Major categories of risk in healthcare
• Project risks
• Legal & Regulatory risks
• Reputation risks
• Corporate Governance risks
• Business continuity risks
• People risks
• Supply chain risks
• Technology risks
• Economic risks
• Social risks
a KONNECTORS presentation
A list of audit universe areas where applications are present, used to better assess the IT risks of health-care providers. Risk areas identified* include:
• Accounts payable.
• Admissions, discharges, and transfers.
• Ancillaries.
• Billing and accounts receivable.
• Cardiology.
• Core clinical activities.
• Cost accounting.
• Decision support.
• Emergency department.
• General ledger.
• Health information management.
• Human resources.
• Laboratory.
• Materials management.
• Payroll.
• Pharmacy.
• Physician practice management.
• Radiology.
• Scheduling.
• Surgery.
The audit universe also identified general control areas that should be examined during the assessment. These areas include:
• Application change controls.
• Backup and recovery processes.
• Compliance initiatives.
• Disaster recovery planning efforts.
• Infrastructure configuration management activities.
• IT management processes.
• Network infrastructure, security administration, and server infrastructure activities.
• System development and acquisition life cycle initiatives.
• Third-party services.
• Data center environmental controls.
Finally, besides identifying general control areas, the audit universe pinpoints a number of common IT security high-risk areas, including Web applications, medical devices connected to the network, wireless networks, and application interfaces. Below is a description of each high risk and its associated audit universe area.
Risk assessment of IT risks in Healthcare
Assessing IT Risks in the Healthcare Industry
While the adoption of new technology offers a number of benefits and gives health-care providers the opportunity to
gain a competitive advantage, it also introduces new risks into the environment that must be managed appropriately.
Health-care providers are rapidly deploying IT systems to dramatically change business processes, create new
opportunities, and reduce costs. Because failures in health-care technology can be life threatening, internal auditors
need to become aware of the different technology-related risks in the health-care field and learn about potential audit
approaches to address identified problem areas.
As part of their work, health-care providers collect and maintain non-clinical personal information that could be used
for identity theft purposes, such as Social Security numbers and credit card and insurance account information. In
addition, many organizations are adopting automated health information systems, thus highlighting the importance of
continuous system availability and decreased downtime. Hence, data integrity remains a critical factor that is necessary
to ensure better patient care and is an area that is regulated more and more through different national and industry-
specific regulations.
Considering the different IT security risks that are affecting organizations and the technologies used in the health-care
field, where should internal auditors and organizations focus their audit activities? A good starting point is to conduct an
IT enterprise risk assessment. Ideally, this risk assessment should be revisited and updated as necessary on a continuous
basis. The Health Information and Management System Society's (HIMSS's) 18th Annual Leadership Survey provided
insight into the priorities of CIOs in the health-care sector, their areas of perceived risks, and the tools used to mitigate
those risks (refer to the 3 charts below).
Revenue Assurance in a Hospital
Charge Description Master (CDM): Is the hospital reviewing this area on a regular basis to make sure it captures charges correctly? Coding and charge information can change frequently, and if a procedure is recorded incorrectly, a hospital may not receive the correct reimbursement amount.
Pharmacy: What system does the hospital use for medications? How are medications controlled? How are patient accounts charged?
One day stays: What is the criterion for admissions? How are the criteria applied for medical observation? Is the billing corrected if the criteria are not met?
Managing cash activities: How is cash accounted for? How are receipts given out? What types of receipts are utilized? How is this information recorded into a patient's account? Is a lock box used to hold cash until it is deposited to a central location? How often is cash collected and deposited? What controls are in place for cash handling, and who handles the cash?
Admitting and registration of patients: When a procedure has been scheduled in advance, how does the hospital register the patient? Does the admitting area ask for identification and insurance information upon arrival at the hospital? Are any co-payments and deductibles discussed prior to the procedure taking place? How are co-payments and deductibles collected?
Laboratory: Is the laboratory in compliance with OIG guidelines? Do reference forms contain all needed diagnostic information? Is there a maximum time limit for standing orders? How does the laboratory charge? On result only?
Charity care: Is there a process in place to maintain charity applications? Are logs maintained? Who approves charity write-offs? Who reviews write-off codes for compliance with hospital-level services defined by HCAP?
Miscellaneous: Are the discounts (in case of multiple services availed by a patient and available at that time under the Hospital's policy) properly adjusted at the time of billing?
On average, companies lost seven percent of revenue to fraud in 2008, according to the Association of Certified Fraud Examiners (ACFE) 2008 Report to the Nation on Occupational Fraud and Abuse.
PRIORITY A: Processes with risks that are both significant and likely. Unless risks are well managed, they should be a key focus of the audit plan.
PRIORITY B: Processes with significant but less likely risks will receive audit focus if they relate to or can be efficiently audited with other 'A' processes.
PRIORITY C: Processes with likely but low-significance risks. Minimal audit focus.
PRIORITY D: Minimal or no audit focus.
