ENTERPRISE RISK MANAGEMENT IN HEALTH CARE. April 27, 2017


Presenters
- Adam Marshall, Director, Risk Advisory Services, RSM US LLP, Adam.Marshall@rsmus.com, +1 410 246 9251
- Jessika Garis, Manager, Risk Advisory Services, RSM US LLP, Jessika.Garis@rsmus.com, +1 813 316 2247

Agenda
- Overview of Enterprise Risk Management
- Risk Assessments and Key Areas of Risk
- Management Strategies for Specific Health Care Risks
- Risk Management Best Practices for Healthcare

OVERVIEW: Enterprise Risk Management

What is Business Risk?
The threat that an event or action/inaction will adversely affect an organization's ability to achieve its business and strategic objectives. Or, put simply:
- Something bad will happen
- Something good won't happen

What types of companies assume risk?
- The question isn't whether your organization has assumed business risk; assuming risk in the pursuit of your objectives is the essence of a business.
- The question is whether you fully understand the risk your organization has assumed and whether it's monitored, managed and aligned with your risk tolerance.

Risk management: everybody does it, but how they do it varies greatly
- Informal: "We've got it covered"
- Structured: "Let me explain the underlying risk, what our exposure is and how we're managing it"

When resources are tight, why dedicate more effort to risk management?
Historically, investments in structured risk management programs were driven by two primary factors:
- Regulatory requirements
- Management priority
Increasingly, risk management programs are more necessary due to additional pressures:
- Protection of market value
- Expectations of counterparties and the associated risks
- Management's need to demonstrate reasonable awareness and management of risks

Value-destroying events can come from anywhere
Dispersing the management and visibility of risks throughout the organization doesn't minimize the threat. It makes it harder for senior management to monitor and address emerging risks before they become significant events. Value-destroying events can come from anywhere:
- Strategic
- Technology
- Regulatory
- Reporting
- Operational challenges
- Security
- Finance

Background: Why ERM
Organizations take a more strategic perspective of risk from the top down. Benefits:
- Strategies and solutions that support mission, vision and values
- Better anticipation of the unexpected
- Efficiency and effectiveness in the treatment of risks
- Improved decision making
- Better allocation of resources
- Visibility of risk interdependencies
- Identification of strategic competitive advantages
- Patient safety and the delivery of care that is effective, efficient and safe

Traditional Risk Management vs. ERM
Traditional Risk Management:
- Tactical, compliance focused
- Silo-based processes
- Program or risk type view
- Looks at risks individually
- Business decisions not closely linked to risks
- Driven by risk management and internal audit
- Supported by rules
ERM:
- Strategic, performance focused
- Consistent risk management approach across the enterprise
- Holistic view of key risks
- Considers risk interactions
- Business decisions based on a clear understanding of risks
- Driven by the board and owned by the business
- Supported by a risk culture

A Holistic View of Risk
What is a holistic view of risk?
- Aggregated risk exposures across the enterprise
- Consideration of all types of risk, including interactions between risks
- Consideration of alternative, forward-looking scenarios
Risk types vary by industry and may include: Operational, Clinical/Patient Safety, Strategic, Market, Compliance, Reputational, Legal, Environmental, Security

Range of ERM Practices
Small organization ERM practices:
- Policies for each risk type
- Decisions based primarily on management judgment
- CFO or other executive responsible for risk oversight
- Less board involvement; reliance on the Audit Committee
- Manual aggregation processes
- Tactical risk management training
Large organization ERM practices:
- Formally documented ERM framework
- Decisions based on complex, data-driven analysis
- ERM function and CRO
- Active board and risk committee involvement
- Highly automated aggregation and reporting processes
- ERM training based on a common risk language

A Practical Approach to Implementing ERM
Start with the basics:
- Understand what you already have
- Using a framework, determine where you want to go:
  - Why are we doing this?
  - What do we want to get out of it (upside vs. downside risk)?
  - How will your organization's culture react to ERM adoption?
  - Who in your organization (or outside) will be involved at each phase, and what skill sets are necessary?
- Determine your time horizon: while there are near-term benefits that can be achieved, most ERM frameworks take 18 months or longer before they take root

COSO ERM Framework (In Exposure Draft)

Our ERM Framework
An ERM Framework should include:
- Risk governance
- Risk appetite setting
- Enterprise-wide risk management processes:
  - Identification of risks
  - Assessment/measurement of risks
  - Monitoring of risks and of actions to address risks
  - Management of risk through controls/risk responses
  - Reporting of risks and the status of action plans
- Integration with business decision-making
- Establishment of a strong risk culture

Integrating ERM into decision-making
To be effective, risk management must be integrated into day-to-day business line activities and corporate decisions:
- Risk managers must be involved at the onset of strategy-setting processes
- Risks associated with new products/services should be considered and communicated to the board
- Analysis of emerging risks and stress tests should influence business decisions
- Risk information should be shared across the organization to avoid the same event recurring

Risk Governance
Governance levels:
- Board oversight
- ERM committee
- Risk committees
- ERM function
Governance activities:
- Reviews and approves risk strategies, frameworks and policies
- Reviews risk reports and recommends/monitors risk limits and action plans
- Oversees the implementation of the ERM framework/controls
Supporting elements: risk policies, risk appetite, incentives, ERM training, capital adequacy, product/strategy review

Risk Culture
Development of a risk culture is critical to effective ERM. Ways to establish a risk culture that is supportive of risk management:
- Tone at the top:
  - Reference the importance of risk management in the organization's objectives
  - Incorporate risk management into ongoing executive management communications
  - Exhibit the desired risk management behaviors
- Code of Conduct or Ethics
- Risk management factors included in incentive and performance evaluation plans
- Clearly defined roles and responsibilities that are consistent with the three lines of defense

Risk Appetite
An effective ERM program relies on the establishment and communication of the organization's risk appetite:
- Helps employees to understand the specific risks that the organization is willing and not willing to take
- Provides a means for ensuring that actual risk-taking is consistent with the organization's risk-taking capacity

Risk Appetite
There are many ways to define risk appetite:
- Statements, such as a zero tolerance for compliance risk
- Specific programs, markets and/or groups that are outside of the organization's risk tolerance
- Metrics that define risk thresholds, such as financial measures (e.g., ROI target) or limits (e.g., % of total risk exposure)
Are you able to articulate your organization's appetite or tolerance for risk?

RISK ASSESSMENTS AND KEY AREAS OF RISK: Health Care

Risk Management Processes
Risk management processes are grouped in different ways but generally include the following cycle:
- Identify
- Assess/measure
- Manage/respond
- Monitor
- Report
Ideally, each of these processes should be ongoing rather than, for example, annual.

Risk Identification
Risk identification processes should begin with appropriate planning:
- Mapping of the organization's programs and processes
- Determination of the risk types to be included in the process (e.g., operational, legal, reputational)
- Identification of resources responsible for each area in the process
Risks can be identified through various methods, such as interviews, surveys and/or facilitated workshops:
- Different levels of the organization may have different perspectives on risks
- Include emerging risks
- Be wary of risks that are really the absence of controls

Risk Identification
Sample identification methods:
- Documentation such as: strategic plan, adverse event reporting, consultant reports and inspections, committee reports, peer review/quality metrics
- Risk questionnaires/surveys
- Facilitated working sessions, brainstorming, focus groups, interviews
- The Joint Commission Sentinel Event Alerts
- Patient satisfaction surveys

Identification of Strategic Risks
Strategic risks are risks that are material to an organization's ability to execute its strategy and achieve its business objectives. Sources of strategic risk to consider:
External:
- Competitors
- Brand
- Partnering
- Customers
- Regulators
- Suppliers
Internal:
- Planning
- Execution
- Employee engagement
- Access to funding
- Infrastructure
- Readiness

Health Care Risk Model
Strategic / External:
- Competition
- Affiliation, Mergers & Acquisitions
- Variability in Patient-Related Volume
- Research Grant / Funding Availability
- New Models for Care Delivery
- Diminished Market
- Regulatory Change / Healthcare Reform
- Conflict of Interest
- Decreased Capital Spending
- Hospital / Physician Relationship
- Availability of Public Data
Operational:
- Business Management Discipline / Cost Management
- Equipment Maintenance
- Failure to Identify & Follow EBM
- Facility Maintenance
- Timely Access to Care
- Failure to Refer
- Failure to Diagnose
- Clinical Continuity
- Insufficient Discharge Planning
- Inconsistent Clinical Competency
Human Capital:
- Hiring & Retention
- Organizational Structure, Alignment & Direction
- Succession Planning
- Unionization
- Turnover
- Recruitment
- Aging Workforce
- Disruptive Behavior
- Flex Staffing
- Workers' Compensation
- Physician Shortage
Financial:
- Credit / Collections
- Financial Performance
- Billing Accuracy / Compliance
- Payer Mix / Reimbursements
- Pension / Retirement Obligations
- Philanthropy / Fundraising / Capital Campaign
- Failure to Meet Margin
- Uncompensated Care
- Access to Capital
- Contract Management
- Revenue Enhancement
Legal & Compliance:
- Conflicts of Interest
- Fraud, Theft and Embezzlement
- Governance, Compliance and Oversight
- ACO
- HIPAA Privacy & Security
- Health Reform
- Employment Practices
Technology:
- Multiple Vendors
- Social Networking
- Information Breach
- Bar Coding
- Hybrid EMR
- IT Infrastructure & Security
- Paucity of IT Professionals
- Failure to Act in a Timely Manner
- Incompatible Programs
Hazard:
- Natural Disaster
- Failure to Plan
- Failure to Act Timely
- Inability to Manage a Crisis
- No Backup Systems or Appropriate Duplicate

Risk Assessment
- Risk assessment should begin with clarification of the objectives
- Program and internal audit risk assessments have different purposes (e.g., prioritization of risks vs. basis for audit plans)
- Common definitions, including inherent vs. residual risk, risk levels, and the adequacy of controls, should be clearly communicated. For example:
  - A risk with a high likelihood may result in losses on a daily basis
  - A risk with a high impact may result in a loss equal to X, or significant harm to the organization's reputation

Risk Assessment
Best practices in risk assessment include:
- Identification of risks against key business objectives
- Coordination of risk assessments through interviews, surveys or facilitated workshops to ensure consistency
- Use of available information, such as Key Risk Indicators (KRIs), to ensure objectivity
- Assessments of the adequacy of internal controls must also be objective
- Oversight and use of information, such as the results of quality control reviews, are critical

Using Risk Assessments
Internal audit assessments are generally used to:
- Determine the scope and frequency of audits
- Compare to business line assessments
Program assessments are used to:
- Prioritize risks across the organization
- Identify the top risks to the organization
- Identify appropriate responses to risks, as well as areas where the adequacy of controls is too low for the level of risk
- Drive risk-based monitoring processes
Avoid the black hole of risk assessment data!

Risk Heat Map (Impact on the vertical axis, Likelihood on the horizontal axis)
- High impact, low likelihood: Extraordinary events, often overlooked
- High impact, high likelihood: Strategic imperatives
- Low impact, low likelihood: Lower priority - focus on efficiency
- Low impact, high likelihood: Secondary risks - focus on controls

Risk Management / Responses
- Risk responses should be based on assessment of loss frequency and impact
- Management actions should be specific to reducing likelihood or impact, depending on which one was assessed as high
- The most common risk responses include:
  - Avoid (get out)
  - Accept/retain (monitor)
  - Reduce (institute controls)
  - Transfer or share (partner with someone)
- Action plans with assigned owners should be developed and monitored by a risk committee
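The assessment, heat-map and response slides above describe one scoring workflow: rate likelihood and impact, adjust for the adequacy of existing controls to get residual risk, place each risk on the heat map, pick a response that targets the dimension assessed as high, and prioritize the register. The following is an added example of that workflow, not code from the presenters or RSM US LLP. Everything quantitative in it is an assumption made here: the 1-5 likelihood and impact scales, the threshold of 4 for "High", the modelling of controls as lowering likelihood, the quadrant-to-response mapping, and the control-gap rule; the sample register is constructed from categories in the health care risk model.

```python
"""Risk register scoring, heat-map placement and response selection.

Added example, not the presenters' or RSM's own tooling.  Scales, the
"High" threshold, the control model and the response mapping are all
assumptions chosen for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List

HIGH = 4  # assumed: 4 or 5 on a 1-5 scale counts as "High" on the heat map


@dataclass
class Risk:
    name: str
    category: str          # column from the health care risk model
    likelihood: int        # inherent likelihood, 1-5 (assumed scale)
    impact: int            # inherent impact, 1-5 (assumed scale)
    control_adequacy: int  # 0 = no controls ... 3 = strong controls (assumed scale)


def inherent_score(r: Risk) -> int:
    """Inherent risk: likelihood x impact before existing controls are considered."""
    return r.likelihood * r.impact


def residual_likelihood(r: Risk) -> int:
    """Assumed control model: each point of control adequacy lowers likelihood by one, never below 1."""
    return max(1, r.likelihood - r.control_adequacy)


def residual_score(r: Risk) -> int:
    """Residual risk: what remains after existing controls."""
    return residual_likelihood(r) * r.impact


def heat_map_quadrant(likelihood: int, impact: int) -> str:
    """Quadrant names follow the deck's heat map (impact vertical, likelihood horizontal)."""
    high_l, high_i = likelihood >= HIGH, impact >= HIGH
    if high_i and high_l:
        return "Strategic imperatives"
    if high_i:
        return "Extraordinary events often overlooked"
    if high_l:
        return "Secondary risks - focus on controls"
    return "Lower priority - focus on efficiency"


def suggested_response(likelihood: int, impact: int) -> str:
    """Assumed mapping of heat-map position to the deck's four responses.

    Actions target whichever dimension is high: high likelihood calls for
    controls (reduce); high impact alone is transferred or shared; both high
    demand reduction or exit; neither is accepted and monitored.
    """
    high_l, high_i = likelihood >= HIGH, impact >= HIGH
    if high_l and high_i:
        return "Reduce (institute controls) or Avoid"
    if high_i:
        return "Transfer or share"
    if high_l:
        return "Reduce (institute controls)"
    return "Accept/retain (monitor)"


def control_gap(r: Risk) -> bool:
    """Assumed rule for 'control adequacy too low for the level of risk':
    the inherent position is outside the lower-priority quadrant yet controls are weak (<= 1)."""
    lower = heat_map_quadrant(r.likelihood, r.impact) == "Lower priority - focus on efficiency"
    return not lower and r.control_adequacy <= 1


def assess(register: List[Risk]) -> List[Dict[str, object]]:
    """Score every risk and return rows prioritized by residual risk, highest first."""
    rows = []
    for r in register:
        rl = residual_likelihood(r)
        rows.append({
            "name": r.name,
            "category": r.category,
            "inherent": inherent_score(r),
            "residual": residual_score(r),
            "quadrant": heat_map_quadrant(rl, r.impact),
            "response": suggested_response(rl, r.impact),
            "control_gap": control_gap(r),
        })
    # sorted() is stable, so equal residual scores keep register order
    return sorted(rows, key=lambda row: row["residual"], reverse=True)


# Constructed sample register; names are taken from the deck's risk model, scores are invented.
SAMPLE_REGISTER = [
    Risk("Ransomware / information breach", "Technology", likelihood=4, impact=5, control_adequacy=0),
    Risk("Billing accuracy / compliance", "Financial", likelihood=5, impact=3, control_adequacy=3),
    Risk("Turnover", "Human Capital", likelihood=3, impact=2, control_adequacy=0),
    Risk("Natural disaster", "Hazard", likelihood=1, impact=5, control_adequacy=1),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        flag = " [control gap]" if row["control_gap"] else ""
        print(f"{row['name']:32} inherent={row['inherent']:2} residual={row['residual']:2} "
              f"{row['quadrant']} -> {row['response']}{flag}")
```

Running the module prints the prioritized register; ransomware sorts to the top as a strategic imperative with a control gap, the well-controlled billing risk drops to lower priority on a residual basis, and the natural-disaster entry lands in the high-impact, low-likelihood quadrant that the deck warns is often overlooked.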

Risk Monitoring
- Risk monitoring should follow from risk assessments: higher risks should be monitored more frequently and in more depth
- Key risk indicators (KRIs) are critical to early identification of risks and, as a result, fewer surprises
- KRIs should be forward-looking; Key Performance Indicators (KPIs) are primarily backward-looking

Risk Reporting
- Reporting should also follow from risk assessments, with higher risks reported in more depth
- Emphasis of risk reporting should be on highlighting key risks and recommendations for, and status of, management action
- Volumes of detail should be avoided, particularly for board reporting
- Reports should include early indicators and emerging risks
- Best practices include the development of ERM dashboards that provide a holistic view of risk and thoughtful analysis

MANAGEMENT STRATEGIES FOR SPECIFIC HEALTH CARE RISKS: Health Care

Cybersecurity Risk
Today's organizations face innumerable threats:
- Advanced persistent threats (APTs)
- Social media
- Social engineering
- Spear-phishing
- Ransomware
Resulting risk:
- Patient care
- Breach and related cost
- Reputation

Risk Management (cybersecurity risk)
- Identify: technology organization catalogues cyber risk threats
- Assess/measure: threats ranked and residual risk determined; part of organization risk analysis; hacking identified as a specific high risk
- Manage/respond: to reduce hacking risk, continuous network scanning performed; periodic third-party network testing
- Monitor: management process for measuring the effectiveness of the procedures; KPIs for the reduction of vulnerabilities
- Report: cyber threat risks, mitigation plan and progress documented; residual risk determined

Revenue Cycle Charge Capture Risk
Charge capture risks include:
- Missed net revenue opportunities
- Delayed or denied payments
- Increased rework and reconciliation on the back end
- Extended accounts receivable cycles
- Dissatisfied customers from incorrect billing
- Potential Medicare inquiries or expensive penalties due to inaccurate billing
- Inaccurate data for contract negotiation

Risk Management (charge capture risk)
- Qualitative and quantitative assessment of current processes compared to industry best practices to identify opportunities for improvement
- Analyze all departmental procedure charges to determine if each is inclusive of all supplies and procedures used/performed
- Establish a formal process that involves the business office and department managers to review existing charge codes and to establish new charge codes
- Performance measurement of the charge capture and clinical documentation functions can be achieved by utilizing various KPIs and benchmarking against industry standards
- Hold quarterly meetings with department managers to review and update the chargemaster and review third-party contracts

RISK MANAGEMENT BEST PRACTICES: Health Care

Obstacles
- Inadequate support from senior management and/or lack of broad participation
- Length of time to implement
- Competition among various units: quality assurance, risk management, compliance, internal audit, operations
- Cultural challenges
- Communication
- Limited use of technology
- No common risk taxonomy
- Limited expertise
- Challenging to demonstrate ROI
- Inadequate follow-through and refinement

Lessons Learned
- Tone at the top
- Crawl, walk, run
- Build on tools and processes already in place
- Simplicity at the outset
- Culture, culture, culture

RSM US LLP One South Wacker Drive Chicago, Illinois +00 (1) 800 274 3978 www.rsmus.com This document contains general information, may be based on authorities that are subject to change, and is not a substitute for professional advice or services. This document does not constitute audit, tax, consulting, business, financial, investment, legal or other professional advice, and you should consult a qualified professional advisor before taking any action based on the information herein. RSM US LLP, its affiliates and related entities are not responsible for any loss resulting from or relating to reliance on this document by any person. RSM US LLP is a limited liability partnership and the U.S. member firm of RSM International, a global network of independent audit, tax and consulting firms. The member firms of RSM International collaborate to provide services to global clients, but are separate and distinct legal entities that cannot obligate each other. Each member firm is responsible only for its own acts and omissions, and not those of any other party. Visit rsmus.com/aboutus for more information regarding RSM US LLP and RSM International. RSM and the RSM logo are registered trademarks of RSM International Association. The power of being understood is a registered trademark of RSM US LLP. 2015 RSM US LLP. All Rights Reserved.