Is Your Compliance Risk Assessment and Work Plan Ready for 2023?



As Compliance Officers well know, a CCRC’s compliance program is not a “set it and forget it” proposition. Because they safeguard quality and safety for residents and reduce financial and legal risk for the organization, compliance programs need to be adaptable to account for new areas of risk or enforcement focus.

That’s where compliance risk assessments and work plans come in. An organization-wide risk assessment should be conducted at least every year, and additionally in response to any changes that affect risk factors specific to your CCRC.


After identifying potential risks, a work plan can be developed. A CCRC’s Board of Directors or Governing Body should approve the work plan at the beginning of each year and be updated on progress throughout the year.

Read on for pointers on what to include, and how to use the Office of Inspector General’s (OIG) annual Work Plan as a tool.

What Elements Should the Work Plan Address?

The Work Plan should prioritize how the CCRC will mitigate risks through systems of monitoring and auditing. Remember, Work Plans guide the focus of the compliance program. That means they need to be flexible and evolve to encompass new priorities identified outside of an annual risk assessment (e.g., through new regulations, survey citations, compliance problems reported by staff).

Organization-Specific Risks

The most important risk areas to consider are those that most strongly impact your individual organization. For example, maybe your annual risk assessment has identified a high level of IT vulnerability, or staff turnover.

You can also look at past surveys and quality ratings to illuminate areas of risk that need to be addressed. Other sources to check include credentialing records, safety records, staff training records, and conflict-of-interest documentation.   

Common High-Risk Areas

There are also risks that OIG says all healthcare organizations should address, such as:

  • Medicare billing
  • Physician billing
  • Additional or new lines of business or affiliations
  • Personnel changes
  • Human resources, financial management, and compliance issues identified through internal reporting systems

Risks Related to Current Developments

Another area involves keeping up with current issues based on enforcement activity, OIG fraud alerts, and new laws and regulations. The COVID-19 pandemic is a good example of a fluctuating situation that spawned changing guidelines and requirements, necessitating frequent risk assessments and compliance plan updates. 

Auditing and Monitoring Systems (1, 2)

Systems of auditing and monitoring included in the Work Plan represent an organization’s intention to achieve compliance with standards, policies and procedures. They should identify violations of laws and regulations, as well as non-adherence to compliance policies and procedures. The results of auditing and monitoring should be analyzed with tracking, trending and benchmarking. To ensure objectivity, the results should be evaluated by external entities. Any problem areas identified should be addressed through the implementation of a plan of correction. 

Organizations also should have internal reporting systems for staff to report any concerns or suspected misconduct. Reporting options might include:

  • The employee’s supervisor or leadership
  • Human Resources
  • The Compliance Officer
  • The organization’s Compliance Hotline

It is important that employees feel that they can report concerns without fear of retaliation.

New Area of Focus: SNF Compliance and Ethics Programs

Heads up: For the first time, state surveyors are being asked to review skilled nursing facility (SNF) compliance and ethics plans. Communities that include SNFs should make sure those facilities have a compliance plan in place that:

  • Is designed to prevent violations and promote quality of care for residents
  • Has oversight by an individual with the right experience and background
  • Includes written policies and procedures that are communicated to all staff
  • Includes disciplinary measures to respond to violations
  • Is reviewed at least annually

Make sure that the Compliance Officer responsible for SNF compliance has easy access to documents supporting the compliance and ethics plan.

How the OIG Work Plan Impacts Compliance Risk Assessments and Planning

The OIG’s annual Work Plan lays out the audits, inspections, and evaluations that OIG intends to carry out in an effort to protect the integrity of federal programs, including CMS. It can be useful as a compliance resource in guiding development of your own work plan.

Staying on top of new or revised items in the OIG Work Plan is a good practice for Compliance Officers. You can subscribe to the HHS OIG newsletter for updates. Be sure to keep your Board informed of any changes that could be a potential area of risk for your facility and that will be added to the Compliance Work Plan.

OIG Work Plan 2023: New Items Related to Nursing Homes

These recent additions to OIG’s 2023 work plan could impact compliance surveys for CCRCs:

Assessment of the Special Focus Facility Program for Nursing Homes. The Special Focus Facility (SFF) Program is intended to improve care in the poorest performing nursing homes by surveying these facilities two times per year (twice as often as required for other nursing homes). In October 2022, CMS shortened the amount of time a facility spends as an SFF with the goal of increasing the number of nursing homes that can go through the program. State surveyors are being instructed to assess SFF program implementation in 2023. OIG hopes to identify factors that help nursing homes sustain quality improvements after they leave the program.

Assessment of CMS’s Early Use of Payroll-Based Journal Data to Improve Enforcement of Nursing Home Staffing Standards. In October 2022, CMS began providing state surveyors with facilities’ payroll-based journal (PBJ) data and instructed them to review it to determine whether nursing homes have sufficient staffing to meet hourly staffing standards. OIG plans to review how effective this strategy is in improving enforcement of federal staffing standards.


  1. Measuring Compliance Program Effectiveness: A Resource Guide. HCCA-OIG Compliance Effectiveness Roundtable Meeting, January 17, 2017, Washington D.C.
  2. Insider’s Guide to Compliance, S. Walberg, 2018, Compliance Ala Carte

Friends Services Alliance (FSA) is a national professional association of values-aligned organizations that serve seniors. Our support services include a team of Compliance and Risk Management experts who have supported organizations in developing and maintaining effective Compliance and Ethics Programs for more than 20 years.