How to handle healthcare organization risk management

By Don McAnelly, CPA/ABV, CGMA


In an increasingly complex and competitive industry, demands placed on healthcare administration are ever-growing, with risks seemingly around every corner. Legislation and regulations, operational and financial concerns – these issues can make it hard to remain aware of new risks while keeping your organization focused on its mission, strategy, and patient care. The impact of COVID-19 has further complicated this situation. How do you identify, prioritize, and evaluate risks to your healthcare organization? Through an internal audit and robust risk assessment process.

A holistic view of risk assessment

A risk assessment looks at your organization, making it easier to understand issues with objectives, goals, processes, and structure. It allows you to systemically identify certain aspects of your healthcare organization and the risks those areas pose. By managing risk, you’re lowering the chances that something can go wrong.

Start by looking at potentially significant risks relating to areas of your operations such as compliance, finance, environmental, clinical, and reputation. Performing a risk assessment and setting up internal controls helps you manage risk across the entire organization.

Common risks to consider

Though all healthcare organizations are different, several areas are common to almost all. These are only a small sample; you can ask similar questions about other areas of your organization to identify risk.


Is your lab complying with U.S. Office of Inspector General guidelines, along with Occupational Safety and Health Administration (OSHA) and state OSHA guidelines? Do your reference forms include all necessary diagnostic details? Do you have a maximum time for standing orders? How are lab charges created, on test or on result?

The charge description master

Are you correctly capturing charges? Does one person coordinate the process to make sure it happens? Because codes and charge data change frequently, an incorrectly recorded procedure can result in improper reimbursements.


How are your pharmacy medications controlled? What system does your organization use? Who orders for the pharmacy? Is there separation between pharmacy and receiving inventory? How do you charge patient accounts? How are unused or returned medications credited?

Admitting and registering patients

How are patients registered when a procedure is scheduled in advance? Is it over phone or fax for insurance details? Does admissions get identification and insurance details upon arrival? Are co-pays or deductibles discussed prior to the procedures? How are payments collected?

Charity care

Is there a process for charity applications? Who approves your charitable write-offs? Who reviews the write-off codes to stay in compliance with HCAP and Medicaid UB 92 revenue codes for hospital-level services? Who monitors collections accounts to verify if the patient qualifies for charity later? How do you record charity care on the general ledger and financial statements?

Other areas of risk can include brand and industry reputation, shared services such as human resources, your revenue cycle, tech support, and supply chain logistics. If the health system doesn’t have an audit process, it must be decided whether to accept all risk identified, to develop an internal audit team, or to bring in outside auditors.

What's the role of the internal audit?

Internal audits are assessments to ensure the organization’s financial and operational controls are appropriate. They compare organizational procedures to compliance requirements. Auditors do not execute organization activities, but rather provide advice to management to improve operations.

Annual audit plan development

After you've finished a risk assessment, the auditors, managers, and oversight boards create and agree on a yearly audit plan, which includes brief overviews of areas being reviewed and how quickly the audit should be completed. Prior to the start of the audit, management will develop and review the scope and objectives.

Findings and recommendations

The audit then moves into practice, including management interviews and testing, based on the audit’s scope. It will evaluate the organization’s current controls, consider current risk and compliance needs, and then conclude whether updates to those controls are necessary. A final report of audit findings is provided to the organization so corrective actions can be developed. Once the finalized report is approved by management, it’s presented to the audit committee.

Though this process can seem complicated, once you’ve developed an initial annual audit plan, you can move through the process much more easily, year after year. This process helps you keep your healthcare organization’s risks the lowest they possibly can be without putting a stranglehold on your operations. Taking the time to put a solid risk assessment and annual audit plan in place can help take your business to the next level, allowing for strong growth and options for new opportunities.

If you have any questions or need help getting started on your healthcare risk assessment and audit plan, please connect with your Rehmann advisor or contact us here.

Published in Healthcare
