Presentation Makes the Case for Enterprise Risk Management

David McMillan, Pershing Yoakley & Associates, P.C.
dmcmillan@pyapc.com
(865) 673-0844
Larry Vernaglia, Foley & Lardner LLP
lvernaglia@foley.com
(617) 342-4000
Enterprise Risk
Management
A Presentation For: Massachusetts Continuing Legal Education, Inc.
May 16, 2014

May 16, 2014
Massachusetts Continuing Legal Education, Inc.
• ERM began with the Committee of Sponsoring Organizations of the Treadway
Commission (COSO), which issued “Internal Control – Integrated Framework”
to assist businesses and other entities assess and enhance their internal controls
systems.
• Over the past two decades, this framework has been incorporated into policy,
rule, and regulation, and is used by thousands of enterprises to better control their
activities in moving toward achievement of their established objectives.
• COSO’s framework for ERM helps organizations achieve their objectives:
o Strategic
o Operations
o Reporting
o Compliance
Enterprise Risk Management:
The Beginning

May 16, 2014
• ERM first implemented in financial sector (banks, investment companies,
insurers, etc.)
• Now widely utilized and well-developed across the business sector and slowly
being adopted by the healthcare industry.
• Well-known accounting compliance and corporate governance scandals (e.g.,
Enron and WorldCom) largely the impetus for the passage of the Sarbanes-Oxley
Act of 2002 (SOX), resulting in many organizations implementing ERM
programs.
• Primarily publicly traded, for-profit organizations (including healthcare).
• Increased awareness of boards of directors’ responsibility for identifying and
managing organizational risk.
Enterprise Risk Management
Across Industries

May 16, 2014
How Have Payers Traditionally
Managed Risk?
• Historically insurance companies have been designed in a silo structure (i.e.,
each operational activity is undertaken independently, as are the associated risks)
– Ex: there can be virtually no interaction between underwriting and claims
department of insurance companies. As a result of this structure, information
generated from these activities are rarely every shared or synthesized.
• In previous, less volatile years, the silo structure was workable. Given the
dramatic regulatory and technological changes in recent years, the silo structure
is giving way to newer, more strategy-focused structures, such as ERM.
• In many circumstances, the management of these risks can be more efficient if
conducted at the enterprise level.

May 16, 2014
Healthcare Risk Management
Healthcare slow to introduce ERM programs but,
as it has become increasingly evident that no
organization or business sector is immune from
catastrophic loss, the industry’s interest in ERM is
greatly increasing.
Shift away from regional operations to state, multi-
state, and/or national level has played a significant
role in igniting interest in ERM across the
healthcare industry.
Traditional Setting
Acute Care Hospital
Contemporary Setting
Expanding Beyond Hospital Walls
and State Lines

May 16, 2014
Drivers of Change
Healthcare
Industry
Changing
patient
demographics
Advances in
medicine
Competition
Patient-
centered
focus of
care
Changing
reimburse-
ment
The ACA
Increasing
regulation
Shift to EMR
and
Meaningful
Use
Necessity of
outcomes
data
Rapidly
changing
technology

May 16, 2014
Five Indications of the Industry
The Five Fundamentals Driving Healthcare
Transformation:
Read more at http://www.pyapc.com/resources/collateral/white-papers/2014-Healthcare-Whitepaper-PYA.pdf

May 16, 2014
Making the Case for
Enterprise Risk Management
Healthcare reform is causing many health systems to quickly
react/respond/implement (i.e., bundled payments, ACO regulations,
value-based purchasing, etc.)
Too often, health systems are failing to proactively plan for the
response of the reaction to health reform, often leaving the system at
risk
Hastened decisions are often made in silos and without considering
the impact/risk to all entities
EnterpriseRiskManagement

May 16, 2014
Risk Management in Face of
Rapidly Changing Environment
Today’s
Challenge:
Defining the
parameters “along the
way”
Yesterday:
• Financial derivatives in capital and debt structures
Today:
• Rapidly changing reimbursement structures
• Physician-Hospital integration (horizontal & vertical)
Tomorrow:
• Bearing insurance risk

May 16, 2014
What do YOU see?

