Enterprise Risk Management




Agenda
- Definition & Risk Response
- Environment Scan: news from insurance
- Confusion Reduction: lessons learned from others with an ERM program

Enterprise Risk Management

Defined: measures to minimize the risk of medical or accidental loss or injury. A risk is an issue yet to be realized: an unplanned outcome. ERM is a continuous, proactive and systematic process to understand, manage and communicate risk organization-wide, making strategic decisions to achieve overall corporate objectives.

Defined (COSO): a process, effected by the Board of Directors and management, applied in strategy setting, designed to identify potential events, manage risk to be within the organization's risk appetite, and provide reasonable assurance regarding the achievement of the organization's objectives. [1]

Focus: reducing threats and their impact.

Risk: identification of exposure, e.g. property, income, liability, personnel, operational, financial, strategic, legal, regulatory, technological, etc.

Methods:
- Early identification
- Effective trending
- Appropriate recommendations
- Promote quality and process improvements to diminish the risk of future incidents or occurrences

How?
- Promotion and education of the incident reporting system (including protocols and policy for the unexpected)
- Risk assessments, consultation and sharing of information
- Integrated critical incident policy and reporting with partners
- Facilitation of adverse / unanticipated event disclosure

[1] Adapted from Committee of Sponsoring Organizations (COSO), Enterprise Risk Management - Integrated Framework (2004), p. 4.

Risk Assessment Categories
- People & Projects: credentialing; labour relations; staffing; training / education; occupational health / safety
- Operations & Environmental: high-risk clinical programs and activities; environment of care; supply chain
- Finance: insurance; contracts; funding; budgeting; purchasing; investments
- Patient: quality of care; outcomes; satisfaction; security
- Strategy: mission, vision, values; reputation; leadership; new projects
- Legal / Regulatory: statutes, policies, standards, regulations; compliance and accreditation
- Technology: information systems; security; continuity; data integrity; capacity; failure

Risk Response Actions
- Accept and tolerate the risk
- Share and transfer the risk
- Reduce the risk: change the likelihood, change the consequences
- Avoid and eliminate the risk

Best Practices
- Governance: policies, practices
- Development: plan for the realization of benefits
- Operations: plan for change testing, capacity, security
- Acquisition: plan for partner management
- Others: focus on what is important to control, not what is easy

INSURANCE PROVIDER INFORMATION

2010 U.S. Healthcare Enterprise Risk Survey: Top Risks
- Financial: revenue increases consistently below medical inflation
- Unfunded mandates for the provision of services
- Increasing capital costs and gaps between needed and available capital
- Physician relationships: ability to control the direction and level of alignment of physicians and institutions
- Preparedness for clinical automation: inadequate IT requiring investment in more sophisticated systems, e.g. inability to develop a fully operational electronic health record
- Improving performance in the midst of accelerating regulatory and marketplace change
- Employee dissatisfaction, e.g. nurses' strike, resignations
Source: Assessment of Key Risks for Hospitals and Healthcare Systems, Spring 2010, KPMG LLP

Emerging Risks / Trends / Class Actions
- Nosocomial infections
- Pathology and lab issues (ID, interpretation, false positives / negatives, result communication)
- Sterilization: effectiveness of equipment, staff certification
- Clinical trials
- Treatment of foreign patients: a governing law and jurisdiction agreement needs to be in place
- Disclosure: transparency and communication with patients and families
- Privacy: custody and control
- Cyber risk: personal devices and virtual wards
Source: HIROC, Partnering to Create the Safest Healthcare System

HIROC Top Risks

HIROC High Risk Management Factors [1]
1. Documented Board approval of the Risk Management program, including a description of the formal reporting relationship to the Board.
2. Committee with Patient Safety / Risk Management responsibilities.
3. Committee activity relating to Risk Management activity, including: Infection Control, Occupational Health and Safety, Morbidity and Mortality, Pharmacy and Therapeutics, Quality Management, Utilization Review, etc.
4. Health Records policy advising the Claims Manager of potential medical-legal issues.
5. Staff and medical staff awareness of Safety Reporting (RMPro).
6. Awareness of staff and medical staff of the policy regarding lending and borrowing of equipment.
7. Loss control procedures, including guidelines for identifying pertinent personnel / departments and for requesting the identification, location and look-up of records etc. related to an incident.
8. Responsibility for coordination of risk management delegated to one individual.
9. Managers in the Patient Safety department possess a level of authority that allows them to influence change in the policies and standards which govern potential loss.
10. Patient Safety department receives copies of all reports and any follow-up documentation (incident reports, medication / IV therapy reports, complaints).
11. Claims Manager aware of any statement of claim served upon the institution.
12. Patient Safety Manager receives medical device recalls and alerts, and has a system in place to disseminate the information, with a feedback process to ensure recommendations are adhered to.
13. Compliance with universal precautions / body substance precautions is monitored.
14. Procedure for retention of outdated policies and standards.
15. Security issues are addressed by management, medical staff and at all department levels.
16. Any breach of security is reported as a safety report.
17. All staff and medical staff wear identification badges.
18. Initial and annual credentialing systems are in place.

[1] Adapted from HIROC High-risk management factors. Retrieved December 2006.

Lessons Learned: CONFUSION REDUCTION

Lessons Learned

Traditional concerns:
- "We will worry about that if a situation arises."
- "We cannot get people to fulfill normal project tasks."
- "We don't have time to plan projects as it is, without theoretical risks piled on top."
- "Risk planning is too theoretical; it's like we are planning for failure."

Practical measures:
- Risk management effectiveness and value should be measured
- Focus needs to be specific, realistic and actionable
- For projects: 10% of resourcing on risks, maximum
- Regularly review risks to embed them in the culture and reduce blame
- Actively manage a fixed number of risks and reprioritize the others
- Multi-dimensional impact analysis (cost, schedule, quality, scope, etc.)

General:
- Risk assessment cannot be viewed as episodic; information needs to build rather than go stale with the same results
- Data and information gathered need to be easy to interpret and use; assess risk-adjusted returns
- Risk follow-up needs clarity, accountability and ownership
- Risk response needs to be balanced against value (e.g. avoiding an excessive cost burden)
- Risk assessment needs to be built into business processes rather than added on top of day-to-day responsibilities
- Risk assessments need to be centrally coordinated rather than performed independently across the organization
- Risk assessment will not prevent a big failure; it reduces the risk and increases responsiveness

Risk Identification
- Incident reports for the unexpected, or for a change in the anticipated disease / treatment process of a patient / client / resident
- Managers review and report to Risk Management (RM)
- Severity is assessed, with RM follow-up
- Incidents are tracked and trended in a database
- De-identified data in aggregate is distributed to managers regularly
- Standing agenda item in staff meetings
- Patient and family feedback reaches RM through client representatives, care providers, etc.

Process
- Managers and staff develop strategies for most situations
- Sometimes other stakeholders are engaged for action plans (e.g. policy development, procedural changes, etc.)
- Multi-disciplinary reviews in a non-blame environment sponsored by senior management

Success Framework
1) High-level framework and communication tool: a single-page view of business focus, milestones and activities
2) Critical event trees for the highest-risk events
3) Schedule risk analysis: identify the method of completion in time and budget; identify issues, confidence and near-critical paths; engage in an iterative development path
4) Develop risk trees and risk action plans: assume events will occur (break the optimism cult) and develop the plan; use effective tools (risk register, actions, due dates, mitigations, etc.); a materialized risk is an issue requiring corrective action and work effort
5) Frequent consultation
6) Transparency

Key Principles [1]

Clearly established risk assessment governance process
- Board and Audit Committee identify and address risk
- Risk facilitator owns the process to analyze and discuss
- Management manages risk and engages process owners

Specific identification of risk assessment objectives
- Organizational objectives define the scope of the assessment
- The appetite for risk assigns risk tolerance (acceptable variation)
- Measurements of organizational objectives should define the risk rating scales
- Risk measurement timelines should align with the achievement of objectives
- Prioritization of resources / actions is based on assessment ratings

Management makes decisions using a portfolio view of risks
- Enterprise Risk Management looks at the inter-relationships between risks
- Correlations may expose assessment variations and change the systemic response

Insight into potential risks comes from leading indicators
- Use Key Risk Indicators (KRIs) in addition to KPIs
- Use leading indicators: measures that signal a change in the environment, e.g. an increase in late supply shipments, outbreaks, a reduction in funding, etc.

[1] Adapted from: A Practical Guide to Risk Assessment, PricewaterhouseCoopers

How to proceed? AVAILABLE PROGRAM & TOOLS

Risk Assessment Steps
(Risk Context > Identification > Assessment > Response > Maintain & Monitor, with communication throughout)

1) Establish the context of risk
- Use patient / client and business objectives as the basis, and as the gauge for risk appetite
- Use strategy maps, cause-and-effect relationships, value assessments, etc.

2) Identify potential events threatening the achievement of objectives
- Establish an event inventory using internal sources (surveys, processes, events, etc.) and external sources (benchmarks, technology breakthroughs, etc.)
- Evaluate risk / reward in the context of the effect of volatility on key business services

3) Assess potential impact and risk tolerance
- Categorize potential events as opportunities (positive) or risks (negative)
- Evaluate within a framework (see Key Principles, etc.) and a risk map
- Establish risk tolerance: the relative importance of objectives, with risk limits

4) Develop and iteratively refine the response framework
- Regularly evaluate risk tolerance, event probabilities and impacts, backup plans, etc.
- Actions taken should demonstrably lower risk probabilities and build incrementally
- Consider hedging instruments: risk sharing, insurance, outsourcing, etc.

5) Maintain and monitor the program / metrics / framework
- Aggregate individual residual risks into a portfolio view (inter-dependencies and inter-connections)
- Action plan assignment needs capacity, capability and authority
- Communicate, communicate, communicate

Risk Matrix: Frequency x Consequence

Frequency (likelihood: the number of losses / events)
- Often (5): occurs often, every 1-6 months
- Possible (3): likely / known to occur, every 6 months to a year
- Rare (2): could occur, once every 1-10 years
- Never (1): could happen, but likely not; once every 10-100 years

Consequence / Severity (the severity / amount of a loss or event; focus on actual or potential harm)
- Insignificant / near miss / no harm (1): no impact; event did not reach a patient or staff member
- Minor (2-4): could have little impact / effect on the organization / patient / staff
- Moderate (5-7): could have a moderate impact / effect / exposure on the organization / patient / staff
- Major (8-10): could lead to serious risk exposure for the organization / patient / staff

Weight = frequency score x severity score; rating read from the cell:

                 Insignificant (1)   Minor (2-4)       Moderate (5-7)      Major (8-10)
  Often (5)      Medium 5            High 10-20        Very High 25-35     Very High 40-50
  Possible (3)   Medium 3            Medium 6-12       High 15-21          Very High 24-30
  Rare (2)       Low 2               Medium 4-8        Medium 10-14        High 16-20
  Never (1)      Low 1               Low 2-4           Medium 5-7          Medium 8-10

Risk Evaluation & Management Tools

Risk register: Risk Description | Risk Category | Risk Priority

Risk impact assessment: Risk Category | Probability | Impact | Consequences | Weight (Probability x Impact)

Mitigation: Risk Category | Outcomes | Actions | Owner | Responses
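The matrix on the previous slide and the register columns above, implemented as an added example in Python (this is not code from the presentation). The rating is looked up from the matrix cell rather than derived from the weight alone, because the slide gives the same weight different ratings in different cells: a weight of 10 is High for Often x Minor but Medium for Rare x Moderate and for Never x Major. The register entries, categories and cost-to-resolve figures are constructed for illustration; the ranking order (rating, then weight, then cheapest to resolve first) follows the Next Steps slide.

```python
"""Score and rank a risk register with the frequency x severity matrix.

Added example, not code from the presentation. The sample register below
is constructed; none of its entries are data from the slides.
"""
from __future__ import annotations

from dataclasses import dataclass

# Frequency (likelihood) levels from the matrix slide: name -> score
FREQUENCY = {
    "Often": 5,     # occurs often, every 1-6 months
    "Possible": 3,  # likely / known to occur, every 6 months to a year
    "Rare": 2,      # could occur, once every 1-10 years
    "Never": 1,     # could happen but likely not, once every 10-100 years
}

# Consequence / severity bands: name -> inclusive score range
SEVERITY_BANDS = {
    "Insignificant": (1, 1),  # near miss / no harm
    "Minor": (2, 4),
    "Moderate": (5, 7),
    "Major": (8, 10),
}

# Rating per matrix cell (frequency level x severity band). The rating is
# read from the cell, not from the weight alone: weight 10 is High for
# Often x Minor but Medium for Rare x Moderate and for Never x Major.
RATING = {
    "Often":    {"Insignificant": "Medium", "Minor": "High",   "Moderate": "Very High", "Major": "Very High"},
    "Possible": {"Insignificant": "Medium", "Minor": "Medium", "Moderate": "High",      "Major": "Very High"},
    "Rare":     {"Insignificant": "Low",    "Minor": "Medium", "Moderate": "Medium",    "Major": "High"},
    "Never":    {"Insignificant": "Low",    "Minor": "Low",    "Moderate": "Medium",    "Major": "Medium"},
}
RATING_ORDER = {"Low": 0, "Medium": 1, "High": 2, "Very High": 3}


def severity_band(severity: int) -> str:
    """Map a 1-10 severity score to its band name."""
    for name, (lo, hi) in SEVERITY_BANDS.items():
        if lo <= severity <= hi:
            return name
    raise ValueError(f"severity must be 1-10, got {severity}")


def score_risk(frequency: str, severity: int) -> tuple[int, str]:
    """Return (weight, rating); weight = frequency score x severity score."""
    if frequency not in FREQUENCY:
        raise ValueError(f"unknown frequency level {frequency!r}")
    band = severity_band(severity)
    return FREQUENCY[frequency] * severity, RATING[frequency][band]


@dataclass
class Risk:
    """One row of the risk register (columns from the tools slide)."""
    description: str
    category: str
    frequency: str
    severity: int
    cost_to_resolve: int  # order-of-magnitude estimate, constructed units


def rank_register(register: list[Risk], top_n: int = 10) -> list[tuple[Risk, int, str]]:
    """Rank by rating, then weight, then cheapest to resolve first; keep the top N."""
    scored = [(r, *score_risk(r.frequency, r.severity)) for r in register]
    scored.sort(key=lambda row: (-RATING_ORDER[row[2]], -row[1], row[0].cost_to_resolve))
    return scored[:top_n]


# Constructed sample register (hypothetical entries, not from the slides).
SAMPLE_REGISTER = [
    Risk("EHR server missing vendor security patches", "Technology", "Often", 9, 50_000),
    Risk("Staff personal devices on the ward network", "Technology", "Possible", 6, 20_000),
    Risk("Late shipments of sterile supply kits", "Operations/Env", "Often", 3, 5_000),
    Risk("Nursing strike halts elective procedures", "People", "Rare", 8, 200_000),
    Risk("Unlabelled specimen caught before dispatch (near miss)", "Patient", "Often", 1, 1_000),
    Risk("Equipment lent to another site without a record", "Operations/Env", "Possible", 2, 2_000),
]

if __name__ == "__main__":
    for risk, weight, rating in rank_register(SAMPLE_REGISTER):
        print(f"{rating:9} {weight:3}  {risk.category:15} {risk.description}")
```

Run as a script it prints the constructed register sorted into the "top ten" order the Next Steps slide asks for; swap in your own rows (or load them from the shared Excel sheet) and the same matrix applies. Keeping the matrix as an explicit cell lookup also makes it easy to spot when a register entry is rated by weight alone, which the slide's own numbers would not support.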

Risk Management Tools
- Incident reporting solution
- Disaster recovery & business continuity plan
- Emergency and pandemic plan
- Occupational health and safety: monitoring, performance & sick management
- Strategic planning
- Patient & staff safety, violence, harassment planning
- Standing agenda item
- Preventative maintenance program
- Credentialing, consent, confidentiality, privacy, release management
- Contract, procurement and supply chain management
- Exceptions, abnormals, adverse events management
- Audits, inspections, reviews, assessments
- Programs: Infection Control; Quality Improvement
- Insurance, working capital, management reporting

Now What? KEY QUESTIONS AND NEXT STEPS

Risk Review Key Questions
1) Are any of our objectives at risk?
2) Are we in compliance with policies and regulations?
3) What risk events have been escalated?
4) What trends require immediate attention?
5) What risk areas need to be reviewed?
6) Are these risks within acceptable limits? i.e. what is the frequency, are there financial consequences, are there patient or staff safety consequences?
7) How will the risk be managed / monitored?
8) What controls are in place to manage high and medium risks?
9) How will each unit / program / team be accountable for the management of this risk?
10) How will success be measured?
Source: St. Joseph Health Care's Risk Management Framework

Enterprise Key Questions

Operational
- Do people with risk management accountability have the authority to change the processes / practices governing the potential loss?
- Are leaders oriented to risk management strategies?
- Are staff, physicians, volunteers, contractors, etc. oriented to safety reporting & policies?
- Is credentialing an ongoing process?
- How is safety and security ensured?

High Risk Practices / Areas
- How are high-risk practices addressed (medications, falls, specimens, consent, restraints, observation, etc.)?
- What is the equipment and medical device prevention and maintenance program?
- What processes control, monitor and ensure high standards of documentation and communication?

Legal / Regulatory
- Are the appropriate people immediately notified?
- Are there risks to statutory / regulatory compliance, adherence to legislation, standards, accreditation, etc.?

People Resourcing
- Are there clear and consistent policies re: termination, education, succession planning, recruitment, harassment, system abuse, etc.?
- How is monitoring of clinical competency accomplished?
- How are privacy and confidentiality maintained?

Financial
- Is there a consistent process for contract agreement, development, renewal, archiving, etc.?

Technology
- Are there risks associated with biomedical, IT, data integrity, systems security, disaster recovery & business continuity, etc.?

Strategy
- Are there constraints to growth, budget, LHIN funding, quality of care, public relations, etc.?
- Are there risks to culture, change response / planning, etc.?

Risk Assessment Methodologies

Qualitative
- Categorization of potential risks using nominal or ordinal scales (ranked comparatively to each other)
- External validation mitigates bias

Quantitative
- Benchmarking
- Probabilistic modeling (e.g. backtesting, loss event assessments and at-risk modeling) = likelihood and impact
- Non-probabilistic modeling (e.g. stress tests, sensitivity analysis and scenario analysis) = impact
- Used as internal event data builds and can be tracked
- Refined through iteration

Next Steps
Based on our size and available resources, focus on:
- Insurance company risk assessment checklists
- Published patient safety best-practice checklists
- Standards-based industry tools
- Divide the work up by area of responsibility using a common tool such as Excel
- Standardize the assessment tool (such as the matrix shown earlier) and rank the risks according to: impact; probability / frequency; order-of-magnitude cost to resolve; area / type of risk
- Focus resources on the top ten and develop a mitigation strategy for each (avoid, share, reduce impact or consequence, or accept and move on)

THANK YOU