ENTERPRISE RISK MANAGEMENT, INTERNAL AUDIT & COMPLIANCE: ADOPTING INDUSTRY BEST PRACTICES
Presented by: Cyprian Devine-Perez, PhD, CRMA, NYU Medical Center - Office of Compliance, Privacy & Internal Audit
Co-contributor: Noah D. Shannon, MBE, President, ND Shannon Associates, Inc.
AHIA 31st Annual Conference, August 26-29, 2012, Philadelphia, PA, www.ahia.org
Discussion Items
- Introduction
- Experience & Learnings from Private Sector/BioPharmaceutical Industry
- Translation to Healthcare Providers
NOTE: the content of this presentation contains opinions held by the presenter and does not necessarily reflect positions held by NYU Medical Center.
Biopharmaceutical Industry Learnings
Introduction
- There is a long, productive history of collaboration between the pharmaceutical industry and academic medical centers
- In general, new learnings and technologies have made their way from academia to industry
- In the areas of Internal Audit (IA), Compliance and risk management, however, there may be an opportunity to reverse the direction of this collaboration
- The following presentation shares some perspectives on how this might be done, including practical approaches & tools to align IA, Compliance & Risk Management
My Background
- Started early career in Hospital/Health Administration in NYC not-for-profit and public hospital systems
- Followed by 12 years spent at a NYC-based BioPharma organization in the following capacities:
  - Business Continuity/Disaster Recovery Planning for R&D and Corporate offices
  - Internal Audit: managing audits, SOX & Enterprise Risk Management (ERM) roll-outs
  - Clinical Research: auditing clinical trials around the world
- Currently at New York University Medical Center with responsibilities in the areas of ERM and Internal Audit
BioPharma Experience/Learnings: Private Sector Under Scrutiny
- Life Sciences/Healthcare Industry: significant and increasing regulatory scrutiny, e.g.
  - Financial reporting (SOX)
  - Sales & Marketing Activities
  - Clinical Trials
  - Manufacturing Standards
- Numerous regulators with overlapping demands
Recent Large Pharmaceutical Industry Settlements
Company        Settlement     Allegation
GSK (2012)     $3 billion     Off-label/inappropriate promotion/pricing violations
Abbott (2012)  $1.5 billion   Off-label/inappropriate promotion
Pfizer (2009)  $2.3 billion   Off-label/inappropriate promotion
Additional billion-dollar cases pending
Rise of Individual Liability for Industry Executives
"We are going to start using the responsible corporate official doctrine to get high level executives out of companies" - Lewis Morris, Chief Counsel, OIG
"I can assure you that when we have the evidence, and the facts of the law allow us to pursue criminal cases against individuals such that we can put them in prison for these offenses, we will do that" - Tony West, Assistant Attorney General of DOJ's Civil Division
Why Consider Industry Practices?
- Scrutiny of industry has foreshadowed enforcement for health providers/hospitals
- Regulators made significant investment in infrastructure and development of tested approaches; proved effective given the level of settlements
- Regulator recognition and approval of certain approaches (as codified in Corporate Integrity Agreements, etc.)
Selected Hospital Industry Settlements
Tenet Healthcare        $900 M   Billing violations, including manipulation of payments to Medicare, as well as kickbacks, upcoding, and bill padding.
HCA                     $731 M   Billing for unnecessary lab tests, upcoding, billing for advertising under the guise of community education
St. Barnabas Hospitals  $265 M   Inappropriate billing for outlier Medicaid payments
See Web Resources page at end of presentation for additional details and settlements.
NOTE: Outlier payments may only be claimed if a procedure is particularly difficult or complex
Learnings From BioPharma Industry: Key Program Components
- Internal Environment
- Risk Assessment
- Control Activities
- Information and Communication
- Monitoring
Framework based on Committee of Sponsoring Organizations of the Treadway Commission (COSO), Enterprise Risk Management - Integrated Framework, 2004.
