ENTERPRISE RISK MANAGEMENT IN HEALTH CARE
April 27, 2017

Presenters
- Adam Marshall, Director, Risk Advisory Services, RSM US LLP, Adam.Marshall@rsmus.com, +1 410 246 9251
- Jessika Garis, Manager, Risk Advisory Services, RSM US LLP, Jessika.Garis@rsmus.com, +1 813 316 2247

Agenda
- Overview of Enterprise Risk Management
- Risk Assessments and Key Areas of Risk
- Management Strategies for Specific Health Care Risks
- Risk Management Best Practices for Healthcare
OVERVIEW: Enterprise Risk Management
What is Business Risk?
The threat that an event or action/inaction will adversely affect an organization's ability to achieve its business and strategic objectives. Put simply:
- Something bad will happen
- Something good won't happen

What types of companies assume risk?
The question isn't whether your organization has assumed business risk; assuming risk in the pursuit of your objectives is the essence of a business. The question is whether you fully understand the risk your organization has assumed and whether it is monitored, managed and aligned with your risk tolerance.

Risk management: everybody does it, but how they do it varies greatly
- Informal: "We've got it covered"
- Structured: "Let me explain the underlying risk, what our exposure is and how we're managing it"

When resources are tight, why dedicate more effort to risk management?
Historically, investments in structured risk management programs were driven by two primary factors:
- Regulatory requirements
- Management priority
Increasingly, risk management programs are more necessary due to additional pressures:
- Protection of market value
- Expectations of counterparties and the associated risks
- Management's need to demonstrate reasonable awareness and management of risks

Value-destroying events can come from anywhere
Dispersing the management and visibility of risks throughout the organization doesn't minimize the threat. It makes it harder for senior management to monitor and address emerging risks before they become significant events. Value-destroying events can come from anywhere:
- Strategic
- Technology
- Regulatory
- Reporting
- Operational challenges
- Security
- Finance
Background: Why ERM
Organizations take a more strategic perspective of risk from the top down. Benefits:
- Strategies and solutions that support mission, vision and values
- Better anticipation of the unexpected
- Efficiency and effectiveness in the treatment of risks
- Improved decision making
- Allocation of resources
- Understanding of risk interdependencies
- Identification of strategic competitive advantages
- Patient safety and the delivery of care that is effective, efficient and safe

Traditional Risk Management vs. ERM
Traditional Risk Management:
- Tactical, compliance focused
- Silo-based processes
- Program or risk type view
- Looks at risks individually
- Business decisions not closely linked to risks
- Driven by risk management and internal audit
- Supported by rules
ERM:
- Strategic, performance focused
- Consistent risk management approach across the enterprise
- Holistic view of key risks
- Considers risk interactions
- Business decisions based on a clear understanding of risks
- Driven by the board and owned by the business
- Supported by a risk culture

A Holistic View of Risk
What is a holistic view of risk?
- Aggregated risk exposures across the enterprise
- Consideration of all types of risk, including interactions between risks
- Consideration of alternative, forward-looking scenarios
Risk types vary by industry and may include: Operational; Clinical / Patient Safety; Strategic; Market; Compliance; Reputational; Legal; Environmental; Security

Range of ERM Practices
Small organization ERM practices:
- Policies for each risk type
- Decisions based primarily on management judgment
- CFO or other executive responsible for risk oversight
- Less board involvement / reliance on the Audit Committee
- Manual aggregation processes
- Tactical risk management training
Large organization ERM practices:
- Formally documented ERM framework
- Decisions based on complex, data-driven analysis
- ERM function and CRO
- Active board and risk committee involvement
- Highly automated aggregation and reporting processes
- ERM training based on a common risk language

