Expert Advice Regarding Compliance Risk Assessments

Several national surveys indicate that most health care organizations perform periodic compliance risk assessments, which is a cornerstone for any effective compliance program. However, results from the 2018 Compliance Benchmark Survey conducted by SAI Global and Strategic Management Services indicate that organizations have considerable confusion and misunderstanding as to what constitutes a risk assessment or how it should be conducted. Like other elements of a compliance program, there is no single method for risk assessments as they must account for the differences between various health care sectors. Each sector has its own unique compliance risk areas where the organization may be vulnerable. Many risk area assessments are performed internally by the risk management department, internal auditors, the compliance office, or some combination of those groups. Others are conducted by outside consultants or audit experts.  Regardless, practical methods should be employed to identify, measure, and manage those risks. Some of those methods are part of an enterprise-wide risk management review, while others are focused on regulatory compliance risk management.

Carrie Kusserow, CHC, CHPC, CCEP, has over 15 years of experience as a compliance officer and as a consultant conducting compliance risk assessments. Ms. Kusserow has explained that a robust compliance risk management program is vital to identifying weaknesses in internal controls and systems that could give rise to potential liability. Issues continually arise for health care organizations that operate under complex requirements and corporate structures; however, Ms. Kusserow points out that a proper risk management program provides organizations with ways to mitigate these risks before they lead to greater liability. She notes that an effective Compliance Risk Assessment Program includes:

1. Compliance high-risk identification, assisted by program managers;
2. Scoring and prioritizing areas by vulnerability and risk;
3. Implementing a risk assessment audit plan;
4. Reporting risk assessment results to executive leadership/Boards of Directors;
5. Tracking remediation of identified weaknesses; and
6. Verifying remediation and validating effectiveness.

Tom Herrmann, JD, has over 30 years of experience with the Department of Health and Human Services Office of Inspector General (OIG) and as a compliance consultant. He notes that the OIG, in a variety of compliance guidance documents, recommends conducting a baseline identification of risk areas to be used in subsequent reevaluation. The objective for each risk area is to determine how susceptible it is to mismanagement, violation of laws or regulations, and potential liability. Compliance risk management needs to be a continuous, dynamic process of gathering, analyzing, and updating information to ensure ongoing compliance with government rules and regulations. This process begins with identifying, analyzing, and prioritizing regulatory risks associated with the daily operations, and continues with the implementation, monitoring, auditing, and routine reporting of control strategies.

Steve Forman, CPA, who has conducted compliance risk assessments for over 35 years, believes that a risk assessment process should outline the areas to be addressed, the approach to be followed, who should follow the approach, and the time period for the assessment. For any health care sector, one can expect to identify far more risk areas than can be addressed in detail by any annual work plan. This makes prioritizing the process very important. The first step is to identify all the risk areas that should undergo assessment. Then, a process for rating and ranking the risk areas in terms of vulnerability and risk should be implemented. Vulnerability is the likelihood of a liability arising from a risk area, and level of risk relates to the liability of a risk incident in terms of cost and reputation. The combination of vulnerability and risk should allow the prioritization of risk areas for full risk assessments. A multi-year risk assessment work plan can be developed from this initial process.

Catie Heindel, JD, CHC, CHPC, is an expert in conducting compliance risk assessments. She believes that compliance professionals should commit to updating and revising their risk assessment processes on a regular, ongoing basis. This involves reviewing past work, verifying that remedial actions have taken place, and validating that the remedial actions have in fact mitigated risks. A key factor in that effort is ensuring the adequacy of policies and procedures that guard against events that could give rise to liability. However, the critical indicator of risk management is evaluating how a compliance program performs during the provider’s day-to-day operations. Furthermore, any risk assessment report should (a) explain how the assessment was conducted; (b) define the risk and why it is significant; (c) provide a summary of findings, gaps, and opportunities for improvement; and (d) include a proposed plan of action to mitigate the identified risks.

Strategic Management has been helping health care organizations maintain effective compliance programs for over 25 years. We can help you assess and manage compliance program risks to ensure your program remains effective. Contact us today to find out more: (703) 683-9600, strategicmanag.wpengine.com/contact-us/

About the Author

Richard P. Kusserow established Strategic Management Services, LLC, after retiring from being the DHHS Inspector General, and has assisted over 2,000 health care organizations and entities in developing, implementing and assessing compliance programs.