Beyond risk identification Evolving provider ERM programs

Transcription

1 Beyond risk identification Evolving provider ERM programs March 2016 At a glance PwC conducted research to assess the state of enterprise risk management (ERM) within healthcare providers and found many are operating at comparable levels to their peers, in that they have established risk identification and assessment processes. However, given the increasingly complex and risk saturated environment providers operate in, there s an urgency to continuously enhance and improve ERM programs beyond their current capabilities.

2 The top priority of every healthcare organization is patient quality. Yet new forms of competition, changing regulatory requirements, technology advances, and rapidly evolving patient expectations are driving immense change in the healthcare landscape and introducing risks to both patient quality and provider long-term prosperity. Recognizing the risks associated with managing change, healthcare providers have invested in ERM. However, in today s environment, ERM programs must continuously evolve and seek new ways to bring relevant information to their key stakeholders. Through in-depth interviews with leading U.S. healthcare providers we found that, while many provider programs are comparable to their peers, there are additional opportunities to further enhance the risk management investments healthcare providers have made. If providers are going to effectively manage risks and meet their stakeholders risk management expectations, they must evolve their ERM programs to do so. PwC 1

3 Change, complexity and intensified risk Numerous changes are amplifying the complexity of the healthcare landscape and driving the risk profile of provider organizations to expand significantly (Figure 1). The underlying economics of healthcare delivery are transforming as health initiatives target specific populations and health conditions, driving a move away from volume-based service to value-based outcomes via bundled and performance-based payment models. Government program reimbursement changes are also impacting healthcare providers bottom line. As overall expenditures on the Medicare and Medicaid eligible population increases, reimbursement rates paid to providers is decreasing. New market entrants into healthcare, such as traditional retailers and technology companies, are pushing healthcare companies toward new competitive strategies, while the consumerism of healthcare is driving demand for pricing and service transparency and support of care consumption decision-making. In this tumultuous environment, CEOs definitely see more opportunities for their organizations, however, they also see significantly more risk arising from the transformation their sector is undergoing. While 60% of CEOs participating in PwC s 19th Annual Global CEO Survey 1 see more opportunities for their business today, 66% see more risk. As opportunities arise, so do risks. Understanding and responding to the impact of these risk, requires organizations to increasingly invest in capabilities that allow them to proactively identify and manage known and unknown risks to take advantage of opportunities. Thus, to embrace the new health economy, maintain a focus on patient quality, and achieve objectives beyond incremental growth, providers strategic decision-making should be inclusive of comprehensive risk identification, assessment, prioritization, and management. In situations similar to those facing the provider sector, effective risk management has become a competitive advantage, enabling the achievement of strategic objectives. This makes risk management increasingly important to the organization as it navigates both the upside and downside risks associated with their strategies. Top risks identified by healthcare providers 1. Security and privacy 2. Revenue cycle management/icd Payer reimbursement 4. IT infrastructure 5. Third party risk 6. Regulatory environment 7. Patient quality/safety 8. Talent management, clinical labor shortage (nurses primarily), and physician alignment strategy 9. Business sustainability and resiliency/pandemics 10. Mergers, acquisitions and divestitures (including international) 11. Strategic initiatives to address new entrants 1 PwC s 19 th Annual Global CEO Survey ( PwC 2

4 Figure 1: A snapshot of major trends impacting healthcare providers Reimbursement models being redefined Shifting from volume to value as population health initiatives drive a move toward bundled and global payment models Declines in overall Medicare and Medicaid payments New entrants changing the competitive landscape Retailers becoming healthcare providers Companies with new technologies such as wearables and tele-health Mergers and acquisitions Consumerism Consumers, forced to make more of their own care decisions, demanding transparency and enablement of consumer care decision-making Protecting patient privacy and information security while providing transparency and convenience Technology underpinning healthcare is rapidly transforming Increasing use of data to inform decision-making Adoption of electronic medical records Regulatory changes such as ICD-10 coding See PwC s Top health industry issues of for a more complete review of trends. 2 PwC s Top health industry issues of 2015 ( PwC 3

