Collaboration Between Compliance and Risk: What is Permissible?

Compliance departments, generally speaking, guide staff and boards of directors to comply with the requirements, laws and regulations that govern the organization’s business. They also monitor for compliance via internal audits.  Risk departments, on the other hand, address ways to mitigate risk to an organization through such activities as the evaluation and purchase of insurance policies.  Given the broad nature of the scope of these two departments within the organization, when is compliance and risk collaboration permissible?

Possible collaborations

  1. Strategic planning: Collaboration here should include not only compliance and risk but the entire organization and the board of directors, if applicable.
  2. Disaster response and business continuity: As with strategic planning, disaster response and business continuity planning should also involve input and collaboration from all departments in the organization.
  3. General security and privacy : Here the compliance/privacy officer, information technology/security officer, and risk management director should all be included in the planning.
  4. Known security threat and/or breach incident: Compliance, information technology (IT), and risk management would all participate in mitigating a security threat or breach incident on the organization. Each would provide input and guidance on their respective areas of knowledge.
  5. Risk assessments, gap analysis and mitigation plans: Again, the development of these plans should include leaders from the entire organization; moreover, compliance and risk would specifically collaborate on the assessment, analysis and mitigation activities.
  6. General policy development: Compliance and risk staff can collaborate and provide feedback and input for all organization policies.
  7. Record and document retention schedule: Here compliance and risk can collaborate with legal counsel to ensure record and document retention policies comply with state and federal laws.
  8. Staff education: This is an area where compliance and risk can collaborate to provide training, whether it is done in person, virtually, by email or via online course.

Collaborations to vet and evaluate permissibility

  1. Security breach: As noted above, compliance, IT, and risk will work together once a security breach has been identified. It is important to ensure compliance addresses HIPAA related information and potential reporting requirements; IT evaluates the technical aspects of the breach; and risk focuses on reporting to the insurance carrier and mitigation strategies in conjunction with compliance and IT. These collaborative activities will usually take place under a breach coach or law firm to protect the confidential nature of the breach.
  2. Shared work areas: Depending on the confidential nature of discussions, say a lawsuit against the organization, it may or may not be appropriate for compliance staff to be privy to such information. So shared work areas should be closely evaluated.
  3. Shared staff: As with shared work areas, if a staff member such as a registered nurse (RN) is shared between the compliance and risk department, both leaders and the RN must remain in the scope of the job role in which they are working at the time.
  4. Reporting to the board: Typically, compliance reports to the organization’s leader (such as a CEO) but also has direct or dotted line reporting to the board of directors. Make sure any collaborations with other departments do not create potential conflicts of interest with reporting up this chain of command.
  5. Committee membership: As with the analysis discussed above, make sure to vet compliance staff member membership on the risk committee and vice versa to avoid any actual or potential conflicts of interest.


All organizations should work to develop a culture where permissible collaborations between compliance and risk occur. They should also make certain that staff feel comfortable calling the compliance or risk department with potential concerns while ensuring the staff not crossing any lines when it comes to compliance or risk department confidential matters or conflicts of interest.


  1. Evaluate opportunities for the compliance department to collaborate with the risk management team, as noted above.
  2. Access youCompli to find resources which address required document and record retention requirements.

Denise Atwood, RN, JD, CPHRM

District Medical Group (DMG), Inc., Chief Risk Officer and Denise Atwood, PLLC

Disclaimer: The opinions expressed in this article or blog are the author’s and do not represent the opinions of DMG.

See YouCompli in Action

Easier, faster, more effective compliance is possible

Improving Your Reputation: How to Help Your Healthcare Organization See the Compliance Department in a Positive Light

When the compliance team visits another department, staff responses are usually the same: we must have done something wrong.

This isn’t the response that you want. The compliance department and staff should be seen as approachable, working in a collaborative fashion to make the organization more successful. If the compliance department only comes in to run audits and give “constructive” feedback, then compliance will quickly become known for negativity and criticism.


It is important to collaborate with other departments and incorporate a holistic organizational approach. This means valuing what other team members have to offer with regards to compliance in the organization. It can be easy for compliance professionals to make black or white statements regarding compliance with a specific regulation or policy. After all, it’s there in writing — in black and white.

But, other teams can sometimes bring to light another perspective. There may be gray areas in the written requirements or overall process and addressing these could benefit the organization without compromising compliance.

Or, compliance professionals could demonstrate openness to evaluating how requirements and regulations are impacting specific operational workflows. For example, when evaluating a compliance process for telehealth visits related to obtaining consent, the operations leader should be given an opportunity to work with compliance in developing the process.

In-Person Education

One approach to improving collaboration with other departments is to conduct in-person education and question and answer (Q&A) sessions. Ask all department leaders if you can have ten (but no more than fifteen) minutes at their next staff meeting to introduce the compliance team and to solicit compliance-related topics and questions. Before the meeting, make sure to get the department leader to provide two to three compliance-related topics that would be of interest to their team. Prepare a short slide presentation to use in the meeting — typically, one slide per topic and one Q&A slide at the end.

During the meeting, make sure to leave at least five minutes for compliance Q&A. Listen to the staff questions and solicit information on challenges or knowledge gaps related to compliance, so follow up can be done with the that department or team.

Follow-Up Education

Follow up should be timely (within three to four weeks) and can be done a few different ways: short videos, posts on the internal intranet or website, email education, or additional in-person follow up education. There are several excellent (and free) applications available online where you can create short, two- to three-minute compliance videos that can then be distributed to staff.

Follow-up education could also be done by email if the topic and question and answer lends itself to an email response. For example, if staff ask a question about HIPAA’s application to texts or emails, it would be fairly easy to find a one-page summary on the application of HIPAA to texts and emails and attach that to an email.


Another way to improve collaboration would be to have compliance staff volunteer to participate in organization committees not directly related to compliance. For example, compliance professionals could join the policy committee or the activities committee. In this way, the compliance team can develop positive relationships with others in the organization, in an open and approachable way.

Practice Tip:

  1. Reach out to at least 3-4 departments before the end of the year to schedule and conduct in-person meet and greets with a focus on compliance education.
  2. Utilize services such as youCompli to stay current on compliance topics and regulations to present during your meet and greet meetings.

Denise Atwood, RN, JD, CPHRM
District Medical Group (DMG), Inc., Chief Risk Officer and owner of Denise Atwood, PLLC
Disclaimer: The opinions expressed in this article or blog are the author’s and do not represent the opinions of DMG.

See YouCompli in Action

Easier, faster, more effective compliance is possible