David McMillan, Pershing Yoakley & Associates, P.C.
[email protected]
(865) 673-0844

Larry Vernaglia, Foley & Lardner LLP
[email protected]
(617) 342-4000

Enterprise Risk Management
A Presentation For: Massachusetts Continuing Legal Education, Inc.
May 16, 2014

Presentation Makes the Case for Enterprise Risk Management


PYA Principal David McMillan recently co-presented “Enterprise Risk Management” at the Massachusetts Continuing Legal Education 15th Annual Hospital & Health Law Conference.


Page 2: Enterprise Risk Management: The Beginning

• ERM began with the Committee of Sponsoring Organizations of the Treadway Commission (COSO), which issued “Internal Control – Integrated Framework” to assist businesses and other entities in assessing and enhancing their internal control systems.

• Over the past two decades, this framework has been incorporated into policy, rule, and regulation, and is used by thousands of enterprises to better control their activities in moving toward achievement of their established objectives.

• COSO’s framework for ERM helps organizations achieve their objectives:

o Strategic

o Operations

o Reporting

o Compliance

Page 3: Enterprise Risk Management Across Industries

• ERM was first implemented in the financial sector (banks, investment companies, insurers, etc.).

• It is now widely utilized and well-developed across the business sector and is slowly being adopted by the healthcare industry.

• Well-known accounting compliance and corporate governance scandals (e.g., Enron and WorldCom) were largely the impetus for the passage of the Sarbanes-Oxley Act of 2002 (SOX), resulting in many organizations implementing ERM programs.

• Primarily publicly traded, for-profit organizations (including healthcare).

• Increased awareness of boards of directors’ responsibility for identifying and managing organizational risk.

Page 4: How Have Payers Traditionally Managed Risk?

• Historically, insurance companies have been designed in a silo structure (i.e., each operational activity is undertaken independently, as are the associated risks).

– Ex: there can be virtually no interaction between the underwriting and claims departments of an insurance company. As a result of this structure, information generated from these activities is rarely ever shared or synthesized.

• In previous, less volatile years, the silo structure was workable. Given the dramatic regulatory and technological changes in recent years, the silo structure is giving way to newer, more strategy-focused structures, such as ERM.

• In many circumstances, the management of these risks can be more efficient if conducted at the enterprise level.

Page 5: Healthcare Risk Management

Healthcare has been slow to introduce ERM programs but, as it has become increasingly evident that no organization or business sector is immune from catastrophic loss, the industry’s interest in ERM is greatly increasing.

The shift away from regional operations to the state, multi-state, and/or national level has played a significant role in igniting interest in ERM across the healthcare industry.

[Figure: Traditional Setting: Acute Care Hospital; Contemporary Setting: Expanding Beyond Hospital Walls and State Lines]

Page 6: Drivers of Change

[Figure: the Healthcare Industry at the center, surrounded by the following drivers]

• Changing patient demographics
• Advances in medicine
• Competition
• Patient-centered focus of care
• Changing reimbursement
• The ACA
• Increasing regulation
• Shift to EMR and Meaningful Use
• Necessity of outcomes data
• Rapidly changing technology

Page 7: Five Indications of the Industry

The Five Fundamentals Driving Healthcare Transformation:

Read more at http://www.pyapc.com/resources/collateral/white-papers/2014-Healthcare-Whitepaper-PYA.pdf

Page 8: Making the Case for Enterprise Risk Management

Healthcare reform is causing many health systems to quickly react/respond/implement (i.e., bundled payments, ACO regulations, value-based purchasing, etc.)

Too often, health systems are failing to proactively plan for their response to health reform, often leaving the system at risk.

Hastened decisions are often made in silos and without considering the impact/risk to all entities.

Page 9: Risk Management in the Face of a Rapidly Changing Environment

Today’s Challenge: Defining the parameters “along the way”

Yesterday:
• Financial derivatives in capital and debt structures

Today:
• Rapidly changing reimbursement structures
• Physician-Hospital integration (horizontal & vertical)

Tomorrow:
• Bearing insurance risk

Page 10: What do YOU see?

Page 11: Traditional Risk Management Program Structure

Manage Risks of “Separate and Distinct” Departments/Silos

[Figure: separate silos labeled Operations, Finance, Human Capital, Strategic, Legal/Regulatory, Technology, Hazard]

Page 12: Shifting Toward a Contemporary Model of Risk Management

Traditional Model

• Reactive
• Incident-based
• Clinically focused
• Risk analyzed according to silo or department (e.g., market risks handled by the marketing department, patient safety risks handled by the quality/patient safety department).
• Fails to account for the fact that risks do not exist in isolation (i.e., they cross organizational structures, departments, etc.)

Contemporary Model (ERM)

• Proactive, which better equips healthcare organizations to focus on all risks throughout the organization while maintaining patient safety, ensuring compliance and improving the organization’s bottom line.
• Holistic
• Multidisciplinary
• Risk analyzed across the entire enterprise, not solely at the silo/department level.
• Accounts for the synergistic relationship among and between risks.

Page 13: ERM means different things to different people…

Discipline

Process

Practice

Page 14: What is Enterprise Risk Management (“ERM”)?

A Discipline

Enterprise risk management is a discipline that engages professionals in the practice of identifying, managing, controlling, and monitoring all risks to the organization.

A Practice

ERM can best be described as an ongoing business decision-making process instituted and supported by the healthcare organization’s board of directors, executive administration and medical staff leadership. ERM recognizes the synergistic effect of risks across the continuum of care, and has as its goals to assist the organization in reducing uncertainty and process variability, promoting patient safety and maximizing the return on investment (ROI) through asset preservation, value creation, and the recognition of actionable risk opportunities.

A Process

ERM is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

Page 15: The Board’s Responsibility to Manage Risk

A Process

ERM is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

The Board of Directors is not necessarily responsible for the effects of the decisions they make; they are, however, responsible for having a sound process in place for making these decisions, regardless of the outcome, good or bad, of the ultimate decision.

Page 16: What is Enterprise Risk Management (“ERM”)?

Creating an effective structure through combining the correct players with an appropriate strategy, equipping these players with a common understanding and appreciation for the direction of the health system and engaging these players in a process to evaluate enterprise risk.

Page 17: Example Risk Domains

Operational
• Transitions of care
• Quality/coordination of care
• Adverse event management
• National Patient Safety Goals
• Facility/equipment management
• Workplace safety
• Infection control
• Business continuity

Financial
• Billing/collections
• Corporate compliance (fraud and abuse)
• Liquidity
• Growth in programs/facilities
• Capital structure
• Capital equipment
• Capitation contracts

Human Capital
• Staffing/turnover
• Union and labor relations
• Hiring, retention, education
• Succession planning
• Organizational direction and culture
• Morale and engagement
• Employment Practices liability

Strategic
• Regulatory change
• Patient needs/expectations
• Population health competencies
• Advertising, marketing, branding
• Alliances/integration/affiliations
• Competition
• Antitrust

Legal/Regulatory
• Corporate compliance
• Confidentiality/security of PHI
• Multiple statutes, standards, and regulations
• Accreditation
• State licensure
• Private inurement

Technology
• CPOE
• EMR/EHR
• Robotics
• Telehealth/telemedicine
• Radio Frequency Identification (patient tracking, infant security, etc.)
• Information exchange
• Social media

Hazard
• Facility management
• Plant age
• Natural disasters
• Parking
• Construction/renovation

Page 18: Contemporary ERM Programs

ERM Structure and Process

[Figure: the ERM structure and process intersecting the health system’s business lines, labeled Strategy, Real Estate, Legal/Regulatory Compliance, Financial Performance, Patient Access, Physician Alignment and Technology]

Health systems operate multiple businesses with divergent priorities within one entity. An enterprise risk management framework, consisting of an effective structure and disciplined process, intersects each distinctive business initiative to provide a holistic view of the health system.

Page 19: Interrelated Components of ERM

• Internal Environment
• Objective Setting
• Event Identification
• Risk Assessment
• Risk Response
• Control Activities
• Information & Communication
• Monitoring

Page 20: COSO’s “Cube”

[Figure: the COSO cube, whose three faces are the Entity’s Objectives, the Entity’s Units and ERM’s Components]

“A distinct relationship exists between an entity’s objectives and ERM’s components, which represent what is necessary to achieve objectives.” – COSO’s “Enterprise Risk Management – Integrated Framework”

Page 21: Benefits of ERM

– Strategy/solution development that supports the organization’s mission, vision, and values

– Better equipped to anticipate and deal with the unexpected

– Increased understanding of organization-wide costs of risks

– Establishment of a consistent methodology for assessing future risks

– Development of a strategic, organizational framework for managing risk

– Conservation and effective allocation of limited resources

– Improved decision making and creation of formal links between units/divisions/organization

– Improved success of regulatory and compliance initiatives

– And the list goes on and on…

Page 22: Designing an ERM Program

Consideration should be given to the following:

• Organizational structure (for profit, not-for-profit, governmental)

• Business approach (acquisition/growth, struggling to survive, maintain status quo)

• Strategy (academic, integrated network, community-based, etc.)

• Variances in setting/locale (acute care hospital, physician practice, etc.)

Page 23: A Practical Approach

[Figure: (Right Processes + Right People) * Disciplined Approach = Ability to Evaluate Risks, which Contributes to the Right Culture]

Page 24: The Right Process

• Risk management must be driven from the top down

• At its core, an ERM framework is proactive, not reactive

• A framework acknowledges that confronting risks before they are emergent yields significant benefit

• A comprehensive risk management framework does not automatically ensure that a system will be void of future and present risks

Page 25: The Right Process

• Risk Identification:

– Identification and analysis of risk is management’s responsibility with respect to determining which risks may impact strategy and achievement of organizational goals.

– It is essential to create a comprehensive list of internal and external risks facing the organization.

– Risk identification tools can be developed and used to survey leadership, and interviews can be utilized to develop a deeper understanding of risks already identified.

Page 26: The Right Process

• Risk Assessment and Evaluation:

– Once all organizational risks have been identified and analyzed, the next steps are:

o Understand and attempt quantification of the potential magnitude of each risk

o Identify risk drivers

o Consider positive and negative consequences across the organization

o Assess likelihood and severity of each risk

Page 27: The Right Process

• Tools to Evaluate Risk:

– Risk Scoring: evaluates the importance of one risk over another, accounting for likelihood/probability and impact/severity.

• Sample formula: Probability x Severity = Risk Score

– Risk Mapping: a data-generating process that utilizes local perceptions to identify and address risks in an effort to reveal transactions, departments, or processes that result in different types and levels of risk.

• Graphically depicts the organization’s risks, displaying the relationship between frequency and severity.

• Requires a team approach to identify and rank each identified risk.
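The scoring and mapping steps above, as an added worked example that is not part of the presentation or of PYA's own material: a constructed risk register is scored with the deck's Probability x Severity formula, each risk is placed in a Minimal, Moderate/Acceptable or Untenable band within its domain (the tabular form of a risk map), and the Moderate risks per domain are counted so that an accumulation of them can be flagged. The 1-to-5 scales, the band boundaries, the `moderate_limit` policy and every register entry are assumptions made for the example, not values from the deck.

```python
"""Added example, not from the presentation: Probability x Severity scoring,
a per-domain risk map, and a simple systemic-accumulation check.
Scales, band boundaries and register entries are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    domain: str        # e.g. "Legal/Compliance", "Financial/Economic"
    probability: int   # assumed 1 (rare) .. 5 (almost certain) scale
    severity: int      # assumed 1 (negligible) .. 5 (catastrophic) scale

    def score(self) -> int:
        # Sample formula from the deck: Probability x Severity = Risk Score
        return self.probability * self.severity


# Assumed band boundaries on the resulting 1..25 score range.
BANDS = (("Minimal", 1, 5), ("Moderate/Acceptable", 6, 14), ("Untenable", 15, 25))


def band(score: int) -> str:
    """Map a score onto the deck's three risk-measurement columns."""
    for label, lo, hi in BANDS:
        if lo <= score <= hi:
            return label
    raise ValueError(f"score out of range: {score}")


def validate(risk: Risk) -> None:
    """Reject inputs outside the assumed 1..5 scales before scoring."""
    if not (1 <= risk.probability <= 5 and 1 <= risk.severity <= 5):
        raise ValueError(f"{risk.name}: probability and severity must be 1..5")


def rank(register: list[Risk]) -> list[tuple[str, int, str]]:
    """(name, score, band) with the highest score first; ties broken by name."""
    for r in register:
        validate(r)
    return sorted(((r.name, r.score(), band(r.score())) for r in register),
                  key=lambda t: (-t[1], t[0]))


def risk_map(register: list[Risk]) -> dict[str, dict[str, list[str]]]:
    """domain -> band -> risk names: the rows and columns of a risk map."""
    grid: dict[str, dict[str, list[str]]] = defaultdict(lambda: defaultdict(list))
    for r in register:
        validate(r)
        grid[r.domain][band(r.score())].append(r.name)
    return {d: dict(b) for d, b in grid.items()}


def systemic_flag(register: list[Risk], moderate_limit: int = 3) -> list[str]:
    """Domains whose count of Moderate risks reaches moderate_limit.
    The limit is an assumed policy threshold for when several individually
    acceptable risks should be reviewed together as one systemic risk."""
    counts: dict[str, int] = defaultdict(int)
    for r in register:
        if band(r.score()) == "Moderate/Acceptable":
            counts[r.domain] += 1
    return sorted(d for d, n in counts.items() if n >= moderate_limit)


# Constructed sample register; the entries are illustrative, not the deck's.
SAMPLE_REGISTER = [
    Risk("PHI disclosure via lost laptop", "Legal/Compliance", 3, 5),
    Risk("Capitation contract shortfall", "Financial/Economic", 3, 3),
    Risk("Claims denial backlog", "Financial/Economic", 4, 2),
    Risk("Surgical site infection rate", "Clinical Quality", 2, 3),
    Risk("Negative press on wait times", "Marketing/Brand", 3, 2),
    Risk("Vendor BAA not executed", "Legal/Compliance", 2, 4),
    Risk("Parking availability complaints", "Patient Experience", 1, 2),
]

if __name__ == "__main__":
    for name, score, label in rank(SAMPLE_REGISTER):
        print(f"{score:2d}  {label:20s} {name}")
    for domain, cells in risk_map(SAMPLE_REGISTER).items():
        print(domain, cells)
    print("systemic review:", systemic_flag(SAMPLE_REGISTER, moderate_limit=2))
```

The ranking is the risk-scoring step, `risk_map` is the team's risk map laid out as rows (domains) and columns (bands), and `systemic_flag` is one explicit, tunable way to decide when several Moderate entries in one domain deserve to be treated as a single larger risk; the register and thresholds would be replaced with the organization's own.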

Page 28: The Right Process – Risk Mapping

[Figure: a blank risk map. Columns (Risk Measurement): Minimal, Moderate/Acceptable, Untenable. Rows: Clinical Quality, Financial/Economic, Legal/Compliance, Marketing/Brand, Patient Experience, Relational]

Page 29: Developing a Comprehensive Risk Profile

[Figure: labels Perspective and Prospective; Senior VP; New Initiative/Transaction (three); Departments/Services (four); Comprehensive Risk Profile (two)]

Page 30: Isolated Risk vs. Systemic Risk

How many “Moderate”s = “Untenable”?

[Figure: four risk maps labeled Risk Profile 1, Risk Profile 2, Risk Profile 8 and Risk Profile 53, each with columns Minimal, Moderate/Acceptable, Untenable and rows Clinical Quality, Financial/Economic, Legal/Compliance, Marketing/Brand, Patient Experience, Relational; the maps are annotated Isolated Risk and Systemic Risk]

Page 31: The Right People

• The Right People make up the ERM evaluation team.

• The Right People, typically members of senior management, are responsible for evaluating risks with respect to their position within the organization and hold responsibility for strategic initiatives.

[Figure: (Right Processes + Right People) * Disciplined Approach = Ability to Evaluate Risks, which Contributes to the Right Culture]

Page 32: The Right People

• CEO
• CFO
• COO
• CMO
• CNO
• CIO
• Human Resources
• Legal Counsel
• Risk Manager
• Real Estate/Facility Management Key Leader

Page 33: Accumulating the Results

[Figure: organization chart with the CEO above SVP Information, SVP Finance, SVP Operations and SVP Quality]

Page 34: Disciplined Approach

• Frequency
• Transparency
• Board Involvement
• Accountability

[Figure: (Right Processes + Right People) * Disciplined Approach = Ability to Evaluate Risks, which Contributes to the Right Culture]

Page 35: Dysfunctional Practices, Dysfunctional Culture

• Arthur Andersen

– Inability to question superiors’ practices and incapability to suggest new ways of doing things. When these practices no longer worked, the culture shifted to keeping clients at any cost.

– Resistance to change from seemingly unethical to ethical practices. The root of the problem was top management figures who exemplified poor ethical practices.

– Culture shifted to increasing revenue from clients as much as possible.

– Began to underestimate vulnerabilities in their practices, jeopardizing the organization’s future.

Page 36: Ability to Evaluate Risks

• Risk management must be driven from the top down and embedded in an organization’s culture

• At the core of the ERM framework, an entity must be proactive, not reactive

• Health systems should plan for risks, and create an efficient structure and a disciplined process to evaluate potentially risky strategic decisions.

[Figure: (Right Processes + Right People) * Disciplined Approach => Ability to Evaluate Risks]

Page 37: Ability to Evaluate Risks

• The volume of data most organizations collect, process and analyze is growing exponentially.

• Numerous organizations, such as IBM and Microsoft, are now offering products that utilize big data to analyze/predict risk.

• Example: Google Flu Trends

– “…we can accurately estimate the current level of weekly influenza activity in each region of the United States, with a reporting lag of about one day.” – Google, 2009

– Found that certain search terms are good indicators of flu activity. Google Flu Trends, in collaboration with the CDC, uses aggregated Google search data to estimate flu activity.

– Early detection of a disease outbreak can reduce the number of people affected. Google’s up-to-date influenza estimates may enable public health officials and health professionals to better respond to seasonal epidemics and pandemics.

Page 38: Implementing a Contemporary ERM System

[Figure: ERM System]

Page 39: Challenges to Implementing a Contemporary ERM System

• Territorial Turf: competition among units (quality, risk management, patient safety, corporate compliance, etc.)

• Culture: cultural incompatibility and diversity may act as barriers

• Changing Environment: moving away from the traditional punitive environment centered around individual employee/staff error to an organizational emphasis on systems

• Teams and Communication: employees often have a hard time working in teams and/or promoting communication on their own

• Limited use of Technology: technology should be used to support the core operations of healthcare and to support patient safety, decrease medical error, and improve management

• Inadequate Senior-Level Support: the C-suite should understand the concepts of ERM and also lend organizational support for program development and implementation

• Length of Time to Implement: willingness to devote time to implementation may hold many organizations back from ERM

Page 40: Challenges to Implementing a Contemporary ERM System

• Expertise: expertise in risk and finance may be limited

• ROI: it may be difficult to demonstrate immediate, quantifiable ROI

• Follow-through: without change and follow-through, ERM programs become static and eventually dwindle in support and effectiveness

• Employee Involvement in Design: successful ERM programs recognize the importance of employee involvement and contributions and value their input

Page 41: Success Factors of ERM Programs

Consistency
• In assessment
• In scoring measurement
• Quantifying and benchmarking results
• Decreased variability through evidence-based practice

Monitoring and evaluation
• Internal
• External

Leadership support and a positive culture

Broad-based employee involvement

Page 42: Questions?