Process groups plotted on the significance/likelihood matrix (quadrant placement not recoverable from the slide text):
• Human Resources; Patient Satisfaction
• Legal & Regulatory; Contracts; Information Systems; Treasury
• Patient Services; Revenue Cycle
• Supply Chain Management
• Grant Administration
For the evolving hospital industry, managing risk is a high-stakes business issue.
Some associated risks
Healthcare providers & Others | Sample risk(s) associated with the healthcare provider & Others
Hospitals (Private/ Government) | Not enough beds to accommodate all patients; whether proper billing is charged to the patients.
Nursing Homes | Running without licence; either short on some medicines/ injections or a doctor not available on duty (for any reason, in an emergency).
Testing Laboratories | Personnel not available to do the testing and hence further delay in patients' treatment.
Pharmaceutical Companies | Some medicines' supply not frequently available or very highly priced; regulation risks.
Diagnostic Centers | Some machines not working properly.
Medical Equipment (X-ray machines, BP testing machines, CT scan machines, etc.) Manufacturers | Not able to meet the demand for the various machines from all the customers (including hospitals/ R&D centres, etc.).
Health Insurance companies/ Third Party Administrators (TPAs) | Claim settlements; forged documents; hospitals charging higher rates (where mediclaim is applicable).
Colleges/ Universities/ Institutes teaching medicine | Not able to meet the demand for medical professionals as required.
Specialised R&D centres | Breach of agreement vis-à-vis technology transfer; failure of research resulting in writing off of expenditure incurred.
Risks that were identified in 2010 were present in surveys of 2005 & 2007 too
Top 10 Risks 2010* (5 risks were present earlier too)
Risk | Level of risk in 2007 | Level of risk in 2005 | Percent of respondents who believe that passage of healthcare reform will increase this risk | Estimate of an organization's ability to control this risk
Payment increases consistently below medical inflation: potential for precipitous reductions in reimbursement as a result of state and federal regulatory changes | Top-Level | Top-Level | 92% | Limited or none
Physician relationships: ability to control the direction and level of alignment of physicians and institutions | Top-Level | Top-Level | 96% | Reasonable
Increased enforcement initiatives and governmental challenge of overpayment for services (e.g. RAC, MIC, and ZPIC audits, Stark anti-kickback statutes, false claims laws, antitrust, etc.) | Low-Level | Mid-Level | 89% | Some
Unfunded mandates for the provision of healthcare services | Top-Level | Top-Level | 66% | Limited or none
Increasing cost of capital and significant gap between capital needs and capital available from all sources | Low-Level | Low-Level | 66% | Some
Risks that were identified as new in 2010
Top 10 Risks 2010* (5 new risks in 2010)
Risk | Percent of respondents who believe that passage of healthcare reform will increase this risk | Estimate of an organization's ability to control this risk
Preparedness for clinical automation: inadequate information technology requiring investment in more sophisticated information systems | 83% | Reasonable
An extended economic recovery or a return to a significant recessionary environment; unemployment increases and continues to remain high | No additional impact | None
Improving performance in the midst of accelerating regulatory and marketplace change | 85% | Reasonable
Rebuilding the organization's balance sheet | 73% | Reasonable
Significant reduction in employer-based insurance | 77% | None
Important auditable functions/ areas from a Hospital's perspective:
Service delivery: Medical strategy & service excellence; Patient reception & admission; Diagnosis & Patient treatment; Patient discharge & rehabilitation services; Medical record maintenance
Stakeholder perspective: Corporate Governance; Business Planning; M & As and Projects; Marketing & Sales
Cost perspective: Procurement - Medical supplies; Procurement - Capex; HR & Payroll
Some other enablers: Insurance including TPA; Housekeeping; Operating systems & IT
Miscellaneous: Blood Bank management; Waste & Energy management; F&B; Legal & Taxation; Inventory management; Customer service
Process/sub-process with High risk criticality
Functional audit areas of focus (High risk):
i. Hospital Governance: Mergers & Acquisition – Internal Control DDR; Medical Strategy & Quality; Capacity Management; Quality Compliance Management – NABH/ JCI; New Projects; Corporate Governance; Marketing
ii. Medical & Quality Audit: Stress Care Centres; Operation Theatres; ICU, MICU, ICCU & PICU; Imaging Centres & Laboratories; Vascular Rooms; Cardiac Recovery rooms; Preparatory room; Recovery room; Ambulance services; Surgical Services; Blood bank management
iii. Operations Support Audit: Admissions; Procurement including CPC; Inventory Management; Discharge & Billing; Patient Safety – Incident Management; Insurance including TPA; Bio / Non Bio Medical equipment; IT Support – FOS, ITGC, ERP, Business Continuity & DRP
iv. People Audit: HR Planning & Recruitment; Employee training; Roster management; Leadership Development Initiatives; Performance Appraisal process; Employee Satisfaction Survey
v. Finance & Accounts: Budgeting; Accounts Receivable; Accounts Payable; Fixed Assets Management; Capital Expenditure; Taxation; Financial Reporting; Share Capital And Funds Utilization
vi. Compliance Management: Medical Records; Secretarial; EHS; Other enactments; JCI standards; NABH standards
Process/ sub-process with Medium risk criticality
Medical & Quality Audit: Allied Health operations; Medical Psych Units; Progressive Care Unit; Nurse/ Doctors bay; Pediatrics/ Ortho/ Neuro Unit
Operations Support Audit: Foods & Beverages; Laundry & Housekeeping; Centre for Community Service; Autopsy & Mortuary management; Pharmacy; Energy & Water consumption
People Audit: Hospital and clinician relationship management; Employee Records; Payroll end to end; Salary benchmarking
Finance & Accounts: Cash & Bank Management; Treasury; Stock Options; Foreign Exchange; Investments; Share Capital And Funds Utilization
Risk Levels*
1. Top-Level Enterprise Risks
These risks were identified by all or virtually all of the respondents and are seen as meeting the following parameters:
a. A current risk or one that is on the short-term horizon
b. A risk that has a high likelihood of occurring
c. A risk that is seen as having a significant impact on the healthcare system.
