PYA Compliance Consulting Manager Susan Thomas co-presented “Managing Organizational Risk: The Mighty Triad of Internal Audit, Compliance, and Risk Management,” along with Banner Health’s Process Director Jen Brooks and Rockwell Collins’ Senior Internal Audit Analyst Laurie Lutgen at the Association of Healthcare Internal Auditors (AHIA) 36th Annual Conference. Areas of focus included: •Defining the organizational roles and responsibilities of internal audit, corporate compliance, and risk management. •Discovering how a partnership of audit, compliance, and risk management can be a major advantage for an overall risk strategy. •Considering the variety of available audit tools for managing risk. •Discussing how to move from risk-related activities to integrated risk management.

1. Susan Thomas
PYA
Jennifer Brooks
Arizona Care Network
Managing Organizational Risk:
The Mighty Triad of Internal Audit,
Compliance, and Risk Management

2. Managing Organizational Risk: The Mighty Triad of Internal Audit, Compliance, and Risk Management Page 1
Objectives
1
Define organizational roles and
responsibilities of internal audit, corporate
compliance, and risk management
Discover how a partnership of audit,
compliance, and risk management can be a
major advantage for an overall risk strategy
Discuss how to move from siloed risk-related
activities to integrated risk management
Consider utilization of tools available for
organizations to manage risk

3. Managing Organizational Risk: The Mighty Triad of Internal Audit, Compliance, and Risk Management Page 2
Audience Poll
What is the name of the department in which
you work?
2

4. Managing Organizational Risk: The Mighty Triad of Internal Audit, Compliance, and Risk Management Page 3
The Challenges of Managing
Organizational Risk
3
The gravity of operational risk events has increased – due to
fines and sanctions, as well as reputational and legal impacts
Government agencies are demanding more from executive
management and boards, who, in turn, are demanding more
from these support functions to ensure greater control and
oversight of key risk areas
In order to provide valuable insight to executive management
and regulatory oversight agencies, internal audit, compliance,
and risk management must figure out how to join forces

5. Managing Organizational Risk: The Mighty Triad of Internal Audit, Compliance, and Risk Management Page 4
The Challenges of Managing
Organizational Risk (cont.)
4
The roles and responsibilities of
internal audit, compliance, and risk
management have not been clearly
defined as strategic organizational
functions
• Leads to duplication of efforts or gaps
in coverage
Lack of collaborative and standardized
processes for managing organizational
risk across the different functions:
1) Identification and data collection
2) Evaluation and prioritization
3) Action plan with mitigation
• Results in efficiencies due to duplicated or
even contradictory projects
Overlapping or redundant reports
with similar content to executive
management
• Insufficient focus on emerging risks and
limited actionable recommendations on
which executive management can act
• Challenges in trending organizational
issues that may be dispersed across
functional areas
Lack of a centralized system to
enable information sharing and
follow-up
• Evidenced by dependence on manual
processes using spreadsheets,
documents, and databases

6. Managing Organizational Risk: The Mighty Triad of Internal Audit, Compliance, and Risk Management Page 5
What Is Organizational Risk in Healthcare?
 Description of risk: A probability or threat of damage,
injury, liability, loss, or any other negative occurrence that
is caused by external or internal vulnerabilities, and that
may be avoided through preemptive action1
 Organizational risk is the chance of adverse outcomes or
unfavorable consequences resulting from operations
 Evaluate the likelihood that risk will occur and the impact of the
risk to organization
 Some risk is acceptable or possibly unavoidable, but the
goal of organizational risk management is “No Surprises!”
1) Business Dictionary. Web Finance, Inc. http://www.businessdictionary.com/definition/risk.html
5

7. Managing Organizational Risk: The Mighty Triad of Internal Audit, Compliance, and Risk Management Page 6
What Is Risk in the Mighty TRIAD?
6
Internal Audit
IIA defines RISK as “the possibility of an event occurring that will
have an impact on the achievement of objectives; risk is
measured in terms of impact and likelihood”1
Compliance
Compliance risk is exposure to legal penalties, financial forfeiture
and material loss an organization faces when it fails to act in
accordance with industry laws and regulations, internal policies or
prescribed best practices2
Risk Management
Incidents, damages, or loss following healthcare-related events,
such as patient safety, mandatory federal and state regulations,
potential medical errors, malpractice insurance, and claims
management3
1) Institute of Internal Auditors
2) Health Care Compliance Association
3) Association of Healthcare Risk Management

