Draft Risk Assessment Policy and Process
In accordance with Office of Inspector General (OIG) Compliance Program Guidance and the U.S. Sentencing Guidelines, and in support of the eighth element of an effective compliance program, (Insert name of company) has developed and implemented a centralized risk assessment and internal review process to identify and address risks associated with the Company’s participation in Federal health care programs, including but not limited to the risks associated with the submission of claims for items and services furnished to Medicare and Medicaid program beneficiaries. Annually, Compliance, Internal Audit, Legal and Operations conduct a risk assessment and internal review process that:
- Identifies and prioritizes risks.
- Develops internal audit and compliance monitoring work plans related to the identified risk areas.
- Implements the Internal Audit and Compliance Monitoring work plans.
- Develops corrective action plans in response to the results of any internal audits or compliance monitoring performed, and
- Tracks the implementation of the corrective action plans in order to assess the effectiveness of such plans.
The risk assessment process is conducted during the fourth quarter of the fiscal year and includes:
- Reviewing the OIG Workplan and Workplan updates for audit areas that are applicable to (Insert name of company).
- Reviewing OIG Audit results, Corporate Integrity Agreements, Department of Justice settlement agreements, advisory opinions, fraud alerts and other government publications for risk areas that may be applicable to (Insert name of company).
- Reviewing PEPPER Reports, internal risk scorecards, prior audit results, government audit results, exit interviews, hotline call trends, investigation trends, risk management cases and QAPI for potential areas to review or follow up.
- Reviewing regulatory changes and emerging legislation/regulations, such as changes in government payment models or implementation of new regulations, that could impact the organization.
- Presenting a summary of government audit focus areas to Senior Leadership and Operations for consideration during development of the annual Internal Audit Plan and Compliance Monitoring Plan.
- Conducting a survey of the company’s entities to identify gaps in compliance.
- Conducting interviews with Senior Leadership and Operations to assess risk concerns.
- Incorporating areas for consideration such as bad debt, billing and coding, clinical, cost reports, credit balances, clinical research, documentation, excluded providers, quality, finance, privacy and security, Information Technology, marketing, physician transactions (Stark Law), licensure, record retention, reimbursement, regulatory, medical necessity, environmental, facilities, policies and procedures, staffing, education, and mergers, acquisitions and divestitures, among others.
- Compiling results of the reviews and interviews and prioritizing or ranking the risks for the next fiscal year using the approach in the Compliance Risk Assessment Scoring Matrix, Exhibit A, and tabulating a score using the Risk Prioritization Scorecard, Exhibit B.
- Using the results to determine the organization’s appetite for compliance risk and finally prioritizing the risks.
- Developing the annual Internal Audit Plan and Compliance Monitoring Plan and presenting them to the High Risk Team, Executive Management Compliance Committee (EMCC) and Board of Managers for approval.
- Implementing the annual Internal Audit Plan and Compliance Monitoring Plan, assessing results and working with leadership to implement corrective action plans.
- Reporting results from the annual Internal Audit Plan and Compliance Monitoring Plan at least quarterly to the High Risk Team, EMCC and the Board.
- Following up to ensure the corrective action plans resolved any issues identified.