Check out the full compliance risk assessment series here:

1. Integrating basics into your compliance plan
2. Integrating tools into your compliance plan
3. How reliable data improves your compliance plan
4. Preparation and use of action plans


This is the third post in the “Compliance Risk Assessments” series. The first blog addressed basic definitions and considerations in conducting risk assessments for healthcare providers and organizations. The second blog addressed the different types of tools, their pros and cons, and the methods that can be used in risk assessments.

This blog addresses what to do with the information obtained from risk assessments, including reporting results of risk assessments and mitigating identified risks. When risk assessments are done thoroughly, the use of the data derived from them can improve the effectiveness of your overall OIG compliance program and demonstrate your organization’s commitment to healthcare compliance.

The clarity and thoroughness of any risk assessment report is essential. Reports should be tailored to the audience who will review them and to the purpose for which the findings will be used. Your organization’s Board of Directors should be given a clear and concise report, with much less detail than the reports prepared for the organization’s leadership and other staff, who will develop the needed action plans and implement them once the Board approves.

When creating a comprehensive report to be reviewed with staff, the following guidelines may be helpful:

– Use a spreadsheet or similar document format to separate categories of information/headings
– Organize the report based on the Sources of Concern (SOCs) that you originally identified (per the compliance risk management discussed in the first blog)

– Separate the categories of information/headings to include:

  • Specific SOCs and their subcategories
  • Risks identified, if any
  • Applicable rules or regulations (citing the specific requirements addressed, if possible)
  • Any existing organization policies that address each issue/identified risk area
  • Organizational Department/Functional Area Responsible (include names or titles for specific tasks identified)
  • Previous action plans addressing the SOCs
  • Risk Ranking/“Heat” level (e.g., green, yellow or red) assigned to the risk (addressed below)

– Leadership/Management should review the report for input on “ranking” the risks based on the following:

  • Immediacy of concern
  • Financial impact / Reputational impact
  • Likelihood of occurrence
  • “Worst case” if risk is not addressed

The final category heading of the spreadsheet should be “Board of Directors and Corporate Compliance Committee recommendations.” This column stays empty until the Board has reviewed its own report and made its recommendations. As noted above, the Board’s report should be much more concise, specifically addressing:

  • the SOCs,
  • the risks identified
  • leadership/management rankings (including the immediacy of concern, financial impact/reputational impact and likelihood of occurrence)
  • “Worst case scenario” if risk is not addressed

This report is intended to educate the Board on specific operational compliance risks and to assist the Board in making informed recommendations for actions, including additional audit plans, that may be needed to ameliorate those risks.

When presenting this report to the Board:

  • Explain how leadership/management has ranked/rated the risks.
  • Have operational leadership present.
  • Explain resources needed by Compliance, Audit and Operations to address and remediate.

It is good practice to have the Board approve the recommended audit plans/action plans together with the “ranked” risks. Such Board approval is critical to demonstrating Board awareness and oversight of compliance matters, and it is an essential piece of evidence of an effective corporate compliance program.

How does your organization assess the data gathered from risk assessments?


Guest Author, ALLISON K. LUKE, JD, CHC
Allison has more than 22 years of Healthcare Law and Compliance experience. She received her Juris Doctor in 1990 from the University of Georgia School of Law, Athens, Georgia. She has been certified in healthcare compliance (CHC) since 2009. Ms. Luke has served as a Corporate Compliance Officer, in-house Legal Counsel and a Privacy Officer, and has provided healthcare compliance consulting services for many healthcare providers, large and small.

Ms. Luke’s experience includes representation of hospitals, healthcare systems, home health agencies, mental health organizations, dental practices, physician practices, rehabilitation service providers, long-term care facilities, MCOs, and other healthcare providers in compliance matters, including, but not limited to, investigations before federal and state authorities. Some of Ms. Luke’s strengths include risk assessments, corporate compliance program development, policy review and development, external compliance investigations, privacy and security process review, and compliance audit program development.