306 - Lefar: Real World Risk Assessment - HCCA Official Site
TRANSCRIPT
©2006Confidential
800-808-6800 www.mediregs.com
Risk Assessment and Management for the Real World
Steve Lefar, MediRegs
Agenda
• Why Risk Assessment Matters.
• Enterprise Risk Management.
• Assessing Risk in the Resource Constrained Environment.
Managing Risk Can Improve Results
[Chart] Annualized total shareholder returns (1998-2003) for differing degrees of risk model sophistication and risk tool usage.
Source: PA Consulting Survey of Global Banks
Compliance Cynicism Abounds
"Although inconvenient to admit, a compliance program is less to ensure obedience to the law than to deflect unwanted attention from an institution's activities...
The crucial step of determining what constitutes compliance involves interpretation and judgment...
Compliance programs are good for an institution in the way that paying protection money is good for a business squeezed by the mob. If have them we must, let us recognize that the value lies in keeping the barbarians outside the gate."
Kevin R. Davis is a university counsel and a senior lecturer in philosophy at Vanderbilt University.
The Chronicle Review, Volume 53, Issue 20, Page B11. Copyright © 2006 by The Chronicle of Higher Education.
The Unknown, by Donald Rumsfeld
As we know,
• There are known knowns. There are things we know we know.
• We also know there are known unknowns. That is to say we know there are some things we do not know.
• But there are also unknown unknowns, the ones we don't know we don't know.
Department of Defense news briefing, Feb. 12, 2002
Top Leaders Look Through A Risk Prism
Grounding Compliance In Risk Management Will Help The Image
• Risk Assessment: Estimating the probability of an event occurring and the magnitude of effects if the event does occur. (Probability x Loss)
• Risk Management: Process of identifying, assessing, and controlling risks arising from operational factors and threats and making decisions that balance risks and costs with mission benefits. (From the US Army)
• Compliance: Adherence to a set of rules, processes or procedures to control or mitigate risk that is determined by either internal or external forces.
And Help Our Organizations Prepare For Compliance "Events"
• What happened?
• That would have been easy to fix upfront?
• I thought you owned that one?
• Why didn't we know?
• That is going to cost millions?
• I thought she/he was a good hire.
Even Regulations Are Risk Controls
• CoPs: Patient Rights, Nursing Care
• OIG Workplan: Financial Fraud/Mistakes
Handout: Patient Rights Question Set
ERM: Latest Rage or Rubik's Cube?
"... a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."
Source: COSO Enterprise Risk Management – Integrated Framework, 2004, COSO.
You Understand It Already
The 7 (8) Elements from the OIG and US Sentencing Commission:
• Oversight
• (Risk Assessments)
• Response and Prevention
• Enforcement, Incentives and Discipline
• Education and Training
• Reporting
• Monitoring and Auditing
And Do It All Day, Every Day
Current Risk Managers:
• Finance
• Compliance
• Internal Audits
• Risk Management
• Construction
• Treasury
• Security
• Case Management
• Medical Affairs
Risk Approaches Used:
• TQM
• Six Sigma
• Policy and Procedure
• Accounting Controls
• Portfolio Theory
• Game Theory
• Scenario Planning
• Clinical/critical pathways
What's Really Different?
Current:
• Siloed
• Board oversight often limited
• No infrastructure
• No standards
• Lack of rigor and quantitative analyses
ERM:
• Integrated view of risk across the organization
• Stratification of risk into a portfolio
• Systematic, rigorous, continuous, coordinated, well defined process
• Senior leadership owns it.
• Linked to strategy and business objectives
Assessing Risk With Limited Resources
Risk Assessment Simplified
• Risk Assessment
  What are the risks?
  What would the impact be if it happened?
  How likely is it to happen?
  What is the overall risk given the impact and likelihood? (risk rating)
• Risk Management
  How can we mitigate it?
  Who and when can we mitigate it?
  What is the ongoing risk and how do we monitor it?
Identifying the Risks
• Known Knowns: Regulations; Financial matters; New projects
• Known Unknowns: Behaviors of patients and staff; Potential pandemics or epidemics
• Unknown Unknowns
Identifying The Risks: Setting scope
[Diagram] Risk Drivers: Financial, Geo-Political, Environmental, Regulatory, Strategic, Reputational, Technology, Clinical.
Identifying The Risks: Typical Provider
[Diagram] The Compliance and Risk Team at the center, surrounded by: Community Benefit; Medical Affairs; Conditions of Participation; Research and Grants; Lab; Radiology; PT/OT; Home Health; Hospice; SNF; Health Plan; Vendors; HIM/Coding/Financial Controls; Information Systems/Privacy; Finance, HR, SOX.
Identifying The Risks: Look Everywhere
• Board Members
• Executives
• Vendors
• Partners
• Community Members
• Department Heads
• Employees
Identify The Risks: Policies
If a thousand trees were turned into policies, would anyone care more?
A Real Tool:
• Existence ≠ Awareness ≠ Utility
• Clearly linked to a business and control objective stemming from a risk assessment.
• Integrated into workflow processes via automation whenever possible (if you have to pull it off the shelf, it won't get used).
Identifying the Risks
Structure:
• Departmental
• Process
• Topic
• Hybrid
Tools:
• Checklists
• 1-1 interviews
• Group interview
• Electronic data gathering/interviews
• What If exercises
• Scenario modeling
• Hazard Assessment
Electronic Scoreboards
Assessing Impact and Probability
• Probability: High, Medium, Low; Imminent, Probable, Possible, Unlikely; ELE, Scary, Unfortunate, Who Cares
• Impact: High, Medium, Low; Multivariate (Financial, Clinical, Reputational, Political)
• Integrated: Entity Type, Location, Risk Area, Issue
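A worked risk rating that applies the scales on this slide and the "Probability x Loss" rating from the Risk Assessment Simplified slide: categorical probability, a multivariate High/Medium/Low impact, and a ranked register. This is an added example, not code from the deck or from MediRegs; the integer weights, the band thresholds and the sample register are constructed assumptions.

```python
"""Score a risk register with the deck's categorical scales and the rating
Risk = Probability x Loss. Added example, not code from the MediRegs deck;
the weights, band thresholds and sample register are assumptions."""
from dataclasses import dataclass

# Probability labels from the slide; the integer weights are assumptions.
PROBABILITY = {"Imminent": 4, "Probable": 3, "Possible": 2, "Unlikely": 1}
# Impact labels from the slide; the weights are assumptions.
IMPACT = {"High": 3, "Medium": 2, "Low": 1}
# Multivariate impact dimensions named on the slide.
DIMENSIONS = ("Financial", "Clinical", "Reputational", "Political")


@dataclass(frozen=True)
class Risk:
    name: str
    probability: str   # a key of PROBABILITY
    impact: dict       # dimension -> key of IMPACT; a missing dimension is Low


def impact_score(impact: dict) -> int:
    """Worst case across dimensions, so one High clinical impact is not
    averaged away by Low financial or political ratings."""
    for dim, level in impact.items():
        if dim not in DIMENSIONS or level not in IMPACT:
            raise ValueError(f"unknown impact {dim}={level}")
    return max(IMPACT[impact.get(d, "Low")] for d in DIMENSIONS)


def rating(risk: Risk) -> int:
    """Probability x Loss on a 1..12 integer scale (no float rounding)."""
    if risk.probability not in PROBABILITY:
        raise ValueError(f"unknown probability {risk.probability}")
    return PROBABILITY[risk.probability] * impact_score(risk.impact)


def band(score: int) -> str:
    """Collapse the 1..12 score to the High/Medium/Low rating; thresholds assumed."""
    return "High" if score >= 8 else "Medium" if score >= 4 else "Low"


def assess(register: list) -> list:
    """Rank the register highest rating first as (name, score, band)."""
    scored = [(r.name, rating(r), band(rating(r))) for r in register]
    return sorted(scored, key=lambda t: t[1], reverse=True)


# Constructed sample register for a provider; not data from the deck.
SAMPLE_REGISTER = [
    Risk("PHI on unencrypted laptops", "Probable", {"Financial": "High", "Reputational": "High"}),
    Risk("Pandemic staffing shortage", "Possible", {"Clinical": "High"}),
    Risk("Stale patient-rights posting", "Imminent", {"Political": "Low"}),
    Risk("Coding error on a rare DRG", "Unlikely", {"Financial": "Medium"}),
]
```

Calling assess(SAMPLE_REGISTER) returns the register ordered for the management conversation on the later slide, with the laptop exposure rated High and the rare coding error Low.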
Managing Real Time Risk
Happenings
• You get told things every day that don't happen. It's printed in the press. The world thinks all these things happen. They never happened.
• Everyone's so eager to get the story before in fact the story's there that the world is constantly being fed things that haven't happened.
• All I can tell you is, it hasn't happened. It's going to happen.
Department of Defense briefing, Feb. 28, 2003
Assessing Real Time Risks
Integrated end to end management of issues, events, incidents and matters.
[Diagram] A Centralized Database linked to: Communications, Agency, Investigations, Education, Audits.
Talking to Management About RA
• What is the progress of our assessments?
• What are we assessing and how?
• What are the business risks to our strategies, finances and organization?
• What are the compliance issues?
• What are our significant risks, scenarios or risk events?
• How significant are these risks and what is the impact?
• How should we manage these risks?
• How should we monitor these risks?
Chart Sources: MediRegs and Chief Security Officers.com
Rules Of The Road
1. Keep it practical but exhaustive.
2. Don't be idealistic. Look at what actually goes on.
3. Identify the known-knowns, unknown knowns and unknown unknowns.
4. Put it in business terms.