PYA Principal David McMillan recently co-presented “Enterprise Risk Management” at the Massachusetts Continuing Legal Education 15th Annual Hospital & Health Law Conference.
David McMillan, Pershing Yoakley & Associates, P.C.
(865) 673-0844
Larry Vernaglia, Foley & Lardner LLP
(617) 342-4000
Enterprise Risk Management
A Presentation For: Massachusetts Continuing Legal Education, Inc.
May 16, 2014
Page 1May 16, 2014
Massachusetts Continuing Legal Education, Inc.
Enterprise Risk Management: The Beginning
• ERM began with the Committee of Sponsoring Organizations of the Treadway Commission (COSO), which issued “Internal Control – Integrated Framework” to assist businesses and other entities in assessing and enhancing their internal control systems.
• Over the past two decades, this framework has been incorporated into policy, rule, and regulation, and is used by thousands of enterprises to better control their activities in moving toward achievement of their established objectives.
• COSO’s framework for ERM helps organizations achieve their objectives:
o Strategic
o Operations
o Reporting
o Compliance
Enterprise Risk Management Across Industries
• ERM first implemented in financial sector (banks, investment companies, insurers, etc.)
• Now widely utilized and well-developed across the business sector and slowly being adopted by the healthcare industry.
• Well-known accounting compliance and corporate governance scandals (e.g., Enron and WorldCom) largely the impetus for the passage of the Sarbanes-Oxley Act of 2002 (SOX), resulting in many organizations implementing ERM programs.
• Primarily publicly traded, for-profit organizations (including healthcare).
• Increased awareness of boards of directors’ responsibility for identifying and managing organizational risk.
How Have Payers Traditionally Managed Risk?
• Historically, insurance companies have been designed in a silo structure (i.e., each operational activity is undertaken independently, as are the associated risks).
– Ex: there can be virtually no interaction between the underwriting and claims departments of insurance companies. As a result of this structure, information generated from these activities is rarely ever shared or synthesized.
• In previous, less volatile years, the silo structure was workable. Given the dramatic regulatory and technological changes in recent years, the silo structure is giving way to newer, more strategy-focused structures, such as ERM.
• In many circumstances, the management of these risks can be more efficient if conducted at the enterprise level.
Healthcare Risk Management
Healthcare was slow to introduce ERM programs but, as it has become increasingly evident that no organization or business sector is immune from catastrophic loss, the industry’s interest in ERM is greatly increasing.
The shift away from regional operations to state, multi-state, and/or national level has played a significant role in igniting interest in ERM across the healthcare industry.
Traditional Setting: Acute Care Hospital
Contemporary Setting: Expanding Beyond Hospital Walls and State Lines
Drivers of Change
Healthcare industry drivers:
• Changing patient demographics
• Advances in medicine
• Competition
• Patient-centered focus of care
• Changing reimbursement
• The ACA
• Increasing regulation
• Shift to EMR and Meaningful Use
• Necessity of outcomes data
• Rapidly changing technology
Five Indications of the Industry
The Five Fundamentals Driving Healthcare Transformation:
Read more at http://www.pyapc.com/resources/collateral/white-papers/2014-Healthcare-Whitepaper-PYA.pdf
Making the Case for Enterprise Risk Management
• Healthcare reform is causing many health systems to quickly react/respond/implement (i.e., bundled payments, ACO regulations, value-based purchasing, etc.)
• Too often, health systems are failing to proactively plan for their response to health reform, often leaving the system at risk.
• Hastened decisions are often made in silos and without considering the impact/risk to all entities.
Enterprise Risk Management
Risk Management in the Face of a Rapidly Changing Environment
Today’s Challenge: Defining the parameters “along the way”
Yesterday:
• Financial derivatives in capital and debt structures
Today:
• Rapidly changing reimbursement structures
• Physician-Hospital integration (horizontal & vertical)
Tomorrow:
• Bearing insurance risk
What do YOU see?
Traditional Risk Management Program Structure
Manage Risks of “Separate and Distinct” Departments/Silos:
• Operations
• Finance
• Human Capital
• Strategic
• Legal/Regulatory
• Technology
• Hazard
Shifting Toward a Contemporary Model of Risk Management
Traditional Model
• Reactive
• Incident-based
• Clinically focused
• Risk analyzed according to silo or department (e.g., market risks handled by marketing department, patient safety risks handled by the quality/patient safety department).
• Fails to account for the fact that risks do not exist in isolation (i.e., cross organizational structures, departments, etc.)
Contemporary Model (ERM)
• Proactive, which better equips healthcare organizations to focus on all risks throughout the organization while maintaining patient safety, ensuring compliance and improving the organization’s bottom line.
• Holistic
• Multidisciplinary
• Risk analyzed across the entire enterprise, not solely at silo/department level.
• Accounts for synergistic relationship among and between risks.
ERM means different things to different people…
Discipline
Process
Practice
What is Enterprise Risk Management (“ERM”)?
A Discipline
Enterprise risk management is a discipline that engages professionals in the practice of identifying, managing, controlling, and monitoring all risks to the organization.
