The framework represents a complete view of an organization’s compliance risk environment; it’s the way an organization structures relevant risks. When likened to house construction, a risk assessment framework is the house blueprint and determining risk categories is similar to choosing building materials and components that will be used to build the house.
Like a house blueprint, the framework generally represents the big picture or structure of the organization, uses the taxonomy that works well with pertinent risks, embodies the risk assessment scope and breadth, and contains calculated and workable divisions.
First, consider how leaders want to organize and visualize the risk assessment. Common frameworks use multi-tiered divisions that allow for different levels of risk scrutiny. A framework is most useful when it supports high-level reviews and, at the same time, enables detailed drill-downs into individual risks.
Second, determine how to fit all applicable risks into the desired visual framework. An advanced framework brings all relevant risks and categories of risks into suitably organized logical divisions. For example, many auditing firms use the term “domain” for first-level divisions, “category” for second-level divisions, and “subcategory” for third-level divisions, before finally reaching the level of individual risks. The point is to create a structure, with an associated taxonomy, that makes sense for the particular organization.
Third, determine the scope of the risk assessment: define how comprehensive and detailed it must be, and what drill-down capabilities are needed. Also establish boundaries; a compliance risk assessment should account for compliance risks, which is different from an enterprise risk assessment.
Fourth, determine how individual risks fit within each level of the risk assessment framework. Consider grouping similar risks by using the organizational or reporting structure; organizing risks by department or clinical service type; categorizing risks by controlling regulation or regulatory agency; or grouping risks according to compliance staff oversight responsibilities.
Fifth, and finally, allow regular framework modifications; a solid framework does not have to be static.
You must conduct a risk assessment for an effective compliance program. Download our free eGuide, Risk Assessment Design: Advanced Frameworks and Methodologies, for a framework template and a clearly developed methodology to do it right.