Industry Responses: Internal Environment
Industry Best Practice: Actively create the right culture
- Develop a branded culture and integrity campaign
- Promote tone from the top and from the middle through ongoing communications
- Drive compliance and integrity through performance management (incentives and disincentives)
- Demystify the compliance program through outreach
Industry Responses: Risk Assessment
Industry Best Practice: Formalized, ongoing, closed-loop risk assessment
- Consider automating risk assessment data collection
- Ensure the participation of all relevant stakeholders; don't assess in a vacuum
- Use risk assessment findings to allocate risk mitigation resources
- Close the loop by integrating learnings into future cycles
Industry Responses: Control Activities (1 of 2)
Industry Best Practice: Invest in prevention
- Effective controls may require an investment, but are well worth it
- Don't just develop policy and procedure; ensure widespread awareness through effective training
- Develop controls that are comparable to the sophistication of the underlying practice or transaction
- Partner with IT and others where necessary
Industry Responses: Control Activities (2 of 2)
Industry Best Practice: Drive stakeholder accountability for key controls
- You can't do it alone. Use audits and assessments to drive stakeholder enhancement of their own controls; they own the controls
- Where possible, build compliance controls into existing workflow (e.g., budgeting and financial systems) rather than creating new systems
- Automate reporting of exceptions and other management review tools
Industry Responses: Information & Communication
Industry Best Practice: Get the right information to the right people at the right time
- Identify key signals that provide insight for compliance performance management
- Identify which stakeholders need information, and on what timeline
- Where possible, use systems and dashboards to facilitate communication
- Avoid information overload
Industry Responses: Monitoring
Industry Best Practice: Utilize continuous review across multiple channels
- Inform and focus monitoring based on risk assessment
- Use a combination of live and electronic monitoring
- Capture data electronically to support effective reporting and trending
- Monitor both transactions and compliance signals as well as the effectiveness of controls
BioPharma Responses: Additional Best Practices
- Create concrete goals and objectives for the program and measure your progress
- Assess the overall program on a regular basis; consider using a third party to achieve an objective assessment
- Leverage technology as appropriate to address increasing transaction volumes and to support improved reporting
- Strong partnership between Legal, Compliance, Audit and Quality Assurance organizations
- Ensure linkage with Enterprise Risk Management
Translation to Healthcare Providers
Healthcare Providers: Enterprise Risk Assessment
Enterprise Risk Assessment: Identify key risks across the organization
- Operating environment becoming more complex & dynamic with economic volatility, regulatory change, price pressures, etc.
- Investors & key stakeholders have higher expectations for risk management: no surprises
- Regulators expect risk infrastructure in place and relative to scale & complexity
- Rating agencies incorporating formal ERM assessments into credit rating evaluation process; believe organizations with ERM are better managed
Healthcare Providers: Enterprise Risk Assessment
- Can be used as a resource allocation guide
  - Where should Internal Audit & Compliance focus their time?
  - Where should the Medical Center be spending time on improving controls and/or mitigation activities?
  - Can IA provide insights into improvement opportunities?
