Risk Assessment & Enterprise Risk Management



Risk Assessment & Enterprise Risk

Healthcare Corporate Governance

Today's environment requires building a culture of risk awareness and management of risk across the organization, while formulating less redundancy in human capital and adequate risk mitigation aligned with strategic objectives and the overall mission. Enhancing the organization's risk awareness and focus can assist management in moving beyond reactionary responses to a proactive risk response. Risk has far-reaching impact: various operational risk events will impact the system, and incidents of risk will be apparent across the system when the focus is not holistic. Organizations must begin to consider the implications of risk across the entire enterprise, in order to achieve the best performance for their investment and keep the focus on strategic decision-making, instead of reacting to a particular event, chasing the competition or reacting to low-level incidents.

There Is a Compelling Case for Improving Risk Governance for Healthcare

- An accelerated rate of change in the healthcare industry
- The ascension of new business risks and priorities
- Increased regulatory pressure and oversight from agencies (including complex technical HIPAA requirements)
- Need for enhanced governance effectiveness
- Need for enhanced control reliance driving transparency and accountability
- Increased consumer pricing pressures, and financial reporting and integrity
- Data integrity issues resulting from complex billing and payment models
- Research & clinical excellence
- Capital investment constraints
- Resource shortages
- Deficient IT investment
- Low marketplace tolerance for surprises

Goals of an Effective Internal Control Structure for Healthcare Systems

- Achieve the stated mission and objectives of the organization
- Strengthen risk management performance
- Implement an integrated enterprise risk process that includes people, process and technology
- Promote efficiency in operations, reduce the risk of asset losses, ensure reliability of financial data and performance
- Integrity of overall financial reporting/Board reporting
- Consider utilization of a Sarbanes-Oxley compliance strategy
- Improve revenue cycle operations and focus on cost containment
- Promote compliance with established policy, laws and regulations: HIPAA, Medicare/Medicaid, contract administration, JCAHO
- Improve quality of patient care: reduce never/sentinel events, reduce medication ID errors, improve outcomes

Movement from Traditional Risk Assessment to Implementing ERM

Requires an integration of risk management with existing management processes, identifying future events that can have both positive and negative effects, and evaluating effective strategies for managing the organization's exposure to those possible future events. ERM transforms risk management into a proactive, continuous, value-based, broadly focused and process-driven activity.

The Past                                     The Future
Risks as individual hazards                  Risks in the context of business strategy
Risk as danger                               Risk as danger and opportunity
Risk mitigation (protect against downside)   Risk optimization (exploit upside)
Risk limits                                  Risk strategy
Haphazard risk quantification                Monitoring & measurement
Emphasis: financial function                 Emphasis: strategic, all functions

Historical Internal Audit Coverage Areas

- Strategic risks: limited or non-existent? Tone at the top? Strategic planning? Real estate ventures? Executive T/E review?
- Financial risks: revenue cycle; financial close/reporting process; treasury? Inventory/fixed assets? Capital process?
- Operational risks: procurement process; information technology? Clinical rounding? Contract administration?
- Compliance risks: applicable laws; regulatory environment; legal risks; physician contracting? Physician arrangements?

Implement an Integrated Approach to Risk

Traditionally, many organizations have taken a siloed approach to their risk efforts: Internal Audit, Compliance and Corporate Ethics, Risk, Legal, Operational Self-Assessment and Clinical Quality units often operate independently. The opportunity to improve the risk management approach exists in today's systems.

Identify opportunities to improve performance:
- Enhance operational effectiveness
- Activities operate within the established risk tolerance levels
- Protect the system against surprises
- Take maximum advantage of risk opportunities, not just adverse events
- Ensure the technology investment is providing the right return

Consistency in risk information:
- Embed the consideration of cost/benefit analysis and process efficiency
- Consistent measurement of risk through a common risk language
- Development of new programs and critical projects
- Improved resource allocations
- Integrity of senior reporting
- Technology is aligned with the system

Build on governance momentum in the industry:
- Expansion or implementation of an enterprise risk (ERM) approach to risk management
- Early-adopter implementation throughout the system
- Directly tie risk management to accountability and transparency
- Enable the establishment of self-sustaining programs to identify, assess, and manage risks
- IT initiatives support the overall system and controls are automated for continuous monitoring

Enterprise Risk Defined

"Enterprise risk management is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."
Committee of Sponsoring Organizations of the Treadway Commission, September 2004

Enterprise Risk

- Provides for a common risk language, creating measurement and understanding across the organization.
- Enhances the current risk identification process. This provides assurance that key risks are identified, assessed, monitored, and communicated in an integrated process across the organization.
- Prepares the system to react to risk events. Managers/directors and senior leadership implement process procedures to address the events timely and effectively.
- Implements a proactive risk strategy versus a reactive response.
- Provides a formal, yet simple communication vehicle. This allows management, staff, legal counsel and the Board to manage risk.
- Applies inherent monetary and human resource availability factors to assessing and prioritizing risk.
- Assesses the various key risks that could stand in the way of attaining the organization's mission.
- Limits being SURPRISED by a risk event.

Audit's Revised Corporate Governance Approach

Audit redesign:
- Partnering on special projects
- Risk assessments: entity/process level and fraud
- Staff retention/turnover
- Business self-assessment
- Balancing IA with SOX compliance, risk and consulting services
- Co-source SMEs
- As-Is process control reviews
- To-Be process control reviews
- Diagnostic reviews
- Consulting/project approach
- Remediation/implementation support
- Ongoing controls guidance

Clinical focus and process alignment:
- Validate control environment
- Organizational or process changes
- Fraud risk assessment
- SME (IT, technical/quality reviews)
- Documentation: continuous updating and process validation
- Testing/remediation
- Partnering with outside resources (risk management, legal, compliance)

Technology risk assessment:
- IT project compliance assurance
- Business continuity
- Technology security

Integrated Risk Assessment

The first goal of our risk assessment methodology is to identify a universe of business risks, then to assess the likelihood of occurrence and the impact of each risk, so that risks are prioritized in order of importance. Consider risks broadly, addressing the strategic, reporting, operating and regulatory compliance risks facing the organization/system today and in the future.

The objectives for conducting an entity-wide risk assessment:
- Identify all areas of potential risk in the organization;
- Understand the business model factors impacting the organization's risk profile;
- Evaluate the functions for managing risk, and current integration opportunities;
- Establish an integrated plan and resources to ensure effective monitoring of risk.

Develop Business Model

- Utilize a risk framework. Identify the various risk frameworks and select an appropriate framework for the system: COSO (Committee of Sponsoring Organizations), CoCo (Canadian framework), ERM (integrated framework), AU/NZ (Australian framework), ISO guidelines.
- Establish a standard business risk language: What is risk? Risk? Enterprise risk?
- Understand and define the system's risk appetite.

Framework for Enterprise Risk

The COSO model is a top-down methodology focusing on risks within the strategic, operational, reporting and compliance areas, and is widely accepted in the business community. This framework is embraced because it forces the organization/system to think of risk very broadly before driving down into lower levels of the organization. In this way, organizations draw conclusions not in departmental silos, but view the common elements of risk across organizational units. The framework also challenges organizations to make decisions around risk appetite, strategy and objective setting, which is very important, as most of an organization's decisions around risk will involve short- and long-term investments, and modeling those risks is important for building a strategy.

- Strategic: high-level goals, aligned with and supporting the mission
- Operations: effective and efficient use of resources
- Reporting: reliability of reporting
- Compliance: compliance with applicable laws and regulations

Risk Maturity Framework

The integrated risk approach begins with an understanding of a system's risks and risk practices. Organizations typically reside in one area while aspiring to enhance the successful risk optimization strategy.

Basic or Fundamental:
- Limited Board or senior emphasis on risk management
- Siloed risk monitoring
- Fragmented coverage of critical risks
- A common language and consistent approach does not exist
- Investment in IT limited or fragmented
- Poor risk communications
- No effort to anticipate

Skillful or Developed:
- Board and senior support
- Enterprise-wide coordination of risk management activities
- Ongoing risk profiling
- Integrated risk coverage among risk monitoring groups and management
- Tone-at-the-top support of ERM and alignment to risk tolerance/appetite
- IT begins to evolve with alignment of objectives

Strategic or Optimized:
- Proactive Board and senior involvement
- Embed risk activities into ongoing business processes
- Risk managed and assessed across a common risk culture
- Constant analysis of the risk portfolio
- Risk optimization and reporting to the Board and senior leadership
- Creates a culture of accountability and responsibility and continuous monitoring

Risk Opportunity Value: Enterprise Risk (ERM) Model

Understand the business:
- Business model
- Risk appetite
- Risk tolerance
- Organizational culture
- Organizational structure

Risk:
- Identify & define significant risks
- Assess impact
- Assess likelihood
- Quantify and prioritize
- Link risks to corporate strategies
- Create a risk model

Opportunity:
- Optimize
- Linkage to risk tolerance/risk appetite
- Maximize risk profile
- Fine-tune scenarios for risk response: avoidance, share/transfer, mitigate/reduce, acceptance

Value:
- Risk-based decision making
- Alignment to mission, vision and goals
- Increased stakeholder and shareholder value
- Cost reduction and enhanced recognition in the marketplace
- Create risk accountability and responsibility

Linkage to COSO ERM components: internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, monitoring.

Linkage to S&P guidance:
- Organization structure
- Roles and responsibilities
- Accountability
- Policies, to include strategy, tolerance, authority and disclosure
- Infrastructure, to include personnel, operations, data and technology
- Methodology, to include risk metrics, stress testing, validation and performance measurement
- Awareness of risk
- Global approach to risk
- Understanding of future modifications to the risk profile
- Emerging risks
- Quantifying risk tolerance
- True assignment of credit rating and understanding of risk exposure

Constantly Adapting to Risk and Identifying Your Weaknesses

- Identifying and documenting risks and processes at the strategic, operational, financial reporting and compliance levels
- Developing linkage to strategic corporate objectives, risk tolerance, and risk appetite
- Developing linkage to processes, to sub-processes, and to IT infrastructure
- Assessing impact and likelihood of risk

UNDERSTAND THE BUSINESS: Identify Risks

- Linkage to strategic objectives.
- Linkage to system processes and sub-processes.
- Glean information across the system by performing a thorough interview process. Interview all key stakeholders and follow a risk universe (business model).
- Develop an understanding of risk events versus audit activities (process).
- Utilize various venues to capture the risk universe (voting technology, survey, interview, knowledge gained from past results, professional judgment).
- Provide a thorough update to senior leadership and the Board.

Risk Profile - Categories

These distinct but overlapping categories (a particular objective can fall into more than one category) address different entity needs and may be the direct responsibility of different process owners, managers or executives.

Strategic and Operational:
- Governance effectiveness
- Strategic plan and alliances
- Corporate oversight
- Ethics
- Reputation
- Public confidence (relations)
- Information & communication
- Market position
- Care models
- IT infrastructure and deployment
- Faith-based mission
- Quality and patient safety
- Access & of patient care
- Attract patients
- Business continuity and disaster preparedness
- Licensing/accreditation
- Physician performance
- Clinical outcomes
- Patient satisfaction
- Effective and efficient deployment of resources
- Research

Risk Profile - Categories (continued)

Reporting:
- Financial reporting
- Financial systems
- Revenue cycle
- Treasury & investments
- Supply chain
- Capital access & vendor relations & contracts
- Risk (insurance)

Compliance:
- Tax-exempt status
- MD arrangements
- Survey response
- Compliance with laws & regulation
- Information security & integrity
- Claim compliance
- Antitrust

RISK: Analyze Risks

- Understand gross versus residual risk in the context of the likelihood of occurrence of the risk event (analysis through rating, ranking & prioritizing risks).
- Look for patterns and trends, and compile risk events into the framework and business/system model (core/support).
- Provide a thorough update to senior leadership and the Board.

Risk Ranking Definitions (Example)

Risk Tolerance Definition, LIKELIHOOD: The inherent probability of each risk materializing (without the benefit of existing controls or contingency plans) will be evaluated utilizing a combination of qualitative and quantitative criteria.

Risk Tolerance Definition, IMPACT: The potential impact of each risk (without the benefit of existing controls) will be evaluated utilizing a combination of qualitative and quantitative criteria (per occurrence, annualized).

Risk Matrix

[Diagram: Probability of Occurrence (vertical axis) against Magnitude of Impact (horizontal axis), with four quadrants: Low Frequency/High Severity, Low Frequency/Low Severity, High Frequency/High Severity, High Frequency/Low Severity.]

Healthcare Industry Issues and Potential Risks

Strategic and Operational:
- High-level goals supporting strategic growth are not well known
- Inability to meet increasing customer demand in primary/secondary markets
- Foundation brand awareness is not well known
- Inefficient or ineffective use and deployment of resources
- Loss of patient or public confidence
- Governance is not known and followed
- Systems aren't scalable and utilized to promote information and communication through the system
- Reliance on technologies that are not available to provide just-in-time information related to patient care

Reporting and Compliance:
- Leakage within the revenue cycle
- Limited cash flow
- Limited financial performance
- Legal action as a result of a patient care incident
- Regulatory oversight pending
- Inability to react to changing regulatory pressures and scrutiny (e.g. HIPAA, Sarbanes-Oxley, IRS 990)
- Reliability of financial reporting and management decisions based on the data provided
- Evolving processing technologies to support data integrity and real-time reporting of key performance indicators
- Evolving processing technologies creating pressure to maintain a competitive edge

Risk Tolerance Definition: LIKELIHOOD

Rating 3, High (probability of risk materializing > 50%):
- Process is complex and requires significant coordination (detailed procedures have not been documented and appropriately tested and in place to rely upon)
- Significant oversight and controls needed to ensure adherence to regulatory requirements
- High reliance on manual process to ensure system & process integrity
- IT controls & processes are inadequate to prevent problems

Rating 2, Medium (probability of risk materializing 10-50%):
- Process is routine but relies heavily on human intervention (procedures exist and are documented but have not been appropriately tested and in place to rely upon)
- Moderate level of oversight and controls needed to ensure adherence to the regulatory environment (however, the regulatory environment is stable/consistent)
- Moderate reliance on the manual and automated control environment to ensure system & process integrity
- IT controls and processes are documented and provide some assurance

Rating 1, Low (probability of risk materializing < 10%):
- Procedures exist and are documented but may not be followed consistently and may require additional control enhancements
- Minimal oversight required, stable regulatory environment
- Little or no reliance on manual process to ensure system & process integrity

Risk Tolerance Definition: IMPACT

Rating 3, High (impact > $10 m):
- Resulting in monetary penalties, prosecution and/or loss of reputation
- (> 5.69% annualized) hospital-wide reduction in patient identification errors
- > 5 annualized hospital-wide preventable sentinel events
- Imminent or serious cash flow problems resulting in use of investments or borrowing
- Loss of patient or public confidence and/or market share
- Key sponsors, customers, or alliances are threatened
- Departmental turnover in critical functions is > 25%

Rating 2, Medium (impact $5-10 m):
- Reportable self-disclosure may result in a minimal fine with a required plan for corrective action
- (> 4.75-5.69% annualized) hospital-wide reduction in patient identification errors
- ≤ 5 annualized hospital-wide preventable sentinel events
- Cash flow may be adversely affected on an interim basis and may require use of investment or borrowing
- Event requires significant senior management attention and intervention
- Departmental turnover in critical functions is > 20%

Rating 1, Low (impact < $1 m):
- Non-compliance with existing internal policy & procedures with no resulting external ramifications
- (≤ 4.75% annualized) hospital-wide reduction in patient identification errors/target baseline
- 0 annualized hospital-wide preventable sentinel events
- Minimal impact on cash flow
- Event does not require significant senior management time
- Departmental turnover in critical functions is > 15%

OPPORTUNITY: Evaluate Risks

Evaluate the different scenarios for risk response decisions: avoidance, share/transfer, mitigate/reduce, acceptance. Linkage should occur to the risk appetite/tolerance for the system.

Sample Risk Profile

[Diagram: Likelihood of Occurrence (Remote, Likely, Almost Certain) against Magnitude of Impact (Insignificant, Moderate, Significant), with the following risk areas plotted: Revenue Cycle, IT Management, Compliance, Patient Care, Human Resources, Materials, Financial, Fundraising, Strategic, Health Information, Legal, Facility.]
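The likelihood and impact bands above, together with the earlier "gross versus residual risk" point, are easiest to see as a small risk register. The following Python is an added example, not code from the deck or its presenters. It takes the deck's thresholds as given (likelihood: > 50% High, 10-50% Medium, < 10% Low; impact: > $10 m High, $5-10 m Medium, < $1 m Low) and adds three assumptions of its own, all marked in the code: losses in the $1 m to $5 m gap the deck leaves unassigned are rounded up to Medium, a control-effectiveness factor reduces the probability (not the size) of an event to derive residual risk, and ratings of 2 or 3 count as the "high" half of the frequency/severity matrix. The register entries and their figures are constructed for illustration.

```python
"""Risk register scoring with the deck's 3/2/1 likelihood and impact bands."""
from dataclasses import dataclass


def likelihood_rating(probability: float) -> int:
    """Map inherent (gross) probability of occurrence to the deck's rating.

    3 High: > 50 %   2 Medium: 10-50 %   1 Low: < 10 %
    Boundary values (exactly 10 % and exactly 50 %) fall in the Medium band.
    """
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    if probability > 0.50:
        return 3
    if probability >= 0.10:
        return 2
    return 1


def impact_rating(loss_usd: float) -> int:
    """Map potential loss (per occurrence, annualized) to the deck's rating.

    3 High: > $10 m   2 Medium: $5-10 m   1 Low: < $1 m
    The deck leaves $1 m to $5 m unassigned; assumption here: round that gap
    up to Medium so an unscored loss is never under-rated.
    """
    if loss_usd < 0:
        raise ValueError("loss must be non-negative")
    if loss_usd > 10_000_000:
        return 3
    if loss_usd >= 1_000_000:
        return 2
    return 1


@dataclass
class Risk:
    name: str
    category: str                       # Strategic, Operational, Reporting, Compliance
    probability: float                  # inherent likelihood, no credit for controls
    loss_usd: float                     # inherent impact, no credit for controls
    control_effectiveness: float = 0.0  # assumption: 0 (no controls) .. 1 (fully effective)

    @property
    def gross_score(self) -> int:
        """Likelihood x impact before any credit for existing controls."""
        return likelihood_rating(self.probability) * impact_rating(self.loss_usd)

    @property
    def residual_probability(self) -> float:
        # Assumption: controls reduce the chance of the event, not its size.
        return self.probability * (1.0 - self.control_effectiveness)

    @property
    def residual_score(self) -> int:
        """Likelihood x impact after credit for existing controls."""
        return likelihood_rating(self.residual_probability) * impact_rating(self.loss_usd)

    @property
    def quadrant(self) -> str:
        """Place the gross risk in the deck's 2x2 frequency/severity matrix.

        Assumption: a rating of 2 or 3 counts as the 'high' half of each axis.
        """
        freq = "High Frequency" if likelihood_rating(self.probability) >= 2 else "Low Frequency"
        sev = "High Severity" if impact_rating(self.loss_usd) >= 2 else "Low Severity"
        return f"{freq}/{sev}"


def prioritize(risks):
    """Rank by residual score, then gross score, highest first (ties by name)."""
    return sorted(risks, key=lambda r: (-r.residual_score, -r.gross_score, r.name))


# Constructed sample register; the figures are illustrative, not from the deck.
SAMPLE_REGISTER = [
    Risk("Revenue cycle leakage", "Reporting", 0.60, 12_000_000, 0.5),
    Risk("Patient ID errors", "Operational", 0.30, 6_000_000, 0.2),
    Risk("HIPAA breach", "Compliance", 0.15, 3_000_000, 0.8),
    Risk("Cash-flow shortfall", "Reporting", 0.05, 500_000, 0.0),
]


def report(risks):
    """One line per risk, highest priority first."""
    return [
        f"{r.name:<24} {r.category:<12} gross={r.gross_score} "
        f"residual={r.residual_score}  {r.quadrant}"
        for r in prioritize(risks)
    ]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_REGISTER)))
```

Two things worth noticing when running it: the HIPAA entry has the same gross score as patient ID errors, but strong controls push it well below them on residual score, which is the ordering the deck says senior leadership should see; and the first entry keeps a residual score of 6 even after halving its probability, because the impact rating (what the deck defines "without the benefit of existing controls") is unchanged.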

VALUE: Address Risks

Evaluate the different silos and ensure risks are adequately addressed:
- Ethics (compliance, governance)
- Risk (insurance, incident)
- Clinical effectiveness (quality)
- Audit & assurance services (internal audit)
- External audit
- Security
- Legal
- Environmental

Know what's being covered, what's not, and more importantly, why!

VALUE: Monitor Risks

- Develop a continuous and ongoing process.
- It's everyone's responsibility.
- Institutionalize the process.
- Everyone should understand the difference between Internal Audit monitoring and other monitoring.

ERM Challenges

- Support of a risk champion to assist in driving the ERM process implementation. Specific qualities needed to be a risk champion: knowledge of the industry, strategic focus, evangelist, facilitator, Board access.
- Focused coordination with the system's risk functions already in place. ERM is strengthened by the alignment of these groups and a common process and context for risk.

ERM Challenges (continued)

- Technology: understand that technology solutions promising an all-encompassing implementation may not be the answer. Focus on methodology first; utilize technology as an enabler of the process.
- Systemic thinking is key to the process. Systemic thinking drives event identification, gross risk vs. residual risk discussions, mitigating controls, and the risk universe vs. an audit or silo approach to risk.
- Raise risk awareness; speak to challenges around accountability and transparency within the system.

ERM Challenges (continued)

- Risk assessment is a critical component of ERM but is not all-encompassing. The group should understand the differences.
- Show some immediate tangible results.
- Work off a multi-year plan.
- Address risk within a consistent context throughout the system.
- Define risk tolerance for the system.
- Don't underestimate resistance to change.

Next Steps

- Develop the business model
- Refine risk ranking/rating criteria: likelihood criteria, impact criteria, control classifications
- Perform ongoing risk assessment: identify, analyze, evaluate, monitor
- Broadly educate on risk tolerance/appetite
- Develop a communication protocol

Next Steps (continued)

- Further alignment to the overall system of risk: clinical operations & effectiveness (incl. quality), corporate ethics and compliance, risk (insurance), audit & assurance services, legal, environmental, security, other?

Questions?