Enterprise Risk Management: Maximizing Value by Managing Risk
May 24, 2018
Introduction

Jeff Wright, CPA, CIA, PMP
Senior Manager, Risk and Accounting Advisory Services
312.602.3530
Jeff.Wright@plantemoran.com

Katy Dettman, CPA
Principal, Risk and Accounting Advisory Services
312.980.3325
Katy.Dettman@plantemoran.com
Plante Moran – fast facts
Today's Agenda
• Overview of Enterprise Risk Management
• Summary of ERM activities
• Fraud Risk Pyramid
• Sample Fraud Risk Assessment
Two Most Common Myths About ERM

Myth #1: ERM is a process only handled by the chief financial officer or finance.

Fact #1: The ERM risk universe consists of strategic, financial, operational and compliance risks. All members of senior management need to participate in the ERM process so that it draws on adequate knowledge and experience of the various risk strategies required. ERM does not lie within finance alone.
Myth #2: ERM is a periodic event that requires updates only quarterly, semi-annually or annually.

Fact #2: ERM is a process just like any other process within the organization (payroll, inventory, revenue, accounts payable, etc.). Each company's ERM process is at a different stage of maturity. Your risk profile is continuously changing, and your ERM process has to adapt along with it.
What is Enterprise Risk Management (ERM)?

The Committee of Sponsoring Organizations (COSO) defines ERM as follows: Enterprise risk management is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
Evolution of Risk Management

Timeline: 1960s, 1970s, 1980s, 1990s, 2000s, 2010s, today's focus.

Insurable Risk: risks based on historical loss experience and for which insurance policies can be purchased:
• Property/Casualty
• Errors & omissions
• Liability
• Workman's compensation
• Fire/Flood

Quantifiable Risk: financial instruments emerged and shifted focus to quantifiable risk and other management tools:
• Earnings at risk
• Value at risk
• Historical predictors
• Monte Carlo simulations

Enterprise Risks: risks are classified as:
• Strategic
• Finance/Reporting
• Operational
• Compliance
Management uses a top-down approach to identify, measure, and mitigate risks.
ERM – Internal Environment

An organization must ensure that risk management is run as an enterprise-wide approach rather than a silo approach. Monitoring controls are established at the entity level to give an entity-wide view of risk taking that accounts for the risk objectives of each process.

[Diagram: ERM at the centre, with Risk 1, Risk 2 and Risk 3 tracked across Revenue Cycle, Technology & Cyber, Accounting & Treasury, Supply Chain, Privacy and Quality]
ERM Infrastructure Framework

Responsibilities, ERM infrastructure and information flow:

Board of Directors: Approve ERM charter, assign authority, board oversight
Chief Executive Officer: Program sponsorship, establish tone at the top, delegate authority, report to Board
ERM Committee: Program coordination, establish policies & procedures, create monitoring controls, assignment of risk owners, establish reporting protocols

Risk owners by category:
• Financial/Reporting risk owners: CFO, Controller
• Strategic risk owners: CEO, COO/CNO, Chief Medical Officer, Chief Marketing Officer
• Operational risk owners: COO/CNO, department directors, service line leaders
• Compliance risk owners: Risk Management, Compliance, Legal

Risk Owners: Identify risks applicable to each function of the organization and assume monitoring responsibility.
Control Owners: Perform monitoring of each risk and report back to Risk Owners and/or ERM Committee.
1st Line of Defense
ERM Development Overview

Inputs:
Step 1: Planning meeting to understand objective setting, build out the risk universe and infrastructure pyramid. Develop impact & likelihood criteria for inherent risk.
Step 2: Hold a risk workshop to risk-rate inherent risk and mitigating activities and calculate residual risk.
Step 3: Develop risk treatment strategies and potential improvements to control activities.
Step 4: Deliver the risk model with rankings, Key Risk Indicators (KRIs) and monitoring controls for the ERM Committee. Leverage risk rankings for the internal audit plan.

Outputs:
• Risk register with customized risk universe
• Risk summaries with detailed treatment strategies and risk playbook
• Robust ERM infrastructure with reporting and monitoring controls
• Identified potential internal audits for control testing
Education Risk Universe: Sample

Count: 22 Strategic, 25 Operational, 13 Financial, 13 Compliance, 73 total risks.

STRATEGIC (22)
• Access to Talent
• Budgeting and Forecasting
• Capital Planning
• Community Health Needs
• Competition
• Conflict of Interest
• Culture
• Economic Downturn
• Staff Sourcing and Retention
• Ethics
• IT Strategic Planning
• Leadership Succession
• Legislative/Regulatory
• Media/Social Media Risk
• Opportunity Cost
• Organizational Structure
• Political
• Reputation
• Resource Planning
• Revenue Enhancement
• Strategic Partnerships
• Strategic Planning

OPERATIONAL (25)
• Quality of Care
• Business Continuity Plan/Disaster Recovery
• Change Management
• Cost Containment
• Service Line Management
• Data Privacy
• Employee Misconduct (harassment, sexual, etc.)
• Census/Volume Management
• Facilities Maintenance/Condition/Janitorial
• Health & Safety
• Hiring and Termination
• IT Governance
• IT Infrastructure
• IT Security
• Clinical Documentation
• Accreditation
• Physical Security
• Supply Chain
• Population Health Management
• Foundation/Fundraising
• Patient Safety
• Advanced Practice Practitioners
• Charge Capture
• Fixed Assets Management
• Telehealth

