Whitepaper: Healthcare Risk Management Takes a Broader Perspective


Published in: Business, Economy & Finance

  1. Whitepaper: Healthcare Risk Management Takes a Broader Perspective. Using a comprehensive incident management system increases efficiency and insight, reducing risk in the healthcare industry.
  2. Executive Summary The heart of the matter: Healthcare needs an enterprise perspective on risk From fraud and theft to the challenge of meeting government regulations, businesses are at risk from numerous factors that can have a negative financial and reputational impact. Keeping up with corporate governance, risk management and legal compliance mandates promises to become relentlessly more complex in 2009 as turbulent economic conditions continue to impact the business world. Employee misconduct is one compelling example. Strikingly, nearly 75 percent of healthcare industry employees reported having witnessed misconduct at work in the past 12 months, according to the KPMG Integrity Survey 2008-2009. More alarmingly, 57 percent indicated that the observed misconduct was serious enough to cause a significant loss of public trust if discovered. This is just one of a myriad of risks that are increasing both in complexity and severity. What can be done to more effectively detect, manage and prevent these issues? Currently, many healthcare organizations attempt to manage risks on a reactive basis, with each department or business area trying to resolve issues in its own way. In reality, however, risk presents an overarching challenge that an organization is best equipped to face by taking a comprehensive, proactive approach. Taking a broader perspective on risk management yields numerous, critical efficiencies. Specifically, using a centralized incident management system – one that multiple departments can use to compile information and collaborate among themselves – can help improve communication and insight, reduce and contain risk, cut costs and add process consistency. Then, the availability of company-wide trending and analysis keeps organizations a step ahead of the issues they face. The healthcare organizations that take a broader perspective on risk management will be the best equipped to navigate these turbulent economic conditions.
Rising Risks In the wake of the global economic crisis, risk in the healthcare industry is changing at an accelerated pace. The most important financial and reputational risks in the healthcare industry in 2009 include compliance with government mandates – including the Stark laws, anti-kickback statute, Healthcare Insurance Portability and Accountability Act (HIPAA), the federal False Claims Act and Medicare/Medicaid regulation – along with data privacy and employee misconduct or fraud. Each of these factors has grown in significance and will become more severe in the coming years. Legal compliance is especially complex in the heavily regulated healthcare industry. With the government and public demanding ever-higher corporate ethics standards, Forrester Research predicts that “looming regulatory mandates and oversight will mean greater strain on businesses already hurting from a weak economy,” according to Trends 2009: Governance, Risk and Compliance Hit the Big Time. (Forrester, 2008) Compliance with regulations is a costly endeavor, as are the penalties for failing to comply, but other risks can be just as important. On average, companies lost seven percent of revenue to fraud in 2008, according to the Association of Certified Fraud Examiners (ACFE) 2008 Report to the Nation on Occupational Fraud and Abuse. In healthcare, the median fraud loss was among the highest of any industry at $150,000 per incident – and most experts expect the risk of fraud to rise in 2009 due to the pressures of a down economy.
  3. Another major challenge for healthcare organizations is the responsibility to protect personally identifiable information for patients and employees. HIPAA requirements were designed to protect patient privacy, and severe penalties can be imposed if the rules are violated. That risk is on the rise as the number of data breaches in 2008 climbed almost 50 percent over 2007, according to the Identity Theft Resource Center (ITRC)’s Security Breaches 2008 report. The Ponemon Institute found that the average data breach in 2008 cost organizations $6.65 million per breach; however, financial damage is only part of the equation. The annual study, Cost of a Data Breach: Understanding Financial Impact, Customer Turnover, and Preventative Solutions, found that the healthcare industry experiences the highest customer loss rate after suffering a data breach (Ponemon, 2009). Together, these risks threaten a loss of revenue and public trust that extends beyond the challenges posed by the turbulent economy. Alone, each department and business area is ill equipped to manage the risks that affect the organization as a whole. The traditional response to risk is too narrow to be effective anymore. The Traditional Response The healthcare community is well aware of these risks, and numerous others not mentioned. Every organization has some set of policies and processes to address them. Historically, each area of risk was addressed where the most impact was felt, so when Sarbanes-Oxley became a factor, accounting took responsibility for complying with the rules; Stark laws were addressed by internal audit, and security protected against data breaches. It made sense for most risk management processes to begin in individual departments, such as legal, finance, security, ethics and compliance, internal audit, human resources and any other department involved in risk management.
But over time the lack of a centralized starting point has led to disparate, duplicative effort and unnecessary spending. Now, in some cases the same issue may be investigated by two departments using different terminology and processes. Relevant trends and patterns can be easily overlooked because it never occurred to one department to share certain information with another, making it difficult to study overall data. While no issues are the direct responsibility of every part of the business, they are rarely limited to one, or even two departments - especially when those issues involve financial and reputational risk to the company. Yet current strategies keep information isolated among business areas. All departments share a common starting point: most issues are discovered by employees, either through policies, procedures and controls that are already in place, or when someone observes a potential problem and reports it. And whether the issue is reported directly to a manager through the open door policy or anonymously submitted via the phone or web, the ability to report incidents is an invaluable source of information. In fact, nearly half of detected frauds are discovered through employee tips, which “…continue to be the most effective means of detecting fraud” (ACFE, 2008). Once these reports come in, they are traditionally filed in a local database and tracked in a spreadsheet. As a result, the wrong people may be involved in the investigation and resolution process. More importantly, the organization misses the opportunity to see overarching trends and to minimize risk before issues become critical.
