Rebecca Lowell

Risk Management and Corporate Compliance are both integral components of effective administration and both are necessary within the healthcare setting. Each serves very different purposes, including adherence to regulatory compliance, improved operational efficiencies, and increased quality of care. Often, however, Risk Management and Corporate Compliance serve different masters.

Risk Management is the tool used by management to:

  • Identify the risks that exist in the provision of health care services;
  • Understand the scope of those risks; and
  • Make decisions on how best to address and reduce the risks to a level that the organization can tolerate.

The Risk Management Department often reports to the organization’s legal team so that information may be protected and decisions made under the umbrella of that protection.

Corporate Compliance, on the other hand:

  • Identifies the laws and regulations that govern the provision of healthcare services;
  • Ensures that the healthcare provider demonstrates substantial compliance with those laws and regulations;
  • Implements policies, procedures and protocols to facilitate compliance;
  • Provides training to affected individuals on the policies, procedures and protocols;
  • Implements disciplinary actions for breaches; and
  • Reports non-compliance, as necessary, to the authorities.

The Corporate Compliance Department is obligated to report to the governing body, often the Board of Directors, or at least a person with sufficient authority to implement the necessary changes.

Despite these differences, Risk Management and Corporate Compliance share many similarities.

  • Both are charged with the identification of problems and potential problems.
  • Both must develop protocols for investigating the root cause of a problem, discerning where the breakdown occurred, who or what mechanism(s) failed, etc.
  • Both must identify how to correct the problem and/or reduce the risk of reoccurrence.
  • Finally, with the failure of any of the above, both may have disastrous effects for the organization.

In the healthcare setting, the risks are readily apparent.

As a service industry, there are always potential problems related to simple human error. Additionally, technological and pharmaceutical advances pose the very real potential of “device” failures that may prove disastrous. And, with billions of dollars spent annually on health care, there is significant risk of criminal activity, not to mention the possibility of salacious events or individuals that pose the risk of privacy violations.

With so many potential risks, it is incumbent upon healthcare providers to create an evaluation and auditing system that analyzes both subjective and objective data. This data may be gleaned from a wide variety of sources, such as admissions records, billing/accounting records, state and national survey trends compared to an organization’s trends/indicators, state and/or federal survey results, patient and visitor satisfaction surveys, employee exit interviews and individual incidents. Trends will emerge by analyzing this information over a period of time and these trends will provide further clues as to where problems or potential problems exist.

Once the problems are identified, Risk Management and Corporate Compliance exchange key information and then difficult decisions must be made. Throughout the decision-making process, one of the primary issues is what, if anything, must be reported and to whom. This is a challenge because a failure to report properly and in a timely manner may result in significant penalties for the organization.

Meanwhile, smaller organizations have an even more difficult time addressing risk management and corporate compliance issues. Often, these organizations lack the resources and/or the staff power to implement either a risk management or corporate compliance program. Moreover, remaining on top of the changing landscape of healthcare is challenging enough, much less identifying and implementing the necessary tools and training sufficient to reduce these risks. In these circumstances, it is incumbent upon smaller organizations to develop systems where department heads and managers meet at least weekly to discuss recent incidents or system breakdowns and immediately enact an audit or “case study” to determine the root cause of the problem. There must be a Corporate Compliance Officer/Risk Management Officer assigned who will oversee the audit and it is recommended that there be access to outside counsel and/or the Board of Directors, or appropriate governing body, to advise on how best to respond to the event and whether reporting to the authorities is necessary.

So, are both Corporate Compliance and Risk Management necessary in the healthcare setting?

While there are definitely overlaps, it is critical for healthcare providers to understand that each of these entities is crucial and each has its place within the organization. Those companies that truly understand this and invest in an active Corporate Compliance and Risk Management Program will see a reduction in their risks, including fewer events/incidents, lawsuits and deficiencies/citations.

Rebecca Lowell is principal of Lowell Law Center in California, a boutique law firm specializing in legal services for healthcare providers.