Risk Profile: Regulatory – Regulations/legislation

Risk of not meeting regulatory and legislative requirements, internal policies and procedures, directives and legal agreements. This may result from insufficient resources, increased complexity and intensity of requirements, as well as a rapid and continuous evolution of the legislative landscape. Impacts could include: reputational loss, significant use of resources, financial implications, or litigation. This document contains information entered by your peers in the Risk Register application to help you manage this risk.


  • Likelihood – average score 2.65
  • Impact – average score 3.13

The Risk Register allows for risks to be assessed on a five-point likelihood and impact scale, with five being the highest.

Key controls/mitigation strategies

  • Compliance management
    • Consult with legal counsel on appropriate application of legislation to help proactively adjust to a changing legislative environment
    • Establish a Compliance Framework that defines, documents, and continuously updates regulatory requirements/responsibilities
    • Develop registries of applicable legislation, regulations and corporate policies. Designate leads (e.g. by portfolio) to ensure integration of changes and updates in legislation
    • Continuous communication as new laws, regulations and standards are developed
    • Active participation in working groups, advisory committees, and expert panels to monitor progress of recommendations and determine impact of legislative, regulatory and policy changes
    • Partner with other healthcare organizations for best practices, policy and regulatory requirements/interpretations. Share lessons learned with peer organizations.
  • Policy and procedure management
    • Develop a formal process to review established policies and procedures
    • Develop and/or update policies and procedures to adhere to government and regulatory requirements
    • Allocate dedicated resources for policy management to review current process and identify recommendations for improvement
    • Develop electronic database to track policies and procedures due for revision
    • Develop policy writing toolkit to ensure process consistency
    • Add title pages to policies and highlight key messages in order to assist managers with education and rollout
    • Establish cataloging system for corporate policies and align to operations (e.g. Finance, Human Resources, patient care, etc.)
    • Develop audit process to monitor high impact and high risk policies
    • Develop formal education and rollout strategy of new or updated policies and procedures. Ensure a process is in place to require users to confirm understanding and acceptance.
    • Put a search engine in place to allow for quick and easy location of policies


  • Media monitoring
  • Audit and Monitoring Program, including regular external and internal audits
  • Training completion rates (e.g. privacy and confidentiality, information security)
  • Decreased number of employees stating they were not aware of policies
  • Decreased number of outdated corporate policies and procedures
  • Metrics for policies where process auditing is in place (e.g. fall risk reduction, hand hygiene)
  • Annual attestation of compliance with relevant policies

[1] As of January 1, 2018

Note: information presented in this document has been taken from the shared repository of risks captured by HIROC subscribers participating in the Integrated Risk Management program.

© 2018 HIROC. For quality assurance purposes.