A Practice
ERM can best be described as an ongoing business decision-making process instituted and supported by the healthcare organization’s board of directors, executive administration and medical staff leadership. ERM recognizes the synergistic effect of risks across the continuum of care, and has as its goals to assist the organization reduce uncertainty and process variability, promote patient safety and maximize the return on investment (ROI) through asset preservation, value creation, and the recognition of actionable risk opportunities.
A Process
ERM is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
The Board’s Responsibility to Manage Risk
A Process
ERM is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
The Board of Directors is not necessarily responsible for the effects of the decisions it makes – it is, however, responsible for having a sound process in place for making these decisions, regardless of the outcome, good or bad, of the ultimate decision.
What is Enterprise Risk Management (“ERM”)?
Creating an effective structure through combining the correct players with an appropriate strategy, equipping these players with a common understanding and appreciation for the direction of the health system and engaging these players in a process to evaluate enterprise risk.
Example Risk Domains
Operational
• Transitions of care
• Quality/coordination of care
• Adverse event management
• National Patient Safety Goals
• Facility/equipment management
• Workplace safety
• Infection control
• Business continuity
Financial
• Billing/collections
• Corporate compliance (fraud and abuse)
• Liquidity
• Growth in programs/facilities
• Capital structure
• Capital equipment
• Capitation contracts
Human Capital
• Staffing/turnover
• Union and labor relations
• Hiring, retention, education
• Succession planning
• Organizational direction and culture
• Morale and engagement
• Employment Practices liability
Strategic
• Regulatory change
• Patient needs/expectations
• Population health competencies
• Advertising, marketing, branding
• Alliances/integration/affiliations
• Competition
• Antitrust
Legal/Regulatory
• Corporate compliance
• Confidentiality/security of PHI
• Multiple statutes, standards, and regulations
• Accreditation
• State licensure
• Private inurement
Technology
• CPOE
• EMR/EHR
• Robotics
• Telehealth/telemedicine
• Radio Frequency Identification (patient tracking, infant security, etc.)
• Information exchange
• Social media
Hazard
• Facility management
• Plant age
• Natural disasters
• Parking
• Construction/renovation
Contemporary ERM Programs
ERM Structure and Process
Business initiatives intersected by the ERM framework:
• Strategy
• Legal/Regulatory Compliance
• Financial Performance
• Access
• Physician Alignment
• Patient
• Real Estate
• Technology
Health systems operate multiple businesses with divergent priorities within one entity. An enterprise risk management framework, consisting of an effective structure and disciplined process, intersects each distinctive business initiative to provide a holistic view of the health system.
Interrelated Components of ERM
• Internal Environment
• Objective Setting
• Event Identification
• Risk Assessment
• Risk Response
• Control Activities
• Information & Communication
• Monitoring
COSO’s “Cube”
Dimensions of the cube: Entity’s Objectives, Entity’s Units, ERM’s Components
“A distinct relationship exists between an entity’s objectives and ERM’s components, which represent what is necessary to achieve objectives.”
– COSO’s “Enterprise Risk Management – Integrated Framework”
Benefits of ERM
– Strategy/solution development that supports the organization’s mission, vision, and values
– Better equipped to anticipate and deal with the unexpected
– Increased understanding of organization-wide costs of risks
– Establishment of consistent methodology for assessing future risks
– Development of strategic, organizational framework for managing risk
– Conservation and effective allocation of limited resources
– Improved decision making and creation of formal links between units/divisions/organization
– Improved success of regulatory and compliance initiatives
– And the list goes on and on…
Designing an ERM Program
Consideration should be given to the following:
• Organizational structure (for profit, not-for-profit, governmental)
• Business approach (acquisition/growth, struggling to survive, maintain status quo)
• Strategy (academic, integrated network, community-based, etc.)
• Variances in setting/locale (acute care hospital, physician practice, etc.)
A Practical Approach
(Right Processes + Right People) * Disciplined Approach => Ability to Evaluate Risks => Contributes to Right Culture
The Right Process
• Risk management must be driven from the top down
• At its core, an ERM framework is proactive, not reactive
• A framework acknowledges that confronting risks before they are emergent yields significant benefit
• A comprehensive risk management framework does not automatically ensure that a system will be void of future and present risks
The Right Process
• Risk Identification:
– Identification and analysis of risk is management’s responsibility with respect to determining which risks may impact strategy and achievement of organizational goals.
– It is essential to create a comprehensive list of internal and external risks facing the organization.
– Risk identification tools can be developed and used to survey leadership, and interviews can be utilized to develop a deeper understanding of risks already identified.
The Right Process
• Risk Assessment and Evaluation:
– Once all organizational risks have been identified and analyzed, the next steps are:
o Understand and attempt quantification of potential magnitude of each risk
o Identify risk drivers
o Consider positive and negative consequences across the organization
o Assess likelihood and severity of each risk
The Right Process
• Tools to Evaluate Risk:
– Risk Scoring: evaluates the importance of one risk over another, accounting for likelihood/probability and impact/severity.
