Risk Assessment & Enterprise Risk Management

Transcription

1 Risk Assessment & Enterprise Risk 1 Healthcare Corporate Governance Today s environment requires building a culture of risk awareness and management of risk across the organization, while formulating less redundancy in human capital, adequate risk mitigation aligned with strategic objectives and the overall mission. Enhancing the organizations risk awareness and focus can assist management in the movement beyond reactionary responses into a proactive risk response. Risk has far reaching impact, various operational risk events will impact the system and incidents of risk will be apparent across the system when the focus is not holistic. Organizations must begin to consider the implications of risk across the entire enterprise, in order to achieve the best performance for its investment and maintain the focus for strategic decision-making, instead of on reacting to a particular event, chasing the competition or reacting to low level incidents. 2 There Is a Compelling Case for Improving Risk Governance for Healthcare An accelerated rate of change in healthcare industry The ascension of new business risks and priorities Increased regulatory pressure and oversight from agencies (including complex technical HIPAA requirements) Need for enhanced governance effectiveness Need for enhanced control reliance driving transparency and accountability Increased consumer pricing pressures, and financial reporting and integrity Data Integrity issues resulting from complex billing and payment models Research & Clinical excellence Capital Investment Constraints Resource Shortages Deficient IT investment Low marketplace tolerance for surprises 3 1

2 Goals of an Effective Internal Control Structure for Healthcare Systems Achieve stated mission and objectives of organization Strengthen risk management performance Implement an Integrated Enterprise Risk Process that includes people, process and technology Promote efficiency in operations, reduce risk of asset losses, ensure reliability of financial data and performance Integrity of overall Financial Reporting/Board Reporting Consider utilization of Sarbanes Oxley Compliance Strategy Improve Revenue Cycle operations and focus on cost containment Promote compliance with established policy, laws and regulations HIPAA, Medicare/Medicaid, Contract Administration, JCAHO Improve Quality of Patient Care Reduce Never/Sentinel Events Reduce Medication ID errors Improve Outcomes 4 Movement from Traditional Risk Assessment to Implementing ERM Requires an integration of risk management with existing management processes, identifying future events that can have both positive and negative effects and evaluating effective strategies for managing the organization s exposure to those future possible events. ERM transforms risk management to a proactive, continuous, value-based, broadly focused and process-driven activity. The Past Risks as individual hazards Risk as danger The Future Risks in the context of business strategy Risk as danger and opportunity Risk Mitigation (protect against downside) Risk Limits Haphazard risk quantification Risk Optimization (exploit upside) Risk Strategy Monitoring & Measurement Emphasis: Financial Function Emphasis: Strategic All Functions 5 Historical Internal Audit Coverage Areas Strategic Risks: Limited or non-existent? Tone at the top? Strategic Planning? Real Estate Ventures? Executive T/E Review? Financial Risks: Revenue Cycle Financial Close/Reporting Process Treasury? Inventory/Fixed Assets? Capital Process? Operational Risks: Procurement Process Information Technology? Clinical Rounding? Contract Administration? Compliance Risks: Applicable Laws Regulatory Environment Legal Risks Physician Contracting? Physician Arrangements? 6 2

3 Implement an Integrated Approach to Risk Traditionally, many organizations have a silo d approach to its Risk efforts;, Internal Audit, Compliance and Corporate Ethics, Risk, Legal, Operational Self Assessment, Clinical Quality Units often operate independently. Opportunity to improve the risk management approach exists in today s systems Identify Opportunities to Improve Performance Enhance operational effectiveness Activities operate within the established risk tolerance levels Protect the system against Surprises Taking maximum advantage of risk opportunities, not just adverse events Ensure the technology investment is providing the right return Consistency in Risk Information Imbed the consideration of cost/benefit analysis, process efficiency Consistent measurement of risk thru common risk language Development of new programs and critical projects Improved resource allocations Integrity of Senior Reporting Technology is aligned with the system Build on Governance Momentum in the Industry Expansion or Implementation of Enterprise Risk (ERM) approach to risk management Early Adopter implementation throughout the system Directly tie risk management to accountability and transparency Enable the establishment of selfsustaining programs to identify, assess, and manage risks IT initiatives support the overall system and controls are automated for continuous monitoring 7 Enterprise Risk Defined Enterprise risk management is a process, effected by an entity s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. Committee of Sponsoring Organizations of the Treadway Commission September Enterprise Risk Provides for a common risk language Creating measurement and understanding across the organization. Enhances the current risk identification process This provides assurance that key risks are identified, assessed, monitored, and communicated in an integrated process across the organization. Prepares the system to react to risk events Managers/Directors and Senior Leadership implement process procedures to address the events timely and effectively. Implements a proactive risk strategy versus a reactive response Provides a formal, yet simple communication vehicle This allows management, staff, legal counsel, staff members, and the Board to manage risk. Applies inherent monetary and human resource availability factors into assessing and prioritizing risk Assesses the various key risks that could stand in the way of attaining the organization s mission Limits being SURPRISED by a risk event 9 3

