Building Your Controls Framework – A Three-Phase Approach


Creating a comprehensive controls framework feels overwhelming when you’re starting from scratch. Where do you begin? How do you know you’re not missing critical controls? How do you avoid analysis paralysis?

The 2023 White & Case/KPMG survey found that 59% of organizations view third-party relationships as their greatest compliance risk, yet many lack systematic approaches to identifying the controls needed to manage these risks.

This blog breaks down framework development into three manageable phases that ensure completeness without drowning you in complexity.

Phase 1: Risk Assessment Integration (Weeks 1-2)

Your risk assessments aren’t theoretical exercises—they form the foundation of your control framework. Start by mining what you already know.

Review Historical Risk Assessments

Pull every risk assessment from the past 2-3 years. Look for:

  • Recurring themes: Risks that appear repeatedly signal where controls are essential
  • Materialized risks: Issues that became actual compliance problems show where controls failed or were absent
  • Near-miss incidents: Close calls reveal vulnerabilities

According to ECI research, 30% of employees report feeling pressure to compromise ethical standards—up from 20% in previous years. Your historical assessments likely captured moments when this pressure led to problems. Those are your starting points.

Outline Past Compliance Issues

Review audit findings, payer denials, accreditation survey citations, and internal investigations from the past 3 years. Each represents an area where controls are demonstrably necessary.

Value driver: By automating risk assessments with data from historical issues, you engage risk owners with targeted requests rather than generic surveys. They see immediate relevance because you’re addressing known problems.

Map Regulatory Requirements

Review applicable regulations, DOJ guidance, and enforcement actions to identify specific control requirements that must be met. The DOJ’s 2024 update to its Evaluation of Corporate Compliance Programs explicitly emphasizes:

  • Data-driven risk detection
  • Measurement of compliance effectiveness
  • Speak-up culture and anti-retaliation
  • AI and emerging technology governance

These aren’t suggestions—they’re expectations regulators will evaluate.

Quick Win: Start with high-priority, regulatory-required controls. These are non-negotiable and demonstrate baseline program maturity.

Phase 2: Control Identification and Documentation (Weeks 3-6)

Now comes the systematic work of identifying controls for each risk area.

Document Existing Controls First

Many organizations discover they have more controls than they realized—they’re just informal, undocumented, or inconsistently applied. Survey your organization:

Questions to ask:

  • What checks happen before decisions are made?
  • What monitoring occurs regularly?
  • What reports get reviewed?
  • What approvals are required?
  • What screening is performed?

Bring these informal practices into your formal framework. Documenting them provides opportunities to standardize and strengthen them.

Value driver: This inventory demonstrates to auditors that you have a targeted, risk-based approach—not just theoretical controls but actual practices tied to real risks.

Develop New Controls Through Collaboration

For risks lacking adequate existing controls, convene cross-functional working groups to address these gaps. Include representatives from:

  • Compliance
  • Operations
  • Finance
  • Clinical departments
  • IT
  • Legal

Why? According to PwC’s 2025 Global Compliance Survey, 47% of compliance professionals cite organizational complexity as a key factor limiting compliance effectiveness. Cross-functional input ensures controls are both effective and feasible.

Pro tip for small teams: You can’t do this alone. But you don’t need 20-person committees. Start with 3-4 key stakeholders per control area who understand operations and can spot implementation barriers.

Use Your Template Consistently

Remember the six-element template from Blog 2? Use it for every single control:

  1. Control Objective
  2. Detailed Description
  3. Implementation Requirements
  4. Monitoring Procedures
  5. Responsibility Assignments
  6. Documentation Requirements

Consistency is critical. Compliance professionals and auditors must be able to trust that every control entry contains complete and accurate information.

Phase 3: Control Classification and Prioritization (Weeks 7-8)

Not all controls are created equal. Classification helps you focus resources on what matters most.