8. Managing Organizational Risk: The Mighty Triad of Internal Audit, Compliance, and Risk Management Page 7
Top Healthcare Risks
 Internal Audit
 Economic conditions
 Increased regulatory scrutiny
 Cybersecurity
 Rapid speed of disruptive innovations and new technologies
 Privacy/identity management and information security
7
Source: Executive Perspectives on Top Risk for 2017. Research conducted by North Carolina State University’s ERM Initiative and Protiviti

9. Managing Organizational Risk: The Mighty Triad of Internal Audit, Compliance, and Risk Management Page 8
Top Healthcare Risks (cont.)
 Compliance
 New payment methodologies
 Electronic health records
 Privacy, security, and technology
 Regulatory investigations
 Physician relationships
8
Source: Top Healthcare Compliance Issues for 2017. PreCheck Blog. Nov. 8, 2016

10. Managing Organizational Risk: The Mighty Triad of Internal Audit, Compliance, and Risk Management Page 9
Top Healthcare Risks (cont.)
 Risk Management
 Medically unnecessary prescribing of opioids
 Cyber risk
 Healthcare infections
 Telemedicine
 Violence in healthcare facilities
 Alarm fatigue
9
Source: National Health Care Fraud Takedown Results in Charges Against Over 412 Individuals Responsible for $1.3 Billion in Fraud Losses.
Department of Justice – Office of Public Affairs. July 13, 2017.
11 Critical Risks Facing the Healthcare Industry. Risk & Insurance. ACE Group. June 1, 2016

11. Managing Organizational Risk: The Mighty Triad of Internal Audit, Compliance, and Risk Management Page 10
Lines of Defense of Managing
Organizational Risk
 First line of defense: The tone of the organization – tone at the top,
tone in the middle, and tone at the bottom regarding managing risk,
compliance, and responsible business behavior
 Second line of defense: The business unit management and
process owners
 Third line of defense: Key support functions, such as compliance
management and risk management, providing an independent
responsible voice
 Fourth line of defense: Internal audit, which provides independent
verification and assurance that controls are in place and operating
effectively
 Fifth line of defense: Board oversight and executive management
Source: Defining The Five Lines of Defense. Jim DeLoach. Corporate Compliance Insights. Posted on January 20, 2015
10

12. Managing Organizational Risk: The Mighty Triad of Internal Audit, Compliance, and Risk Management Page 11
 Provides a process review service that adds shareholder value by
improving business and financial controls
 Reviews risk management, control and governance processes, and
then identifies improvement opportunities
 Provides recommendations to drive change in the business
 Provides independent assurance that an organization's risk
management, governance, and internal control processes are
operating effectively
 Provides an unbiased and objective view
In sum, internal auditors help organizations succeed. The assurance
part of their work involves telling managers and governors how well
the systems and processes designed to keep the organization on
track are working. Then, they offer consulting help to improve those
systems and processes where necessary.
Source: Institute of Internal Auditors
Organizational Roles and Responsibilities:
Internal Audit

13. Managing Organizational Risk: The Mighty Triad of Internal Audit, Compliance, and Risk Management Page 12
 Identifies and prioritizes risks and then deploys resources
accordingly
 Carries out responsibilities within pre-determined norms that
enable the organization to act legally and ethically
 Conducts regulatory and policy training
 Promotes the organizational code of conduct
 Provides a reporting mechanism
 Mitigates the effect of third-party compliance risks: background
checks, required training and certifications, and auditing
compliance efforts
Source: Health Care Compliance Association
Organizational Roles and Responsibilities:
Compliance

14. Managing Organizational Risk: The Mighty Triad of Internal Audit, Compliance, and Risk Management Page 13
 Helps set organizational strategy to mitigate loss and foster patient
safety
 Establishes a process that identifies, analyzes, and treats potential
hazards
 Identifies and eliminates potential hazards before anyone is harmed
or disabled, and develops and evaluates policies and procedures
that provide guidelines for the institution and direct practice
 Protects an institution from legal liability and potential financial
disaster but more importantly, serves to protect the public as well as
healthcare personnel
 Surveys readiness and accreditation management
 Investigates patient complaints and medical malpractice claims
 Reviews medical records for liability issues
 Conducts risk-management training programs
 Manages lawsuits, and acts as a liaison for liability claims
Source: Association for Healthcare Risk Management
Organizational Roles and Responsibilities:
Risk Management