4 Audit s Revised Corporate Governance Approach Audit Redesign Partnering on Special Projects Risk Assessments: Entity/ Process Level and Fraud Staff Retention/Turnover Business Self Assessment Balancing IA with SOX Compliance, Risk and Consulting Services Co-source SME s As Is Process Control Reviews To Be Process Control Reviews Diagnostic Reviews Consulting/Project Approach Remediation/Impleme ntation Support Ongoing Controls Guidance 10 Clinical Focus and Process Alignment Validate Control Environment Organizational or Process Changes Fraud Risk Assessment SME (IT, Technical/Quality Reviews) Documentation: Continuous Updating and Process Validation Testing/Remediation Partnering with Outside Resources (Risk Mgmt, Legal, Compliance) Technology Risk Assessment IT Project Compliance Assurance Business Continuity Technology Security Integrated Risk Assessment The first goal of our risk assessment methodology, is to identify a universe of business risks, then to assess the likelihood of occurrence and the impact of each risk, thus prioritized in order of importance. Consider risks broadly, addressing the strategic, reporting, operating and regulatory compliance risks of facing the organization/system today and in the future. The objectives for conducting an entity wide risk assessment: Identify all areas of potential risk in the organization; Understand the business model factors impacting the organizations risk profile; Evaluate the functions for managing risk; and current integration opportunities, Establish an integrated plan and resources to ensure effective monitoring of risk. 11 Develop Business Model Utilize a risk framework. Identify the various risk frameworks and select an appropriate framework for the system. COSO (Committee of Sponsoring Organizations) Coco (Canadian framework) ERM (Integrated framework) AU/NZ (Australian framework) ISO Guidelines Establish standard business risk language What is risk? Risk? Enterprise Risk? Understand and define the systems risk appetite 12 4

5 Framework for Enterprise Risk The COSO model is a top-down methodology focusing on risks within Strategic, Operational, Reporting and Compliance areas, and is widely accepted in the business community. Embracing this Framework because it forces the organization/system to think of risk very broadly before driving down into lower levels of the organization. In this way, organizations draw conclusions not in departmental silos, but view the common elements of risk across organizational units. The Framework also challenges organizations into decisions around risk appetite, strategy and objective setting, which is very important as most of an organization s decisions around risk will have short- and long-term investments, and modeling those risks is important for building a strategy. Strategic high-level goals, aligned with and supporting its mission Operations effective and efficient use of its resources Reporting reliability of reporting Compliance compliance with applicable laws and regulations 13 Risk Maturity Framework The integrated risk approach begins with an understanding of a System s Risks and Risk practices. Organizations typically reside in one area while aspiring to enhance the successful risk optimization strategy Basic or Fundamental Limited Board or Senior emphasis on risk management Silo d risk monitoring Fragmented coverage of critical risks A common language and consistent approach does not exist Investment in IT limited or fragmented Poor risk communications No effort to anticipate Skillful or Developed Board and Senior support Enterprise wide coordination of risk management activities On going risk profiling Integrated risk coverage among risk monitoring groups and management Tone at the Top support of ERM and alignment to risk tolerance/appetite IT begins to evolve with alignment of objectives Strategic or Optimized Proactive Board and Senior involvement Embed risk activities into ongoing business processes Risk managed and assessed across a common risk culture Constant analysis of risk portfolio Risk optimization and reporting to Board and Senior Leadership Creates a culture of accountability and responsibility and continuous monitoring 14 Risk Opportunity Value Enterprise Risk (ERM) Model UNDERSTAND THE BUSINESS RISK OPPORTUNITY VALUE Business Model Identify & Define Significant Risk Appetite Risks Risk Tolerance Assess Impact Organizational Culture Assess Likelihood Organizational Structure Quantify and Prioritize Optimize Link Risks to Corporate Strategies Create a risk model Linkage to COSO ERM Components: Linkage to Risk Tolerance/Risk Appetite Maximize Risk Profile Fine tune scenarios for risk response Avoidance Share/Transfer Mitigate/Reduce Acceptance Risk based decision making Alignment to Mission Vision and Goals Increased Stakeholder and Shareholder value Cost reduction and enhanced recognition in the marketplace Create risk accountability and responsibility Internal Environment Objective Setting Event Identification Risk Assessment Information and Communication Monitoring Risk Response Control Activities Information and Communication Information and Communication Monitoring Linkage to S & P Guidance: Organization Structure Roles and Responsibilities Accountability Policies to include strategy, tolerance authority and disclosure Infrastructure to include personnel, operations, data and technology Methodology to include risk metrics, stress testing, validation and performance measurement awareness of risk Global Approach to Risk Understanding of future modifications to risk profile Emerging Risks Quantifying Risk Tolerance True assignment of credit rating and understanding of risk exposure 15 5