5 The need to move beyond risk identification Risk management within healthcare providers can drive greater relevance and value by expanding its focus, moving from a historical scope of risk identification and avoidance, to helping the organization assure it takes the right risks to succeed and manages them effectively. In its whitepaper, Leveraging COSO Across the Three Lines of Defense 3, the Institute of Internal Auditors notes that risk management is strongest when there is distinct responsibility for monitoring risk as well as for ownership and assurance. In many industries these responsibilities fall to three lines of defense that effectively coordinate the management of risk, share information across the organization and maintain the control environment. The lines of defense work together to comprise an enterprise s risk management capability. In many organizations there is an opportunity for the ERM function to coordinate and lead these efforts. In the last three to five years, healthcare providers have invested in risk management and made progress toward building and formalizing their ERM programs. Most have built an infrastructure to identify and assess risk. In some instances, Chief Compliance Officers are in place, and compliance program structures and focus are being continuously evaluated to align with changing regulatory requirements and the expectations of regulatory agencies. Yet, to drive greater relevance and help their organizations better understand and manage risk, risk management with healthcare providers needs to continuously evolve An effective ERM program for providers would not only address compliance-related risk, but also existing strategic, operational, technological, and financial risks and emerging risks that are derived from organizational and industry changes. In some cases capacity is limiting current ERM program effectiveness. In others, the lack of integration across the organization is driving tremendous inefficiency in managing the organization s risk profile. A siloed view of risk creates inertia across the organization and a negative perception of risk. At the same time, an aggregated, summary view of risk tends to make organizations overly cautious about their strategies, such as getting into new markets or care delivery. In most provider organizations more sophisticated ERM programs are needed to manage the risks associated with their growth strategies versus avoiding them. Understanding the correlation and interdependencies of risks will help drive organizations toward making better strategic decisions. As stated earlier, ERM programs focus on risk identification and assessment and are underserving their stakeholders. These stakeholders, who support the programs, have yet to experience the full potential that ERM can provide. Below we characterize where the industry stands in ERM maturity, identify common attributes of ERM in healthcare today and highlight opportunities for the industry to evolve ERM to improve value and performance. 3 Leveraging COSO Across the Three Lines of Defense ( PDF.pdf) PwC 4

6 Where healthcare providers are today Despite the growing importance of effective risk management, our interviews confirmed that many healthcare providers are slow to adapt a more sophisticated approach to ERM. The current state of healthcare providers risk management capabilities can best be described by the maturity model in Figure 2. Basic: Organizations classified as basic recognize the implications of risk to achieving the organization s financial, operational, compliance, technology and strategic objectives and are increasing discussions accordingly. Risks are typically defined as hazards and considered only in the context of their consequences. There is an understanding of the need to conduct an enterprise risk assessment, risks are identified on a periodic basis and risk reporting is provided to the Audit Committee and senior leadership on an annual basis. A separate risk management process exists outside of the organization s normal management process or cadence. The ERM risk assessment is not coordinated with any other risk assessments conducted in the organization. The ERM risk assessment is focused primarily on the identification and avoidance of risk. Risk rating criteria may be defined, but the assessment lacks any substantive data or analysis and is typically financial in nature. Risk appetites and other risk metrics are not used to measure or monitor risk performance. Risks are not directly linked to the strategic goals or performance initiatives or objectives, and are typically viewed in the aggregate with no correlation of risks or portfolio point of view. Risk information is typically collected and reported up the organization chain of command with no reciprocal information used to enhance management s effectiveness. Evolving: Organizations classified as evolving conduct risk assessments across the second line of defense, but do so with limited coordination or alignment (usually two to three groups). At the enterprise level, the risk assessment is supported by the board and the risk evaluation and rating criteria have been defined with limited use of risk data and metrics. During the evolving phase, the organization s risk universe expands in size and complexity, forcing a narrowing down of risks to the top 10 to 15 enterprise risks. Risk owners are identified for mitigation of risks and are responsible for the development of risk action plans to mitigate risks, but little rigor or discipline is provided to support the monitoring. Alignment between the risk management process and the business management process starts to form, but is limited (usually involving Strategy, Planning or Finance). A Risk appetite statement may exist, but is formulated at the enterprise versus the risk level. Some risks may be directly linked to strategic or performance initiatives and objectives. Established: Organizations with established risk management capabilities have elevated their risk management to incorporate all of the capabilities deficient in basic and evolving functions, including the collection and use of risk data and full use of technology enablement. Established risk management organizations perform risk assessments in a coordinated manner and risk information is integrated into key business processes such as the development of new services, mergers and acquisitions. The results of the risk assessment as well as on going risk data is considered in senior management decision making. Risk owners report the status of risk action plans, and trends in risk activity, to the board. Metrics are used to monitor risk, risk response is tracked and changes are incorporated into the risk profile on a continuous basis. Risk is monitored across a classic three lines of defense structure, with coordination of responsibilities and definition of roles and responsibilities working more in unison. A process and structure is in place to govern across all risks that are relevant and appropriate. PwC 556

