Research Compliance Risk Assessments - Huron Consulting Group

Research Compliance Risk Assessments- 

Using the Risk Assessment to Build a Workplan 

July 18, 2012 

Huron Life Sciences Summer Webinar 

Series

About Our Speakers 

Leah Guidry 

Managing Director 

Huron Consulting Group 

202-585-6845 

lguidry@huronconsultinggroup.com 

Leah has over 20 years of experience working with healthcare systems, hospitals, academic medical centers, and 

physician groups. She advises clients on the development and enhancement of corporate compliance programs, 

resolving complex compliance issues, assisting with government disclosure determinations and investigations. 

Kris West 

Associate Vice President and Director 

Office of Research Compliance 

Senior Associate General Counsel, Office of General Counsel 

Emory University 

404-727-2398 

kwest02@emory.edu 

Kris provides guidance on regulatory requirements for research involving human and animal subjects, as well as basic 

research. She works closely with committees that provide regulatory oversight, including the Institutional Review Board, 

Institutional Animal Care and Use Committee and Institutional Biosafety Committee. She serves as Emory’s Research 

Integrity Officer and Privacy Officer for matters concerning clinical research. Ms. West has a J.D. degree from Mercer 

University and a M.S. in drug regulatory affairs from the University of Florida. Ms. West is a frequent speaker for the Health 

Care Compliance Association (HCCA), and regularly participates as an instructor for HCCA’s Research Compliance 

Academies. 

2

Polling Question #1: Does your institution have 

a separate research compliance department? 

• 99 responses 

• Yes – 57% 

• No, and research compliance is part of the healthcare compliance 

department – 26% 

• No, and research compliance is not part of the healthcare 

compliance department – 13% 

• Don’t know – 4% 

© 2012 Huron Consulting Group. All rights reserved. Proprietary & Confidential. 

3

Research Compliance Risk Assessments 

AGENDA 

• Overview of risk assessments as a precursor to the 

compliance workplan 

• Similarities and differences between research risk 

assessments (and research compliance programs) and 

general healthcare risk assessments (and general 

healthcare compliance programs) 

• Internal and external data points 

• Determining priorities 

• Options for conducting risk assessments 


4

Overview


OVERVIEW 

• Risk Assessment – what is it? 

• Risk assessment is the determination of quantitative or qualitative 

value of risk related to a concrete situation and a recognized threat 

(also called hazard). Quantitative risk assessment requires 

calculations of two components of risk: the magnitude of the 

potential loss, and the probability that the loss will occur.* 

• Qualitative aspects of the risk assessment are defined by the 

institution based on its needs, areas of focus, tolerance for risk, etc. 

* Wikipedia 


6


OVERVIEW 

• Risk Assessment – why do it? 

• Thoughtful, methodical approach to resource management 

• Enables wise and defensible approach to resource planning 

• Expected of OIG and US Sentencing Commission 

• Organizes and prioritizes the work flow 


7

Polling Question #2: Does your institution 

conduct an annual risk assessment? 


• Yes – 58% 

• No – 42% 


8

Similarities and Differences


SIMILARITIES AND DIFFERENCES 

• Program Similarities 

• 7 elements 

• Risk Assessment Similarities 

• Same or similar processes used for healthcare compliance risk 

assessments can be used for research risk assessments 


10


SIMILARITIES AND DIFFERENCES 

• Program Differences 

• Regulatory structure is greater and requires more knowledge and 

varied knowledge 

• Potential for greater specialization (IRB, IACUC, CRB, etc.) 

• Risk Assessment Differences 

• Some area of Research carry significantly more risk than general 

healthcare 

– Bio-medical research using unapproved drugs/devices is inherently risky in 

that care delivered to human subjects has not been proven safe and effective 

– Need to provide enhanced protections as a result 

• Informed consent 

• Institutional Review Boards 

• Research Protection Programs (AAHRPP accreditation = gold star) 


11

Research: What are the Risks? 

HIGHLY REGULATED ENVIRONMENT 

For most research, there are multiple HHS agencies/offices that may have separate regulatory 

and policy requirements related to conducting clinical research. Compliance with all of these 

different requirements requires a strong research support infrastructure and educated research 

community. 

Department of Health and 

Human Services (DHHS) 

Office for Human 

Research 

Protections 

(OHRP) 

Office of the 

Inspector 

General (OIG) 

The Centers for 

Medicare and 

Medicaid 

Services (CMS) 

National 

Institutes of 

Health (NIH) 

The Food and 

Drug 

Administration 

(FDA) 

Office of 

Research 

Integrity 

(ORI) 

Office for 

Civil Rights 

(OCR) 

Agencies that oversee research* 

*In addition, non-HHS research sponsors may 

impose requirement, eg. VA, DOD, EPA. 

Agencies that oversee healthcare and research 

© 2012 Huron Consulting Group. All Rights Reserved. Proprietary & Confidential. 

