Enterprise Risk Management - mnshrm.org
TRANSCRIPT
A professional membership group of1
Enterprise Risk Management
An ASHRM Presentation
OBJECTIVES
Definition, Terms, Guiding Principles, Framework
Traditional Risk Management to ERM
Diagnostic Tools
Steps to implement an ERM Program
ASHRM’s ERM Definition
ERM in healthcare promotes a comprehensive framework for making risk management decisions which maximize value
protection and creation by managing risk and uncertainty and their connections to total value.
Driving Need for Change
TRADITIONAL: Silo approach; risk transfer; claims management; loss control; fails to ID complex risk
EMERGING: Healthcare reform; transparency; uncertainty in reimbursement
NEW APPROACH: Comprehensive; strategic planning; risk financing; value creation; value protection
Breaking Down the Silos: Moving to ERM
(Chart: ERM program maturity, from BASIC through INTERMEDIATE to ADVANCED, plotted against efficiency in resource consumption)
BASIC - Traditional Risk Management (TRM) Program:
 Compartmentalized risk program; asset preservation; value protection; risk identification is reactive; inconsistencies in risk management practices; focused on “pure risk”; insurance purchased; risk averse; risks seen in silos
INTERMEDIATE - “Micro” ERM application:
 Starting to compile and use data for decision-making; developing an understanding of ERM; ERM strategies and tools utilized for key risks on a unit or departmental basis; correlation of risk is better understood; moving to value creation; risk opportunities identified
ADVANCED - “Macro” ERM application:
 Fully integrated program; “Everyone is a Risk Manager”; developed risk appetite and tolerance statement; use of risk-based decision analysis for decision-making; developed ERM framework and supportive governance; risk takers; ERM is a top-down, bottom-up process; risk identification is proactive; value is recognized
ERM | Essential Elements
GUIDING PRINCIPLES
GOVERNANCE
TERMS: Value Creation, Value Protection, Managing Uncertainty
Terms & Complementary Descriptions
Comprehensive Framework: organization-wide; holistic; broad perspective; synergistic effect; comprehensive; strategic; thorough; robust; structured
Value Protection: reduce uncertainty; reduce variability; duplication; separation; shield assets; efficient use of resources; quality outcomes; safe practices
Value Creation: increased market share; competitive edge; financial strength; improved ROI; increased margins; enhanced reputation; improved satisfaction scores; quality outcomes; credible; respected
Managing Uncertainty: reduce risks; eliminate loss; promote standardization; use evidence-based practice; decrease variability; view the impact of risk holistically, not in silos (eliminate silo mentality); understand chaos theory; eliminate/minimize lost opportunities; captures the positive or upside
Source: ERM—A Framework for Success, 2014
GUIDING PRINCIPLES
Advance safe and trusted healthcare
Manage uncertainty
Maximize value protection and creation
Encourage multidisciplinary accountability
Optimize organizational readiness
Promote positive organizational culture
Advance ERM practices (continuous/comprehensive)
Utilize data/metrics to prioritize risks
Align risk appetite and strategy
Risk Domains
Operational, Clinical, Financial, Human Capital, Strategic, Legal & Regulatory, Technology, Hazard
Evaluate synergistic effect of risks
Domain | Description / Example
Operational | Risks resulting from inadequate or failed internal processes, people, or systems that affect business operations.
Clinical / Patient Safety | Risks associated with the delivery of care to residents, patients and other healthcare customers.
Strategic | Risks associated with the focus and direction of the organization: brand, reputation, competition, failure to adapt to changing times, health reform or customer priorities.
Financial | Decisions that affect the financial sustainability of the organization, access to capital or external financial ratings through business relationships or the timing and recognition of revenue and expenses make up this domain.
Human Capital | This domain refers to the organization’s workforce. This is an important issue in today’s tight labor and economic markets.
Legal / Regulatory | Risks are generally associated with fraud and abuse, licensure, accreditation, product liability, management liability, Centers for Medicare and Medicaid Services (CMS) Conditions of Participation (CoPs) and Conditions for Coverage (CfC), as well as issues related to intellectual property.
Technology | This domain covers machines, hardware, equipment, devices and tools, but can also include techniques, systems and methods of organization.
Hazard | This ERM domain covers assets and their value. Traditionally, insurable hazard risk has related to natural exposure and business interruption. Specific risks can also include risk related to: facility management, plant age, parking (lighting, location, and security), valuables, construction/renovation, earthquakes, windstorms, tornadoes, floods, fires.
Risk Tolerance & Risk Appetite
Risk Tolerance: An articulated, quantified measure of the maximum amount of risk an organization can stand to assume in order to avoid failing to meet its objectives.
Risk Appetite: An articulated, quantified measure of the amount of risk an organization seeks to assume in order to maximize fulfillment of its objectives.
Spectrum from RISK AVERSE to RISK TAKER: Guaranteed Cost, Cash Flow Programs, Retro Dividend Programs, Self Insurance, Captives
A Risk-Aware Culture Understands…
For every project, initiative, and strategic direction there is a range of possible inputs and a range of possible outputs.
There are identifiable factors that drive each final outcome: costs, time, other resources, returns, revenues, fulfillment of mission.
Some are internal to the organization, others are external.
Some are random, others are not.
Some are controllable and others are beyond the organization’s ability to control.
ERM as a Decision Making Process
1. IDENTIFY & ANALYZE: Identifying and analyzing an organization’s exposure to loss
2. EVALUATE ALTERNATIVES: Examining/evaluating alternate risk techniques
3. SELECT BEST TECHNIQUE: Selecting the best techniques to implement
4. IMPLEMENT CHOSEN TECHNIQUE: Implementing the selected risk techniques
5. MONITOR, CHANGE, LEARN: Monitoring the techniques, making changes as necessary
Approach and Tools
Approaches: Macro and Micro
Tools: Risk list, Risk ranking, Risk inventory, Risk register, Risk strategy, Risk mitigation, Risk evaluation
Risk List Template (Macro)
RISK # | RISK NAME | RISK DOMAIN
F1 | Payer Mix/Reimbursement | Financial
T1 | IT Infrastructure & Security | Technology
T2 | Cyber-Liability | Technology
LR1 | Research Compliance | Legal/Regulatory
LR2 | Regulatory Changes | Legal/Regulatory
H1 | Environmental/Disposal of toxic chemo-therapeutic waste | Hazard
HC1 | Succession Planning | Human Capital
S1 | Recruitment & Retention – Physicians | Strategic
Potential Risk Associated with Acquisition of a Multi-Specialty Physician Medical Practice
Domains: Operational; Clinical/Patient Safety; Financial; Strategy; Legal/Regulatory; Human Capital; Hazard; Technology
Access to care
Infection control
Hand washing
Culture/ environment
Inadequate policies and procedures
Failure to follow EBM
Adverse event reporting
Informed Consent
Failure to diagnosis
Failure to refer
Misdiagnosis
Clinical continuity
Medication admin. & safety
Critical test results
Payer mix
Reimbursement
Access to capital
Contracts management
Supply management
Collection/AR
M, A, & D
Competition
Conflicts of interest
Diminished market-share
Reputation
HIPAA
ACO
Employment practices liability
Mandatory reporting
Data breach
Physician turnover
Competency
Retention & recruitment
Competitive benefit program
Aging workforce
Drug diversion
Disruptive behavior
OSHA
Crisis management
Fire safety
UST
Environment of care
Emergency preparedness
Critical care
Hybrid EHR
Meaningful Use
Social networking
Multiple and competing vendors
Data security
Encryption
Micro-Physician Practice Acquisition Risk List
Risk Ranking Process
RISK RANKING OVERVIEW
Risk ranking provides an initial means of prioritizing assessed risks based upon assessments of IMPACT and LIKELIHOOD.
– Risks were assessed assuming the effectiveness of existing risk management activities.
Risk rankings are used to identify a risk’s position on a Risk Map.
RISK RANKING CALCULATION STEPS
1. Multiply the IMPACT assessment and the LIKELIHOOD assessment for each risk.
2. Reference the product against a range of values.
3. Assign one of four risk rankings (Very High, High, Medium or Low) based upon the referenced range.
RISK RANKING MATRIX (Risk Map): LIKELIHOOD on one axis (Unlikely, Potential, Likely); IMPACT on the other (Insignificant, Moderate, Critical)
RISK RANKING | RANK RANGE
VERY HIGH | Greater than 17.0
HIGH | Greater than 10.0, but less than 17.0
MEDIUM | Greater than 5, but less than 10.0
LOW | Less than 5.0
Risk Assessment Scales: LIKELIHOOD
Adapted from original work by Aon Corporation in collaboration with client. Permission granted to use for educational purposes.
RATING | LIKELIHOOD DESCRIPTION | CHARACTERISTICS
5 | Almost Certain / Already Occurring | In system/process: knowledge-based decisions by trained person. Controls: not working / may not exist. Expected to occur: daily/weekly
4 | Likely | In system/process: rule-based decisions by trained person. Expected to occur: annually
3 | Potential | In system/process: automated or controlled by trained person. Controls: preventative, not detective. Expected to occur: every 2–5 years
2 | Unlikely | In system/process: highly automated with validation and monitoring. Expected to occur: every 5–20 years
1 | Rare | Controls: preventative and detective. Not expected to occur
Risk Assessment Scales: IMPACT
Adapted from original work by Aon Corporation in collaboration with client. Permission granted to use for educational purposes.
Columns: FINANCIAL | PATIENT SAFETY | OPERATIONS/PROCESS | REPUTATIONAL | LEGAL/REGULATORY
RATING 5 - Critical
 Financial: Cash: results in <20 days cash on hand; Property damage: >$250,000; Key contract loss; Loss of business
 Patient Safety: Death/permanent disability; Event: suicide/rape/child abduction
 Operations/Process: Significant labor relations event; Workplace safety: multiple lost time injuries/recordable incidents; PHI/PI breach: >100
 Reputational: Significant brand impairment; loss of significant market share; Sustained, negative media coverage; Customer satisfaction: <85%
 Legal/Regulatory: Loss of license; State/Federal investigation
RATING 4 - Major
 Financial: Cash/expense: $150,000; Property damage: $100,000–250,000; Additional unexpected capital required
 Patient Safety: Substantiated boundary or code of conduct incident; Major or critical health incident; Non-compliance with standard of care
 Operations/Process: Loss/significant turnover of key personnel; IT systems disruption; Workplace safety: lost time and recordable incidents; PHI/PI breach: <100
 Reputational: Temporary but significant negative media coverage; Customer satisfaction: 85–88%
 Legal/Regulatory: State/Federal inquiry (not investigation)
RATING 3 - Moderate
 Financial: Cash/expense: $50,000; Property damage: $10,000–100,000
 Patient Safety: Upward trend in minor health incidents; No clinical continuity
 Operations/Process: Loss of or increased turnover in key positions; Operational disruption or increased costs due to regulatory change
 Reputational: Negative media mention (state); Customer satisfaction: 88–90%
 Legal/Regulatory: Corporate non-compliance with financial impact; Insurance access implications
RATING 2 - Minor
 Financial: Cash/expense: $10,000; Property damage: <$10,000
 Patient Safety: Minor health incidents; patient not knowledgeable of failure
 Operations/Process: Distraction in employee base
 Reputational: Customer satisfaction: 90–94%
 Legal/Regulatory: Minor violations (e.g., auto)
RATING 1 - Insignificant
 Financial: Insignificant property damage or impact to cash
 Patient Safety: No impact on the delivery of care
 Reputational: Customer satisfaction: >95%
Sample Formulas
Formula 1: Probability X Severity = Risk Score
 (1 to 5) X (1 to 5) = Risk Score
 1 X 1 = 1 (lowest score)
 5 X 5 = 25 (max. score)
Formula 2: (Probability + Time to Impact) X Severity = Risk Score
 (1 to 5 + 1 to 3) X (1 to 5) = Risk Score
 (1 + 1) X 1 = 2 (lowest score)
 (5 + 3) X 5 = 40 (highest score)
Risk Inventory
RANK | RISK NAME | RISK CATEGORY | LIKELIHOOD (1.00 TO 5.00) | IMPACT (1.00 TO 5.00) | RISK RANKING
1 | Payer Mix / Reimbursements | Financial | 4.33 | 4.42 | 19.14 (Very High)
2 | Billing Accuracy | Financial | 4.33 | 4.25 | 18.42 (Very High)
3 | IT Infrastructure | Technology | 4.50 | 3.92 | 17.63 (Very High)
4 | Confidentiality / Data Security | Technology | 4.08 | 4.08 | 16.67 (High)
5 | Recruitment & Retention (Physician) | Human Capital | 4.33 | 3.67 | 15.89 (High)
6 | Health Reform | Strategic / External | 3.42 | 4.25 | 14.52 (High)
7 | Adequate Protocols, Controls & Policies | Operational | 3.42 | 3.92 | 13.38 (High)
8 | Cost Management | Financial | 3.08 | 4.08 | 12.59 (High)
9 | Recruiting & Retention (Non-Physician) | Human Capital | 3.50 | 3.50 | 12.25 (High)
10 | Safety & Security | Operational | 3.58 | 3.33 | 11.94 (High)
11 | Business Model / Service Units | Strategic / External | 3.17 | 3.75 | 11.88 (High)
12 | Facility & Equipment Management | Hazard | 3.83 | 2.92 | 11.18 (High)
13 | Employee Engagement | Human Capital | 3.17 | 3.50 | 11.08 (High)
14 | Competition | Strategic / External | 2.92 | 3.75 | 10.94 (High)
15 | Quality Outcomes | Clinical | 3.17 | 3.42 | 10.82 (High)
16 | Skills & Competencies | Human Capital | 3.17 | 3.17 | 10.03 (High)
17 | Conflict of Interest | Operational (Non-Clinical) | 3.42 | 2.92 | 9.97 (Medium)
18 | Patient Needs | Strategic / External | 3.17 | 3.08 | 9.76 (Medium)
19 | Support Staff / Staffing Levels | Human Capital | 2.91 | 3.08 | 8.97 (Medium)
20 | Capacity & Availability of Space | Strategic / External | 2.92 | 3.00 | 8.75 (Medium)
21 | Adequate Policies & Procedures | Operational (Non-Clinical) | 3.08 | 2.75 | 8.48 (Medium)
22 | Compliance | Operational (Non-Clinical) | 2.50 | 2.83 | 7.08 (Medium)
Adapted from original work by Aon Corporation in collaboration with client. Permission granted to use for educational purposes.
Risk Inventory to Risk Register
Risk-Aware Culture Objectives
Top 3–5 Risks
Definition of Risk
Risk Score and Risk Drivers
Risk Response and Solutions
Opportunity to Create/Protect Value
Risk Register
Risk Inventory to Risk Register: Risk Register columns
Category/Domain
Risk Defined
Likelihood (L): frequency, numbers (#), probability
Impact (I): financial severity ($), harm index
Risk Score (RS): L x I = RS
Risk Drivers (internal & external)
Risk Response (in place & needed)
Opportunity to create, enhance value or protect
Risk Register
Strategies and Solutions
Once risks have been identified, defined, rated and ranked, and discussed to determine risk drivers and current risk management activities, the next step is to determine what further strategies and solutions are needed to minimize the potential for loss and how value can be created.
Tracking Strategies & Solutions
Risk | Likelihood | Impact | Strategies & Solutions | Type
1. Payer mix | Very High | Very High | Monitor all contracts and payer mix | Prevention/Reduction (Proactive/Reactive)
2. Billing accuracy | Very High | Very High | Record review to ensure accurate entry & reporting of time | Prevention (Proactive)
3. Data breach | High | High | Develop P&P for employee use of social media; monitor compliance | Prevention (Proactive)
4. Engagement | High | High | Repositioning employees to new or better fitting positions; monitor turnover rates | Prevention (Proactive)
5. Medication error | High | Very High | Double check all weight-based medication dosages for obese & pediatric pts | Prevention/Duplication (Proactive)
6. Cyclical nature of insurance market | Moderate | Moderate | Diversify insurance portfolio among several insurers and SIR | Separation (Proactive)
Risk Mitigation
Potential Risk Mitigation Strategy | Impact on Inherent Risk Score
Implementation of policies & procedures | -3 -2 -1 0
Monitoring (telemetry, hand-washing) | -3 -2 -1 0
Use of risk control programs (fall prevention) | -3 -2 -1 0
Educational initiatives to relevant parties | -3 -2 -1 0
Use of evidence-based practice (best practices, algorithms) | -3 -2 -1 0
Use of specific technology (CPOE, RFID) | -3 -2 -1 0
Use of clinical decision support systems | -3 -2 -1 0
Enhanced communication (informed consent, disclosure & apology) | -3 -2 -1 0
Implementation of TeamSTEPPS | -3 -2 -1 0
Legend: Impact on the Inherent Risk Score with the Implementation of Mitigation Strategies: Highly Effective = -3 / Effective = -2 / Adequate but needs work = -1 / No strategies in place = 0
Results of Mitigation on Inherent Risk Scores
Risk | Domain | Risk Score (Inherent) | Mitigation Strategy and Solutions | Efficacy | Risk Score (Residual)
Payer Mix | Finance | 22 (Very High) | Develop procedures to review all contracts 120 days before renewal | -3 | 19 (Very High)
Succession Planning | Human Capital | 17 (Very High) | Design & maintain formal plans for recruitment & placement of senior leadership | 0 | 17 (Very High)
Clinical Care | Clinical/Patient Safety | 16 (High) | Double check all high-risk medication calculations | -2 | 14 (High)
Conflict of Interest | Operations | 9 (Medium) | Board approved conflict of interest policy, education & monitoring | -1 | 8 (Medium)
Terrorism | Hazard | 8 (Medium) | Purchase insurance; emergency preparedness | -2 | 6 (Low)
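The scoring rules spread across the Risk Ranking, Sample Formulas, Risk Inventory and Risk Mitigation slides, carried through as one added Python example (not code from the ASHRM presentation): likelihood times impact, the 5/10/17 rank ranges, the (probability + time to impact) x severity variant, and the -3..0 mitigation efficacy applied to an inherent score. The treatment of scores landing exactly on 5.0, 10.0 or 17.0, and the floor of 1 on residual scores, are this example's assumptions; the slides do not specify them.

```python
from dataclasses import dataclass

# Rank ranges from the Risk Ranking Matrix slide. The slide leaves the exact
# boundary values (5.0, 10.0, 17.0) undefined; this example assumes (its own
# choice, not the deck's) that a score sitting exactly on a boundary takes the
# lower rank, so each cut-off is applied as a strict "greater than".
RANK_RANGES = (("Very High", 17.0), ("High", 10.0), ("Medium", 5.0))


def risk_score(likelihood: float, impact: float) -> float:
    """Formula 1 on the Sample Formulas slide: Probability x Severity, each
    assessed on the 1-5 scales, giving a score between 1 and 25."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if not 1.0 <= value <= 5.0:
            raise ValueError(f"{name} must be between 1 and 5, got {value}")
    return likelihood * impact


def risk_score_with_time(probability: int, time_to_impact: int, severity: int) -> int:
    """Formula 2: (Probability + Time to Impact) x Severity, with probability 1-5,
    time to impact 1-3 and severity 1-5, giving a score between 2 and 40."""
    if not (1 <= probability <= 5 and 1 <= time_to_impact <= 3 and 1 <= severity <= 5):
        raise ValueError("inputs out of range")
    return (probability + time_to_impact) * severity


def rank(score: float) -> str:
    """Map a score onto the four rankings using the slide's rank ranges."""
    for name, floor in RANK_RANGES:
        if score > floor:
            return name
    return "Low"


def residual_score(inherent: float, efficacy: int) -> float:
    """Apply a mitigation efficacy from the Risk Mitigation legend (-3 highly
    effective .. 0 no strategy in place) to an inherent score, as on the Results
    of Mitigation slide. Flooring the result at 1 is this example's assumption."""
    if efficacy not in (-3, -2, -1, 0):
        raise ValueError("efficacy must be -3, -2, -1 or 0")
    return max(1.0, inherent + efficacy)


@dataclass
class Risk:
    name: str
    domain: str
    likelihood: float
    impact: float


def build_inventory(risks):
    """Score, rank and order risks highest-first, as on the Risk Inventory slide.
    Returns (position, name, domain, score rounded to 2 places, ranking) tuples."""
    rows = [(r.name, r.domain, risk_score(r.likelihood, r.impact)) for r in risks]
    rows.sort(key=lambda row: row[2], reverse=True)
    return [(pos, name, domain, round(score, 2), rank(score))
            for pos, (name, domain, score) in enumerate(rows, start=1)]


# Constructed sample: four rows taken from the deck's Risk Inventory slide. The
# slide shows likelihood and impact rounded to two decimals, so products computed
# here differ by a few hundredths from the scores printed on the slide.
SAMPLE_RISKS = [
    Risk("Conflict of Interest", "Operational (Non-Clinical)", 3.42, 2.92),
    Risk("Payer Mix / Reimbursements", "Financial", 4.33, 4.42),
    Risk("Cost Management", "Financial", 3.08, 4.08),
    Risk("Confidentiality / Data Security", "Technology", 4.08, 4.08),
]

if __name__ == "__main__":
    for row in build_inventory(SAMPLE_RISKS):
        print(row)
```

Note that the terrorism row on the slide above reports a residual score of 6 as Low, whereas the ranking slide's ranges put 6 in Medium; the functions here follow the ranking slide.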
KPI & KRI
Key Performance Indicators (KPIs) track achievement of specific organizational goals:
 FINANCIAL: Days cash on hand
 OPERATIONAL: 30-day readmission rate
 HUMAN RESOURCES: Turnover rate
Key Risk Indicators (KRIs) are factors that drive risks related to specific initiatives:
 CONSTRUCTION: Weather delays, material cost over-runs
 ACO DEVELOPMENT: Lack of physician alignment, competition from other ACOs
 SERVICE LINE EXPANSION: Labor shortages
Getting Started
Preparing for ERM
1. Review strategic plan for organization
2. Evaluate organizational readiness
3. Identify and engage an executive level champion
4. Initiate/facilitate ERM program committees: development team, ERM Steering Committee / Oversight Committee, ERM Work Group
5. Review and identify risk tools
6. Compile and share resource lists, reference materials, subject matter experts
7. Develop a timeline
Developing an Infrastructure
ERM Working Group: the “worker bees” (you + other day-to-day staff; helpful if interdepartmental)
Linkages with Other Key Functions: Internal Audit; Corporate Compliance; Key Committees
Written ERM Plan
Governing Board Reporting
Steps to Implementation
1. Obtain Board and senior leadership support
2. Offer education on uncertainty/risk
3. Develop a well-articulated vision and plan
4. Maintain a positive culture and environment
5. Implement cross-functional teams
6. Develop and implement a communication plan
7. Integrate risk awareness with strategic planning
8. Determine availability of internal resources
Implementation Steps | PLANNING
KNOW the organization’s mission, vision, objectives, and current strategic plan.
UNDERSTAND current practice regarding risk identification, analysis and reporting.
LEARN how the organization identifies opportunities to create value.
IDENTIFY organizational objectives for establishing an ERM program. (Why now? Is there a sentinel, triggering event such as a rating agency’s questions during a visit?)
EVALUATE organizational readiness for ERM, specifically with respect to culture.
DESCRIBE resources necessary for ERM program development and implementation; identify whether those resources are external or internal to the organization and whether they are available.
Implementation Steps | DEVELOPMENT
DRAFT clearly articulated goals and objectives.
DEVELOP and deliver ERM education to board, senior leadership and medical staff leaders.
ENGAGE and deploy necessary resources.
DEVELOP risk appetite and tolerance statements for significant risks, organization wide and/or by domain.
DEVELOP a framework including organizational Guiding Principles.
DRAFT the ERM plan and timeline
DEVELOP committee structure (ERM steering committee and ERM work group); identify membership as appropriate and draft committee charters
IDENTIFY success metrics to mirror articulated goals and objectives
Implementation Steps | INTEGRATION
INTEGRATE ERM practices into the strategic planning process, business practices and business units.
SUPPORT and implement the steps to effectively and efficiently identify, assess, and respond to organizational exposure to loss, including the techniques for avoidance, retention, transfer, mitigation and value creation.
ADOPT risk champions for specific projects and as program supporters from among the board, senior leadership and medical staff leadership.
INTEGRATE the process throughout the organization by educating all employees on their role and responsibility in the ERM program.
DEVELOP a communication plan to facilitate organization-wide integration.
Implementation Steps | MONITOR / EVALUATION
Build criteria into each implemented risk strategy to identify:
 How success will be measured
 What metrics will be used
 How often to report, in what format, and to whom to report
 The assigned responsible party(s)
Periodic (monthly, quarterly, yearly) reviews of KPIs and KRIs to evaluate all risks identified and the effectiveness of chosen risk strategies
Prepare an annual ERM Program report for the Board that includes:
 Identified risks
 Risk prioritization
 Status of risk strategies implemented
 Value creation opportunities
 Goals for the next period
 Challenges encountered
 Recommended new projects and strategies
Hallmarks of Sustainable ERM
1. Board-level commitment
2. A dedicated risk executive
3. An ERM culture that encourages full engagement and accountability
4. Engagement of stakeholders
5. Transparency
6. Integration of financial and operational risk information
7. Use of sophisticated quantification methods
8. Identification of new and emerging risks
9. A move from focusing on risk avoidance and mitigation
Risk Managers Should Take the Lead
Remember… ERM is a relatively new concept in the field.
Many organizations are just beginning to adopt ERM principles.
The Risk Manager should take the lead in keeping ERM alive.
The Risk Manager needs to continually explain the benefits of an ERM approach.
Risk Managers must be aware of the strategic plans.
Be armed with a battery of tools & techniques so ERM can come alive.
Gather anecdotal information & real-world examples of how ERM was beneficial.
The Risk Manager must remain a committed advocate.
Consider the development of an annual report.
Identify a champion for ERM throughout the enterprise.
In Summary
The next 10 years in healthcare will be a period of dramatic change, highlighted by:
Change in the delivery model for how patients receive care across the healthcare continuum
Formation of new relationships and partnerships
Change in how care will be financed and providers reimbursed
Patients will have responsibility and a voice not previously heard
The emphasis on quality outcomes and minimization of process variability will continue to challenge us all
The development, implementation and support of an ERM Program will meet the challenge of addressing organizational risks proactively, meeting these new challenges directly
Questions?
Contact
Denise Shope, RN, MHSA, ARM, CPHRM, FASHRM
Risk Management Consultant, RCM&D
[email protected]