- Enhanced governance through understanding of risks and who manages them
- Improved compliance with regulations and requirements through proactive identification & management
- Opportunities to leverage technology in survey tool & reporting
Healthcare Providers: Partial Risk Universe
Risk categories: Financial, Regulatory/Compliance, Strategic, Operational
Risks in the universe (partial list): Late/Lost Charges; Credit Rating; Adverse Changes in Industry Regulations; Economic Recession; Endowment underperforms; New GAAP rules; HIPAA/Privacy; Increase in OIG/Regulatory Focus & Audits; Coding accuracy; Conflicts of Interest; Expense Management; Medicare/Medicaid Fraud; Payor Mix decline; Revenue Cycle - Collections; Human/Animal Research; Copyright violations; Provider Assets; Negative Media Coverage; Competition; Corporate Culture; Loss of Intellectual Property; Patient & Staff Health & Safety; Workplace Violence; Utility failures; Mergers & Consolidation; Emergency Preparedness; Logistics; Provider Failures; Economic Factors; Health Reform; Fraud/Embezzlement; IT Failures (hardware, software, network); Pricing Pressures; Loss of Key Personnel; False Claims Act Qui-Tam lawsuit; Accounting or Internal Controls Failures
Providers face a number of diverse, complex & interrelated risks
Healthcare Providers: Risk Assessment - Getting Started
- Identify key risks: Senior Management interviews
- Define ERM Program infrastructure
- Identify some supporters in other areas, e.g. Finance, Clinical Research, Facilities, etc., who see the value in conducting risk assessments or are already conducting their own
- Provide status reports to Management & Audit Committee on mitigation activities
- Be clear on the role of Internal Audit/Compliance & risk owners, e.g. some risks are to be managed and not audited
- Use as key input to develop the annual Internal Audit and Compliance workplans
Healthcare Providers: Risk Assessment - Define Program Roll-out
Enterprise Risk Management: consider an iterative, multi-year implementation and leverage technologies
- Phase 1: Define Risk Assessment Process & ERM Framework
  - Year One: interviews with Senior Leaders
  - Year Two: on-line survey of Senior Leaders & Key Risk Owners
- Phase 2: Improve Framework & Risk Management Capabilities & Coordination
  - Align Compliance, Internal Audit & other risk assessments
  - Develop SharePoint site to share tools/resources
  - Provide consulting advice
  - Improved reporting
- Phase 3: Transition to a Continuous ERM Program
  - Incorporate into capital allocation decisions & strategic planning
Healthcare Providers: Risk Assessment - Align & Find Supporters
ERM Oversight Committee provides ERM oversight and cross-functional coordination across risk management functions*, including:
- Compliance & Internal Audit
- Board of Directors Audit Committee
- Information Technology
- Crisis Management
- Patient Safety
- Environmental Health & Safety (EHS)
- Security
* Not meant to be a complete list of all risk management functions
ERM can help to align various organizational risk assessments
Healthcare Providers: Risk Assessment - Getting Started
- Define criteria for impact and likelihood
  - Criteria should be simple, but useful across disparate audiences when ranking risks, e.g. regulatory, financial, operational, legal, etc.
  - Involve key financial and other Senior Leaders in developing criteria: what's important to you? What dollar/regulatory sanction thresholds distinguish impact levels?
- Define risk language/terminology: Risk, Control, Inherent/Residual Risk, Mitigation Plans, etc.
Healthcare Providers: Map Risk Assessment Reports
Risk map: Magnitude of Impact/Exposure (vertical axis, Low to High) vs. Likelihood of Occurrence (horizontal axis, Low to High)
- High impact / High likelihood: Improve Strongly
- High impact / Low likelihood: Monitor
- Low impact / High likelihood: Monitor
- Low impact / Low likelihood: Accept/Optimize
Top Risk Areas (not risk-ranked):
1. Clinical Research Activities
2. Construction Project Activities
3. HIPAA/Data Privacy Issues
4. EHR Implementation
5. Faculty Group Physician Contracting
6. Procurement Activities
Healthcare Providers: Risk Assessment - Provide Status Reports (Sample)
Report Date: 6/21/2012   Last Report Date: 5/24/2012   Next Report Date: 8/20/2012
#  Risk Area                           Est. Completion of Major Activities  Proposed Control Owner(s)    Status  Status Update/Comments
1  Clinical Research Activities        9/30/2012                            John Doe                     G       All mitigation activities on target.
2  Construction Project Activities     7/31/2013                            Jane Smith                   Y       Construction audit firm start date delayed.
3  HIPAA/Data Privacy Issues           9/1/2012                             Fred Johnson                 G       Awaiting report from consultant on assessment of current process and controls.
4  EHR Implementation                  1Q2013                               Kenneth Hilton               G       Implementation proceeding as per plan; no significant delays.
5  Faculty Group Physician Contracting 4Q2011                               Cathleen Jones               G       All key mitigation activities occurring on time.
6  Procurement Activities              2Q2013                               Tom Smith & Cathleen Jones   R       Development of key policies and procedures delayed.