• Sample formula:
Probability x Severity = Risk Score
– Risk Mapping: a data generating process that utilizes local perceptions to identify and address risks in an effort to reveal transactions, departments, or processes that result in different types and levels of risks.
• Graphically depicts the organization’s risks, displaying the relationship between frequency and severity.
• Requires a team approach to identify and rank each identified risk.
The Right Process – Risk Mapping
Risk Measurement scale (columns): Minimal | Moderate/Acceptable | Untenable
Risk categories (rows):
• Clinical Quality
• Financial/Economic
• Legal/Compliance
• Marketing/Brand
• Patient Experience
• Relational
Developing a Comprehensive Risk Profile
Perspective: Prospective
Senior VP
New Initiative/Transaction (each reviewed across Departments/Services)
Departments/Services
Comprehensive Risk Profile
Isolated Risk vs. Systemic Risk
Isolated Risk: a single risk profile (Risk Profile 1), scored on the risk map above (Minimal | Moderate/Acceptable | Untenable across Clinical Quality, Financial/Economic, Legal/Compliance, Marketing/Brand, Patient Experience, Relational).
Systemic Risk: many risk profiles (Risk Profile 1, Risk Profile 2, Risk Profile 8, … Risk Profile 53), each scored on the same risk map, viewed together.
How many “Moderate”s = “Untenable”?
The Right People
• The Right People make up the ERM evaluation team.
• The Right People, typically members of senior management, are responsible for evaluating risks relative to their position within the organization and hold responsibility for strategic initiatives.
(Right Processes + Right People) * Disciplined Approach => Ability to Evaluate Risks => Contributes to Right Culture
The Right People
• CEO
• CFO
• COO
• CMO
• CNO
• CIO
• Human Resources
• Legal Counsel
• Risk Manager
• Real Estate/Facility Management Key Leader
Accumulating the Results
CEO
• SVP Information
• SVP Finance
• SVP Operations
• SVP Quality
Disciplined Approach
• Frequency
• Transparency
• Board Involvement
• Accountability
(Right Processes + Right People) * Disciplined Approach => Ability to Evaluate Risks => Contributes to Right Culture
Dysfunctional Practices, Dysfunctional Culture
• Arthur Andersen
– Inability to question superiors’ practices and incapability to suggest new ways of doing things. When these practices no longer worked, the culture shifted to keeping clients at any cost.
– Resistance to change from seemingly unethical to ethical practices. The root of the problem was top management figures who exemplified poor ethical practices.
– Culture shifted to increasing revenue from clients as much as possible.
– Began to underestimate vulnerabilities in their practices, jeopardizing the organization’s future.
Ability to Evaluate Risks
• Risk management must be driven from the top down and embedded in an organization’s culture
• At the core of the ERM framework, an entity must be proactive, not reactive
• Health systems should plan for risks, and create an efficient structure and a disciplined process to evaluate potentially risky strategic decisions.
(Right Processes + Right People) * Disciplined Approach => Ability to Evaluate Risks
Ability to Evaluate Risks
• The volume of data most organizations collect, process and analyze is growing exponentially.
• Numerous organizations, such as IBM and Microsoft, are now offering products to utilize big data to analyze/predict risk.
• Example: Google Flu Trends
– “…we can accurately estimate the current level of weekly influenza activity in each region of the United States, with a reporting lag of about one day.” – Google, 2009
– Found that certain search terms are good indicators of flu activity. Google Flu Trends, in collaboration with the CDC, uses aggregated Google search data to estimate flu activity.
– Early detection of a disease outbreak can reduce the number of people affected. Google’s up-to-date influenza estimates may enable public health officials and health professionals to better respond to seasonal epidemics and pandemics.
Implementing a Contemporary ERM System
ERM System
Challenges to Implementing a Contemporary ERM System
• Territorial Turf: Competition among units (quality, risk management, patient safety, corporate compliance, etc.)
• Culture: Cultural incompatibility and diversity may act as barriers
• Changing Environment: Moving away from a traditional punitive environment centered around individual employee/staff error to an organizational emphasis on systems
• Teams and Communication: Employees often have a hard time working in teams and/or promoting communication on their own
• Limited use of Technology: Technology should be used to support the core operations of healthcare and to support patient safety, decrease medical error, and improve management.
• Inadequate Senior-Level Support: C-suite should understand the concepts of ERM and also lend organizational support for program development and implementation
• Length of Time to Implement: Willingness to devote time to implementation may hold many organizations back from ERM.
Challenges to Implementing a Contemporary ERM System
• Expertise: Expertise in risk and finance may be limited.
• ROI: May be difficult to demonstrate immediate, quantifiable ROI.
• Follow-through: Without change and follow-through, ERM programs become static and eventually dwindle in support and effectiveness.
• Employee Involvement in Design: Successful ERM programs recognize the importance of employee involvement and contributions and value their input.
Success Factors of ERM Programs
Consistency
• In assessment
• In scoring measurement
• Quantifying and benchmarking results
• Decreased variability through evidence-based practice
Monitoring and evaluation
• Internal
• External
Leadership support and a positive culture
Broad-based employee involvement
Questions?