A Practical Approach to Implementing ERM
Start with the basics:
- Understand what you already have
- Using a framework, determine where you want to go
- Why are we doing this? What do we want to get out of it (upside vs. downside risk)?
- How will your organization's culture react to ERM adoption?
- Who in your organization (or outside) will be involved at each phase, and what skill sets are necessary?
- Determine your time horizon: while there are near-term benefits that can be achieved, most ERM frameworks take 18 months or longer before they take root
COSO ERM Framework (In Exposure Draft)
Our ERM Framework
An ERM framework should include:
- Risk governance
- Risk appetite setting
- Enterprise-wide risk management processes:
  - Identification of risks
  - Assessment / measurement of risks
  - Monitoring of risks and actions to address risks
  - Management of risk through controls / risk responses
  - Reporting of risks and the status of action plans
- Integration with business decision-making
- Establishment of a strong risk culture

Integrating ERM into decision-making
- To be effective, risk management must be integrated into day-to-day business line activities and corporate decisions
- Risk managers must be involved at the onset of strategy-setting processes
- Risks associated with new products/services should be considered and communicated to the board
- Analysis of emerging risks and stress tests should influence business decisions
- Risk information should be shared across the organization to avoid the same event recurring

Risk Governance
Governance structure: Board oversight; ERM committee; Risk committees; ERM function
Responsibilities:
- Reviews and approves risk strategies, frameworks, and policies
- Reviews risk reports and recommends/monitors risk limits and action plans
- Oversees the implementation of the ERM framework/controls
Supporting elements: Risk policies; Risk appetite; Incentives; ERM training; Capital adequacy; Product/strategy review

Risk Culture
Development of a risk culture is critical to effective ERM. Ways to establish a risk culture that is supportive of risk management:
- Tone at the top:
  - Reference the importance of risk management in the organization's objectives
  - Incorporate risk management into ongoing executive management communications
  - Exhibit the desired risk management behaviors
- Code of Conduct or Ethics
- Risk management factors included in incentive and performance evaluation plans
- Clearly defined roles and responsibilities that are consistent with the three lines of defense

Risk Appetite
- An effective ERM program relies on the establishment and communication of the organization's risk appetite
- Helps employees to understand the specific risks that the organization is willing and not willing to take
- Provides a means for ensuring that actual risk-taking is consistent with the organization's risk-taking capacity

Risk Appetite
There are many ways to define risk appetite:
- Statements, such as "zero tolerance for compliance risk"
- Specific programs, markets and/or groups that are outside of the organization's risk tolerance
- Metrics that define risk thresholds, such as financial measures (e.g., ROI target) or limits (e.g., % of total risk exposure)
Are you able to articulate your organization's appetite or tolerance for risk?
RISK ASSESSMENTS AND KEY AREAS OF RISK: Health Care
Risk Management Processes
Risk management processes are grouped in different ways but generally include the following cycle:
- Identify
- Assess / measure
- Manage / respond
- Monitor
- Report
Ideally, each of these processes should be ongoing rather than, for example, annual.

Risk Identification
Risk identification processes should begin with appropriate planning:
- Mapping of the organization's programs and processes
- Determination of the risk types to be included in the process (e.g., operational, legal, reputational)
- Identification of resources responsible for each area in the process
Risks can be identified through various methods, such as interviews, surveys and/or facilitated workshops:
- Different levels of the organization may have different perspectives on risks
- Include emerging risks
- Be wary of "risks" that are really the absence of controls

Risk Identification
Sample identification methods:
- Documentation such as: strategic plan, adverse event reporting, consultant reports and inspections, committee reports, peer review / quality metrics
- Risk questionnaires/surveys
- Facilitated working sessions, brainstorming, focus groups, interviews
- The Joint Commission Sentinel Event Alerts
- Patient satisfaction surveys

