Conducting a Compliance Risk Assessment (CRA)
Key Points:
- CRAs are critical for effective Compliance Programs
- 11 steps in conducting CRAs
- Common to use experts to assist with the initial CRA
Conducting a Compliance Risk Assessment (CRA) is a systematic process that identifies and evaluates the legal and regulatory risks that may affect a business's operations, finances, reputation, and ability to comply with the law. It is critical to an effective compliance program because it identifies compliance risks facing a health care organization, assesses their likelihood and potential impact, and determines the steps and measures needed to mitigate them. A CRA proactively analyzes the gaps between current practice and regulatory obligations and the actions required to close them, so that legal, financial, or reputational harm can be averted before it occurs. It shows how well the organization is meeting current standards and provides evidence of an effective compliance program. By systematically uncovering vulnerabilities, an organization can address risks before they materialize, break down silos between departments that share the same risks, and protect business continuity. The CRA also enables resources to be prioritized toward the most significant risks, supports a step-back assessment of how well existing mitigation strategies have worked, and surfaces new or emerging risks not previously considered. Compliance Officers should ensure that the risk assessment is continuously updated and revised, and that it is integrated into the compliance monitoring and auditing programs.
The CRA process includes the following eleven steps:
1. Establishing the scope and the universe of programs to be assessed.
2. Surveying program managers on the compliance risks within their areas of responsibility.
3. Identifying the applicable laws, regulations, and standards.
4. Reviewing policies, procedures, controls, and practices for compliance with those laws and regulations.
5. Assessing the potential outcomes of each risk and the likelihood of a risk event occurring.
6. Scoring identified risks against defined metrics to prioritize them by severity.
7. Determining what actions are needed to address and mitigate each risk.
8. Implementing controls and corrective action measures.
9. Monitoring on an ongoing basis to verify and validate that the mitigation is effective.
10. Tracking and assessing the corrective actions taken.
11. Re-evaluating risks at regular intervals.
Mitigation and corrective actions can be tracked, and their effect on each risk rating reported as part of regular compliance program updates to senior management and the board. It is important that the CRA be integrated into ongoing monitoring by program managers, including regular reporting on mitigation activities, so that risk ratings can be adjusted over time as controls take effect or new risks emerge. Since compliance risks affect many areas of the enterprise, it is advisable to integrate the CRA into an existing Enterprise Risk Management process rather than run it as a separate exercise.
For more information on this subject, contact Richard Kusserow ([email protected]).