HCCA Board Audit Committee Compliance Conference
February 27 – 28, 2017
Presented by:
Kimberly Lansford, RN, BSN, MHL, CHC®
Shannon Sumner, CPA, CHC®
ASSESSING THE EFFECTIVENESS OF ERM
Enterprise Risk Management
Prepared for Health Care Compliance Association Page 1
SPEAKERS
Kimberly A. Lansford
RN, BSN, MHL, CHC ®
Chief Compliance Officer
PennState Health
Shannon Sumner
CPA, CHC ®
Principal/Shareholder
Pershing Yoakley & Associates, P.C.
ssumner@pyapc.com
PERSHING YOAKLEY & ASSOCIATES, P.C.
800.270.9629 | www.pyapc.com
What Is Enterprise Risk Management (ERM)?
• A process that engages all in the practice of identifying, managing, monitoring, and communicating risks across an organization
• Main objective is to help management and the board understand and manage those events most likely to impact the organization’s strategic objectives
• Its aim is to function in a proactive and efficient manner and as a key enabler of the organization’s strategic objectives
• It seeks to orchestrate the harmonization, synchronization, and rationalization of areas managing risks by moving beyond organizational barriers to open transparent communications across disciplines
Definitions
• Risk Culture: "The values, beliefs, knowledge, attitudes and understanding about risk shared by a group of people with a common purpose, in particular the employees of an organization" (Institute of Risk Management)
• Risk Appetite: Relates to the amount of risk that an organization is willing to seek or accept in the pursuit of its long-term objectives
Source: The Institute of Risk Management https://www.theirm.org/
ERM Provides a Process that Allows the Organization to:
• Present governance and management with a comprehensive picture of interdependent risks across the entire enterprise
• Break down the department silos that tend to exist in assessing risk
• Create cross-functional teams evaluating risk using a common framework
• Communicate information about risks in a consistent manner
Traditional Healthcare RM vs. ERM
Traditional Risk Management
• Reactive, incident-based, clinically focused program
• May use different processes, controls, metrics, language, and frameworks for discussing risks and risk mitigation strategies
• Considers impact of risks to specific departments or issues in isolation
• Focus on adverse events most likely to impact operations and finances
• Examines risks individually, with limited communication between disciplines to consider the impact of their actions on other parts of the organization
• Defines risks in terms of the probability that adverse events will occur and result in financial losses
• Tendency to be a bottom-up approach
Enterprise Risk Management
• Proactive, holistic, multi-disciplinary approach focused on anticipating and managing both internal and external risks
• Provides a common framework, processes, metrics, and language for discussing risks and risk mitigation strategies
• Considers impact of risks across the organization
• Focus on events most likely to impact strategic objectives
• Emphasis on synergistic relationship among and between risks that span across the organization
• Recognizes that risk does not solely mean something negative has or could occur – something good not happening as a result of not acting is also a risk
• Top-down and bottom-up approach
ERM Benefits
• Helps identify and understand key risks impacting achievement of strategies and objectives
• Invites broad participation and perspectives of senior leaders and governance
• Helps avoid a “functional silo” approach that often fails to consider the interconnective nature of risks across large, complex organizations
• Provides a common framework for discussing risks and risk management or “treatment” strategies
• Assists in establishing accountabilities for risk management activities
• Integrates risk planning with strategic and tactical planning
• Over time, more effective and cost-efficient management of risks increases enterprise value
Why Is an ERM Approach Important?
• The United States Federal Sentencing Guidelines are clear that standards and procedures should provide sufficient and effective controls that take into account the highest risk areas, given an organization’s business
• The Office of Inspector General (OIG) recommends a risk-based approach in its guidance, and recent Corporate Integrity Agreement templates require a provider’s compliance program to include a comprehensive risk assessment and internal review process
• The OIG is clear that a comprehensive risk assessment cannot be pursued by the Compliance Department alone, and involvement from key business leaders (including legal) is critical to the effectiveness of the risk assessment process
Why Is an ERM Approach Important? (cont.)
• All major rating agencies include ERM in their evaluation of credit ratings
• Critical component of financial and insurance industry evaluations
• Healthcare auditing entities, such as those that have oversight for HIPAA, may inquire into the process when auditing areas that require a risk-based approach (e.g., information security)
Why Is the Compliance Department Well Situated to Facilitate an ERM Approach?
• An ERM approach engages all workforce members in the practice of identifying, managing, monitoring, and communicating risks across the organization
• We are already doing this with regard to our compliance risks in our compliance programs
Components of a Successful ERM Approach
Step One: Know the Business Climate
• Understand which business factors have the ability to impact operations or cause potential compliance concerns
• Benchmark both inside and outside the organization, and possibly even outside the healthcare industry
Components of a Successful ERM Approach (cont.)
Step Two: Understand and Prioritize Risks and Opportunities
• Ensure colleagues understand how to identify and report risks and opportunities
• Two key activities:
  • Deploy a comprehensive Education and Awareness program
  • Perform an Enterprise Risk Assessment, with focused reviews of an organization’s most significant risks, on an ongoing basis
• Leverage existing strategies used by colleagues to report events, such as those utilized in Privacy, Information Security, Insurance/Risk Management, Compliance, Clinical/Nursing, and other departments
Components of a Successful ERM Approach (cont.)
Step Three: Manage the Identified Risks and Opportunities
• Create a centralized process or have a collaborative process to analyze and manage risk and opportunity information
• Some common risk management (“treatment”) techniques:
  • Avoidance (eliminate, withdraw from, or not become involved)
  • Reduction (optimize – mitigate)
  • Sharing (transfer – outsource or insure)
  • Retention (accept and budget)
Components of a Successful ERM Approach (cont.)