May 16, 2014
Traditional Risk Management
Program Structure
Manage Risks of “Separate and Distinct” Departments/Silos
Operations
Finance
HumanCapital
Strategic
Legal/Regulatory
Technology
Hazard

May 16, 2014
Shifting Toward a Contemporary
Model of Risk Management
Traditional ModelTraditional Model
• Reactive
• Incident-based
• Clinically focused
• Risk analyzed according to silo or
department (e.g., market risks
handled by marketing department,
patient safety risks handled by the
quality/patient safety department).
• Fails to account for the fact that risks
do not exist in isolation (i.e., cross
organizational structures,
departments, etc.)
• Reactive
• Incident-based
departments, etc.)
Traditional Model
• Reactive
• Incident-based
departments, etc.)
Contemporary Model (ERM)Contemporary Model (ERM)
• Proactive, which better equips healthcare
organizations to focus on all risks
throughout the organization while
maintaining patient safety, ensuring
compliance and improving the
organization’s bottom line.
• Holistic
• Multidisciplinary
• Risk analyzed across the entire enterprise,
not solely at silo/department level.
• Accounts for synergistic relationship
among and between risks.
• Holistic
Contemporary Model (ERM)
• Holistic

May 16, 2014
ERM means different things
to different people…
Discipline
ProcessPractice

May 16, 2014
What is Enterprise Risk Management
(“ERM”)?
Enterprise risk management is a discipline that engages professionals in the practice of
identifying, managing, controlling, and monitoring all risks to the organization.
A Discipline
A Practice
ERM can best be described as an ongoing business decision-making process instituted and
supported by the healthcare organization’s board of directors, executive administration and
medical staff leadership. ERM recognizes the synergistic effect of risks across the continuum of
care, and has as its goals to assist the organization reduce uncertainty and process variability,
promote patient safety and maximize the return on investment (ROI) through asset
preservation, value creation, and the recognition of actionable risk opportunities.
A Process
ERM is a process, effected by an entity’s board of directors, management and other personnel,
applied in strategy setting and across the enterprise, designed to identify potential events that
may affect the entity, and manage risks to be within its risk appetite, to provide reasonable
assurance regarding the achievement of entity objectives.

May 16, 2014
The Board’s Responsibility
to Manage Risk
A Process
ERM is a process, effected by an entity’s board of directors, management and other
personnel, applied in strategy setting and across the enterprise, designed to identify potential
events that may affect the entity, and manage risks to be within its risk appetite, to provide
reasonable assurance regarding the achievement of entity objectives.
The Board of Directors is not necessarily responsible for
the effects of decisions they make – they are, however,
responsible for having a sound process in place for making
these decisions, despite the outcome, good or bad, of the
ultimate decision.

May 16, 2014
What is Enterprise Risk Management
(“ERM”)?
Creating an effective structure through
combining the correct players with an
appropriate strategy, equipping these players
with a common understanding and
appreciation for the direction of the health
system and engaging these players in a
process to evaluate enterprise risk.

May 16, 2014
Example Risk Domains
Operational
• Transitions of care
• Quality/coordination of care
• Adverse event management
• National Patient Safety Goals
• Facility/equipment management
• Workplace safety
• Infection control
• Business continuity
• Billing/collections
• Corporate compliance (fraud and abuse)
• Liquidity
• Growth in programs/facilities
• Capital structure
• Capital equipment
• Capitation contracts
• Staffing/turnover
• Union and labor relations
• Hiring, retention, education
• Succession planning
• Organizational direction and culture
• Morale and engagement
• Employment Practices liability
Strategic
• Regulatory change
• Patient needs/expectations
• Population health competencies
• Advertising, marketing, branding
• Alliances/integration/affiliations
• Competition
• Antitrust
• Corporate compliance
• Confidentiality/security of PHI
• Multiple statutes, standards, and
regulations
• Accreditation
• State licensure
• Private inurement
• CPOE
• EMR/EHR
• Robotics
• Telehealth/telemedicine
• Radio Frequency Identification (patient
tracking, infant security, etc.)
• Information exchange
• Social media
• Facility management
• Plant age
• Natural disasters
• Parking
• Construction/renovation
Hazard
Financial
Legal/Regulatory Technology
Human Capital

May 16, 2014
Contemporary ERM Programs
ERM Structure and Process
Strategy
Real
Legal/Regulatory
Compliance
FinancialPerformance
Access
PhysicianAlignment
Patient
Estate
Technology
Health systems operate multiple businesses with divergent priorities within one entity.
An enterprise risk management framework, consisting of an effective structure and
disciplined process, intersects each distinctive business initiative to provide a holistic
view of the health system.