15. Managing Organizational Risk: The Mighty Triad of Internal Audit, Compliance, and Risk Management Page 14
The Value of Integrated Efforts
“Working with others in collaboration is, in my mind, the future of
business. You have a larger audience, more ideas, shared risk, shared
workload, and you will be getting a portion of something greater than
had you done it alone.”
Beth Nicholls, Serial Entrepreneur,
Founder of Do What You Love
“None of us is as smart as all of us.”
Ken Blanchard, Speaker, Business Consultant,
Author of The One Minute Manager
“A single arrow is easily broken, but not ten in a bundle.”
Japanese Proverb
Partnership for an Overall Risk Strategy

16. Managing Organizational Risk: The Mighty Triad of Internal Audit, Compliance, and Risk Management Page 15
 No Integration/Communication
 Separate structures and functions for internal audit, compliance,
and risk management
 Assumed responsibility for managing organizational risk based on
departmental objectives
 No formal coordinating structure
 Functions are not integrated into organizational strategic plan
Source: Integrating Audit, Compliance, Risk Management, and General Counsel. David Galloway, Executive Director, Office of Compliance and
Audit, BYU. SCCE – Austin Presentation 2015.
Levels of Integration

17. Managing Organizational Risk: The Mighty Triad of Internal Audit, Compliance, and Risk Management Page 16
 Informal Integration
 Organizational risk issues are reported up, through separate
chains of command
 No formal coordination of compliance issues
 Dependent on relationships and comfort of working outside of
departmental boundaries
 Impromptu method may work for some issues, but not for others
Source: Integrating Audit, Compliance, Risk Management, and General Counsel. David Galloway, Executive Director, Office of Compliance and
Audit, BYU. SCCE – Austin Presentation 2015.
Levels of Integration (cont.)

18. Managing Organizational Risk: The Mighty Triad of Internal Audit, Compliance, and Risk Management Page 17
 Official Integration
 Departments that manage organizational risk are in regular
contact
 Regular meetings with agendas, minutes, and action plans
 Cooperative process to identify and address organizational risk
 Coordinated auditing, monitoring, and reporting to assure that
risks are addressed
 Governance support and organizational recognition as an
assimilated function
Source: Integrating Audit, Compliance, Risk Management, and General Counsel. David Galloway, Executive Director, Office of Compliance and
Audit, BYU. SCCE – Austin Presentation 2015.
Levels of Integration (cont.)

19. Managing Organizational Risk: The Mighty Triad of Internal Audit, Compliance, and Risk Management Page 18
18
No
Integration
Informal
Integration
Official
Integration
Images courtesy of Free Range Stock, www.freerangestock.com; and Pixabay, https://pixabay.com/
How Integrated is Your Organization?

20. Managing Organizational Risk: The Mighty Triad of Internal Audit, Compliance, and Risk Management Page 19
Internal Audit
Compliance
Risk Management
Happy Healthcare Company
Risk Management
Move From Silos to Integration

21. Managing Organizational Risk: The Mighty Triad of Internal Audit, Compliance, and Risk Management Page 20
 View the TRIAD as a valuable resource
 Different backgrounds and points of view can be used to the
organization’s advantage
 Working together will create an efficiency of scale and lessen
redundancy
 Develop and share collaborative work plans and discuss
data to be collected
 Areas of overlap can be confronted cooperatively
 For example: Never Events
 Internal Audit – operational review of internal controls
 Compliance – correct coding and billing
 Risk Management – subject to malpractice
Strategies for Integration

22. Managing Organizational Risk: The Mighty Triad of Internal Audit, Compliance, and Risk Management Page 21
 Communicate and share information across support
functions
 Remodel distribution of resources and competencies
across the organization (e.g., software, education
materials, support staff)
 Understand that risk in one area can affect other areas
 Ensure that information is disseminated throughout the
organization
 Collaborate on education and awareness events
 Coordinate investigation of complex issues and resolution
of exposure
 Collaborate on annual work plans and risk assessments
 Educate governance to foster a better understanding of an
integrated control environment
Strategies for Integration (cont.)