Step Four: Reporting and Metrics
• Reports and metrics can be used by operations, budgeting, strategy, audit, compliance, and many other departments for strategy and decision-making, where the consideration of risk can influence the outcome
• Dashboards, risk monitoring reports, qualitative, and quantitative analysis can be used to measure the effectiveness of risk treatment activities and to understand any implications for an organization’s overall business strategy
Components of a Successful ERM Approach (cont.)
Step Five: Risk “Alert” Culture and Risk Control
• A risk alert culture is the intrinsic understanding and assessment of risk embedded in day-to-day operations. It fosters the integration of enterprise risk principles throughout every layer of the organization
• Risk Controls are measures to limit vulnerabilities and manage risks to an acceptable level
• A risk alert culture and risk control are created by:
  • Adhering to policies and procedures, laws, and regulations
  • Educating and holding colleagues accountable for evaluating risk holistically in strategic initiatives
  • Creating and utilizing a common language
  • Effectively using preemptive risk concepts within business units
ERM Is Everyone’s Responsibility…
• ERM engages everyone at the organization in the management of those risks for which they are responsible
• Risk ownership does not reside in a single department
• The compliance department can easily facilitate an ERM approach to managing risks across the organization
ERM Is a Journey…It Is Not a Destination!
Board Accountability for Risk
• Greater Scrutiny from OIG and DOJ
• Recent CIA Risk Assessment Requirements
• Three Lines of Defense Theory
• Quality of Risk Assessment Process
• Ongoing Risk Assessment Process
• Connecting the Dots
Greater Scrutiny Emerges
DOJ Hires Compliance Expert
Source: http://www.corpcounsel.com/id=1202737784530/Report-Justice-Dept-Names-Chen-to-Controversial-Compliance-Counsel-Post?slreturn=20150923095150
“…the person will be assessing the company’s claims about their compliance program – i.e., if a company seeks to claim that it deserves credit for implementing a state of the art compliance program, which is a metric under the Sentencing Guidelines for a break on a fine. The counsel will help subject that to a rigorous analysis, something that a federal prosecutor does not have a lot of expertise in carrying out.”
Risk-Specific CIA Requirements
Source: https://oig.hhs.gov/fraud/cia/agreements/Dignity_Health_10302014.pdf
• Risk Assessment and Internal Review Process
“The risk assessment and internal review process shall include: (1) a process for identifying and prioritizing potential risks; (2) developing an assessment plan to evaluate and respond to potential risks, including internal auditing and monitoring of the potential risk areas; (3) developing action plans to remediate potential risks; and (4) tracking results to assess the effectiveness of the risk assessment and internal review process, including any remediation efforts that ABC pursues.”
Three Lines of Defense
Source: Institute of Internal Auditors: The Three Lines of Defense in Effective Risk Management and Control
Quality of Risk Assessment Process
• Risk Assessment Inputs – Questions to Ask
  • Is the risk universe inclusive of all significant processes/entities/joint ventures/outsourced service providers?
  • What is the competency of staff performing the risk assessment?
  • What risk-ranking criteria and weight factors are used?
  • Have risks to the achievement of strategic objectives been included?
  • What is the involvement of other “assurance providers” (e.g., internal audit, legal, compliance, IT, quality, risk management, etc.)?
  • Who is the Executive Sponsor (e.g., “Tone at the Top”)?
Quality of Risk Assessment Process (cont.)
• Risk Ranking Example
RISK FACTOR | DESCRIPTION/EXAMPLES | WEIGHT
Internal Control History | Control environment, risk management process, effectiveness of Internal Controls | 25%
Change | Systems, processes, personnel/turnover, new services, laws and regulations | 20%
Factors External to Process | Industry forces, market forces, national politics, community needs, degree of exposure to adversity, governance/management concern | 15%
Customer Service (Internal & External) | Degree of customer service provided, impact on operations, effect on reputation | 15%
Complexity | Multiple systems required, date of technology in use, equipment and expertise required | 15%
Materiality & Resources | Extent that the size of the unit could affect potential loss to the organization, adequacy of available resources for associated process | 10%
Quality of Risk Assessment Process (cont.)
• Risk Assessment Outputs – Questions to Ask
  • Does the prioritization of risks align with risk appetite?
  • What is the coverage of risks not able to be audited/monitored?
  • Has management accountability been established?
  • Are there any significant risks not included?
  • Is the resulting work plan risk focused vs. department focused (e.g., risk doesn’t reside in silos)?
  • Centralized governance oversight and reporting?
Ongoing Risk Assessment
• Risk-Trending/Red Flags
  • Central themes in internal audit/external audit/compliance reports
  • Monitor work plan additions/subtractions
  • Monitor deferrals or cancellations (risk is still there!)
  • Monitor completeness throughout the year
  • Error percentages consistently high (>5%)
  • Action plans consistently past due
Ongoing Risk Assessment (cont.)
• Places Where Risks Hide
  • Outsourced service providers
  • Significant turnover/new management
  • New and/or complex service lines
  • People, Process, Technology
  • Lack of ongoing training/education in high-risk areas
  • Drivers for incentive compensation
  • Lack of contract monitoring (e.g., physicians, outsourced areas)
Connect the Dots
• Control Environment “Dashboard”
  • Management Letter Comments
  • Turnover in Key Management Positions
  • External Audit Findings
  • Internal Audit Findings
  • Audit Follow-up Completion (High Risks)
THANK YOU!