The risk of not assessing risk | Health Care Compliance Association (HCCA)

CT magazine (July 2022)

I had planned to devote this month’s column to a discussion of how organizations identify new compliance risks, avoiding the problems associated with simply reassessing the same old risks every year. But something came along that surprised me.

In April, SCCE & HCCA held its first two-day Compliance Risk Assessment & Management workshop aimed at providing a deeper dive into the compliance risk assessment process. I think we hit an important need for the membership, as more than 160 people attended this virtual event, of which almost half were from healthcare organizations. That’s not what surprised me.

As part of the workshop, we took a brief survey of attendees. Just 21% indicated they felt their organizations already had pretty strong risk assessment processes, and that they attended the workshop simply looking for any ways in which they might be able to improve their processes. Furthermore, 36% said they perform risk assessments on a regular basis but know that the process needs improvement, and 32% indicated that they have done them, but they have been very basic, with much room for improvement. Of course, some organizations have never even done a risk assessment. In this case, 11% of attendees admitted that their organizations have never done one.

This is not exactly a glowing self-assessment of the risk assessment process. Adding to the problem, only 35% said their organizations had established risk appetite and tolerance, 37% said they hadn’t, and 28% weren’t sure.

Depending on how you break it down, there are seven (or eight, nine, or ten) key elements of a compliance program. All are important. But it’s hard to imagine a better starting point than a risk assessment. After all, most of the other elements are driven by the risk assessment.

By not devoting sufficient resources and attention to establishing and maintaining a strong risk assessment process, the entire program is weakened. The policies, training, monitoring, auditing, and every other element simply cannot be very effective if they are not designed and updated based on a strong risk assessment.

Every program has its weakest link. I would make sure that the risk assessment process is not that link in your program.
