PYA Principal Shannon Sumner co-presented “Enterprise Risk Management” at the HCCA Board Audit Committee Compliance Conference, February 27-28, 2017, in Scottsdale, Arizona.
The presentation covered:
• The role of the governing Board of an organization in enterprise risk management (ERM)
• Effective ERM in today’s healthcare setting
• When ERM fails: “The perfect storm”
Prepared for Health Care Compliance Association
SPEAKERS
Kimberly A. Lansford
RN, BSN, MHL, CHC ®
Chief Compliance Officer
PennState Health
Shannon Sumner
CPA, CHC ®
Principal/Shareholder
Pershing Yoakley & Associates, P.C.
ssumner@pyapc.com
PERSHING YOAKLEY & ASSOCIATES, P.C.
800.270.9629 | www.pyapc.com
What Is Enterprise Risk Management (ERM)?
• A process that engages all in the practice of identifying, managing, monitoring, and communicating risks across an organization
• Main objective is to help management and the board understand and manage those events most likely to impact the organization’s strategic objectives
• Its aim is to function in a proactive and efficient manner and as a key enabler of the organization’s strategic objectives
• It seeks to orchestrate the harmonization, synchronization, and rationalization of areas managing risks by moving beyond organizational barriers to open transparent communications across disciplines
Definitions
• Risk Culture: "The values, beliefs, knowledge, attitudes and understanding about risk shared by a group of people with a common purpose, in particular the employees of an organization" (Institute of Risk Management)
• Risk Appetite: Relates to the amount of risk that an organization is willing to seek or accept in the pursuit of its long-term objectives
Source: The Institute of Risk Management https://www.theirm.org/
ERM Provides a Process that Allows the Organization to:
• Present governance and management with a comprehensive picture of interdependent risks across the entire enterprise
• Break down the department silos that tend to exist in assessing risk
• Create cross-functional teams evaluating risk using a common framework
• Communicate information about risks in a consistent manner
Traditional Healthcare RM vs. ERM
Traditional Risk Management
• Reactive, incident-based, clinically focused program
• May use different processes, controls, metrics, language, and frameworks for discussing risks and risk mitigation strategies
• Considers impact of risks to specific departments or issues in isolation
• Focus on adverse events most likely to impact operations and finances
• Examines risks individually, with limited communication between disciplines to consider the impact of their actions on other parts of the organization
• Defines risks in terms of the probability that adverse events will occur and result in financial losses
• Tendency to be a bottom-up approach
Enterprise Risk Management
• Proactive, holistic, multi-disciplinary approach focused on anticipating and managing both internal and external risks
• Provides a common framework, processes, metrics, and language for discussing risks and risk mitigation strategies
• Considers impact of risks across the organization
• Focus on events most likely to impact strategic objectives
• Emphasis on synergistic relationship among and between risks that span across the organization
• Recognizes that risk does not solely mean something negative has or could occur – something good not happening as a result of not acting is also a risk
• Top-down and bottom-up approach
ERM Benefits
• Helps identify and understand key risks impacting achievement of strategies and objectives
• Invites broad participation and perspectives of senior leaders and governance
• Helps avoid a “functional silo” approach that often fails to consider the interconnective nature of risks across large, complex organizations
• Provides a common framework for discussing risks and risk management or “treatment” strategies
• Assists in establishing accountabilities for risk management activities
• Integrates risk planning with strategic and tactical planning
• Over time, more effective and cost-efficient management of risks increases enterprise value
Why Is an ERM Approach Important?
• The United States Federal Sentencing Guidelines are clear that standards and procedures should provide sufficient and effective controls that take into account the highest risk areas, given an organization’s business
• The Office of Inspector General (OIG) recommends a risk-based approach in its guidance, and recent Corporate Integrity Agreement templates require a provider’s compliance program to include a comprehensive risk assessment and internal review process
• The OIG is clear that a comprehensive risk assessment cannot be pursued by the Compliance Department alone, and involvement from key business leaders (including legal) is critical to the effectiveness of the risk assessment process
Why Is an ERM Approach Important? (cont.)
• All major rating agencies include ERM in their evaluation of credit ratings
• Critical component of financial and insurance industry evaluations
• Healthcare auditing entities, such as those that have oversight for HIPAA, may inquire into the process when auditing areas that require a risk-based approach (e.g., information security)
Why Is the Compliance Department Well Situated to Facilitate an ERM Approach?
• An ERM approach engages all workforce members in the practice of identifying, managing, monitoring, and communicating risks across the organization
• We are already doing this with regard to our compliance risks in our compliance programs
Components of a Successful ERM Approach
Step One: Know the Business Climate
• Understand which business factors have the ability to impact operations or cause potential compliance concerns
• Benchmark both inside and outside the organization, and possibly even outside the healthcare industry
Components of a Successful ERM Approach (cont.)
Step Two: Understand and Prioritize Risks and Opportunities
• Ensure colleagues understand how to identify and report risks and opportunities
• Two key activities:
  • Deploy a comprehensive Education and Awareness program
  • Perform an Enterprise Risk Assessment, with focused reviews of an organization’s most significant risks, on an ongoing basis
• Leverage existing strategies used by colleagues to report events, such as those utilized in Privacy, Information Security, Insurance/Risk Management, Compliance, Clinical/Nursing, and other departments
Components of a Successful ERM Approach (cont.)
Step Three: Manage the Identified Risks and Opportunities
• Create a centralized process or have a collaborative process to analyze and manage risk and opportunity information
• Some common risk management (“treatment”) techniques:
  • Avoidance (eliminate, withdraw from, or not become involved)
  • Reduction (optimize – mitigate)
  • Sharing (transfer – outsource or insure)
  • Retention (accept and budget)
Components of a Successful ERM Approach (cont.)
Step Four: Reporting and Metrics
• Reports and metrics can be used by operations, budgeting, strategy, audit, compliance, and many other departments for strategy and decision-making, where the consideration of risk can influence the outcome
• Dashboards, risk monitoring reports, qualitative, and quantitative analysis can be used to measure the effectiveness of risk treatment activities and to understand any implications for an organization’s overall business strategy
Components of a Successful ERM Approach (cont.)
Step Five: Risk “Alert” Culture and Risk Control
• A risk alert culture is the intrinsic understanding and assessment of risk embedded in day-to-day operations. It fosters the integration of enterprise risk principles throughout every layer of the organization
• Risk Controls are measures to limit vulnerabilities and manage risks to an acceptable level
• A risk alert culture and risk control are created by:
  • Adhering to policies and procedures, laws, and regulations
  • Educating and holding colleagues accountable for evaluating risk holistically in strategic initiatives
  • Creating and utilizing a common language
  • Effectively using preemptive risk concepts within business units
ERM Is Everyone’s Responsibility…
• ERM engages everyone at the organization in the management of those risks for which they are responsible
• Risk ownership does not reside in a single department
• The compliance department can easily facilitate an ERM approach to managing risks across the organization
ERM Is a Journey…It Is Not a Destination!
Board Accountability for Risk
• Greater Scrutiny from OIG and DOJ
• Recent CIA Risk Assessment Requirements
• Three Lines of Defense Theory
• Quality of Risk Assessment Process
• Ongoing Risk Assessment Process
• Connecting the Dots
Greater Scrutiny Emerges
DOJ Hires Compliance Expert
Source: http://www.corpcounsel.com/id=1202737784530/Report-Justice-Dept-Names-Chen-to-Controversial-Compliance-Counsel-Post?slreturn=20150923095150
“…the person will be assessing the company’s claims about their compliance program – i.e., if a company seeks to claim that it deserves credit for implementing a state of the art compliance program, which is a metric under the Sentencing Guidelines for a break on a fine. The counsel will help subject that to a rigorous analysis, something that a federal prosecutor does not have a lot of expertise in carrying out.”
Risk-Specific CIA Requirements
Source: https://oig.hhs.gov/fraud/cia/agreements/Dignity_Health_10302014.pdf
Risk Assessment and Internal Review Process
“The risk assessment and internal review process shall include: (1) a process for identifying and prioritizing potential risks; (2) developing an assessment plan to evaluate and respond to potential risks, including internal auditing and monitoring of the potential risk areas; (3) developing action plans to remediate potential risks; and (4) tracking results to assess the effectiveness of the risk assessment and internal review process, including any remediation efforts that ABC pursues.”
Three Lines of Defense
Source: Institute of Internal Auditors: The Three Lines of Defense in Effective Risk Management and Control
Quality of Risk Assessment Process
Risk Assessment Inputs – Questions to Ask
• Is the risk universe inclusive of all significant processes/entities/joint ventures/outsourced service providers?
• What is the competency of staff performing the risk assessment?
• What risk-ranking criteria and weight factors are used?
• Have risks to the achievement of strategic objectives been included?
• What is the involvement of other “assurance providers” (e.g., internal audit, legal, compliance, IT, quality, risk management, etc.)?
• Who is the Executive Sponsor (e.g., “Tone at the Top”)?
Quality of Risk Assessment Process (cont.)
Risk Ranking Example
Risk Factor (Weight): Description/Examples
• Internal Control History (25%): Control environment, risk management process, effectiveness of internal controls
• Change (20%): Systems, processes, personnel/turnover, new services, laws and regulations
• Factors External to Process (15%): Industry forces, market forces, national politics, community needs, degree of exposure to adversity, governance/management concern
• Customer Service (Internal & External) (15%): Degree of customer service provided, impact on operations, effect on reputation
• Complexity (15%): Multiple systems required, date of technology in use, equipment and expertise required
• Materiality & Resources (10%): Extent that the size of the unit could affect potential loss to the organization, adequacy of available resources for associated process
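The weighted scheme above turns six factor ratings into one composite used to rank auditable units. The following Python is an added illustration, not code from the presentation or its authors; it assumes a 1 (low) to 5 (high) rating per factor and a weight-averaged composite, and the three units and their ratings are constructed samples.

```python
# Added example (not from the presentation): weighted risk ranking using the six
# factors and weights of the "Risk Ranking Example" slide. Assumed convention:
# each auditable unit is rated 1 (low) to 5 (high) on every factor, and the
# composite is the weight-averaged rating, so it also lands on the 1-5 scale.
WEIGHTS = {
    "Internal Control History": 25,
    "Change": 20,
    "Factors External to Process": 15,
    "Customer Service": 15,
    "Complexity": 15,
    "Materiality & Resources": 10,
}

def validate_weights(weights: dict) -> None:
    """Weights must be positive and sum to 100 so the composite stays interpretable."""
    if any(w <= 0 for w in weights.values()):
        raise ValueError("every weight must be positive")
    if sum(weights.values()) != 100:
        raise ValueError(f"weights sum to {sum(weights.values())}, expected 100")

def composite_score(ratings: dict, weights: dict = WEIGHTS) -> float:
    """Weighted average of 1-5 ratings; missing, unknown or out-of-range ratings are errors."""
    validate_weights(weights)
    if set(ratings) != set(weights):
        raise ValueError(f"ratings must cover exactly these factors: {sorted(weights)}")
    for factor, r in ratings.items():
        if not 1 <= r <= 5:
            raise ValueError(f"rating for {factor} must be 1-5, got {r}")
    return round(sum(weights[f] * ratings[f] for f in weights) / 100, 2)

def rank_units(units: dict) -> list:
    """Return (unit, score) pairs, highest composite risk first; ties broken by name."""
    scored = [(name, composite_score(r)) for name, r in units.items()]
    return sorted(scored, key=lambda p: (-p[1], p[0]))

def ratings(*values: int) -> dict:
    """Build a ratings dict from values given in the same factor order as WEIGHTS."""
    return dict(zip(WEIGHTS, values))

# Constructed sample ratings for three hypothetical auditable units.
SAMPLE_UNITS = {
    "Outsourced billing vendor": ratings(4, 3, 4, 3, 4, 5),
    "New telehealth service line": ratings(5, 5, 3, 4, 4, 2),
    "Established lab": ratings(2, 1, 2, 2, 2, 3),
}

if __name__ == "__main__":
    for unit, score in rank_units(SAMPLE_UNITS):
        print(f"{score:4.2f}  {unit}")
```

The validation steps matter in practice: a weight table that no longer sums to 100% or a unit missing a factor rating silently skews the ranking that drives the audit work plan.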
Quality of Risk Assessment Process (cont.)
Risk Assessment Outputs – Questions to Ask
• Does the prioritization of risks align with risk appetite?
• What is the coverage of risks not able to be audited/monitored?
• Has management accountability been established?
• Are there any significant risks not included?
• Is the resulting work plan risk focused vs. department focused (e.g., risk doesn’t reside in silos)?
• Is there centralized governance oversight and reporting?
Ongoing Risk Assessment
Risk-Trending/Red Flags
• Central themes in internal audit/external audit/compliance reports
• Monitor work plan additions/subtractions
• Monitor deferrals or cancellations (risk is still there!)
• Monitor completeness throughout the year
• Error percentages consistently high (>5%)
• Action plans consistently past due
Ongoing Risk Assessment (cont.)
Places Where Risks Hide
• Outsourced service providers
• Significant turnover/new management
• New and/or complex service lines
• People, Process, Technology
• Lack of ongoing training/education in high-risk areas
• Drivers for incentive compensation
• Lack of contract monitoring (e.g., physicians, outsourced areas)
Connect the Dots
Control Environment “Dashboard”
• Management Letter Comments
• Turnover in Key Management Positions
• External Audit Findings
• Internal Audit Findings
• Audit Follow-up Completion (High Risks)
THANK YOU!