Examining a Top-Down Approach to Enterprise Risk Management

Transcription

1 Examining a Top-Down Approach to Enterprise Risk Management June 25, :30 ET Monique Allen Associate General Counsel, Clinical Operations and Privacy Memorial Hermann Health System Houston, Texas Kimarie R. Stratos Senior Vice President, General Counsel, and Chief Privacy Officer Memorial Healthcare System Hollywood, Florida This luncheon is hosted by Business Law & Governance, Hospitals & Health Systems and Health Care Liability & Litigation PGs and Enterprise Risk Management and Behavioral Health TFs 1

2 Making the Case to the C-Suite Unprecedented external scrutiny Competitive advantage Can navigate quicker than competitors

3 Defining ERM for the C-Suite Identify, assess, & manage enterprise-wide risk potentially affecting attainment of strategic goals Department decisions vs. enterprise decisions Proactive vs. reactive

4 Obtaining C-Suite Engagement/Approval Demonstrate importance of C-Suite advocate Align C-Suite perceived risks with stakeholder perceived risks Demonstrate disparity Focus on strategic goals Communicate risk transfer in business terms Financial impact

5 MHS Case Study Obtaining CEO support Engaging C-Suite Laying framework/process in advance Implementing ERM Program

6 Why MHS Began the ERM Journey An effective ERM program allows an organization to: Agree on risk management goals, objectives and metrics Assign roles and responsibilities for managing risk Effectively communicate risk issues up and down organization Develop consistent and continuous approach to identify/evaluate risk Provide efficient structure to embed risk awareness, processes and terminology

7 MHS ERM Steps Define Scope of Assessment Document Review & Research Survey Risk Assessment Workshop Risk Improveme nt Planning Critical Risks Assessed / Improvement Plans Created

8 Impact Score Impact & Likelihood Ratings Impact Description Financial Impact 5 Catastrophic 4 Significant 3 Moderate 2 Low If this risk were to materialize, ABC Co. would find it almost impossible to recover financially. Reputational impact would almost certainly occur. The consequences of the risk materializing are severe but could be managed to some extent. The consequences of the risk materializing are less severe and can be managed to a large extent. The consequences of the risk materializing are considered relatively unimportant. 1 Negligible There are no meaningful consequences if this risk materializes. Financial impact greater than $100M Financial impact of more than $50M but less than $100M Financial impact of more than $25M but less than $50M Financial impact of more than $10M but less than $25M Financial impact of less than $10M Rating Likelihood Description Frequency 5 Expected Occurs often / is to be expected Annual or 2 year to 3 year type event 4 Probable Known to occur / would not be surprising 5 year to 10 year event 3 Moderate Could occur but infrequently 10 year to 25 year event 2 Unusual Could possibly occur but would be rare 25 year to 50 year event 1 Remote Could conceivably occur but would be extremely remote 50+ year event

9 Risk # Impact (I) Likelihood / Impact Risk Likelihood (L) Distribution* With Current Controls Risk Description Gross Risk Score (GRS) Unable to Attract Qualified Personnel Complexity of Data Structure & Environment Inadequate Breadth / Depth of Clinical Services Cyber Risks Reduction in Quality of Care (Actual or Perceived) Regulatory Compliance / Legal Environment Mismatch Between Planned and Actual Workforce Needs Resource Management / Allocation Patient Satisfaction / Patient Complaints Brain Drain: Loss / Unexpected Departure of Key Individuals Uncertainty in Clinical Enterprise Significant Negative Media / Publicity Event Catastrophic Natural Disaster Mistakes in Financial Processes / Fraud IT System Crash / Breakdown Terrorist Event / Violence on Campus Scientific Misconduct Loss of Tax Exempt Status 5

10 Top 10 Risks Assessment Output Summary

11 Improvement Plan

12 Top 10 Risks Immediate Improvement Recommendations

13 Risk # Impact (I) Likelihood / Impact Risk Distribution With Risk Improvements Implemented Likelihood (L) Risk Description Gross Risk Score (GRS) Unable to Attract Qualified Personnel Complexity of Data Structure & Environment Inadequate Breadth / Depth of Clinical Services Cyber Risks Reduction in Quality of Care (Actual or Perceived) Regulatory Compliance / Legal Environment Mismatch Between Planned and Actual Workforce Needs Resource Management / Allocation Patient Satisfaction / Patient Complaints Brain Drain: Loss / Unexpected Departure of Key Individuals Uncertainty in Clinical Enterprise Significant Negative Media / Publicity Event Catastrophic Natural Disaster Mistakes in Financial Processes / Fraud IT System Crash / Breakdown Terrorist Event / Violence on Campus Scientific Misconduct Loss of Tax Exempt Status 4

14 Risk Matrix Before Risk Improvements Implemented Risk Matrix - Before Improvement 5 4 7, 8, 9, 10, 11 1, 2, 3 Likelihood 3 5, , 18 14, 15, 16 12, Impact

15 Source of Risk Analysis by Source of Risk and Stratified by Risk Rank (Before Improvements) Strategic Legal / Regulatory Products / Services Quality Financial Human Capital Information Technology Operational GRS>=15 15>GRS>=10 10>GRS>=7 7>GRS>=3 GRS<3

16 Risk Profile With Current Controls & Improvements Implemented 6 Risk Distribution With Current Controls 6 Risk Distribution After Improvements 5 5 Likelihood Likelihood Impact Impact Gross Risk Score = 135 Gross Risk Score = 94

17 Thank You Monique Allen Associate General Counsel, Clinical Operations and Privacy Memorial Hermann Health System Houston, Texas Kimarie R. Stratos Senior Vice President, General Counsel, and Chief Privacy Officer Memorial Healthcare System Hollywood, Florida

18 Title 2018 is published by the American Health Lawyers Association. All rights reserved. No part of this publication may be reproduced in any form except by prior written permission from the publisher. Printed in the United States of America. Any views or advice offered in this publication are those of its authors and should not be construed as the position of the American Health Lawyers Association. This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is provided with the understanding that the publisher is not engaged in rendering legal or other professional services. If legal advice or other expert assistance is required, the services of a competent professional person should be sought from a declaration of the American Bar Association.