Compliance, Internal Audit, and Risk Management: What do they look like at a Managed Care Plan?

Transcription

1 Compliance, Internal Audit, and Risk Management: What do they look like at a Managed Care Plan? And, other words of wisdom... Objectives: Define risk and identify where risk comes from Recognize what risk activities are being performed in health plans now Experience how two health plans address risks Categorize the similarities and differences among Enterprise Risk Management, Internal Audit, Compliance programs Define Enterprise Risk Management (ERM) 2014 Compliance Institute March 30,

2 Objectives (Cont.) Discuss the elements and components of Enterprise Risk Management (ERM) Review where your plan is in the ERM Share a sample of what an ERM might look like Identify best practices to achieve to the ultimate state of ERM for your organization 2014 Compliance Institute March 30, Objectives (Cont.) And, other words of wisdom from you. Questions and Answers on any health plan topics 2014 Compliance Institute March 30,

3 Define Risk Risk From Merriam Webster s Dictionary noun \ˈrisk\: the possibility that something bad or unpleasant (such as an injury or a loss) will happen someone or something that may cause something bad or unpleasant to happen a person or thing that someone judges to be a good or bad choice for insurance, a loan, etc Compliance Institute March 30, Define Risk Risk is a function of the likelihood of a given threatsource s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization. Source: NIST National Institute of Standards and Technology 2014 Compliance Institute March 30,

4 Risk Factors to Consider Could the event (risk) happen? What is the probability it is likely to happen? What is the impact (how bad would it be) if it were to happen? How can you reduce the probability it will happen (mitigation)? Can you create a contingency plan to reduce the impact? 2014 Compliance Institute March 30, Do You Know All Your Risks? Never in all history have we harnessed such formidable technology. Every scientific advancement known to man has been incorporated into its design. The operational controls are sound and foolproof! This quote was said by whom? 2014 Compliance Institute March 30,

5 Who Said It? E. J. Smith, the Captain of the Titanic Sooner or later, there will be a crisis that tests your health plan. Are you ready? What examples come to mind for you? 2014 Compliance Institute March 30, Where Does Risk Come From? Multiple sources of risks (threats) across broad categories, including: Natural Threats Floods, earthquakes, tornadoes, landslides, avalanches, electrical storms, and other such events. Human Threats Events that are either enabled by or caused by human beings, such as unintentional acts (inadvertent data entry) or deliberate actions (network based attacks, malicious software upload, unauthorized access to confidential information). Environmental Threats Long term power failure, pollution, chemicals, liquid leakage. Source: NIST (National Institute of Standards and Technology) 2014 Compliance Institute March 30,

6 What Types of Risks Might a Health Plan Have? Internal risks, e.g., operational experience and expertise, succession planning, talent management, quality, technology External risks, e.g., new lines of business, competition, Super Sandy storms, fire Compliance, Regulatory, and Legal risks, e.g., CMS, OMIG, DOH, DOI, DOJ, HHS OCR 2014 Compliance Institute March 30, What Types of Risks Financial risks, e.g., unsound rates, unexpected penalty, market share shrinks Business risks, e.g., mergers and acquisitions, marketplace expansions (QHP) Reputational risks, e.g., how we are viewed in the marketplace Health and Safety risks, e.g., for members and employees Legal, e.g., fraud, theft, sexual harassment 2014 Compliance Institute March 30,

7 Similarities and Differences Among ERM, Internal Audit, and Compliance How are they the same? How are they different? 2014 Compliance Institute March 30, Internal Audit Internal focus Reviews known issues often financially focused Risk is identified and handled by mitigating or eliminating Focus is on auditing It is owned by Internal Audit and Finance or Audit Committee 2014 Compliance Institute March 30,

8 Compliance Internal and external Regulatory, governmental audit focus within the operational areas Commitment to compliance with laws at a minimum Risk is managed narrowly, i.e., eliminate and meet compliance obligations It is owned by Compliance, Leadership, Board Committee 2014 Compliance Institute March 30, Define Enterprise Risk Management Enterprise Risk Management is a process, effected by an entity s Board of Directors, management and other personnel, applied in a strategy setting across the enterprise, designed to identify potential events that may affect the entity, and to manage risk to be within its risk appetite, providing reasonable assurance regarding the achievement of entity objectives. Source: COSO ERM Integrated Framework, Executive Summary September Compliance Institute March 30,

