Get answers to the most frequently asked questions about compliance risk management, a foundational component of a well-designed healthcare compliance program.


Compliance Risk Management is a continuous process for identifying, assessing and mitigating potential losses that may arise from an organization’s noncompliance with laws, regulations, standards, and both internal and external policies and procedures. It also involves tracking changes in the regulatory environment to ensure that an organization’s compliance stays up to date. Compliance risk management practices help organizations maintain compliance with the regulations and laws that apply to them, with risk management policies and procedures providing the framework and mechanisms for risk control. Those policies and procedures, along with the training that supports them, should be reviewed and updated on a regular basis.


Risk Assessments are the foundation of a well-designed compliance program: the company performs a periodic risk assessment, identifies company- and industry-specific risk areas, and uses the results to tailor the compliance work plan around the high-risk areas. It begins with a commitment on the part of the organization to engage in the risk assessment process on a continuous basis. Risk assessments are not a static activity but dynamic processes that constantly seek to identify, prioritize and re-prioritize an organization’s major risk factors. They are roadmaps that provide valuable insight into an organization’s major activities and the risks those activities pose from a legal and regulatory perspective. An outdated risk assessment can lead to the misallocation of an organization’s scarce resources, and its valuable time and attention, to risks that may be immaterial to the organization. It is crucial, therefore, that organizations ‘refresh’ their risk assessments at least annually, or more frequently when major changes affecting the business as a whole occur. Such changes include, but are not limited to, merger and acquisition activity; expansion into new markets and territories; and changes to an organization’s overall risk tolerance. In each of these circumstances, organizations are strongly advised to revisit the risk assessment process to determine whether the previous assessment remains relevant or whether novel risk factors previously unaccounted for must now be ranked and addressed.


Compliance Surveys are anonymous questionnaires used to obtain employee feedback on compliance based upon their experience, and can be used to help evidence Compliance Program effectiveness. The OIG’s compliance guidance documents encourage the use of employee compliance surveys to evidence employee compliance understanding, and the DOJ’s “Evaluation of Corporate Compliance Programs” guidance asks whether the company has surveyed employees to gauge the compliance culture. The OIG published “Measuring Compliance Program Effectiveness: A Resource Guide”, which cites the use of surveys in evidencing Compliance Program effectiveness in over 60 places. There are two types: (a) a compliance knowledge survey, which uses dichotomous (yes/no) questions to measure employee knowledge and awareness, and (b) a compliance culture survey, which uses Likert-scale (degree of agreement) questions to measure employee attitudes and perceptions about the compliance environment of an organization. Critical to obtaining credible and reliable results is a professionally developed, tested and validated survey instrument that has been used with many organizations, so that results can be benchmarked against the universe of users. Independent deployment and analysis are also important to ensure that responses remain anonymous. Survey results should not be just a set of statistical tables but should include detailed analysis with suggestions for improvement, along with benchmarking against the universe of users.


Compliance culture has increased in importance, with the DOJ guidance placing a heavy focus on whether an organization has adequately promoted and developed it. An organization with a strong compliance culture has a general awareness of compliance best practices and of the risks associated with non-compliance. A good compliance culture encourages, and may even incentivize, good behavior through bonuses, or requires it as a prerequisite for promotion. A culture of compliance starts with an organization that is true to its mission and core values, where senior managers lead the way by expressing their commitment to compliance policies and encouraging open communication and honest feedback. Creating a culture of healthcare compliance should be a major objective for compliance officers. It doesn’t happen overnight. It takes time, training, and a series of trial-and-error steps to get right, and getting it right requires an ongoing effort led by a compliance officer and a department dedicated to healthcare compliance. It also requires executive leadership buy-in to set the tone and encourage ethical behavior from the top down. Finally, it involves educating and involving employees on the importance of compliance, integrity and values at the time of hiring, and reinforcing that message thereafter.


Compliance Arrangement Reviews involve ensuring that agreements with physicians and other potential referral sources comply with Federal and State laws and regulations. Reviewing arrangements with physicians and other referral sources is the best means of avoiding implication of the Anti-Kickback Statute and the Stark Law, which are the number one enforcement priority for the DOJ and OIG. The review evaluates whether the organization’s systems, controls and policies effectively manage its legal and regulatory compliance risks. Determining compensation for any party in a position to influence the referral of business requires care to avoid potential violations of these laws.


The program manager is responsible for monitoring the high risks related to their program, including identified regulatory risks; providing written compliance guidance to their staff; training staff on that guidance; and monitoring that staff follow it. The Compliance Officer, in turn, is responsible for monitoring the compliance program as a whole.


Regulatory Due Diligence Reviews are a vital part of risk management in any M&A deal, and are complicated in the health care sector by the high level of regulation, which creates a significant risk that a purchaser acquires serious regulatory liabilities. Such a review is a systematic examination of an organization’s regulatory compliance status to confirm the facts and details by which an acquirer can properly understand and identify the compliance risks related to the target, including potential legal and regulatory violations, corrupt arrangements with referral sources, and data privacy and security issues. It differs from financial and legal due diligence reviews: the former uses accounting firms to focus on financial accountability and reporting, and the latter uses law firms to examine the entity’s structure, licenses, contractual rights and obligations, tax exposure risks, previous and/or current litigation, and so on.


Conducting a Compliance Risk Assessment (CRA) is important for addressing the variety of business risks in the healthcare sector that result from failure to act in accordance with laws, regulations, industry standards, internal policies/controls, or best practices, and for analyzing the consequences should those risks materialize. The threat of non-compliance may involve penalties (fines), reputational damage, legal repercussions, or the inability to continue the business. A CRA documents the current state of compliance oversight and management and the related compliance risks; it can identify deficiencies, inefficiencies and risk exposure, and enhance compliance program effectiveness. There are several different types of risk assessment, but the compliance risk assessment is a specific one focused on the business’s compliance with applicable laws, and it can protect a business from reputational exposure and fines. However, a CRA represents only part of an enterprise-wide risk assessment: it is limited to regulatory compliance and specifically identifies, prioritizes, and controls the risks associated with the threat of non-compliance.