Identification of Strategic Risks
Strategic risks are risks that are material to an organization's ability to execute its strategy and achieve its business objectives. Sources of strategic risk to consider:
- External: Competitors; Brand; Partnering; Customers; Regulators; Suppliers
- Internal: Planning; Execution; Employee engagement; Access to funding; Infrastructure; Readiness
Health Care Risk Model
Strategic / External:
- Competition
- Affiliation, Mergers & Acquisitions
- Variability in Patient-Related Volume
- Research Grant / Funding Availability
- New Models for Care Delivery
- Diminished Market
- Regulatory Change / Healthcare Reform
- Conflict of Interest
- Decreased Capital Spending
- Hospital / Physician Relationship
- Availability of Public Data
- Business Management Discipline / Cost Management
Operational:
- Equipment Maintenance
- Failure to Identify & Follow EBM
- Facility Maintenance
- Timely Access to Care
- Failure to Refer
- Failure to Diagnose
- Clinical Continuity
- Insufficient Discharge Planning
- Inconsistent Clinical Competency
Human Capital:
- Hiring & Retention
- Organizational Structure, Alignment & Direction
- Succession Planning
- Unionization
- Turnover
- Recruitment
- Aging Workforce
- Disruptive Behavior
- Flex Staffing
- Workers Compensation
- Physician Shortage
Financial:
- Credit / Collections
- Financial Performance
- Billing Accuracy / Compliance
- Payer Mix / Reimbursements
- Pension / Retirement Obligations
- Philanthropy / Fundraising / Capital Campaign
- Failure to Meet Margin
- Uncompensated Care
- Access to Capital
- Contract Management
- Revenue Enhancement
Legal & Compliance:
- Conflicts of Interest
- Fraud, Theft and Embezzlement
- Governance, Compliance and Oversight
- ACO
- HIPAA Privacy & Security
- Health Reform
- Employment Practices
- Multiple Vendors
- Social Networking
Technology:
- Information Breach
- Bar Coding
- Hybrid EMR
- IT Infrastructure & Security
- Paucity of IT Professionals
- Failure to Act in a Timely Manner
- Incompatible Programs
Hazard:
- Natural Disaster
- Failure to Plan
- Failure to Act Timely
- Inability to Manage a Crisis
- No Backup Systems or Appropriate Duplicate
Risk Assessment
- Risk assessment should begin with clarification of the objectives
- Program and internal audit risk assessments have different purposes (e.g., prioritization of risks vs. basis for audit plans)
- Common definitions, including inherent vs. residual risk, risk levels, and the adequacy of controls, should be clearly communicated. For example:
  - A risk with a high likelihood may result in losses on a daily basis
  - A risk with a high impact may result in a loss equal to X, or significant harm to the organization's reputation

Risk Assessment
Best practices in risk assessment include:
- Identification of risks against key business objectives
- Coordination of risk assessments through interviews, surveys or facilitated workshops to ensure consistency
- Use of available information, such as Key Risk Indicators (KRIs), to ensure objectivity
- Assessments of the adequacy of internal controls must also be objective
- Oversight and use of information, such as the results of quality control reviews, are critical

Using Risk Assessments
Internal audit assessments are generally used to:
- Determine the scope and frequency of audits
- Compare to business line assessments
Program assessments are used to:
- Prioritize risks across the organization
- Identify the top risks to the organization
- Identify appropriate responses to risks, as well as areas where the adequacy of controls is too low for the level of risk
- Drive risk-based monitoring processes
Avoid the "black hole" of risk assessment data!

Risk Heat Map (vertical axis: Impact, low to high; horizontal axis: Likelihood, low to high)
- High impact, low likelihood: Extraordinary events, often overlooked
- High impact, high likelihood: Strategic imperatives
- Low impact, low likelihood: Lower priority, focus on efficiency
- Low impact, high likelihood: Secondary risks, focus on controls

Risk Management / Responses
- Risk responses should be based on assessment of loss frequency and impact
- Management actions should be specific to reducing likelihood or impact, depending on which one was assessed as high
- The most common risk responses include:
  - Avoid (get out)
  - Accept/retain (monitor)
  - Reduce (institute controls)
  - Transfer or share (partner with someone)
- Action plans with assigned owners should be developed and monitored by a risk committee

Risk Monitoring
- Risk monitoring should follow from risk assessments
- Higher risks should be monitored more frequently and in more depth
- Key risk indicators (KRIs) are critical to early identification of risks and, as a result, fewer surprises
- KRIs should be forward-looking; Key Performance Indicators (KPIs) are primarily backward-looking

