
Enterprise Risk Management

PYA Principal Shannon Sumner co-presented “Enterprise Risk Management” at the HCCA Board Audit Committee Compliance Conference, February 27-28, 2017, in Scottsdale, Arizona.

The presentation covered:

The role of the governing Board of an organization in enterprise risk management (ERM)
Effective ERM in today’s healthcare setting
When ERM fails: “The perfect storm”



  1. Assessing the Effectiveness of ERM: Enterprise Risk Management. HCCA Board Audit Committee Compliance Conference, February 27 – 28, 2017. Presented by: Kimberly Lansford, RN, BSN, MHL, CHC®; Shannon Sumner, CPA, CHC®
  2. Speakers (prepared for Health Care Compliance Association)
     • Kimberly A. Lansford, RN, BSN, MHL, CHC®, Chief Compliance Officer, PennState Health
     • Shannon Sumner, CPA, CHC®, Principal/Shareholder, Pershing Yoakley & Associates, P.C., ssumner@pyapc.com, 800.270.9629 | www.pyapc.com
  3. What Is Enterprise Risk Management (ERM)?
     • A process that engages everyone in the practice of identifying, managing, monitoring, and communicating risks across an organization
     • Its main objective is to help management and the board understand and manage the events most likely to affect the organization's strategic objectives
     • It aims to operate proactively and efficiently, as a key enabler of the organization's strategic objectives
     • It seeks to harmonize, synchronize, and rationalize the areas that manage risk, moving beyond organizational barriers to open, transparent communication across disciplines
  4. Definitions
     • Risk Culture: "The values, beliefs, knowledge, attitudes and understanding about risk shared by a group of people with a common purpose, in particular the employees of an organization" (Institute of Risk Management)
     • Risk Appetite: The amount of risk that an organization is willing to seek or accept in pursuit of its long-term objectives
     Source: The Institute of Risk Management, https://www.theirm.org/
  5. ERM Provides a Process That Allows the Organization to:
     • Present governance and management with a comprehensive picture of interdependent risks across the entire enterprise
     • Break down the departmental silos that tend to exist when assessing risk
     • Create cross-functional teams that evaluate risk using a common framework
     • Communicate information about risks in a consistent manner
  6. Traditional Healthcare RM vs. ERM

     Traditional Risk Management
     • Reactive, incident-based, clinically focused program
     • May use different processes, controls, metrics, language, and frameworks for discussing risks and risk mitigation strategies
     • Considers the impact of risks on specific departments or issues in isolation
     • Focuses on adverse events most likely to affect operations and finances
     • Examines risks individually, with limited communication between disciplines about the impact of their actions on other parts of the organization
     • Defines risk in terms of the probability that adverse events will occur and result in financial losses
     • Tends to be a bottom-up approach

     Enterprise Risk Management
     • Proactive, holistic, multi-disciplinary approach focused on anticipating and managing both internal and external risks
     • Provides a common framework, processes, metrics, and language for discussing risks and risk mitigation strategies
     • Considers the impact of risks across the organization
     • Focuses on events most likely to affect strategic objectives
     • Emphasizes the synergistic relationships among risks that span the organization
     • Recognizes that risk does not solely mean something negative has occurred or could occur: something good not happening because the organization failed to act is also a risk
     • Combines top-down and bottom-up approaches
  7. ERM Benefits
     • Helps identify and understand the key risks affecting achievement of strategies and objectives
     • Invites broad participation and the perspectives of senior leaders and governance
     • Helps avoid a "functional silo" approach, which often fails to consider the interconnected nature of risks across large, complex organizations
     • Provides a common framework for discussing risks and risk management ("treatment") strategies
     • Assists in establishing accountability for risk management activities
     • Integrates risk planning with strategic and tactical planning
     • Over time, more effective and cost-efficient management of risks increases enterprise value
  8. Why Is an ERM Approach Important?
     • The United States Federal Sentencing Guidelines are clear that standards and procedures should provide sufficient and effective controls that take into account the highest-risk areas, given an organization's business
     • The Office of Inspector General (OIG) recommends a risk-based approach in its guidance, and recent Corporate Integrity Agreement (CIA) templates require a provider's compliance program to include a comprehensive risk assessment and internal review process
     • The OIG is clear that a comprehensive risk assessment cannot be carried out by the Compliance Department alone; involvement from key business leaders (including legal) is critical to the effectiveness of the risk assessment process
  9. Why Is an ERM Approach Important? (cont.)
     • All major rating agencies include ERM in their evaluation of credit ratings
     • It is a critical component of financial and insurance industry evaluations
     • Healthcare auditing entities, such as those with oversight for HIPAA, may inquire into the process when auditing areas that require a risk-based approach (e.g., information security)
  10. Why Is the Compliance Department Well Situated to Facilitate an ERM Approach?
     • An ERM approach engages all workforce members in the practice of identifying, managing, monitoring, and communicating risks across the organization
     • Compliance programs already do this for compliance risks
  11. Components of a Successful ERM Approach. Step One: Know the Business Climate
     • Understand which business factors have the ability to affect operations or cause potential compliance concerns
     • Benchmark both inside and outside the organization, and possibly even outside the healthcare industry
  12. Components of a Successful ERM Approach (cont.). Step Two: Understand and Prioritize Risks and Opportunities
     • Ensure colleagues understand how to identify and report risks and opportunities
     • Two key activities:
       • Deploy a comprehensive education and awareness program
       • Perform an enterprise risk assessment on an ongoing basis, with focused reviews of the organization's most significant risks
     • Leverage the strategies colleagues already use to report events, such as those in Privacy, Information Security, Insurance/Risk Management, Compliance, Clinical/Nursing, and other departments
  13. Components of a Successful ERM Approach (cont.). Step Three: Manage the Identified Risks and Opportunities
     • Create a centralized process, or a collaborative one, to analyze and manage risk and opportunity information
     • Some common risk management ("treatment") techniques:
       • Avoidance (eliminate, withdraw from, or do not become involved)
       • Reduction (optimize, mitigate)
       • Sharing (transfer: outsource or insure)
       • Retention (accept and budget)
  14. Components of a Successful ERM Approach (cont.). Step Four: Reporting and Metrics
     • Reports and metrics can be used by operations, budgeting, strategy, audit, compliance, and many other departments for strategy and decision-making wherever the consideration of risk can influence the outcome
     • Dashboards, risk monitoring reports, and qualitative and quantitative analysis can be used to measure the effectiveness of risk treatment activities and to understand any implications for the organization's overall business strategy
  15. Components of a Successful ERM Approach (cont.). Step Five: Risk "Alert" Culture and Risk Control
     • A risk alert culture is the intrinsic understanding and assessment of risk embedded in day-to-day operations. It fosters the integration of enterprise risk principles throughout every layer of the organization
     • Risk controls are measures that limit vulnerabilities and manage risks to an acceptable level
     • A risk alert culture and risk control are created by:
       • Adhering to policies and procedures, laws, and regulations
       • Educating colleagues and holding them accountable for evaluating risk holistically in strategic initiatives
       • Creating and using a common language
       • Effectively using preemptive risk concepts within business units
  16. ERM Is Everyone's Responsibility…
     • ERM engages everyone at the organization in the management of the risks for which they are responsible
     • Risk ownership does not reside in a single department
     • The compliance department can readily facilitate an ERM approach to managing risks across the organization
  17. ERM Is a Journey… It Is Not a Destination!
  18. Board Accountability for Risk
     • Greater scrutiny from OIG and DOJ
     • Recent CIA risk assessment requirements
     • Three Lines of Defense theory
     • Quality of the risk assessment process
     • Ongoing risk assessment process
     • Connecting the dots
  19. Greater Scrutiny Emerges
  20. DOJ Hires Compliance Expert
     Source: http://www.corpcounsel.com/id=1202737784530/Report-Justice-Dept-Names-Chen-to-Controversial-Compliance-Counsel-Post?slreturn=20150923095150
     "…the person will be assessing the company's claims about their compliance program – i.e., if a company seeks to claim that it deserves credit for implementing a state of the art compliance program, which is a metric under the Sentencing Guidelines for a break on a fine. The counsel will help subject that to a rigorous analysis, something that a federal prosecutor does not have a lot of expertise in carrying out."
  21. Risk-Specific CIA Requirements
     Source: https://oig.hhs.gov/fraud/cia/agreements/Dignity_Health_10302014.pdf
     • Risk Assessment and Internal Review Process: "The risk assessment and internal review process shall include: (1) a process for identifying and prioritizing potential risks; (2) developing an assessment plan to evaluate and respond to potential risks, including internal auditing and monitoring of the potential risk areas; (3) developing action plans to remediate potential risks; and (4) tracking results to assess the effectiveness of the risk assessment and internal review process, including any remediation efforts that ABC pursues."
  22. Three Lines of Defense
     Source: Institute of Internal Auditors, The Three Lines of Defense in Effective Risk Management and Control
  23. Quality of Risk Assessment Process
     • Risk assessment inputs: questions to ask
       • Is the risk universe inclusive of all significant processes, entities, joint ventures, and outsourced service providers?
       • What is the competency of the staff performing the risk assessment?
       • What risk-ranking criteria and weight factors are used?
       • Have risks to the achievement of strategic objectives been included?
       • What is the involvement of other "assurance providers" (e.g., internal audit, legal, compliance, IT, quality, risk management)?
       • Who is the executive sponsor (i.e., the "tone at the top")?
  24. Quality of Risk Assessment Process (cont.): Risk Ranking Example

     Risk factor                            | Description / examples                                                                                                              | Weight
     Internal Control History               | Control environment, risk management process, effectiveness of internal controls                                                    | 25%
     Change                                 | Systems, processes, personnel/turnover, new services, laws and regulations                                                          | 20%
     Factors External to Process            | Industry forces, market forces, national politics, community needs, degree of exposure to adversity, governance/management concern  | 15%
     Customer Service (Internal & External) | Degree of customer service provided, impact on operations, effect on reputation                                                     | 15%
     Complexity                             | Multiple systems required, age of technology in use, equipment and expertise required                                               | 15%
     Materiality & Resources                | Extent to which the size of the unit could affect potential loss to the organization; adequacy of resources for the associated process | 10%

     The weights sum to 100%, so a unit's composite ranking is the weighted sum of its per-factor scores.
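The slide gives the factors and weights but not how a ranked risk universe falls out of them. The following is an added example, not code from the presenters or from PYA, that scores each unit in a risk universe on the six factors above and ranks the units. The 1–5 per-factor scale, the High/Medium/Low tier thresholds, and the three-unit sample risk universe are assumptions constructed for illustration; only the factor names and weights come from the slide.

```python
"""Weighted risk ranking for an enterprise risk universe (added example)."""
from dataclasses import dataclass

# Factor weights from the "Risk Ranking Example" slide. They must total 100%.
WEIGHTS = {
    "internal_control_history": 0.25,
    "change": 0.20,
    "external_factors": 0.15,
    "customer_service": 0.15,
    "complexity": 0.15,
    "materiality_resources": 0.10,
}

# Assumed per-factor scale: 1 = low exposure, 5 = high exposure.
SCORE_MIN, SCORE_MAX = 1, 5

# Assumed tier cut-offs on the 0-100 composite score.
TIERS = (("High", 70.0), ("Medium", 50.0), ("Low", 0.0))


@dataclass(frozen=True)
class RiskEntry:
    unit: str          # process, entity, joint venture, or outsourced provider
    scores: dict       # factor name -> score on the 1-5 scale


def validate_weights(weights):
    """Reject a weight table that does not sum to 100%."""
    total = sum(weights.values())
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"weights sum to {total:.2f}, not 1.00")


def weighted_score(entry, weights=WEIGHTS):
    """Composite score for one unit, normalized to 0-100.

    Every weighted factor must be scored; an unscored factor would silently
    lower the ranking of exactly the units nobody looked at closely.
    """
    missing = set(weights) - set(entry.scores)
    if missing:
        raise ValueError(f"{entry.unit}: no score for {sorted(missing)}")
    for factor in weights:
        score = entry.scores[factor]
        if not SCORE_MIN <= score <= SCORE_MAX:
            raise ValueError(f"{entry.unit}: {factor}={score} is off the scale")
    raw = sum(weights[f] * entry.scores[f] for f in weights)
    return round(100.0 * raw / SCORE_MAX, 1)


def tier(score):
    """Map a composite score to an assumed High/Medium/Low tier."""
    for name, floor in TIERS:
        if score >= floor:
            return name
    return "Low"


def rank_risk_universe(entries, weights=WEIGHTS):
    """Return (unit, score, tier) tuples, highest risk first."""
    validate_weights(weights)
    scored = [(e.unit, weighted_score(e, weights)) for e in entries]
    scored.sort(key=lambda t: (-t[1], t[0]))
    return [(unit, score, tier(score)) for unit, score in scored]


# Constructed sample risk universe (illustrative scores, not real data).
SAMPLE_UNIVERSE = [
    RiskEntry("Outsourced revenue cycle vendor", {
        "internal_control_history": 4, "change": 5, "external_factors": 4,
        "customer_service": 3, "complexity": 4, "materiality_resources": 5}),
    RiskEntry("Physician contract administration", {
        "internal_control_history": 3, "change": 2, "external_factors": 5,
        "customer_service": 2, "complexity": 3, "materiality_resources": 4}),
    RiskEntry("Inpatient pharmacy", {
        "internal_control_history": 2, "change": 1, "external_factors": 2,
        "customer_service": 4, "complexity": 3, "materiality_resources": 2}),
]


if __name__ == "__main__":
    for unit, score, level in rank_risk_universe(SAMPLE_UNIVERSE):
        print(f"{score:5.1f}  {level:6}  {unit}")
```

The validation steps are the point of the exercise rather than the arithmetic: the slide's "inputs" questions ask whether the risk universe is complete and what weights are used, and a scoring routine that silently accepts missing factors or weights that do not total 100% will produce a tidy-looking ranking that answers neither question.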
  25. Quality of Risk Assessment Process (cont.)
     • Risk assessment outputs: questions to ask
       • Does the prioritization of risks align with the organization's risk appetite?
       • What is the coverage of risks that cannot be audited or monitored?
       • Has management accountability been established?
       • Are there any significant risks not included?
       • Is the resulting work plan risk-focused rather than department-focused (risk does not reside in silos)?
       • Is there centralized governance oversight and reporting?
  26. Ongoing Risk Assessment
     • Risk trending and red flags
       • Central themes in internal audit, external audit, and compliance reports
       • Monitor work plan additions and subtractions
       • Monitor deferrals or cancellations (the risk is still there!)
       • Monitor completeness throughout the year
       • Error percentages consistently high (>5%)
       • Action plans consistently past due
  27. Ongoing Risk Assessment (cont.)
     • Places where risks hide
       • Outsourced service providers
       • Significant turnover or new management
       • New and/or complex service lines
       • People, process, technology
       • Lack of ongoing training and education in high-risk areas
       • Drivers of incentive compensation
       • Lack of contract monitoring (e.g., physicians, outsourced areas)
  28. Connect the Dots
     • Control environment "dashboard"
       • Management letter comments
       • Turnover in key management positions
       • External audit findings
       • Internal audit findings
       • Audit follow-up completion (high risks)
  29. Thank You!
     Kimberly A. Lansford, RN, BSN, MHL, CHC®, Chief Compliance Officer, PennState Health. Shannon Sumner, CPA, CHC®, Principal/Shareholder, Pershing Yoakley & Associates, P.C., ssumner@pyapc.com, 800.270.9629 | www.pyapc.com