May 16, 2014
Interrelated Components of ERM
Internal
Environment
Objective
Setting
Event
Identification
Risk AssessmentRisk Response
Control
Activities
Information &
Communication
Monitoring

May 16, 2014
COSO’s “Cube”
Entity’s Objectives
Entity’s
Units
ERM’s
Components
“A distinct relationship exists
between an entity’s objectives
and ERM’s components, which
represent what is necessary to
achieve objectives.”
– COSO’s “Enterprise Risk Management –
Integrated Framework”

May 16, 2014
– Strategy/solution development that supports the organization’s mission, vision, and
values
– Better equipped to anticipate and deal with the unexpected
– Increased understanding of organization-wide costs of risks
– Establishment of consistent methodology for assessing future risks
– Development of strategic, organizational framework for managing risk
– Conservation and effective allocation of limited resources
– Improved decision making and creation of formal links between
units/divisions/organization
– Improved success of regulatory and compliance initiatives
– And the list goes on and on…
Benefits of ERM

May 16, 2014
Designing an ERM Program
Consideration should be
given to the following:
Organizational structure (for profit, not-for-profit,
governmental)
Business approach (acquisition/growth, struggling to
survive, maintain status quo)
Strategy (academic, integrated network, community-
based, etc.)
Variances in setting/locale (acute care hospital, physician
practice, etc.)

May 16, 2014
A Practical Approach
( + ) *
Right
Processes
Right
People
Disciplined
Approach
Ability to
Evaluate Risks
Contributes to
Right Culture

May 16, 2014
Massachusetts Continuing Legal Education,
Inc.
• Risk management must be
driven
from the top down
• At its core, an ERM framework is
proactive, not reactive
• A framework acknowledges that
confronting risks before they are
emergent yields significant
benefit
• A comprehensive risk
management framework does
not automatically ensure that a
system will be void of future and
present risks
The Right Process

May 16, 2014
The Right Process
• Risk Identification:
– Identification and analysis of risk is management’s
responsibility with respect to determining which
risks may impact strategy and achievement of
organizational goals.
– It is essential to create a comprehensive list of
internal and external risks facing the organization
– Risk identification tools can be developed and used
to survey leadership and interviews can be utilized
to develop a deeper understanding of risks already
identified

May 16, 2014
The Right Process
• Risk Assessment and Evaluation:
– Once all organizational risks have been
identified and analyzed, the next steps are:
o Understand and attempt quantification of
potential magnitude of each risk
o Identify risk drivers
o Consider positive and negative consequences
across the organization
o Assess likelihood and severity of each risk

May 16, 2014
The Right Process
• Tools to Evaluate Risk:
– Risk Scoring: evaluates the importance of one risk over another, accounting for
likelihood/probability and impact/severity.
• Sample formula:
Probability x Severity = Risk Score
– Risk Mapping: a data generating process that utilizes local perceptions to identify
and address risks in an effort to reveal transactions, departments, or processes that
result in different types and levels of risks.
• Graphically depicts the organizations’ risks, displaying the relationship between
frequency and severity.
• Requires a team approach to identify and rank each identified risk.

May 16, 2014
The Right Process – Risk Mapping
Risk Measurement
Minimal
Moderate/
Acceptable Untenable
Clinical Quality
Financial/Economic
Legal/Compliance
Marketing/Brand
Patient Experience
Relational

May 16, 2014
Perspective
Prospective
Senior
VP
New Initiative/ Transaction New Initiative/ Transaction New Initiative/ Transaction
Departments/ServicesDepartments/Services Departments/Services
Developing a Comprehensive Risk
Profile
Departments/Services
Comprehensive
Risk Profile
Comprehensive
Risk Profile

May 16, 2014
Inc.
Isolated Risk vs. Systemic Risk
Risk Profile 1
Risk Profile 2
Risk Profile 8
Risk Profile 53
Systemic
Risk
How many “Moderate”s = “Untenable”?
Isolated Risk
Risk Measurement
Minimal
Moderate/
Clinical Quality
Financial/Economic
Legal/Compliance 
Marketing/Brand
Patient Experience
Relational Risk Measurement
Minimal
Moderate/
Clinical Quality
Financial/Economic
Marketing/Brand
Patient Experience
Relational
Risk Measurement
Minimal
Moderate/
Clinical Quality
Financial/Economic
Marketing/Brand
Patient Experience
Relational
Risk Measurement
Minimal
Moderate/
Clinical Quality
Financial/Economic
Marketing/Brand
Patient Experience
Relational