7 Figure 2: ERM maturity model Based on these definitions, PwC s assessment of the ERM attributes identified in our interviews places healthcare providers primarily in the basic or evolving maturity level. For example, in most healthcare organizations, a governance, risk, and compliance (GRC) structure to coordinate and simplify the various risk functions and processes does not exist. We found that ERM may coordinate with either internal audit or compliance, but the coordination is primarily around the risk assessment process and does not extend into the other activities of ERM. In the majority (approximately 70%) of study participants, responsibility for ERM-related activities falls under internal audit. ERM-focused resources are limited to less than a single FTE in most cases. Where strong CEO sponsorship exists it has not cascaded down through management levels with, for instance, risk identification and reporting remaining at the leadership team level. Further, our research found that, at virtually 100% of study participants, ERM performs an annual risk assessment that stands alone, outside the normal management process, typically including a survey or management interviews. The ERM process focuses primarily on collecting information from the business, and reporting through a governance process. It is not integrated into existing management processes (such as the planning and reporting cycle or regular leadership meetings) on a consistent basis and information does not typically flow back to help manage the business. Risk functions within the second line of defense create disparate risk management processes and taxonomy that are not integrated into risk discussions across the three lines of defense. PwC 6

8 Most healthcare providers use different GRC technologies such as Open Pages and Archer to support SOX and IT security. However, our research found that there are opportunities to utilize GRC technologies to support ERM or integrate risk management processes. Healthcare providers primarily use Excel, PowerPoint and other desktop applications to execute and capture ERM processes. When a GRC technology is used, it is primarily used as a single risk solution versus an integrated risk management capability. Across healthcare organizations, the scope of risk assessment is typically limited to the identification and assessment of the top risks from a risk avoidance perspective, primarily using likelihood and impact (and sometimes velocity) as evaluation criteria. Even though the evaluation criteria may be well defined, a robust methodology or data to accurately calculate such risk measures lack substance. Management capabilities, risk intersections (linkage to one another or to strategies), risk consequences and risk appetite and tolerances are not considered in the assessment, evaluation or management plans. Risk appetite, if used, is only considered at the enterprise level not at the individual risk level during the risk evaluation or mitigation process. Risk reporting is focused on the most significant risks (usually the top 10 to 15 risks). The study participants, share that beyond the risks, the most frequent risk attributes reported include risk definitions, risk ratings, risk owners, and mitigation plans. Study participants also stated that monitoring of risk and in some cases mitigation plans were limited, with a small group citing risk owners provide annual risk mitigation plan progress updates to the board. Monitoring primarily focuses on the development of remediation plans and high level tracking of progress. Risk metrics, analysis and risk indicators are not routinely used to monitor or report on the risks. None of the study participants cited that testing of management s risk action or mitigation plan progression was incorporated into the ERM program capabilities. With this assessment as context, there is progress occurring in advancing ERM within the healthcare provider sector. ERM teams are starting to educate management that the role of ERM is to assist them in seeking ways to build an understanding of the organization s risk, how those risks are to be managed, and tracking the management and progression of the risks. The objective is to generate a dialog around the business objective and associated risks, create a more detailed understanding and better information about the risk, and provide input on how to manage it to accomplish the business goals. PwC 7