Classify by Function

Preventive Controls: Stop problems before they occur (approval requirements, pre-employment screening)

Detective Controls: Identify problems that occurred (monthly pattern analysis, audit programs)

Corrective Controls: Respond to identified problems (investigation protocols, self-disclosure procedures)

The most effective programs emphasize preventive controls for the highest-priority risks. It’s cheaper and less painful to prevent violations than to detect and remediate them.

Distinguish Required vs. Best Practice

Regulatory-Required Controls: Must be implemented regardless of cost (monthly exclusion screening, annual risk assessments)

Best Practice Controls: Exceed minimum requirements but significantly reduce risk (quarterly disclosure campaigns for middle management)

This distinction is particularly important when resource constraints necessitate difficult prioritization decisions. Required controls are non-negotiable.

Assign Priority Levels

Use a simple three-tier system:

High Priority: Addresses risks that could result in significant financial penalties, criminal liability, or patient harm
Medium Priority: Addresses important but less severe risks
Low Priority: Provides additional risk reduction but isn’t critical to basic program integrity

Value driver: Risk-based prioritization demonstrates to regulators and auditors that you’re not just checking boxes—you’re strategically managing risk based on real impact.

According to Gartner, compliance leaders are prioritizing data-driven approaches, with 76% focusing on improving risk detection capabilities. Priority classification supports this by directing monitoring resources where they are most needed.

Building Momentum Without Burnout

Here’s reality: You can’t implement everything at once. The 2023 White & Case/KPMG survey found that 31% of organizations increased compliance budgets, while 13% decreased them. Resources are tight.

Sustainable approach:

Month 1: Complete Phase 1 (risk assessment integration)
Month 2: Document existing controls for your top 3 risk areas
Month 3: Develop new controls for your top 3 risk areas
Month 4: Begin Phase 3 classification

This provides a working framework for addressing your highest-priority risks within 4 months—not perfect, but functional and continually improving.

Common Pitfalls to Avoid

🚩 Pitfall 1: Perfectionism paralysis
Don’t wait until you’ve documented every possible control to start using your framework. Build, deploy, iterate.

🚩 Pitfall 2: Compliance-only perspective
Controls designed without operational input often fail in practice. Always involve people who’ll actually implement them.

🚩 Pitfall 3: Vague descriptions
“Perform periodic reviews” isn’t a control—it’s a hope. Be specific: who reviews what, when, and how, and what they should be looking for.

🚩 Pitfall 4: Ignoring dependencies
Some controls depend on others. Document these relationships so that implementation occurs in the correct sequence.

Getting Started This Week

Action 1: Gather Your Inputs
Collect all risk assessments, audit findings, and regulatory guidance from the past 2-3 years. Create a master list of identified risks.

Action 2: Identify Your Top 5 Risks
Based on severity, likelihood, and regulatory focus, choose the 5 risks you’ll address first. These become your initial framework focus.

Action 3: Schedule Stakeholder Interviews
For each of your top 5 risks, identify 2-3 people who understand how work gets done in that area. Schedule 30-minute interviews to document existing controls.

Reinforce Risk Culture Through Operational Fluidity

ECI research shows that 46% of employees who report misconduct experience retaliation. One reason? Clunky systems that make compliance burdensome rather than intuitive.

By building your framework systematically with input from risk owners, you create operational fluidity. Controls become embedded in workflows rather than bolted-on obstacles. This encourages engagement and reinforces the risk culture you’re trying to build.

What’s Next

You’ve built your framework structure and populated it with controls. But what specific controls do healthcare organizations need? In our next blog, we’ll explore five essential control categories, providing concrete examples that you can adapt for your program.

Risk Assessment

Ethico’s Risk Assessment tool provides an intuitive platform for identifying, documenting, and prioritizing controls across your compliance program through a systematic, phased approach. Our solution helps you integrate historical risk data, document existing controls, and classify them by function and priority—transforming overwhelming complexity into a manageable framework aligned with regulatory requirements and organizational needs. Request a demo today!

About This Series: Building Risk and Controls Foundations for new enterprise risk programs. Coming next: “Five Essential Control Categories for Healthcare Compliance Programs.”
