Evaluation of Corporate Compliance Programs: Operational Integration and Risk Assessment

Dear friends,

The following article is about new guidance from the Department of Justice
regarding the evaluation of compliance plans, specifically with regard to
operational integration and risk assessment. Feel free to share this
information. If you decide to use this material, please include our
copyright designation that is shown at the end of the article and send us a
copy of any publication in which the material appears.

Please do not hesitate to contact us with comments, questions, or requests
for additional information.


Elizabeth E. Hogue, Esq.

Office: (877) 871-4062

Fax: (877) 871-9739

Twitter: @HogueHomecare


Part 5 - Evaluation of Corporate Compliance Programs: Operational
Integration and Risk Assessment

Fraud enforcers recently declared that their expectation is that every
provider has a Compliance Program. Consequently, enforcers will now focus
on implementation of quality Compliance Programs. As part of this new
focus, the U.S. Department of Justice (DOJ) issued additional guidance on
February 8, 2017, entitled "Evaluation of Corporate Compliance Programs."
This new guidance provides a "road map" for providers to use to evaluate
their Compliance Programs, including the factors that regulators are likely
to take into account.

Specifically, the U.S. DOJ provided sample topics and questions it is likely
to use to evaluate providers' Compliance Programs. These factors include
operational integration and risk assessment.

Operational integration will be evaluated based on the following:

- Responsibility for Integration - Who is responsible for integrating
policies and procedures? With whom have they consulted, including officers,
various business segments, etc.? How have policies and procedures been
implemented? Do compliance staff members assess, for example, whether
employees understand policies and procedures?

- Controls - What controls failed or were altogether absent that
would have detected or prevented misconduct? Have appropriate controls been
implemented after the fact?

- Payment Systems - How was the misconduct in question funded,
including purchase orders, employee reimbursements, discounts, claims
submissions, etc.? What processes may have prevented or detected improper
conduct? How have these processes been improved?

- Approval/Certification Process - Have staff members with approval
authority or certification responsibilities in processes relevant to
misconduct known what to look for and when and how to escalate concerns?
What steps have been taken to remedy any failures identified in these

- Vendor Management - If vendors were involved in the misconduct,
what were the processes for selection of vendors? Did the vendors in
question participate in these processes?

Risk Assessment will be considered based upon the following:

- Risk Management Process - What methodology did providers use to
identify, analyze and address the particular risks they faced?

- Information Gathering and Analysis - What information or metrics
did providers collect and use to help detect the misconduct in question?
How has the information collected informed providers' compliance programs?

- Manifested Risks - How have providers' risk management processes
accounted for manifested risks?

It's a brand new day in the world of fraud and abuse compliance! Up-to-date
Compliance Programs that are fully implemented are now essential.

© 2017 Elizabeth E. Hogue, Esq. All rights reserved.

No portion of this material may be reproduced in any form without the
advance written permission of the author.