9 Evolving ERM to help achieve growth Given the state of ERM represented by our research, healthcare providers have the opportunity to evolve their ERM program to drive greater relevance, performance and value. Where a company focuses its efforts, of course, is determined by its existing position: Basic functions would focus on building the foundational elements of a risk management framework, while established functions would concentrate on broadening organizational support and embedding and sustaining risk management throughout the enterprise. From PwC s experience, the best programs have a continuous improvement approach where even those doing well are finding ways to enhance their program and drive value to the organization. For all organizations, an important starting point to evolve the ERM program is to clearly define or review the ERM program purpose and value proposition to the program s key stakeholders. Based upon the input gathered from the study participants, the ERM program s purpose and value proposition in the sector is underserving their organizations and stakeholder group. This is demonstrated through the focus of activities in the risk assessment while the activities in the management, monitoring and testing and reporting activities are less robust and in some cases absent all together. Overall, ERM should be well positioned to drive the level of change needed for organizations to reach their goals while managing risk in a dynamic and complex environment. To do so, it must see its role as more than performing an enterprise risk assessment and tracking its status. This requires change, from creating the risk culture and governance in alignment with the organization s strategic planning process to building out the risk processes that are supported by GRC technologies. Key components and behaviors needed to establish an effective ERM program include: Build a risk culture When a strong risk culture exists, a focus on risk has been embedded in the culture through the code of conduct and performance measurements. There are ongoing awareness and training programs designed to explain and reinforce employee roles and responsibilities. Identifying, understanding and managing risk is a priority and responsibility of all members of the management team. To evolve the risk culture: Create the vision for ERM for the organization and embed risk management activities into business, operational and clinical processes. Define risks more broadly than an event that results in challenges and issues that must be avoided. Understand both the opportunity presented as well as the uncertainty that needs to be discussed and effectively managed. Ensure the ERM program is institutionalized such that it is sustainable across the organization and not reliant on any one individual. Build buy-in across the organization. Demonstrate the value that can be derived from ERM through a pilot or proof of concept. Communicate success stories telling how ERM actions have contributed to the achievement of business goals such as managing the increasing cost of providing healthcare by focusing on those areas presenting the most significant risks. One of the nation s largest health systems operationalized ERM by embedding discussions on risk topics into day-to-day operations including quarterly performance reporting, existing committee meetings and discussions with the executive team on specific topics and the implications of risk. PwC 8

10 Formalize risk governance When risk governance is well-defined the board and senior management have specific roles and the three lines of defense are established, with ERM coordinating and driving consistency across the various risk assessment, monitoring and testing activities that occur across the three lines. Actions to formalize risk governance include: Clearly articulate, define, and communicate the roles and responsibilities of the three lines of defense for all key stakeholders from board members through senior leadership and functional management. Educate and train both the board and management on the ERM program s objectives and activities, as well as alignment with strategic and business goals. Provide each of the three lines of defense the means to fulfill those roles, ensuring proper knowledge and staffing of resources including GRC technology to facilitate information sharing, and coordination of risk management activities such as risk assessment, monitoring, and reporting. Create a community among the existing second line risk management functions to break down traditional silos. Develop accountability and escalation guidelines so that it is clear when and to whom issues will escalate. At a national healthcare provider operating in over 20 states, risk owners are responsible for developing and monitoring risk response plans as well as updating, identifying, and analyzing new and emerging risks. This information is used to update the risk profile on a periodic basis. Align to strategic planning Alignment of ERM to the strategic planning process enables ERM capabilities to be used to support the implementation of strategic initiatives. In other words, risk management becomes a strategic enabler. For example, acquisitions are an increasing focus among healthcare providers. Beyond risk identification during the due diligence process, ERM when embedded in the acquisition continuum, provides tools that can help with the successful integration and achievement of synergies by applying the foundational elements to monitor and track progress against risk factors and proactively trigger corrective action if needed. Across strategic initiatives, ERM can enable better business decision making by providing a broader understanding of risks that includes identifying the challenges and opportunities they present and facilitating deeper analysis and management discussion. Actions to take to achieve greater alignment to the organization s strategic planning process include: Leverage the results of the risk assessment to promote a discussion around the implications of the risk profile on the achievement of the operational and financial priorities of the institution. Champion the use of ERM capabilities to support the implementation of strategic initiatives. Integrate ERM processes within key functions such as, planning, mergers and acquisitions, and program management for strategic initiatives. Position the role of ERM as a core management capability relied upon to make key business decisions related to planned initiatives or unanticipated business events. Periodically update the risk profile based on changes in the business environment and emerging risks to help mitigate or anticipate the impact of uncertainties that could change the course on strategy. Use data analytics to help the business better understand the implications of risk and define the correlation between risks. PwC 10 9