Status legend: G = On Schedule to Meet Date; Y = Minor Delays; R = Significant Delays
Healthcare Providers: Risk Assessment - Provide Status Reports (Sample, Risk #3)
Risk Category: Compliance
Risk Area(s): Non-compliance with HIPAA/data privacy standards for protection of Protected Health Information (PHI)
Mitigating Actions:
- Define role-based security with data access limited to specific job function for applications with PHI
- Review and provide protection for specific data types and patient populations, e.g. HIV, Psych, etc.
- Define robust monthly reports to identify potential breaches
- Update all HIPAA/Data Privacy related policies
- Ensure annual training for all employees and vendors, with additional training for employees regularly dealing with PHI
As the ERM program matures, the team can add sophistication to Mitigation Plans with detailed project plans including defined responsibilities, timelines, and detailed tasks.
Healthcare Providers: Risk Assessment - Role of IA
IA should play a role in ERM to use the risk list/profile to develop the annual audit plan:
- Determine risk management standards, e.g. criteria for impact ratings
- Establish common risk language, metrics & tools
- Advise business & functional leaders on risk identification & assessments
- Aggregate risk information across the organization/enterprise
- Establish and facilitate risk reporting processes
IA should not be responsible for managing risk or conducting business unit risk assessments; the business owns the controls and/or the fix
Healthcare Providers: Risk Assessment & Annual Workplan Development (process overview)
- Other sources of risk information: OIG Work Plan, Regulations, DOJ Settlements, Other External, Internal SMEs
- Risk Assessment On-line Survey Tool, completed by Hospital Staff and Senior Leadership/Management
- Risk List
- Mitigation Plans, with progress reported through the Management Report & Dashboard
- Annual Internal Audit & Compliance Workplan
- Audit Committee & Senior Management Reporting
Providers: Internal Environment
Internal Environment: Create a culture of high ethics
- Promote tone from the top and tone at the middle through ongoing communications
- Provide regular communications: emails, newsletters, orientation programs, office meetings, etc.
- Support compliance and integrity through performance management: clear job descriptions & defined performance management processes
- Other key elements: Code of Conduct, Hotline & Outreach activities
Healthcare Providers: Control Activities
Control Activities: Education on controls & control ownership
- Need Management commitment
- Start with good Policies & Procedures
- Education on controls for Senior Leaders & Control Owners, both preventive & detective
- Promote process/control mapping
- Partner with IT & Business Process Owners: increase in automated controls
Industry Responses: Information & Communication
Information & Communication: Identify & map key information and users
- Identify and map who has and who needs what information & timing
- Leverage technology & develop dashboards to facilitate communication; use to aggregate data from multiple systems; try various report formats
- Get clarity from Audit Committee & Executive Management
- Avoid information overload
Industry Responses: Monitoring
Monitoring: Define monitoring activities beyond audits & partner with business process owners
- Inform and focus monitoring based on enterprise risk assessment; use to develop the Annual Audit Plan & inform management
- Use a combination of live and electronic monitoring
- Partner with business process owners for continuous monitoring/quality assurance vs. scheduled audits/reviews
- Monitor transactions: standardized exception reports; partner with business process owners
Healthcare Providers: Summary/Other Learnings
- Keep up with Professional Associations: helpful benchmarking and other information through formal/informal channels
- Partner with business process owners from risk assessment to control mapping to auditing & monitoring
- Find Internal Audit/Compliance kindred spirits across the organization: clinical research, operations, security, IT, etc.
- Work with External Auditors
- Leverage and stay current with technology
Appendix
Thanks for your time & attention.
Web Resources
- http://www.taf.org/ - Online resource for False Claims Act settlements
- http://oig.hhs.gov/compliance/corporate-integrity-agreements/cia-documents.asp - CIAs and other OIG regulatory action
- http://www.justice.gov/briefing-room.html - Announcements of key settlements
- http://www.coso.org/-erm.htm - Enterprise Risk Management resources
Save the Date: August 25-28, 2013, 32nd Annual Conference, Chicago, IL