Check out the full compliance risk assessment series here:

1. Integrating basics into your compliance plan
2. Integrating tools into your compliance plan
3. How reliable data improves your compliance plan
4. Preparation and use of action plans


You probably have heard it said in healthcare compliance seminars, or read it in compliance articles, that risk assessment is the “8th element,” in addition to the 7 fundamental elements of an effective healthcare compliance plan identified in the OIG Compliance Program Guidance (published by the OIG for specific categories of healthcare providers). And I strongly believe that.

However, I have noticed there are many questions about compliance risk assessments, such as:

What is a compliance risk assessment?

It is an analysis of the level of risk that a specific occurrence will transpire, together with a measurement of the effect of such a potential circumstance. It is also the analysis of how to mitigate the likelihood and effect of such an occurrence.

How does a risk assessment differ from compliance risk management?

Risk assessments precede compliance risk management. One can only manage risks that are anticipated.

How does one go about conducting a risk assessment?

Risk assessments can be conducted in many ways and on various scopes within an organization.

Although essential to your organization’s healthcare compliance strategies, risk assessments can seem difficult to grasp conceptually. The first question you need to ask is “what risk, or risks, do I want to know about in my organization?” The answer depends on whether there is a specific issue or area within your organization that you may already have concerns about, whether your organization as a whole or a single department needs a large- or small-scale risk assessment, and other factors.

Therefore, defining the area or subject for the assessment of potential risk is a good first step. You may want to begin by outlining the questions you would like asked (and answered) in this process. The questions may naturally lead you to a specific department or function, or to a broader scope. It is helpful to work with others within the compliance department, the compliance committee, or a particular department in order to make certain that the assessment will discover what it is intended to discover.


There are a number of different ways to create risk assessment tools and to obtain the responses needed to ascertain potential risks. Methods may include written surveys, group discussions, individual interviews, and so on. Future articles will address the pros and cons of using different types of tools and methods. Other topics to be addressed in this series of articles are what to do with the information you obtain, and how to use the data to improve the effectiveness of your compliance program.

What other questions do you have concerning risk assessment? Comment Below!


Guest Author, ALLISON K. LUKE, JD, CHC
Allison has more than 22 years of healthcare law and compliance experience. She received her Juris Doctor in 1990 from the University of Georgia School of Law, Athens, Georgia. She has been certified in healthcare compliance (CHC) since 2009. Ms. Luke has served as a Corporate Compliance Officer, in-house Legal Counsel, and a Privacy Officer, and has provided healthcare compliance consulting services for many healthcare providers, large and small.

Ms. Luke’s experience includes representation of hospitals, healthcare systems, home health agencies, mental health organizations, dental practices, physician practices, rehabilitation service providers, long-term care facilities, MCOs, and other healthcare providers in compliance matters, including, but not limited to, investigations before federal and state authorities. Some of Ms. Luke’s strengths include risk assessments, corporate compliance program development, policy review and development, external compliance investigations, privacy and security process review, and compliance audit program development.