2026 Compliance Risk Assessments
Key Points:
- Ten-Phase Process for Compliance Risk Assessments
- Risk assessments are commonly conducted in the first quarter of the year
- Initial assessments are often performed by consultants, with subsequent assessments conducted internally
Most Compliance Officers schedule Compliance Risk Assessments in the first quarter of the year so that risk mitigation strategies can be incorporated into the Annual Workplan. A risk assessment is a structured process designed to identify, evaluate, and prioritize regulatory and enforcement risks specific to an organization’s operations. Its purpose is to demonstrate that the organization understands where its risks exist and is actively managing them. Once an initial assessment is conducted, the process can be repeated over time using the same methodology. The Department of Justice (DOJ) and the Office of Inspector General (OIG) assess whether the risk assessment is tailored to the organization’s operations, whether risks are logically prioritized, whether results drive real compliance activity, whether leadership is informed and engaged, and whether the process is documented and repeatable. When done properly, the risk assessment directly informs the compliance work plan and demonstrates program effectiveness under DOJ and OIG guidance. Examples of ineffective risk assessments include the use of generic risk lists copied from templates, limited input from operational managers, poor risk scoring or prioritization, failure to link results to the Compliance Workplan, and lack of follow-up on identified issues.
The following are the ten phases for conducting risk assessments:
Phase 1: Define Scope and Objectives. Begin by determining (a) the business units, service lines, and functions to be included in the assessment; (b) the regulatory framework against which the assessment will be made (e.g., Medicare, Medicaid, Stark, AKS, HIPAA, CMS Rules); (c) the time period to be covered; and (d) whether the assessment will be conducted internally or by an independent third party. It is common for the initial assessment to be conducted by consultants, with subsequent assessments performed internally using the same format and process.
Phase 2: Identify Applicable Risk Areas. Risks are identified using multiple sources, including DOJ, OIG, OCR, CMS, and state enforcement trends; False Claims Act settlements; OIG Compliance Program Guidance and Workplan priorities; prior internal monitoring and auditing results; billing, coding, and payment data; hotline complaints and investigation trends; and external factors such as new service lines, telehealth, mergers and acquisitions, and organizational growth. The desired outcome is a comprehensive list of organization-specific compliance risks that can be addressed and mitigated.
Phase 3: Gather Operational and Compliance Data. This phase tests how work is actually performed, not just what policies require. Information is collected through structured interviews with leadership, operations, clinical, finance, and IT personnel; review of written guidance (policies, procedures); review of contracts and arrangements with referral sources; assessment of training coverage and effectiveness; evaluation of auditing and monitoring activities; and review of vendor and third-party oversight processes.
Phase 4: Evaluate Existing Controls. Internal controls need to be evaluated for both design and effectiveness, not just their existence. For each identified risk area, it is important to assess preventive controls (e.g., policies, approvals, contract review); detective controls (e.g., audits, monitoring, data analytics); and corrective controls (e.g., discipline, remediation, repayment).
Phase 5: Score and Prioritize Risks. Each risk should be scored using consistent criteria, typically including (a) likelihood of occurrence; (b) financial impact; (c) regulatory exposure; and (d) operational and reputational impact. The results can then be ranked in a risk inventory or heat map highlighting high-likelihood/high-impact risks, emerging risks requiring attention, and lower-priority risks that can be monitored.
Phase 6: Identify Gaps and Root Causes. For high-priority risks, the assessment should identify gaps in controls or weaknesses, root causes (process, staffing, training, technology), and areas of inconsistent implementation. This phase distinguishes true risk from theoretical exposure.
Phase 7: Develop Mitigation Strategies. Each high-priority risk needs to be linked to targeted mitigation actions, including audits or monitoring activities, policy or contract revisions, focused training, operational changes, and technology or data analytics enhancements. Mitigation actions should be assigned to owners with timelines for completion.
Phase 8: Align to the Compliance Work Plan. Risk assessment results should be incorporated into annual audit and monitoring plans, training priorities, policy review schedules, and board reporting focus areas.
Phase 9: Report Results to Leadership and the Board. Results need to be summarized using “heat maps” and board-level summaries, with clear explanations of top risks and the response from management. Documentation should evidence oversight, engagement, and follow-through.
Phase 10: Update and Repeat. Risk assessments should be updated annually and after significant changes such as growth, mergers and acquisitions, and enforcement shifts, as well as when new risks emerge (e.g., telehealth, AI, value-based care). If the initial assessment is conducted by a consultant, the same process and tools should be used to continue the process internally. Risk assessment should be a living process, not a static report.
Interested in working with Strategic Management to support your organization? Contact Steve Forman, CPA at [email protected], who has been conducting Compliance Risk Assessments for over thirty years.