23. Managing Organizational Risk: The Mighty Triad of Internal Audit, Compliance, and Risk Management Page 22
22
 Recognize the potential positive affect of risk – not all
risk is bad
 Risk can be turned into an organizational opportunity with the
right information and collaboration
 Risk is inherent to a growing organization
 Monitor and manage interrelated risks
 Managing organizational risk is a process – that never
ends
Strategies for Integration (cont.)

24. Managing Organizational Risk: The Mighty Triad of Internal Audit, Compliance, and Risk Management Page 23
 Increase in patient satisfaction and patient outcomes
 Decrease in malpractice loss
 Increase accuracy with claims submission
 Better documentation to support medical necessity
 Proper payment for services rendered
 The ability to innovate and “think outside the box”
 Competitive advantage – enhanced, coordinated
management of organizational risk – exceeding
competitors’ efforts
Positive Outcomes of Integration

25. Managing Organizational Risk: The Mighty Triad of Internal Audit, Compliance, and Risk Management Page 24
 Development of a comprehensive risk portfolio providing
better levels of assurance of organizational risk
management
 Deeper understanding and focused action on the most
significant risks
 Bond ratings – governance oversight and integrated risk
management factors into agency rating decisions
Positive Outcomes of Integration (cont.)

26. Managing Organizational Risk: The Mighty Triad of Internal Audit, Compliance, and Risk Management Page 25
25
Board of Directors
Executive Management
Audit
Committee Quality & Risk
Committee
Compliance
Committee
Consolidated Reporting
Internal
Audit
Compliance Risk
Management
Dept. 1 Dept. 4Dept. 3Dept. 2 Dept. 5 Dept. 6 Dept. 7
Defined Scope, Standardized Processes,
Coordinated Personnel, Infrastructure
What Would This Utopia Look Like?

27. Managing Organizational Risk: The Mighty Triad of Internal Audit, Compliance, and Risk Management Page 26
26
 Cross-functional personnel
 Subject matter experts can cross over to provide support and
expertise for activities related to management of organizational
risk
 Multi-disciplinary policies and procedures
 Investigations, complaints, reporting, personnel requirements,
training
 Information systems
 Utilization of a common/shared organizational risk management
software application for efficient investigation, monitoring, auditing,
and reporting of risk issues
 Provides an organizational repository of all risk-related information
 Consolidated reporting
 Reporting risk issues identified by type – internal audit,
compliance, risk management – to executive leadership and
governance demonstrates a comprehensive approach
Examples of Integration

28. Managing Organizational Risk: The Mighty Triad of Internal Audit, Compliance, and Risk Management Page 27
Organizational Risk
Management Processes
– Charter and Plan,
Cross Functional
Auditing, Reporting
Risk Assessment
Questionnaires
Risk Factor Ranking
Methodology
SWOT Analysis, Root
Cause Analysis
Checklists
Diagramming techniques,
flowcharts
Software for maintaining
a repository of risk-
related data and for
reporting
Professional associations
and access to experts
Tools Available for Managing
Organizational Risk

29. Managing Organizational Risk: The Mighty Triad of Internal Audit, Compliance, and Risk Management Page 28
AUDIENCE PARTICIPATION
WHO is responsible for the risk?
HOW should other support areas be involved?
 Patient complaint about inappropriate EMR access
 Drug diversion detection
 False claim due to altered documentation
What’s the RISK?

30. Save the Date
San Diego, CA
August 26-29, 2018

31. Managing Organizational Risk: The Mighty Triad of Internal Audit, Compliance, and Risk Management Page 30
Thank You!
30
Jennifer Brooks, BSN
Senior Director
of Practice Transformation
Susan Thomas
CHC®, CIA, CRMA, CPC®
Manager, Healthcare Consulting
 The presenters would like to thank Sheila Limmroth CIA
®
, CHS, HIPAA Privacy Officer/Legal Services
Specialist for DCH Health System for her valuable insight and contributions to this presentation.