FINANCIAL (13)
• Accuracy and Completeness of Accounting Data
• Denials Management
• Cash Management/Custodial/Banking
• Debt Management
• Financial Reporting
• Payroll
• Patient Accounting
• Professional Liability
• Interest Rate
• Liquidity
• Accounts Receivable Valuation
• Accounts Payable Management
• Federal and State (CMS) Funding

COMPLIANCE (13)
• 340B Drug Program
• Vendor Contracts
• Environmental
• Debt Covenants
• Fraud, Waste, and Abuse
• Fed, State, Local laws
• Physician Financial Arrangements
• Healthcare Reform
• Clinical Research
• Labor/Unions
• Coding
• Privacy and Security (HIPAA)
• Office of Inspector General Work Plan
ERM – Objective Definitions

Risk: The possibility of an event occurring that may have either a positive or negative impact on the achievement of objectives.
Inherent Risk: The impact and likelihood of a risk event occurring BEFORE consideration of mitigating controls or circumstances.
Mitigating Activities: The internal controls or safeguards in place to decrease the chance of a risk event occurring.
Residual Risk: The impact and likelihood of a risk event occurring AFTER consideration of the mitigating activities in place.
Inherent Risk Impact & Likelihood Ranking Criteria – Sample

Impact Criteria (risk ranking 5 = high, 1 = low)

Financial – increased expense or lost revenue or lost funding:
  5: >$500K
  4: $350K–$500K
  3: $200K–$350K
  2: $50K–$200K
  1: <$50K
or Strategic:
  5: Major impact to 2 strategic plan objectives
  4: Significant impact to multiple strategic plan objectives
  3: (not recoverable from the slide)
  2: Major impact to 1 strategic objective
  1: Minimal impact to 1 strategic objective
or Operational – Electronic Health Record or IT shutdown:
  5: >3 days
  4: 24–72 hours
  3: 12–24 hours
  2: 4–12 hours
  1: <4 hours
Reputation:
  5: Significant
  4: Serious
  3: Moderate
  2 and 1: (not recoverable from the slide)
Quality of Care:
  5: Inability to provide quality care
  4: Serious impact to the ability to provide quality care
  3: Moderate impact to the ability to provide quality care
  2: Limited impact to the ability to provide quality care
  1: (not recoverable from the slide)
or Regulatory – Federal, State & Local Govt. (HIPAA, CMS, OIG, etc.):
  5: Large-scale breach of regulation
  4: Material breach which cannot be rectified
  3: Material breach which can be rectified
  2: Minimal breach which cannot be rectified
  1: Minimal breach which can be readily rectified

Likelihood Criteria – Inherent Risk (ranking 5 = high, 1 = low)

Probability of an event occurring in a given year:
  5: >50%
  4: 20–50%
  3: 10–20%
  2: 5–10%
  1: <5%
or Event occurrence (on average):
  5: Once a year or more
  4: 1 in 3 years
  3: 1 in 5 years
  2: 1 in 7 years
  1: 1 in 10 years
Mitigating Activities

Inventory of Mitigating Activities (12 most common):

Preventative Controls
1. Policies & Procedures
2. Segregation of Duties
3. Delegation of Authority
4. User ID/Passwords
5. System Access
6. Physical Controls

Detective Controls
7. Reconciliation
8. Management Review
9. Master File Change Reports
10. Journal Entry Review
11. Confirmations
12. Performance Reviews

Ranking of Mitigating Activities: the probability that the mitigating activities will identify, classify, manage and mitigate the risk to the organization.
1 – Weak – Unlikely
2 – Moderate – Possible
3 – Strong – Probable
Residual Risk – Sample Risk Dashboard

KEY
• Inherent Risk and Residual Risk are plotted as separate markers
• 0–8 = Below Tolerance
• 9–16 = Within Tolerance and Risk Limit
• >16 = Above Risk Limit
• X = Increasing Velocity
• | = Stable Velocity
Residual Risk – Sample Dashboard Reports
Key Risk Indicators (KRIs)

Three types of data sources (build KRI dashboards from each):

Public Available Information – Risk Owner Monitoring: Economic Slowdown Risk
• Unemployment rates
• Interest rates
• Consumer spending/CPI
• Commodity prices

Internal System Information – Risk Owner Monitoring: Cybersecurity Risk
• Firewall system report
• Penetration attack volumes
• 24/7 monitoring diagnostics

Internal Manual Information – Risk Owner Monitoring: Physical Security Risk
• Property inspection routine/polling
• Security alarms
• Video surveillance
• News events (weather reports, protesters, etc.)
KRI Monitoring Tool
Continuous Information Flow

ERM is a journey, not a destination. We prescribe the A.I.M. technique:
• Assess
• Implement
• Monitor

The end goal is continuous information flow throughout the ERM infrastructure.
ERM – Critical Success Factors

Value propositions from a mature ERM process:

Ownership: Risk owners are assigned and understand their responsibility for management, oversight and assurance.
Assurance: Stakeholders are assured that risk is being managed within the organization's risk tolerance and receive information regarding the quality and type of controls in place.
Oversight & Responsibility: Critical risks facing the organization have been identified, managed and reported at a level and frequency that support the organization's risk tolerance.
Visibility: Management has a clear view of its risk universe, using dashboards that show monitoring controls and residual risk, with an actionable playbook ready to execute.
Q&A