Hospital Risk Assessments: Sources and Techniques

Risk assessments have become an important method for hospitals to establish and prioritize risk areas within their facilities. Specifically, the Health Insurance Portability and Accountability Act (HIPAA) and the Sarbanes-Oxley Act of 2002 both require risk assessments. Based on these requirements, the US Sentencing Commission Guidelines were amended to include hospitals “periodically assess[ing] the risk of criminal conduct and tak[ing] appropriate steps to design, implement, or modify each requirement set forth … to reduce the risk of criminal conduct identified through this process.”1

The Office of Inspector General (OIG) Supplemental Compliance Program Guidance (CPG) for Hospitals also addresses the use of a risk assessment tool to prioritize and reduce risks, with questions to hospitals such as: “[h]as the hospital developed a risk assessment tool, which is re-evaluated on a regular basis, to assess and identify weaknesses and risks in operations; and [d]oes the risk assessment tool include an evaluation of Federal health care program requirements, as well as other publications, such as the OIG’s CPGs, work plans, special advisory bulletins, and special fraud alerts?”2

There are many methods and procedures that are useful for hospitals in understanding their risks and how to diminish them. This article will address external resources that can be utilized for risk management, as well as how these resources can be applied. The focus will first be on sources that the health care environment uses to assist in the identification of risks. Then we will discuss different ways a hospital can determine how these and other risks specifically affect their operations.


The Relative Importance of the OIG Work Plan

While the OIG Work Plan is the most frequently cited document about the work of the OIG, and it provides a wealth of information about the OIG priorities for the coming year or two, it is not the only OIG document that provides clues about the enforcement priorities in the health care community. For more detailed information, see Compliance 101: How to benefit from the OIG’s Work Plan, on page 10 of the June 2006 issue of Compliance Today. For purposes of this current article, let us summarize the five points noted in the previous article.

First, the OIG Work Plan is an annual document that contains some, but not all, of the OIG work. There are four major operating components in the OIG: The Office of Audit Services (OAS), the Office of Evaluation and Inspections (OEI), the Office of Investigations (OI), and the Office of Counsel to the Inspector General (OCIG). The vast majority of the work plan is comprised of the national work of OAS and OEI.

Second, while many OAS audits are included in the national work plan, many single grantee or provider audits are not included. Thus, local provider or single State audits may be conducted without any reference in the work plan.

Third, there are descriptors at the end of every project description in the work plan that tell you something about who is conducting the work and when it might be completed.

Fourth, the amount of work in any given area of the work plan depends on the OIG budget, which comes from a couple of sources. The vast majority of the money is devoted to Medicare and Medicaid.

Fifth, the work plan needs to be considered with other OIG enforcement efforts to understand the importance and priority of a given area. Congressional testimony, OIG Guidance, the Semi-Annual Report and recent results of investigations and settlements need to be tracked to complete the picture.

Additional Resources

The OIG Compliance Program Guidance for Hospitals is a useful source when planning a risk assessment. This document provides many recommendations to identify, and possibly decrease, risks. As noted above, this guidance also addresses the development of a risk assessment tool and further suggests that this tool incorporate federal health care program requirements, work plans, special advisory bulletins, and special fraud alerts, among other documents. Moreover, it suggests that once a risk assessment tool is developed, it should be annually evaluated to ensure that it focuses on the appropriate areas of concern, such as the results of prior years’ audits, risk areas that were identified through the organization’s annual evaluation of risks, and high-volume services. The US Sentencing Commission (USSC) Guidelines are also a valuable tool that can be utilized to identify potential high-risk areas and methods to address them. The USSC and OIG guidelines both recommend utilizing audits, in conjunction with other assessment methods, to examine compliance, to reduce identified areas of concern, and to develop policies and procedures specific to the various high-risk areas.

While these resources are useful in identifying risks, organizations may also want to review health care issues that are being addressed on the state level, including areas being addressed through legislative action. Additionally, internal and external audits are instrumental in establishing risks specific to the organization.

Identify and Prioritize Risks

When the various resources have been reviewed to establish possible areas of risk, this information should be synthesized and communicated to the appropriate departments within the organization. This should help to stimulate thinking within the health care institution about identified risk areas. Department managers should be asked to identify and prioritize risks specific to their department. There are two methods that can be used for this process. The first is a more informal, qualitative method, and the other uses a more systematic, quantitative analysis.
Table 1

  A. High Probability & Low Impact  = Moderate Risk
  B. High Probability & High Impact = High Risk
  C. Low Probability & Low Impact   = Low Risk
  D. Low Probability & High Impact  = Moderate Risk

The qualitative method involves meeting with executive and departmental managers to review various risks. Each person may discuss risks that specifically affect their department or areas of concern that have been identified in an audit. To assist in the risk identification process, a simple method can be used to establish the risk level by determining probability and impact (Table 1).

The second, quantitative technique uses the procedures of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) to assist in the classification of a hospital’s risks. COSO recommends a process that involves the board of directors, management, and other appropriate personnel in identifying potential events that are reasonably likely to occur. When these events have been identified, a quantitative method should be developed to evaluate the likelihood that a particular event will occur and the effect it may have on the organization.

After the greatest areas of risk have been established, they should be appropriately ranked, based on an established scoring system, from highest to lowest, with the highest risks being added to the organization’s annual work plan. Methods to assist in the prioritization of risks include:

  • reviewing the annual OIG Work Plan,
  • determining whether the area was a focus of an OIG audit,
  • assessing if the Centers for Medicare and Medicaid Services (CMS) or the Medicare Fiscal Intermediary has targeted the areas, and
  • evaluating information obtained from internal audits.

Of course, a combination of the qualitative and quantitative methods would provide even more robust findings of risks to the health care organization.
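The following is an added worked example, not part of the original article and not a tool the OIG, COSO, or the USSC publish. It combines the two methods described above: the Table 1 probability/impact matrix gives a qualitative level, a likelihood-times-impact product gives a quantitative base score, and the four prioritization signals listed above (OIG Work Plan, OIG audit focus, CMS or Fiscal Intermediary targeting, internal audit findings) raise that score so the highest-ranked areas can be pulled into the annual work plan. The risk areas, the probability and impact thresholds, and the signal weights are constructed assumptions; a hospital would set its own.

```python
"""Risk prioritization worked example (added illustration, not from the article).

Combines the qualitative Table 1 matrix with a quantitative score and the four
prioritization signals named in the article. Sample risk areas, thresholds and
signal weights below are constructed assumptions, not published values.
"""
from dataclasses import dataclass

# Qualitative matrix from Table 1: (probability, impact) -> risk level.
TABLE_1 = {
    ("high", "low"): "Moderate",
    ("high", "high"): "High",
    ("low", "low"): "Low",
    ("low", "high"): "Moderate",
}

# Assumed weights for the prioritization signals listed in the article.
# Each flag that is set adds its weight to a multiplier applied to the base score.
SIGNAL_WEIGHTS = {
    "in_oig_work_plan": 0.5,
    "oig_audit_focus": 0.3,
    "cms_or_fi_target": 0.3,
    "internal_audit_finding": 0.4,
}


@dataclass(frozen=True)
class RiskArea:
    name: str
    department: str
    likelihood: float          # estimated probability the event occurs this year, 0.0-1.0
    impact: int                # estimated effect on the organization, 1 (minor) to 5 (severe)
    in_oig_work_plan: bool = False
    oig_audit_focus: bool = False
    cms_or_fi_target: bool = False
    internal_audit_finding: bool = False

    def __post_init__(self):
        # Reject inputs outside the agreed scale so a typo cannot silently
        # push an area to the top or bottom of the ranking.
        if not 0.0 <= self.likelihood <= 1.0:
            raise ValueError(f"{self.name}: likelihood must be within 0.0-1.0")
        if not 1 <= self.impact <= 5:
            raise ValueError(f"{self.name}: impact must be within 1-5")


def qualitative_level(area, prob_threshold=0.5, impact_threshold=3):
    """Map an area onto Table 1 using assumed cut-offs for 'high'."""
    prob = "high" if area.likelihood >= prob_threshold else "low"
    impact = "high" if area.impact >= impact_threshold else "low"
    return TABLE_1[(prob, impact)]


def quantitative_score(area):
    """Likelihood x impact, scaled up by any prioritization signals present."""
    base = area.likelihood * area.impact
    multiplier = 1.0 + sum(w for flag, w in SIGNAL_WEIGHTS.items() if getattr(area, flag))
    return round(base * multiplier, 2)


def risk_register(areas):
    """Ranked register: highest quantitative score first, with the Table 1 level alongside."""
    ranked = sorted(areas, key=lambda a: (quantitative_score(a), a.name), reverse=True)
    return [
        {"name": a.name, "department": a.department,
         "level": qualitative_level(a), "score": quantitative_score(a)}
        for a in ranked
    ]


def annual_work_plan(areas, top_n=3):
    """Names of the top_n areas to add to the organization's annual work plan."""
    return [row["name"] for row in risk_register(areas)[:top_n]]


# Constructed sample risk areas (hypothetical departments and estimates).
SAMPLE_AREAS = [
    RiskArea("Outpatient observation billing", "Revenue Cycle", 0.7, 4,
             in_oig_work_plan=True, internal_audit_finding=True),
    RiskArea("Physician recruitment agreements", "Legal", 0.2, 5, oig_audit_focus=True),
    RiskArea("Duplicate claim submissions", "Patient Accounts", 0.8, 2, cms_or_fi_target=True),
    RiskArea("Cafeteria cash handling", "Food Services", 0.3, 1),
    RiskArea("Medical necessity documentation", "Health Information Mgmt", 0.6, 4,
             in_oig_work_plan=True, oig_audit_focus=True, cms_or_fi_target=True),
]

if __name__ == "__main__":
    for row in risk_register(SAMPLE_AREAS):
        print(f"{row['score']:5.2f}  {row['level']:8}  {row['department']:24}  {row['name']}")
    print("Annual work plan:", annual_work_plan(SAMPLE_AREAS))
```

Note how the two views can disagree: the duplicate-claims area is only "Moderate" on Table 1 (high probability, low impact) but outranks the recruitment-agreements area, which is also "Moderate" (low probability, high impact), once the CMS targeting signal is applied. Presenting both columns to the compliance committee is what makes the combined approach more robust than either method alone.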


Hospitals are increasingly relying on risk assessments to determine potential areas of risk and how to reduce them. By evaluating both internal and external sources for overall risks, the hospital can identify and prioritize the areas of greatest concern. When this occurs, internal controls, such as the development of high-risk policies and procedures, can be incorporated to better manage risks. This is a topic that will be discussed in a future article.

1 – United States Sentencing Commission Guidelines, Organizational Guidelines, Chapter 8, §8B2.1 (November 2005)

2 – OIG Supplemental Compliance Program Guidance, 70 Fed. Reg. 4858-4876 (January 31, 2005)