6 Constantly Adapting to Risk and Identifying your Weaknesses Identifying and documenting risks and processes at the strategic, operational, financial reporting and compliance levels. Developing linkage to strategic corporate objectives, risk tolerance, and risk appetite Developing linkage to processes, to sub-processes, and IT infrastructure Assessing impact and likelihood of risk 16 UNDERSTAND THE BUSINESS Identify Risks Linkage to strategic objectives. Linkage to system processes and sub-processes. Glean information across the system, by performing a thorough interview process. Interview all key stakeholders and follow a risk universe (business model). Develop an understanding of risk events versus audit activities (process) Utilize various venue s to capture risk universe (voting technology, survey, interview, knowledge gained from past results, professional judgment) Provide thorough update to Senior Leadership and the Board. 17 Risk Profile - Categories These distinct but overlapping categories a particular objective can fall into more than one category address different entity needs and may be the direct responsibility of different process owners, managers or executives. 18 Strategic Operational Governance Effectiveness Strategic Plan and Alliances Corporate Oversight Ethics Reputation Public Confidence (Relations) Information & Communication Market Position Care Models IT Infrastructure and Deployment Faith Based Mission Quality and Patient Safety Access & of Patient Care Attract Patients Business Continuity and Disaster Preparedness Licensing/Accreditation Physician Performance Clinical Outcomes Patient Satisfaction Effective and efficient deployment of resources Research 6

7 Risk Profile - Categories These distinct but overlapping categories a particular objective can fall into more than one category address different entity needs and may be the direct responsibility of different process owners, managers or executives. Reporting Financial Reporting Financial Systems Revenue Cycle Treasury & Investments Supply Chain Capital Access & Vendor Relations & Contracts Risk (Insurance) Compliance Tax Exempt Status MD Arrangements Survey response Compliance with Laws & Regulation Information Security & Integrity Claim Compliance Antitrust 19 RISK Analyze Risks Understand gross versus residual risk in the context of likelihood of occurrence of risk event. (Analysis through Rating, Ranking & Prioritizing Risks) Look for patterns, trends, and compile risk events into framework and business/system model (core/support). Provide thorough update to Senior Leadership and the Board. 20 Risk Ranking Definitions Example Risk Tolerance Definition LIKELIHOOD The inherent probability of each risk materializing (without the benefit of existing controls or contingency plans) will be evaluated utilizing a combination of the qualitative and quantitative criteria. Risk Tolerance Definition IMPACT The potential impact of each risk (without the benefit of existing controls) will be evaluated utilizing a combination of qualitative and quantitative criteria (per occurrence, annualized). 21 7

8 Risk Matrix currence Probability of Occ Low Frequency/ High Severity Low Frequency/ Low Severity High Frequency/ High Severity High Frequency/ Low Severity Magnitude of Impact 22 Healthcare Industry Issues and Potential Risks Strategic Operational High level goal supporting strategic growth are not well known Inability to meet increasing customer demand in primary/secondary markets Foundation brand awareness is not well known In-efficient or in-effective use and deployment of resources Loss of patient or public confidence Governance is not known and followed Systems aren t scaleable and utilized to promote information and communication through the system Reliance on technologies is not available to provide just in time information related to patient care Reporting Compliance Leakage within revenue cycle Limited cash flow Limited financial performance Legal action as a result of patient care incident Regulatory oversight pending Inability to react to changing regulatory pressures and scrutiny (e.g. HIPPA, Sarbanes Oxley, IRS 990) Reliability of financial reporting and management decisions based on data provided Evolving processing technologies to support data integrity and real time reporting of key performance indicators Evolving processing technologies creating pressure to maintain competitive edge 23 Risk Tolerance Definition LIKELIHOOD Rating Probability of Risk Materializing Attributes 3 High > 50 % Process is complex and requires significant coordination (detailed procedures have not been documented and appropriately tested and in place to rely upon) Significant oversight and controls to ensure adherence to regulatory requirements High reliance on manual process to ensure system & process integrity IT controls & processes are inadequate to prevent problems 2 Medium % Process is routine but relies heavy on human intervention (procedures exist and are documented but have not been appropriately tested and in place to rely upon) Moderate level of oversight and controls to ensure adherence to regulatory environment (however, regulatory environment is stable/consistent) Moderate reliance on manual and automated control environment to ensure system & process integrity IT controls and processes are documented and provide some assurance 1 Low < 10 % Procedures exist and documented but may not be followed consistently and may require additional control enhancements Minimal oversight required, stable regulatory environment Little or no reliance on manual process to ensure system & process integrity 24 8

