RevSpring is publishing a series of articles that looks at each of the eight elements that comprise an effective compliance program.  As stated in August, “Knowing you need to create an effective compliance program is one thing. Knowing HOW is entirely another.”


Risk assessment refers to finding and evaluating operational and organizational risks and taking steps to minimize those risk areas. More than ever, the need to incorporate Enterprise Risk Management (ERM) is imperative to creating an effective compliance system.   Why?  Because organizations CANNOT possibly address every new issue simultaneously without negatively impacting potentially more important matters.

All federal agencies concur that organizations need to show a system of proactive planning and ongoing consistent responses. This all starts with prioritization of risks which reinforces strategic alignment with overall business goals instead of non-value added activity.   Effective ERM is iterative and dynamic in its effort to identify potential areas of compliance risk or vulnerability.

The Office of Inspector General, U.S. Department of Health and Human Services and the American Health Lawyers Association all recommend key questions Board Governance asks of the organization’s management team including:

  • Does the compliance program address the significant risks of the organization?
  • How were those risks determined?
  • How are new compliance risks identified and incorporated into the program?

Furthermore, the US Sentencing Guidelines (commentary) as amended in November 1, 2004 states:

  • The organization shall…..(A) Assess periodically the risk that criminal conduct will occur, including assessing the following:
    • (i) The nature and seriousness of such criminal conduct…
    • (ii) The likelihood that certain criminal conduct may occur because of the nature of the organization’s business…
    • (iii) The prior history of the organization…

As you begin the risk assessment process, there are several tools or frameworks you can use to assess risks not only in compliance and ethics but across the enterprise. One widely recognized framework was updated and released by the Commission of Sponsoring Organizations (COSO) in 2013. It outlines 17 principles dealing with internal controls – four are related to assessing risks. Clearly, strong internal controls are part of an effective compliance and ethics program.

There are many factors that impact every organization’s risks including:

  • Organizational ethics
  • Financial demands
  • Technology
  • Innovation
  • Competition
  • Joint ventures/mergers and acquisitions
  • Laws/rules/regulations
  • Recent settlements
  • Existence and sufficiency of policies covering an area
  • Audit results
  • Employee claims – hotline calls

Remember, ultimately your organization’s ERM can be as sophisticated and comprehensive as the business model demands.  The point is to tailor the risk assessment template to your operations.  In order to manage current prioritized risks and prevent scope creep while simultaneously addressing new risks, documenting the process is essential to effective compliance management.

Effective risk assessment is a critical element of any compliance initiative to ensure you are focusing your effort where it will have the greatest impact.

What is Risk?
Risks are things that might prevent an organization from meeting an objective.

What is Risk Assessment?
The identification, measurement and prioritization of likely relevant events or risks that may have a material consequence on an organization’s ability to achieve its objective.

Emerge CF

5 steps to collecting more payments online

Compliance Audit Services

IWS Video