  4. Time for a New Approach How can an organization begin to cut excess costs and increase the effectiveness of its overall risk management program? An ideal approach to ethics and compliance would include not only a phone and web-based reporting feature and efficient incident management system, but a commitment to encouraging a business culture of good conduct, along with analysis tools, policies, procedures and protocols for responding to any incidents when they happen. Such a comprehensive ethics and compliance commitment may not be feasible for every organization, but there are benefits to taking first steps. According to a study by Saugatuck Technology, SaaS vs. On-Premise Solutions: The ROI of Proactive Case Management, “coordinating risk management across legal, HR, finance, IT, and business operations requires a centralized and systematic approach - with defined roles and responsibilities by organizational unit and in cooperation with a centralized risk management function.” (Saugatuck, 2009). In practice, a centralized incident management system is one part of a comprehensive plan, and it can keep the entire organization involved in how relevant issues are handled. However, this does not require excessive additional meetings and planning because relevant departments can rapidly communicate through the system, determine case assignments and goals, and report results consistently to senior management. Taking the first step toward coordinating risk management across the organization will lead to measurable results. > Cut Excess Spending As the situation now stands, resources and attention tend to be divided between separate risk management strategies in various functional business units. The effect is duplicated effort and inefficiency when departments purchase separate systems despite having related goals and overlapping objectives.
To cut those unnecessary costs and boost productivity, the Ethics Resource Center’s 2007 National Business Ethics Survey advises that businesses “streamline escalating compliance and risk management costs and gain insight for better strategic decision-making.” (ERC, 2007). These escalating costs and inadequate insight derive from an overall lack of coordination in risk management programs. Embracing collaboration eliminates spending excesses and can dramatically increase efficiency. Organizations can experience time savings of between 25 and 75 percent due to increased productivity (Saugatuck, 2009). Overall, streamlining these processes helps multiple departments communicate and collaborate among themselves more efficiently. > Communicate and collaborate Enterprise-wide communication about risk issues is currently limited. However, every risk matters to organizations as a whole even if individual issues do not seem relevant to certain business functions. Cooperation may be facilitated through a centralized, comprehensive incident management system that facilitates consistency and communication on relevant issues. The resulting “tone from the top” can have a significant impact: “Ethics risk is significantly minimized when a concerted enterprise-wide commitment to the highest ethical standards and culture is in place.” (ERC, 2007). The result is a 75 percent reduction in misconduct, which has direct financial implications. A centralized incident management system facilitates automated communication and case routing. When any incident is reported, a notification can be sent, based on the nature of the report, to appropriate
  5. department leaders who then use the system to communicate and determine the appropriate next steps. This results in increased transparency and oversight, as well as consistent incident resolution across the business. > Reduce and Contain Risk Successfully implemented, a comprehensive strategy can lead to clear benefits through cost avoidance, cost containment and time savings. While some analysts’ estimates of over 1300% return on investment (ROI) may seem exaggerated, it is clear that preventing one data breach and detecting one fraud would more than pay for the investment in a comprehensive risk management system – on the basis of cost avoidance and preservation of public confidence alone. If a data breach does occur, a coordinated response plan is the most measurably effective way to reduce negative effects (Ponemon, 2008). The Ponemon Institute concludes that organizations should “take a holistic approach to data protection.” Post-breach response processes and procedures can be established within the incident management system, keeping the organization prepared for quick, coordinated action. When a data breach is recorded, communicated and managed effectively, companies can save 75 percent per event. (Saugatuck, 2009). In addition to cost avoidance and containment savings, a comprehensive system can help avoid or contain shrinkage, theft, discriminatory lawsuits, product liability and other class actions, and physical damages to property and equipment through negligence or sabotage. Although risk reduction and containment are financial boons for healthcare organizations, efficiencies can also be gained in how the organization’s risk management functions can begin operating on a proactive basis. Conclusion What can be done to more effectively detect, manage and prevent risk issues? The traditional, reactive approach is obsolete.
Today’s increasingly challenging risk environment demands collaboration – standardized policies, procedures, processes and terminology. Supported by a comprehensive incident management system, this will help take a proactive approach to the issues healthcare organizations face. Trends and patterns begin to appear when company-wide metrics are tracked with consistency and collaboration. In particular, if the company is analyzed by functional unit and location there is a deeper level of insight that can keep the organization a step ahead of regulatory requirements. Then, when incidents do occur, each step is tracked and recorded in the safe, centralized database of the incident management system, demonstrating investigative due diligence if necessary. A shared incident management system is a strong first step toward a comprehensive risk strategy. It takes a broader perspective for healthcare organizations to streamline disparate spending, facilitate collaboration and consistency, and become proactive in the face of a challenging regulatory environment – but in return, those organizations with a proactive approach will be best equipped to manage risk in the midst of economic turmoil. Questions? Comments? Contact our healthcare industry representative: sales@ethicspoint.com