May 16, 2014
Inc.
• The Right People make up the ERM evaluation team.
• Right People, typically members of senior management, are
responsible for evaluating risks respective to his or her
position within the organization and hold responsibility for
strategic initiatives.
( + ) *
Right
Processes
Right
People
Disciplined
Approach
Ability to
Evaluate Risks
Contributes to
Right Culture
The Right People

May 16, 2014
The Right People
CEO
CFO
COO
CMO
CNO
CIO
Human Resources
Legal Counsel
Risk Manager
Real Estate/Facility Management
Key Leader

May 16, 2014
Accumulating the Results
CE
O
SVP
Informatio
n
SVP
Finance
SVP
Operations
SVP
Quality

May 16, 2014
 Frequency
 Transparency
 Board Involvement
 Accountability
( + )*Right
Processes
Right
People
Disciplined
Approach
Ability to
Evaluate Risks
Contributes to
Right Culture
Disciplined Approach

May 16, 2014
Dysfunctional Practices,
Dysfunctional Culture
• Arthur Andersen
– Inability to question superior's practices and incapability to suggest new
ways of doing things. When these practices no longer worked, the culture
shifted to keeping clients at any cost.
– Resistance to change from seemingly unethical to ethical practices. The root
of the problem was top management figures who exemplified poor ethical
practices.
– Culture shifted to increasing revenue from clients as much as possible.
– Began to underestimate vulnerabilities in their practices, jeopardizing
the organization's future.

May 16, 2014
• Risk management must be driven from the top down and
embedded in an organization’s culture
• At the core of the ERM framework, an entity must be proactive,
not reactive
• Health systems should plan for risks, and create an efficient
structure and a disciplined process to evaluate potentially risky
strategic decisions.
( + )*Right
Processes
Right
People
Disciplined
Approach
Ability to
Evaluate Risks=>
Ability to Evaluate Risks

May 16, 2014
• Volume of data most organizations collect, process and analyze growing
exponentially.
• Numerous organizations, such as IBM and Microsoft, are now offering products
to utilize big data to analyze/predict risk.
• Example: Google Flu Trends
– “…we can accurately estimate the current level of weekly influenza activity in each region of
the United States, with a reporting lag of about one day.” – Google, 2009
– Found that certain search terms are good indicators of flu activity. Google Flu Trends, in
collaboration with the CDC, uses aggregated Google search data to estimate flu activity.
– Early detection of a disease outbreak can reduce number of people affected. Google’s up-to-
date influenza estimates may enable public health officials and health professionals to better
respond to seasonal epidemics and pandemics.
Ability to Evaluate Risks

May 16, 2014
Inc.
Implementing a
Contemporary ERM System
ERM
System

May 16, 2014
Challenges to Implementing a
• Competition among units (quality, risk management,
patient safety, corporate compliance, etc.)Territorial Turf
• Cultural incompatibility and diversity may act as barriersCulture
• Moving away from tradition punitive environment centered
around individual employee/staff error to an organizational
emphasis on systems
Changing Environment
• Employees often have a hard time working in teams and/or
promoting communication on their own
Teams and
Communication
• Technology should be used to support the core operations
of healthcare and to support patient safety, decrease
medical error, and improve management.
Limited use of
Technology
• C-suite should understand the concepts of ERM and also
lend organizational support for program development and
implementation
Inadequate Senior-
Level Support
• Willingness to devote time to implementation may hold
many organizations back from ERM.
Length of Time to
Implement

May 16, 2014
Challenges to Implementing a
• Expertise in risk and finance may be
limited.Expertise
• May be difficult to demonstrate
immediate, quantifiable ROI.ROI
• Without change and follow-through, ERM
programs become static and eventually
dwindle in support and effectiveness.
Follow-through
• Successful ERM programs recognize the
importance of employee involvement and
contributions and value their input.
Employee
Involvement in
Design

May 16, 2014
Success Factors of ERM Programs
• In assessment
• In scoring measurement
• Quantifying and benchmarking results
• Decreased variability through
evidence-based practice
Consistency
• Internal
• External
Monitoring and evaluation
Leadership support and a
positive culture
Broad-based employee
involvement

May 16, 2014
Questions?

Presentation Makes the Case for Enterprise Risk Management

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Destacado

Destacado (18)

Similar a Presentation Makes the Case for Enterprise Risk Management

Similar a Presentation Makes the Case for Enterprise Risk Management (20)

Más de PYA, P.C.

Más de PYA, P.C. (20)

Último

Último (20)

Presentation Makes the Case for Enterprise Risk Management