,000

  • 2 – Potential budgetary impact from $14,999 to $5,000

  • 1 – Potential budgetary impact less than $5,000

  • 0 – Not applicable

Legal/compliance impact

The legal and compliance section of the tool serves to help identify the severity of the potential impact from a regulatory or contractual standpoint. The scoring hierarchy of this section will largely be based on the risk tolerance of your organization. (Notice a theme here?) Because we are a service provider in a highly regulated industry, we have potential regulatory enforcement or litigation action at the top of our list, but just below that is breach of contractual obligations, which is a large portion of our work in our compliance department.

What is the potential legal or regulatory impact associated with the project or review?

  • 5 – Potential regulatory enforcement or litigation action

  • 3 – Breach of contractual obligations

  • 1 – No potential legal or regulatory impact

Reputational impact

While reputational impact is important for every company, for a service provider focused on growth, reputation is an area of utmost importance. Credibility in our industry allows us to innovate and expand our market footprint, further strengthening our business. When looking at reputational impact, we are, of course, thinking strategically about the consequences that noncompliance would have on our organization, but we also look at the compilation of the areas mentioned above and consider how the severity of the consequences resulting from noncompliance might affect our clients. Additionally, since we’re a relatively new organization, growth is vital, so we must assess the impact on our ability to attract new clients.

What is the potential reputational impact associated with the project or review?

  • 5 – Project noncompletion or noncompliance of this issue would have impact on the organization’s ability to maintain and land new business

  • 4 – Project noncompletion or noncompliance of this issue could damage the organization’s or a client’s standing in the market

  • 3 – Project noncompletion or noncompliance of this issue could damage our reputation with one or more clients

  • 2 – Project noncompletion or noncompliance of this issue would have minimal reputational impact

  • 1 – No reputational impact

Socializing the prioritization tool

After you and your team have developed a new prioritization tool for your organization, you will want to socialize internally, within your department, to let everyone know of the new approach to developing work plans and scoring potential compliance testing activities. So, how do you do that? The best answer is that it will be different for each organization, the structure of the compliance department, and your place in that structure. However, from our perspective, executive leadership support is crucial to the success of this new tool and its implementation. So, we initially walked our chief compliance officer through each use case. Our chief compliance officer provided some feedback, along with her support, and asked us to schedule a meeting with our department’s functional leaders to share the tool further and solicit feedback. In advance of this meeting, we sent the tool to each leader, requesting that they assess the tool to provide for more substantive discussion. We felt including the functional leaders and making the design of the tool a shared endeavor would give us a more successful implementation of the tool from the outset.

Now that your tool has been vetted and tested, it’s time to implement it. Successful adoption of the tool will be based, in part, on timing of the implementation. We timed ours to coincide with our annual work plan development meetings. We sat down with each leader individually and discussed their provisional plan for the coming year. This provided the perfect framework to train each leader on how the tool works, using examples that are specific to the work they perform or will perform in the coming year. Additionally, we took special care to educate each leader about the value this tool provides. By taking each initiative and scoring the risk, it allows the leader to strategically plan work based on the criticality of mitigating the associated risk. This method has minimized additional questions and lost time reviewing the tool multiple times with each initiative.

Using the prioritization tool to respond to crisis

Now that you have this comprehensive, risk-based annual work plan, life throws a pandemic at you. Not to worry! Now, you just need to regroup, using similar steps to those just outlined, in the three phases we talked about at the beginning of this article. Here’s what we did. To get organized, we again created a work (re)planning methodology considering the current environment. We prioritized critical work plan items, factored in new and emerging risk (e.g., telehealth, a dynamic regulatory landscape, anticipated Department of Justice enforcement actions related to fraud, and telecommuting), and pressed pause on certain programmatic enhancement initiatives and work plan initiatives that involved heavy stakeholder interaction (Figure 1).

Figure 1: The prioritization tool

We wanted to be sensitive to how much we were interacting with operational leaders and colleagues as they were on the front lines of the pandemic response or, in some cases, furloughed. We engaged the compliance leadership team in calibration discussions to adjust our work plan using the new methodology. We also switched to performing calibration quarterly instead of annually. This allowed us to revisit and assess the work plan more frequently, in line with how quickly the pandemic response was evolving and how fast the business was changing, and address emerging risk (e.g., regulatory guidance, Centers for Medicare & Medicaid Services exceptions). Finally, we presented our new methodology and work plan to our compliance committee to educate them on the steps we were taking to appropriately respond to the pandemic and adapt our support accordingly.

Key takeaways

As our profession and role within our respective industries continues to evolve within business and society, it is important to keep a risk-based mindset. Having objective tools and a systematic way to prioritize and plan organizes your day-to-day work and allows you to use your often-limited resources to their fullest. This way of strategic thinking and planning is paramount to your ongoing effectiveness and success as a compliance professional.

Takeaways

  • Ensuring you are focused on risk in work planning is crucial, and the government expects it.

  • Building a strategic work-planning framework ensures your leadership team is on the same page every year.

  • Creating a custom scoring methodology allows you to objectively score the risk impact of a given work plan initiative or testing activity for your business.

  • Having a defined scoring methodology prepares you for defending initiatives and resource needs before your compliance committee.

  • Pivoting work planning and reallocating resources during a crisis is easier when you’re prepared.

This publication is only available to members. To view all documents, please log in or become a member.
Become a Member Login

About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings