PYA Compliance Consulting Manager Susan Thomas co-presented “Managing Organizational Risk: The Mighty Triad of Internal Audit, Compliance, and Risk Management,” along with Banner Health’s Process Director Jen Brooks and Rockwell Collins’ Senior Internal Audit Analyst Laurie Lutgen at the Association of Healthcare Internal Auditors (AHIA) 36th Annual Conference.
Areas of focus included:
• Defining the organizational roles and responsibilities of internal audit, corporate compliance, and risk management.
• Discovering how a partnership of audit, compliance, and risk management can be a major advantage for an overall risk strategy.
• Considering the variety of available audit tools for managing risk.
• Discussing how to move from risk-related activities to integrated risk management.
Managing Organizational Risk: The Mighty Triad of Internal Audit, Compliance, and Risk Management (presentation slides)
Objectives
• Define organizational roles and responsibilities of internal audit, corporate compliance, and risk management
• Discover how a partnership of audit, compliance, and risk management can be a major advantage for an overall risk strategy
• Discuss how to move from siloed risk-related activities to integrated risk management
• Consider utilization of tools available for organizations to manage risk
Audience Poll
• What is the name of the department in which you work?
The Challenges of Managing Organizational Risk
• The gravity of operational risk events has increased, due to fines and sanctions as well as reputational and legal impacts
• Government agencies are demanding more from executive management and boards, who, in turn, are demanding more from these support functions to ensure greater control and oversight of key risk areas
• In order to provide valuable insight to executive management and regulatory oversight agencies, internal audit, compliance, and risk management must figure out how to join forces
The Challenges of Managing Organizational Risk (cont.)
• The roles and responsibilities of internal audit, compliance, and risk management have not been clearly defined as strategic organizational functions
  • Leads to duplication of efforts or gaps in coverage
• Lack of collaborative and standardized processes for managing organizational risk across the different functions:
  1) Identification and data collection
  2) Evaluation and prioritization
  3) Action plan with mitigation
  • Results in inefficiencies due to duplicated or even contradictory projects
• Overlapping or redundant reports with similar content to executive management
  • Insufficient focus on emerging risks and limited actionable recommendations on which executive management can act
  • Challenges in trending organizational issues that may be dispersed across functional areas
• Lack of a centralized system to enable information sharing and follow-up
  • Evidenced by dependence on manual processes using spreadsheets, documents, and databases
What Is Organizational Risk in Healthcare?
• Description of risk: A probability or threat of damage, injury, liability, loss, or any other negative occurrence that is caused by external or internal vulnerabilities, and that may be avoided through preemptive action (1)
• Organizational risk is the chance of adverse outcomes or unfavorable consequences resulting from operations
• Evaluate the likelihood that a risk will occur and the impact of the risk to the organization
• Some risk is acceptable or possibly unavoidable, but the goal of organizational risk management is “No Surprises!”
1) Business Dictionary. Web Finance, Inc. http://www.businessdictionary.com/definition/risk.html
What Is Risk in the Mighty TRIAD?
Internal Audit
• IIA defines RISK as “the possibility of an event occurring that will have an impact on the achievement of objectives; risk is measured in terms of impact and likelihood” (1)
Compliance
• Compliance risk is exposure to legal penalties, financial forfeiture and material loss an organization faces when it fails to act in accordance with industry laws and regulations, internal policies or prescribed best practices (2)
Risk Management
• Incidents, damages, or loss following healthcare-related events, such as patient safety, mandatory federal and state regulations, potential medical errors, malpractice insurance, and claims management (3)
1) Institute of Internal Auditors
2) Health Care Compliance Association
3) Association of Healthcare Risk Management
Top Healthcare Risks
Internal Audit
• Economic conditions
• Increased regulatory scrutiny
• Cybersecurity
• Rapid speed of disruptive innovations and new technologies
• Privacy/identity management and information security
Source: Executive Perspectives on Top Risk for 2017. Research conducted by North Carolina State University’s ERM Initiative and Protiviti
Top Healthcare Risks (cont.)
Compliance
• New payment methodologies
• Electronic health records
• Privacy, security, and technology
• Regulatory investigations
• Physician relationships
Source: Top Healthcare Compliance Issues for 2017. PreCheck Blog. Nov. 8, 2016
Top Healthcare Risks (cont.)
Risk Management
• Medically unnecessary prescribing of opioids
• Cyber risk
• Healthcare infections
• Telemedicine
• Violence in healthcare facilities
• Alarm fatigue
Sources: National Health Care Fraud Takedown Results in Charges Against Over 412 Individuals Responsible for $1.3 Billion in Fraud Losses. Department of Justice – Office of Public Affairs. July 13, 2017.
11 Critical Risks Facing the Healthcare Industry. Risk & Insurance. ACE Group. June 1, 2016
Lines of Defense of Managing Organizational Risk
• First line of defense: The tone of the organization (tone at the top, tone in the middle, and tone at the bottom) regarding managing risk, compliance, and responsible business behavior
• Second line of defense: The business unit management and process owners
• Third line of defense: Key support functions, such as compliance management and risk management, providing an independent responsible voice
• Fourth line of defense: Internal audit, which provides independent verification and assurance that controls are in place and operating effectively
• Fifth line of defense: Board oversight and executive management
Source: Defining The Five Lines of Defense. Jim DeLoach. Corporate Compliance Insights. Posted on January 20, 2015
Organizational Roles and Responsibilities: Internal Audit
• Provides a process review service that adds shareholder value by improving business and financial controls
• Reviews risk management, control and governance processes, and then identifies improvement opportunities
• Provides recommendations to drive change in the business
• Provides independent assurance that an organization's risk management, governance, and internal control processes are operating effectively
• Provides an unbiased and objective view
In sum, internal auditors help organizations succeed. The assurance part of their work involves telling managers and governors how well the systems and processes designed to keep the organization on track are working. Then, they offer consulting help to improve those systems and processes where necessary.
Source: Institute of Internal Auditors
Organizational Roles and Responsibilities: Compliance
• Identifies and prioritizes risks and then deploys resources accordingly
• Carries out responsibilities within pre-determined norms that enable the organization to act legally and ethically
• Conducts regulatory and policy training
• Promotes the organizational code of conduct
• Provides a reporting mechanism
• Mitigates the effect of third-party compliance risks: background checks, required training and certifications, and auditing compliance efforts
Source: Health Care Compliance Association
Organizational Roles and Responsibilities: Risk Management
• Helps set organizational strategy to mitigate loss and foster patient safety
• Establishes a process that identifies, analyzes, and treats potential hazards
• Identifies and eliminates potential hazards before anyone is harmed or disabled, and develops and evaluates policies and procedures that provide guidelines for the institution and direct practice
• Protects an institution from legal liability and potential financial disaster but, more importantly, serves to protect the public as well as healthcare personnel
• Surveys readiness and accreditation management
• Investigates patient complaints and medical malpractice claims
• Reviews medical records for liability issues
• Conducts risk-management training programs
• Manages lawsuits, and acts as a liaison for liability claims
Source: Association for Healthcare Risk Management
Partnership for an Overall Risk Strategy
The Value of Integrated Efforts
“Working with others in collaboration is, in my mind, the future of business. You have a larger audience, more ideas, shared risk, shared workload, and you will be getting a portion of something greater than had you done it alone.”
Beth Nicholls, Serial Entrepreneur, Founder of Do What You Love
“None of us is as smart as all of us.”
Ken Blanchard, Speaker, Business Consultant, Author of The One Minute Manager
“A single arrow is easily broken, but not ten in a bundle.”
Japanese Proverb
Levels of Integration
No Integration/Communication
• Separate structures and functions for internal audit, compliance, and risk management
• Assumed responsibility for managing organizational risk based on departmental objectives
• No formal coordinating structure
• Functions are not integrated into organizational strategic plan
Source: Integrating Audit, Compliance, Risk Management, and General Counsel. David Galloway, Executive Director, Office of Compliance and Audit, BYU. SCCE – Austin Presentation 2015.
Levels of Integration (cont.)
Informal Integration
• Organizational risk issues are reported up, through separate chains of command
• No formal coordination of compliance issues
• Dependent on relationships and comfort of working outside of departmental boundaries
• Impromptu method may work for some issues, but not for others
Source: Integrating Audit, Compliance, Risk Management, and General Counsel. David Galloway, Executive Director, Office of Compliance and Audit, BYU. SCCE – Austin Presentation 2015.
Levels of Integration (cont.)
Official Integration
• Departments that manage organizational risk are in regular contact
• Regular meetings with agendas, minutes, and action plans
• Cooperative process to identify and address organizational risk
• Coordinated auditing, monitoring, and reporting to assure that risks are addressed
• Governance support and organizational recognition as an assimilated function
Source: Integrating Audit, Compliance, Risk Management, and General Counsel. David Galloway, Executive Director, Office of Compliance and Audit, BYU. SCCE – Austin Presentation 2015.
How Integrated is Your Organization?
[Figure: three images labelled No Integration, Informal Integration, and Official Integration]
Images courtesy of Free Range Stock, www.freerangestock.com; and Pixabay, https://pixabay.com/
Move From Silos to Integration
[Figure: separate silos labelled Internal Audit, Compliance, and Risk Management, alongside a single Happy Healthcare Company Risk Management function]
Strategies for Integration
• View the TRIAD as a valuable resource
  • Different backgrounds and points of view can be used to the organization’s advantage
  • Working together will create an efficiency of scale and lessen redundancy
• Develop and share collaborative work plans and discuss data to be collected
• Areas of overlap can be confronted cooperatively
  • For example: Never Events
    • Internal Audit: operational review of internal controls
    • Compliance: correct coding and billing
    • Risk Management: subject to malpractice
Strategies for Integration (cont.)
• Communicate and share information across support functions
• Remodel distribution of resources and competencies across the organization (e.g., software, education materials, support staff)
• Understand that risk in one area can affect other areas
• Ensure that information is disseminated throughout the organization
• Collaborate on education and awareness events
• Coordinate investigation of complex issues and resolution of exposure
• Collaborate on annual work plans and risk assessments
• Educate governance to foster a better understanding of an integrated control environment
Strategies for Integration (cont.)
• Recognize the potential positive effect of risk: not all risk is bad
  • Risk can be turned into an organizational opportunity with the right information and collaboration
  • Risk is inherent to a growing organization
• Monitor and manage interrelated risks
• Managing organizational risk is a process that never ends
Positive Outcomes of Integration
• Increase in patient satisfaction and patient outcomes
• Decrease in malpractice loss
• Increased accuracy with claims submission
• Better documentation to support medical necessity
• Proper payment for services rendered
• The ability to innovate and “think outside the box”
• Competitive advantage: enhanced, coordinated management of organizational risk, exceeding competitors’ efforts
Positive Outcomes of Integration (cont.)
• Development of a comprehensive risk portfolio providing better levels of assurance of organizational risk management
• Deeper understanding and focused action on the most significant risks
• Bond ratings: governance oversight and integrated risk management factor into agency rating decisions
What Would This Utopia Look Like?
[Figure: organization chart. Board of Directors over Executive Management; Audit Committee, Quality & Risk Committee, and Compliance Committee; Consolidated Reporting from Internal Audit, Compliance, and Risk Management; Dept. 1 through Dept. 7 below; foundation labelled “Defined Scope, Standardized Processes, Coordinated Personnel, Infrastructure”]
Examples of Integration
• Cross-functional personnel
  • Subject matter experts can cross over to provide support and expertise for activities related to management of organizational risk
• Multi-disciplinary policies and procedures
  • Investigations, complaints, reporting, personnel requirements, training
• Information systems
  • Utilization of a common/shared organizational risk management software application for efficient investigation, monitoring, auditing, and reporting of risk issues
  • Provides an organizational repository of all risk-related information
• Consolidated reporting
  • Reporting risk issues identified by type (internal audit, compliance, risk management) to executive leadership and governance demonstrates a comprehensive approach
Tools Available for Managing Organizational Risk
• Organizational risk management processes: charter and plan, cross-functional auditing, reporting
• Risk assessment questionnaires
• Risk factor ranking methodology
• SWOT analysis, root cause analysis
• Checklists
• Diagramming techniques, flowcharts
• Software for maintaining a repository of risk-related data and for reporting
• Professional associations and access to experts
AUDIENCE PARTICIPATION: What’s the RISK?
WHO is responsible for the risk? HOW should other support areas be involved?
• Patient complaint about inappropriate EMR access
• Drug diversion detection
• False claim due to altered documentation
Thank You!
Jennifer Brooks, BSN, Senior Director of Practice Transformation
Susan Thomas, CHC®, CIA, CRMA, CPC®, Manager, Healthcare Consulting
The presenters would like to thank Sheila Limmroth, CIA®, CHS, HIPAA Privacy Officer/Legal Services Specialist for DCH Health System, for her valuable insight and contributions to this presentation.
Editor's Notes
The lack of collaboration impacts resource allocation and prioritization, for example:
• IT support for disparate organizational risk management initiatives on top of all of the other IT projects
• Staffing necessary to implement competing processes in different areas
So if we take a minute and pause right here, what have you learned at this point that you can take back to your organization?
1.) If you have not been having open dialogue with your compliance and risk management colleagues, now is the time to start.
2.) Perhaps that first dialogue or meeting can be about risk and whether you are each performing a risk assessment individually and does an opportunity exist to collaborate on a combined risk assessment?
3.) Risk assessment collaboration can lead to collaboration on actual projects. In the long run this process ensures all elements of risk are considered and productivity increases across the departments involved. Let’s take an example of how collaboration works using physician contracts: Internal Audit may audit medical directorships and have findings related to timesheet preparation. However, because they did not involve Risk Management in the process, they may not know that they are completely missing contracts for 2 physicians, and because Compliance was not involved, Internal Audit may not realize that the amounts paid or the services provided are in violation of the Stark Law. This is a simplified example of how working together can result in improvements in the quality of work product and better manage the organization’s risk.
We have had a record year for fines from the Office for Civil Rights in 2016. Additionally, organizations are being hit by ransomware attacks—it is not a question of “if” but, rather, a question of “when.” Have risk management, compliance, and internal audit worked together with Privacy and Security staff to ensure the process is being properly managed all the way from testing backup tapes, to having cyber-insurance, to having a breach notification and response team ready to assemble?
By a show of hands, how many people feel your role in internal audit has shifted? In the past you may have performed primarily financial and operational auditing….audits we like to term “traditional” audits. Now there is an expectation that internal audit play more of a consulting role and be pro-active instead of reactive. Working in a silo cannot get the job done in 2017. As new risks within the industry emerge, we have to work with others to properly prepare the organization for “what is just around the corner.” It is more important than ever that Internal Audit have a seat at the “c-suite” table and add value through what is learned on the front lines. This means more compliance and IT auditing than in the past.
Compliance and internal audit will find they have a lot of commonality, and using this commonality can assist in pushing through change that may be necessary for the good of the organization. For example, Internal Audit may want to change the organization’s policy on gifts and gratuities because they feel the amount of food being brought into the facility by vendors provides the appearance of conflict. They cannot get traction because, let’s face it, who doesn’t like free food? However, Internal Audit meets with Compliance and learns about the Sunshine Law and learns that a log should be maintained of free food that is given to physicians. Working together, they are able to change the policy because several risks were identified as they worked together.
One area that definitely requires collaboration among the three areas: Drug Diversion. We all know that we are facing, as a Nation, an opioid epidemic. These three departments can work closely together along with your Pharmacy and the c-suite to ensure your facility is taking appropriate measures to prevent adding to this epidemic.
The movement does not have to happen overnight. It can be having lunch with your compliance or risk management counterpart and getting to know one another. That can lead to discussing projects and finding common ground. Often, in the process of working together, these three distinct areas become an adhesive group because they have similar interests within the organization and can rely on one another for support and advice.
You will be amazed at what you can accomplish together. For example, I am aware of one hospital where these departments each individually felt IT Security education was lacking for the workforce. Each had tackled their concerns with management but there was no interest to formalize an education program. The emphasis was on HIPAA Privacy education for the workforce. Together, Compliance, Internal Audit, and Risk Management documented their concerns and ultimately an IT Security Education Team was formed that provided monthly IT Security education for the workforce utilizing a new movie theme each month. It was and is a huge success because of the voices of many versus the voices of a few stating what was needed.