2. Mid-Level Enterprise Risks
These are essentially "around the corner" risks as identified by the executives. They are generally viewed as having a lower likelihood of happening or a longer lead time. However, if the risk becomes a reality, it is viewed as having a significant impact on the organization.
3. Lower-Level Enterprise Risks
These risks meet one or more of the following parameters:
a. Much lower likelihood of occurring or a longer timeframe for a healthcare organization to adjust
b. Less impact on the system and/or a more manageable level of risk
The low-level risks of today may shift to the medium or high risk category if left uncontrolled, so risk management has to be a continuous and all-pervasive exercise.
How do you view risk management capabilities?
1. Does increasing volatility and growing complexity make risk management central and strategic to your entity?
2. Do you see risk management capabilities as important to future profitability and long-term growth?
3. Are you implementing comprehensive enterprise risk management programs?
4. Executives expect their investments in risk management to increase over the next two years.
Handling of primary concerns for a healthcare entity
1. How active is your company in influencing risk regulation in your industry or geography (e.g. establishing direction for future industry reform)?
2. How is healthcare reform addressed within your risk management program?
3. How are pricing issues addressed within the risk management program?
4. How is capital adequacy or the risk-bearing capacity of the balance sheet addressed within your risk management program?
Action to achieve risk mastery
1. Balance risk appetite with risk capacity.
2. Focus on supply chain risk.
3. Improve governance of risk & compliance.
4. Use a more holistic approach.
"With more hospitals now hiring physicians and acquiring physician groups, they need to rethink both the duration and magnitude of their risk exposures."
A. Look to create shareholder value from risk management.
B. Involve the risk organization in key decision-making processes.
C. Improve the sophistication of measurement, modeling and analytics to anticipate risks in an increasingly complex environment.
D. Go beyond a compliance mindset of risk management to deliver more complete business solutions that drive competitive differentiation.
E. Integrate risk management capabilities across business units and organizational structures.
F. Establish a dedicated, C-level risk executive with oversight and visibility across the business.
G. Infuse risk awareness across the organizational culture.
H. Invest in continuous improvement.
Critical Success Factors for Effective Strategic Risk Management
• Align your strategy with the risks most relevant to your ability to achieve your near- and long-term strategic objectives.
• Create an efficient organizational structure with clear roles and responsibilities for everyone on the team. Leverage existing functions and teams, rather than creating more bureaucracy or overburdening leadership with decisions and tasks that can be handled by the rest of the team.
• Put a transparent, repeatable process in place. Where possible, make use of existing processes to ensure minimal disruption, and provide clear direction and well-defined deliverables. Where new approaches are needed, deploy strong change management disciplines to optimize workforce involvement and acceptance.
• Determine appropriate risk metrics and meaningful reporting formats, and establish a process for monitoring risk metrics to make sure information is relevant, reliable and provided on a regular, established basis.
• Develop and implement those tools and templates needed to efficiently standardize and sustain the risk management process, emphasizing practicality and cost/benefit optimization.
Internal audit is a 5-step process @ KONNECTORS.
Step 1: Risk Assessment
Step 2: Annual Internal Audit Plan Development
Step 3: Audit Program Development & Execution
Step 4: Findings & Recommendations
Step 5: Monitoring of Implementations
Some businesses manage risks in the following ways today:
1. We don't have any risks.
2. Hopefully nothing bad happens today.
3. Everybody needs to be careful all the time.
4. If you make a mistake, we'll fine/discipline/fire you!
5. We had a meeting and discussed the chance that if a particular risk could happen, we would communicate to everyone.
6. We brainstormed what could happen, and we took some actions to minimize the chance.
7. We developed a risk assessment of our process, and have an ongoing action plan and cadence to address the highest prioritized risks.
Please Contact:
Founder Adarsh Saxena, CA @ KONNECTORS RMT Solutions
konnectorsrmts.2012@gmail.com
+91-9873016166
New Delhi - 110018, India.