9 Risk Tolerance Definition IMPACT Rating Probability of Risk Materializing Attributes 3 High > $10 m Resulting in monetary penalties, prosecution and/or loss of reputation (>5.69% annualized) Hospital wide reduction in Patient Identification errors. > 5 annualized Hospital wide preventable Sentinel events Imminent or serious cash flow problems resulting in use of investments or borrowing Loss of patient or public confidence and/or market share Key sponsors, customers, or alliances are threatened Departmental turnover in critical functions is >25% 2 Medium $5 10 m Reportable self disclosure may result in minimal fine with required plan for corrective action (> % annualized) Hospital wide reduction in Patient identification errors. </= 5 annualized Hospital wide preventable Sentinel events Cash flow may be adversely affected on an interim basis and may require use of investment or borrowing Event requires significant senior management attention and intervention Departmental turnover in critical functions is >20% 1 Low < $1 m Non compliance with existing internal policy & procedures with no resulting external ramifications (</= 4.75 %annualized) Hospital wide reduction in Patient identification errors/target baseline 0 annualized Hospital wide preventable Sentinel events Minimal impact on cash flow 25 Event does not require significant senior management time Departmental turnover in critical functions is >15% OPPORTUNITY Evaluate Risks Evaluate the different scenarios for risk response decisions: Avoidance Share/Transfer Mitigate/Reduce Acceptance Linkage should occur to the risk appetite/tolerance for the system. 26 Sample Risk Profile Almost Certain Revenue Cycle IT Mgmt Compliance Patient Care Likelihood of Oc currence Likely Human Resources Materials Financial Fundraising Strategic Health Information Legal Facility Remote Insignificant Moderate 27 Magnitude of Impact Significant 9

10 VALUE Address Risks Evaluate the different silos and ensure risks are adequately addressed. Ethics (Compliance, Governance) Risk (Insurance, Incident) Clinical Effectiveness (Quality) Audit & Assurance Services (Internal Audit) External Audit Security Legal Environmental Know what s being covered, what s not and more importantly. why!! 28 VALUE Monitor Risks Develop continuous and on-going process. Its everyone s responsibility. Institutionalize the process. Everyone should understand difference between Internal Audit monitoring and other monitoring. 29 ERM Challenges Support of a risk champion to assist in driving the ERM process implementation. Specific qualities needed to be a risk champion : Knowledge of Industry Strategic Focus Evangelist Facilitator Board Access Focused coordination with The System s Risk Functions already in place. ERM is strengthened by the alignment of these groups and common processes and context of risk

11 ERM Challenges Technology: Understand that technology solution's promising an all encompassing implementation solution may not be the answer. Focus on methodology first, utilize technology as enabler to the process. Systemic thinking is key to the process. Systemic thinking drives event identification, gross risk vs. residual risk discussions, and mitigating controls, risk universe vs. audit or silo approach to risk. Raise risk awareness, speak to challenges around accountability and transparency within the system. 31 ERM Challenges Risk Assessment is critical component of ERM but not all encompassing. Group should understand the differences. Show some immediate tangible results. Work off multi year plan Address risk within consistent context throughout the system Define risk tolerance for system Don t underestimate resistance to change. 32 Next Steps Develop Business Model Refine Risk Ranking/Rating Criteria Likelihood Criteria Impact Criteria Control Classifications Perform On-Going Risk Assessment Identify Analyze Evaluate Monitor Broadly Educate Risk Tolerance/Appetite Develop Communication Protocol 33 11

12 Next Steps - continued Further alignment to overall System of Risk Clinical Operations & Effectiveness (incl. Quality) Corporate Ethics and Compliance Risk (Insurance) Audit & Assurance Services Legal Environmental Security Other? 34 Questions?