Compliance Risk Assessment Framework (RAF)

Richard P. Kusserow | October 2022

Register for a complimentary CEU-credited webinar, “Building Blocks for Effective Compliance Programs,” November 10, 2022, at 2 PM Eastern. The Compliance Certification Board (CCB)® has approved this event for up to 1.2 Live CCB CEUs.

Key Points:

  • RAF is a means by which risk exposure can be assessed and addressed
  • A compliance risk assessment is necessary to identify risks needing mitigation

The Compliance Risk Assessment Framework (RAF) consists of an inventory of compliance risks under applicable laws, regulations, rules, standards, and guidelines, together with a structure for assessing compliance with them. Risk failures can result in fines, penalties, or other costs regulators might impose. There are also other potential consequences, such as exposure to tort liability from civil lawsuits, loss of reputation and standing in the community, negative impacts on business relationships, weakening of employee confidence, financial impact, etc. On the other hand, evidence of effective risk management often results in more favorable treatment by government regulators.

The compliance risk assessment process should include analyzing where regulatory compliance obligations are weak or not being adequately addressed. This process is primarily the function of program managers, who should identify, address, and then manage risks within their program operations. It involves evaluating and specifically identifying, prioritizing, and controlling the risks associated with the threat of non-compliance.

Risk Assessment Framework Elements

  1. Identify risks affecting the operational areas.
  2. Analyze risks in terms of vulnerability, likelihood, and consequences.
  3. Rank risks from high to low by probability and by the negative consequences of failure.
  4. Begin with the highest risk exposure; review existing controls.
  5. Determine adequacy of policies and procedures to control risks.
  6. Plan steps to reduce or mitigate risk levels with new or modified policies and procedures.
  7. Train staff on following the compliance guidance.
  8. Conduct ongoing monitoring to ensure staff is adhering to the compliance risk guidance.
  9. Conduct internal audit reviews to test and validate that controls are effective.
  10. Routinely repeat the process to test controls and adjust as needed.

Note that compliance is only one area of risk assessment; others include strategic planning, mergers/acquisitions, clinical, financial, etc.

Keep up to date with Strategic Management Services by following us on LinkedIn.

About the Author

Richard P. Kusserow established Strategic Management Services, LLC, after retiring from being the DHHS Inspector General, and has assisted over 3,000 health care organizations and entities in developing, implementing and assessing compliance programs.