Risk Reporting
- Reporting should also follow from risk assessments, with higher risks reported in more depth
- Emphasis of risk reporting should be on highlighting key risks and recommendations for, and status of, management action
- Volumes of detail should be avoided, particularly for board reporting
- Reports should include early indicators and emerging risks
- Best practices include the development of ERM dashboards that provide a holistic view of risk and thoughtful analysis
MANAGEMENT STRATEGIES FOR SPECIFIC HEALTH CARE RISKS: Health Care

Cybersecurity Risk
Today's organizations face innumerable threats:
- Advanced persistent threats (APTs)
- Social media
- Social engineering
- Spear-phishing
- Ransomware
Resulting risk:
- Patient care
- Breach and related cost
- Reputation

Risk Management (cybersecurity), following the risk management cycle:
- Identify: the technology organization catalogues cyber risk threats
- Assess / measure: threats ranked and residual risk determined; part of the organization's risk analysis; hacking identified as a specific high risk
- Manage / respond: to reduce hacking risk, continuous network scanning performed and periodic third-party network testing
- Monitor: management process for measuring the effectiveness of the procedures; KPIs for the reduction of vulnerabilities
- Report: cyber threat risks, mitigation plan, and progress documented; residual risk determined

Revenue Cycle Charge Capture Risk
Charge capture risks include:
- Missed net revenue opportunities
- Delayed or denied payments
- Increased rework and reconciliation on the back end
- Extended accounts receivable cycles
- Dissatisfied customers from incorrect billing
- Potential Medicare inquiries or expensive penalties due to inaccurate billing
- Inaccurate data for contract negotiation

Risk Management (charge capture), applying the risk management cycle (identify, assess/measure, manage/respond, monitor, report):
- Qualitative and quantitative assessment of current processes compared to industry best practices to identify opportunities for improvement
- Analyze all departmental procedure charges to determine if each is inclusive of all supplies and procedures used/performed
- Establish a formal process that involves the business office and department managers to review existing charge codes and to establish new charge codes
- Performance measurement of the charge capture and clinical documentation functions can be achieved by utilizing various KPIs and benchmarking against industry standards
- Hold quarterly meetings with department managers to review and update the chargemaster and review third-party contracts
RISK MANAGEMENT BEST PRACTICES: Health Care

Obstacles
- Inadequate support from senior management and/or broad participation
- Length of time to implement
- Competition among various units: quality assurance, risk management, compliance, internal audit, operations
- Cultural challenges
- Communication
- Limited use of technology
- No common risk taxonomy
- Limited expertise
- Challenging to demonstrate ROI
- Inadequate follow-through and refinement

Lessons Learned
- Tone at the top
- Crawl, walk, run
- Build on tools / processes in place
- Simplicity at the outset
- Culture, culture, culture
RSM US LLP, One South Wacker Drive, Chicago, Illinois, +00 (1) 800 274 3978, www.rsmus.com

This document contains general information, may be based on authorities that are subject to change, and is not a substitute for professional advice or services. This document does not constitute audit, tax, consulting, business, financial, investment, legal or other professional advice, and you should consult a qualified professional advisor before taking any action based on the information herein. RSM US LLP, its affiliates and related entities are not responsible for any loss resulting from or relating to reliance on this document by any person. RSM US LLP is a limited liability partnership and the U.S. member firm of RSM International, a global network of independent audit, tax and consulting firms. The member firms of RSM International collaborate to provide services to global clients, but are separate and distinct legal entities that cannot obligate each other. Each member firm is responsible only for its own acts and omissions, and not those of any other party. Visit rsmus.com/aboutus for more information regarding RSM US LLP and RSM International. RSM and the RSM logo are registered trademarks of RSM International Association. "The power of being understood" is a registered trademark of RSM US LLP. 2015 RSM US LLP. All Rights Reserved.