12

Internal and External Data Points


INTERNAL AND EXTERNAL DATA POINTS 

• External 

• OIG Work Plan 

• Enforcement History 

• Internal 

• Previous experience with external drivers 

• Previous experience with internal issues not identified in the 

external drivers 

• Issues remaining from prior work plans 


14


HOW TO USE THE WORK PLAN IN COMPLIANCE AND INTERNAL AUDIT PROGRAMS 

• OIG Work Plan 

– Assess the Work Plan through institutional lens 

• Identify all areas in the OIG Work Plan that the institution is involved in 

• What is the awareness in the institution of the compliance and internal 

controls in these area? 

• Determine the level of risk for that area in the institution 

• Prioritize the area to determine if it needs to be on the institution’s work 

plan 

© 2012 Huron Consulting Group. All rights reserved. Proprietary & Confidential. 15



• Government Enforcement history and trending 

– Review the trends of government enforcement 

• First, monitor the government’s enforcement trends 

• Assess those trends for applicability to your services 

– Identify areas that apply to the institution and assess their relevance 

• Similar to the OIG Work Plan slide, assess the awareness in the 

institution of the compliance and internal controls in these areas 

• Determine the level of risk for that area in the institution 

• Prioritize the area to determine if it needs to be on the institution’s work 

plan 




• Previous institutional experience 

– Review of previous year’s external inspections/reviews 

– Review of previous year’s compliance and internal audit work plans 

• Are there areas that were not addressed? 

• Are there areas that were not addressed adequately? 

• Are there areas that remain unresolved? 

– Assessment of Current State 

• What issues have arisen that were not on the work plan? 

» Have these issues been adequately addressed? 




Emory Approach to Research Risk Assessments: Setting up 

the Governance 

• Impetus for a New Approach – Merging of the healthcare 

and university audit and compliance committees 

• Revise charters to encompass new roles/responsibilities 

• Division of the “compliance universe” into 3 broad 

domains: Healthcare, Research, Other 


Pre-Risk Assessment: Who’s doing what? 

• So many laws, so many units – determining who has 

responsibility for compliance with major regulatory 

requirements 

• Develop a grid listing major regulatory requirements 

• Add units that currently have compliance responsibilities 

• Helps in gap-spotting 


19

Who’s in the Compliance Universe? 

• Formation of comprehensive compliance coordinating 

committee with point person for each domain: Healthcare, 

Research, Other 

• Point person is responsible for organizing units within 

each domain and engaging them in risk assessment 

process 


20

Drilling Down 

SELECTING A RISK ASSESSMENT TOOL AND APPLYING IT 

• Research covers a big waterfront 

• Need to coordinate players within all research compliance units – 

IRB, IACUC, OSP, IHBC, COI 

• Development of research compliance liaison committee 

• Getting buy-in on selection of tool 

• Lots of products out there 

• Everyone wants their own tool 

• Training on use of tool 

• Reviewing the results and coming up with the compliance 

plan 


Developing a Plan and 

Determining Priorities


DEVELOPING A PLAN AND DETERMINING PRIORITIES 

• Developing a Plan: 

• Define the scope of the risk assessment 

– Based on departmental jurisdiction 

– Based on areas of institutional research 

– Limited to regulatory areas (ex., OHRP, ORI, OIG, etc.) 

• Determine the approach for assessing risk 

– Data Analysis 

– Review of Prior Work Plans and Current State 

– Interviews (Individual or Group) 

– All of the above 

• Determine the methodology 

– Determine whether to conduct the assessment internally, outsource or 

some hybrid 

• Resource – internal, external, hybrid 


Polling Question #3: What resources are used 

for risk assessments? 

? 


• Solely internal – 23% 

• Solely external – 2% 

• Combination of both – 47% 

• Don’t know – 28% 


24



• Determining Priorities 

• Use a methodology that assesses the quantitative risk of each 

identified risk area 

• Sample methodology used by Huron 

– Impact 

• Reputation 

• Financial 

• Legal 

– Vulnerability 

• Probability 

• Detectability 

– Internal Controls 





26



• Work Plan Development 

• Outline all of the risk areas 

• Honestly assess the bandwidth and expertise of the department to 

handle the risk areas identified 

• Always leave room for unanticipated issues 

• Hire what you don’t have in-house 

• Determine what the work plan tasks need to be 

– Audit, process analysis, policy and procedure review 

• Assign timeframes and staff to assess 

• Make assignments 


Questions? 

Kris West 

AVP & Director Office of Research 

Compliance, Emory University 

kwest02@emory.edu 

404.727.2398 

Leah Guidry 

Managing Director 

Huron Consulting Group 

lguidry@huronconsultinggroup.com 

202.250.4679 


28

Research Compliance Risk Assessments - Huron Consulting Group

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?