Leveraging Internal Audit and Corporate Compliance for Effective Risk Management
April 18, 2016
Don Sinko, Chief Integrity Officer, Cleveland Clinic

Agenda
- Cleveland Clinic Integrity Office Model
- The 3 Lines of Defense
- What is Enterprise Risk Management (ERM)
- Cleveland Clinic's Approach to ERM

Cleveland Clinic Background
- Unrestricted Revenue of $7.2 Billion
- Total Assets of $13.7 Billion
- 49,000 Employees
- 1,800 Residents & Fellows
- 6 Million Annual Patient Visits
- Over 2,500 Research Protocols

Cleveland Clinic Background (cont'd)
- Main Campus Founded in 1921
  - Structured as a Group Practice
  - 3,200 Physicians and Scientists
  - 11,200 Nurses
  - 4,450 Beds
  - 208,800 Surgeries
- 16 Family Health Centers
- 10 Community Hospitals
- Las Vegas, Abu Dhabi, Canada, London

Healthcare Risk Environment
- Mounting Financial Pressure & Transparency
- Shift to Value-Based Care
- Constrained Resources
- Reduced Reimbursements
- Regional, Clinically Integrated Networks
- Competitive Intensity
- Uncertainty

Preventative Medicine vs. Surgery
- Ombudsman: Patient Advocate
- Law Department:
  - Protect the Entity
  - Tell The Truth
- Integrity Office:
  - Transparency
  - Ethics
  - Do the Right Thing
  - Tell The Whole Story

Audit & Compliance Today
- More Than Just Billing & Balances
- Process Focused
- Patient Focused
  - Quality
  - Privacy/Security
  - Transparency
- Focused on Implementation of the Law
  - Must Know Operations/Processes
  - Speak the Language
  - Staffed with Many Disciplines

Integrity Office
Audit Committee of the Board of Directors Board of Governors CEO Chief Integrity Officer Corporate Compliance Committee IT Security Office of Internal Audit Office of Corporate Compliance

Integrity Office (cont'd)
- Internal Audit and Corporate Compliance Under One Umbrella
  - Leverages Resources
  - Shared Focus on Risk
  - Shared Focus on Processes
  - Still Independent of Each Other
- Located in the C-Suite
- Independent of Law Department
- Separate from Clinical Compliance

Integrity Office (cont'd)
- Many Backgrounds Required for Integrity Program Effectiveness
  - CPAs
  - IT
  - Forensics
  - Nursing
  - Billing/Coding
  - Research
  - Pharmacy
  - Legal
  - Risk Management

Three Lines of Defense
First Line of Defense -- Operations
- Institute of Internal Auditors - Risk Management Position Paper
- Term from Medieval Castle Systems
  - Moats
  - Stone Walls
  - Interior Forces
- Focused on External Risks

Three Lines of Defense (cont'd)
Second Line of Defense
- Risk Management
- Corporate Compliance
- Clinical Compliance
- Law Department
- Supply Chain

Three Lines of Defense (cont'd)
Third Line of Defense
- Independent Assurance
  - Internal Audit
  - External Audit

What is Enterprise Risk Management
- Important executive management responsibility to assure key risks are addressed
- Requires a portfolio review of risk
- Method to manage uncertainty and volatility
- Proactive and Strategic: minimize threats and capitalize on opportunities
- Ongoing process

ERM is not
- Replacement for internal controls
- Method to eliminate all risk
- Rigid set of rules to follow in all respects
- Exactly the same from year to year

Cleveland Clinic Approach to ERM
- Audit Committee Executive Session
- ERM is not the:
  - Internal Audit Risk Assessment
  - Corporate Compliance Risk Assessment
- Risk Evaluation Processes not Documented
- Not Tied to Strategy

Cleveland Clinic Approach to ERM (cont'd)
- ERM Program Initiated
  - Define ERM Project Plan
  - Establish ERM Governance Structure
  - Determine Risk Appetite
  - Tie ERM to Strategy

ERM Project Summary
- Phase I: Engagement Planning & Launch
- Phase II: Enterprise Risk Identification & Assessment
- Phase III: Define Desired State ERM Program & Recommendations
- Phase IV: ERM Program Implementation
Activities, in the order they appear on the slide:
- Define Project Goals
- Committee Education
- Retain Consultant
- Create Awareness
- Current State Assessment
- Document Review
- Conduct Interviews
- Assess overall ERM capability
- Identify Risks and Risk Owners
- Analyze Information
- Validate and Prioritize
- Document Mitigation Steps and Gaps
- Validate Risk Profile and Rankings
- Develop Governance and Oversight Framework
- Determine improvements / Action Plans
- Develop Awareness and Education Plan
- Design Reporting and Monitoring Activities

Enterprise Risk Management Governance Structure
Board of Trustees CEO Council Executive Committee Planning ERM Steering Committee Strategic Council Leadership Council Performance Improvement ERM Working Groups Strategic Planning Financial Planning Internal Audit

- Established ERM Steering Committee
- Members from Executive and Operations Management
- Performed Risk Interviews
- Determined Top 20/10/7 Risks
- Tied Risks to Strategy
- Approved by Board of Directors
- Established Teams to Address Risks
- Monitored Risk Management Process

Strategic Healthcare Risk Universe
External Financial Operational People Compliance
Business Model Governance Resource Allocation M & A Planning Market Dynamics Network Development Investor Relations Media Relations Economy Political Environment Regulatory Structure Capital Availability Investment Risk Revenue Cycle Benefit Obligations Foreign Currency Cash Management Payer Mix Accounting and Reporting Supply Chain Information Technology Physical Assets Patient Safety and Quality Research Natural Disasters Succession Planning Labor Relations Recruitment and Retention Training and Development Company Culture Tax Compliance Anti-trust Regulatory Provisions (HIPAA, HITECH, RAC) Conflict of Interests Health and Safety Environmental

Top Risks Mapped to Strategic Initiatives
Cleveland Clinic Top Risks Growth Cleveland Clinic Strategic Initiatives Integration Research & Education

ERM Risk Evaluation Cycle
Annual Assessment Monitor Management & IA Assessments Continuous Evaluation Mitigate Assess Steering Committee & Audit Committee ERM Team Business Leaders Internal Audit

Integrity Office Involvement
- Plays an important role in monitoring ERM, but does NOT have primary responsibility for its implementation or maintenance
- Reviews internal controls and risk management processes
- Reviews management's risk assessments
- Provides advice on the improvement of internal controls and risk mitigation strategies
- Facilitates ERM education
- Communicates to Management and the Board