11 At one Midwestern healthcare system, key risks are linked to strategic initiatives when evaluating cost and return on investment to determine whether or not the initiative falls within the organization s risk tolerance. One leading healthcare provider incorporates the process of linking all of its top risks to the stated company strategy and underlying strategic objectives, while also tying them back to risks identified in the company s 10K. Standardize risk management processes As ERM matures, the three lines of defense need to evolve to leverage a common risk framework and standardized set of processes. Consistent definition and application of risk rating criteria (impact, likelihood, management effectiveness, velocity) and a standard approach and format for monitoring and reporting risk management activities used across risk functions facilitate a coordinated process. To evolve risk management processes: Establish ERM foundational elements to standardize and create consistency in approach and weed out unnecessary uniqueness and areas of duplicate effort across the various risk management functions or capabilities in the organization. Foundational elements include risk identification, risk appetite, management of risk, testing and monitoring, and reporting. Use of GRC technology drives unification of the risk management processes as well as provides a platform to sustain them over time. Leverage GRC technology to improve existing ERM practices and processes. For example, GRC capabilities facilitate the ability to aggregate risk information across the organization; reduce redundancies resulting from duplication in the identification and assessment of risk occurring in other parts of the organization; improve coordination between control functions and ERM to focus on the most significant risk areas; and enhance the ability to respond to regulatory expectations and identify emerging risks and control issues through better visibility and understanding of risks. Enhance key processes within ERM to fully realize their intent and value. For example, incorporate key metrics in risk action plans and actively monitor the impact of risk and the controls in place to manage them. Identifying changes to key business processes not only improves the control environment, it drives performance improvement for the organization. Apply analytics to further define the qualitative and quantitative impact of risk on the achievement of strategic initiatives and day-today business decisions. Leverage risk information to monitor business activities. Consider risk scenarios to understand the implications of changing business models, industry events and trends, and the interrelatedness and combined impact of risk. Apply risk limits, appetite, and tolerances to measure and monitor the results of risk mitigation activities. Embrace the concept that tolerance changes over time and can drive resource allocation discussions. To maintain currency in risk management processes, the ERM organization at one leading provider meets with risk owners one-on-one on a quarterly basis. The meetings are used to capture changes in risk activity and discuss the effectiveness of risk action plans. Key risk indicators are applied. PwC 1 10

12 Leverage GRC technology to better capture and coordinate risk management activities As the risk environment evolves, enhanced and more sophisticated tools help to support and sustain an advancing risk management process. GRC technologies improve coordination of core risk management activities such as risk assessment, testing and reporting across risk functions that include compliance, internal audit, billing, quality, policy management, privacy, business continuity management and ERM. In addition, it provided greater access to shared data and information across the organization and improved resiliency. To better leverage GRC technologies: Identify existing tools being used across the organization by risk functions and obtain an understanding of how these tools are being used and their capabilities Obtain feedback from users of the existing tools to determine their effectiveness and applicability for use across risk functions to achieve efficiencies by streamlining the risk management process, improving coordination and facilitating risk information sharing Evaluate the capabilities not being used and determine which tools will support an integrated risk management program Develop a GRC technology roadmap that aligns current and future ERM processes and organization level goals or objectives Define a common framework, structure, and taxonomy to implement a GRC technology solution that will support the integration of risk functions with the intent of aligning compliance, risk management and operational initiatives Develop a foundational data model to categorize existing control and risk information to support the current initiatives and possible future initiatives Consider application interconnectivity to other GRC technologies and with other applications in the organization where linkage is required, such as human resources information system. Create a governance structure and high-level responsibility assignment matrix for future GRC technology-enabled risk management processes such as business continuity and ensure stakeholders are involved in future design and implementation activities Conduct a thoughtful and thorough selection process that includes a cross-functional GRC team PwC 111

13 Capitalizing on the upside of risk When benchmarking against peers, most healthcare providers can be confident they are comparable or perhaps even best in class. But, as other industries have demonstrated, there is an opportunity to move beyond current performance and evolve provider ERM programs to add greater value. This is a journey based on continuous improvement and enhancement of the program. As healthcare providers progress along this journey, they can shift ERM from a focus on avoiding risk to one of successfully managing risk. They can link risk management with the strategic objectives of the organization to assure they take the right risks to succeed and manage them effectively. And, they can demonstrate greater relevance and create value for management as they operate in an increasingly complex and risk-filled environment. Contact information For a deeper discussion on where your organization s ERM capabilities stand and how to evolve them, please contact: Stephen V. Zawoyski Enterprise Risk Management Leader stephen.v.zawoyski@pwc.com (612) LaVern Miles Managing Director lavern.a.miles@pwc.com (678) Chris Toppi Director chris.toppi@pwc.com (630) PwC. All rights reserved. PwC refers to the US member firm or one of its subsidiaries or affiliates, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see for further details.