It seems there is never enough time, and certainly not enough money, to do everything an organization wants to accomplish, especially when it comes to matters of compliance. Operations seems to get “first dibs” on resources because that is where the money is made. This leaves non-revenue departments, such as compliance, in a position where prioritization of work items is a way of life. So, when resources are limited, how do you decide what should be done first?
I once had a boss who told me he started each day by asking himself, “what could bite me in the butt first?” and that is how he chose the task with which he would start his work day. While his method may not have been very scientific, it actually makes a lot of sense when applied to the world of corporate compliance. Prioritization of the items on the annual compliance program work plan is all about risk.
There is a level of risk in everything a healthcare provider does on a daily basis, and each organization has a risk tolerance, or a level of risk the organization is willing to accept or absorb in order to continue to do business. Each item that a risk assessment has identified as an area of risk for the organization should be evaluated against two criteria: (1) how likely is it to happen, and (2) if it does happen, how much will it hurt? For example, even in Iowa there is a risk of a terrorist attack, but the likelihood of that happening is pretty darn low. On the other hand, the likelihood of a ransomware attack that knocks out the computer network is much greater, and the damage from losing the network would be severe, so that is the risk area to address first.
Prioritization from a compliance perspective is all about addressing those items that have the greatest risk of happening and greatest potential for causing damage if they do happen. I guess my boss was right, the things with the highest risk and damage potential are the same things that can bite an organization in the butt first, so that is where the first efforts should be focused.