9 Define Enterprise Risk Management Enterprise risk management (ERM) is the process of planning, organizing, leading, and controlling the activities of an organization in order to minimize the effects of risk on an organization's capital and earnings. Enterprise risk management expands the process to include not just risks associated with accidental losses, but also financial, strategic, operational, and other risks. Source: SearchCIO riskmanagement 2014 Compliance Institute March 30, Enterprise Risk Management Internal and external focus Embraces organizational strategy Risk is managed broadly, i.e., accept, mitigate, transfer, reduce, avoid, or eliminate It is owned by everyone Takes into account the corporate strategies and current marketplace 2014 Compliance Institute March 30,

10 What Does That Mean? It is obtaining everyone s involvement at all levels, and Identifying events i.e., risks to the health plan Determining what the likelihood is it will happen and the impact should it happen Deciding how to manage those risks by assessing, transferring, mitigating or eliminating them, and Assuring that the process is done with strategic goals and opportunities in mind 2014 Compliance Institute March 30, What ERM is Enterprise Risk Management connects the links between departments and divisions with collaboration at all levels of the organization. Communication is the key to get a true Enterprise Risk Management program successfully in place Compliance Institute March 30,

11 How Do You Develop An Enterprise Risk Management Program? There are three basic steps (depending on what you read, it could be 4, 5, or up to 16) Step 1 Evaluation Assess best practices (from other health plans, colleagues, consulting firms, external resources, e.g., Google) 2014 Compliance Institute March 30, How Do You Develop An Enterprise Risk Management Program? (Cont.) Step 2 Structure Program Define specific processes, framework committees, involve key Board of Directors and Executive Leadership Team members Step 3 Execute Risk Assessment CEO driven process with accountability by functional executive leaders 2014 Compliance Institute March 30,

12 The Spectrum of ERMs Mature: Exhibit Best Practices Leadership driven ERM process, e.g., CEO or COO Formal Plan Development Actively implementing via internal committee structure and Risk Oversight Committee (BOD) Interconnectivity of all areas are addressed Advanced communication among committees 2014 Compliance Institute March 30, The Spectrum of ERMs Engaged & Involved: Some efforts made to address ERM Performed an enterprise wide risk assessment Begin to structure framework Still developing implementation approaches Infancy At the starting gate: Less Evolved No formal plan yet Address enterprise risk as part of overall audit, compliance, and operational efforts 2014 Compliance Institute March 30,

13 One Size Does NOT Fit All! EMR is an on going process, not something that you implement and then check it off your list! The program develops over time and requires consistent attention and oversight Compliance Institute March 30, ERM Where Do You Start? Research and evaluate what would work for your plan Set up the Framework of the Program, including Structure Perform a Based line Risk Assessment (and do it every 12 months) Identify and assess risks by Risk Management or Risk Oversight Committee with collaboration from other committees (Compliance, Finance, Continuous Quality Improvement ) 2014 Compliance Institute March 30,

14 ERM Where Do You Start Assign Risk to Executive Leadership Team members Each Risk has ONE Owner Include the Each Risk identified above as a Performance Objective for the responsible Executive Report key risks through a BOD committee (Audit, Risk Management, Compliance or directly to the full BOD) with a work plan to address those risks Continuous process it starts again 2014 Compliance Institute March 30, Benefits of an ERM Protect the plan from being vulnerable Provides an enterprise oversight at the highest level that includes risks identified by Internal Audit, Compliance, or operational sources Creates an integrated approach with alignment to corporate strategy; ultimately supports success of those strategies 2014 Compliance Institute March 30,

15 Benefits of an ERM Reduces risks (all types) Shows transparency and accountability throughout the organization Streamlines processes to produce better outcomes Demonstrates visibility and awareness at the highest level of the health plan Improves reputation and fosters trust 2014 Compliance Institute March 30, Benefits of an ERM Eliminates redundancy in process and effort Promotes collaboration and unifies the organization (reduces the silo approach) Prioritizes goals and objectives as well as allocation of resources at the enterprise level with ability to influence strategic vision Builds a shared sense of vision and purpose Diminishes financial volatility 2014 Compliance Institute March 30,

16 What could an ERM Look Like? 2014 Compliance Institute March 30, Contact Information Lori Oleson Director of Compliance and Quality, Government Programs, Blue Cross Blue Shield of Minnesota David Crawford Assistant Vice President, Corporate Compliance, Affinity Health Plan Tel: (718) Caron R. Cullen Sr. Vice President & Chief Compliance Officer, Affinity Health Plan Tel: (718) Compliance Institute March 30,