
Real World Risk Assessment
Steve Lefar, President, MediRegs
[email protected]
©2006 Confidential
Goals
• Get you to think differently about the role of compliance.
• Make you ponder risk differently.
• Provide a practical process for looking at risk.
Agenda
• Pessimists and Black Swans
• GRC, ERM, eieio
• Beyond the buzzwords: Just Do It
The cynical but common view
Although inconvenient to admit, a compliance program is less to ensure obedience to the law than to deflect unwanted attention from an institution's activities… The crucial step of determining what constitutes compliance involves interpretation and judgment.
Compliance programs are good for an institution in the way that paying protection money is good for a business squeezed by the mob. If have them we must, let us recognize that the value lies in keeping the barbarians outside the gate.
Kevin R. Davis is a university counsel and a senior lecturer in philosophy at Vanderbilt University.
The Chronicle Review, Volume 53, Issue 20, Page B11. Copyright © 2006 by The Chronicle of Higher Education.
Why? People Misunderstand the Genesis of Compliance: RISK
• Risk Assessment: Estimating the probability of an event occurring and the magnitude of effects if the event does occur. (Probability x Loss)
• Risk Management: Process of identifying, assessing, and controlling risks arising from operational factors and threats and making decisions that balance risks and costs with mission benefits. (From the US Army)
• Compliance: Adherence to a set of rules, processes or procedures to control or mitigate risk that is determined by either internal or external forces.
Managing Risk Improves Results
Chart: Annualized total shareholder returns (1998-2003) for differing degrees of risk model sophistication and risk tool usage.
Source: PA Consulting Survey of Global Banks
We don’t view risk broadly enough.
The Unknown, by Donald Rumsfeld
As we know,
• There are known knowns. Things we know we know.
• We also know there are known unknowns. We know there are things we do not know.
• But there are also unknown unknowns. The ones we don't know we don't know (the Black Swans).
Department of Defense news briefing, Feb. 12, 2002
Regulations target known knowns
• CoPs
• Patient Rights
• Billing Rules
• 72-Hour Rule
• OIG Workplan
Many healthcare management issues are known unknowns
• Severity of an epidemic
• Final rule
• Shift to outpatient
Unknown Unknowns
• Positive
 – Penicillin
 – Sticky Notes
 – FaceBook, YouTube
 – The role of the PC 50 years ago
 – Virtual surgery
• Negative
 – 9/11
 – Sub Prime (perhaps)
 – Diabetes epidemic
 – Elimination of public healthcare funding
 – Off shore health care in Dubai
Risk Conundrum: We don’t contemplate Black Swans
• Black Swans
 – Things that are so far outside the realm of our life narratives as to be thought impossible.
 – 2-4-6: What’s the Rule?
Buy the book Black Swans by Nicholas Taleb
GRC, ERM, eieio
• Slap a name on it, raise the price 300%, get rich.
 – Governance, Risk and Compliance
 – Enterprise Risk Management
 – SOX
• Much of it comes from Financial Markets, not Operations!
 – Based on assumptions of Known Knowns and fathomable Known Unknowns
ERM: Latest Rage or Rubik's Cube?
“… a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
Source: COSO Enterprise Risk Management – Integrated Framework. 2004. COSO.
You Understand it Already
The 7 (8) Elements from the OIG and US Sentencing Commission.
• Oversight
• (Risk Assessments)
• Response and Prevention
• Enforcement, Incentives and
Discipline
• Education and Training
• Reporting
• Monitoring and Auditing
And you do it all day, everyday
Current Risk Managers
• Finance
• Compliance
• Internal Audits
• Risk Management
• Construction
• Treasury
• Security
• Case Management
• Medical Affairs
Risk Approaches Used
• TQM
• Six Sigma
• Policy and Procedure
• Accounting Controls
• Clinical/critical pathways
• Game Theory
• Portfolio Theory
• Scenario Planning (The Art of the Long View)
What’s Really Different?
Current
• Siloed
• Board oversight often limited
• No infrastructure
• No standards
• Lack of rigor and quantitative analyses
ERM
• Integrated view of risk across the organization
• Stratification of risk into a portfolio
• Systematic, rigorous, continuous, coordinated, well defined process
• Senior leadership owns it.
• Linked to strategy and business objectives
Risk assessment need not be complicated
• Risk Assessment
 – What are the risks? (don’t forget Black Swans)
 – What would the impact be if it happened?
 – How likely is it to happen?
 – What is the overall risk given the impact and likelihood? (risk rating)
• Risk Management
 – How can we mitigate it?
 – Who can mitigate it, and when?
 – How do we monitor the mitigation?
Identifying The Risks: Setting scope
Risk Drivers (diagram): Financial, Clinical, Technology, Geo-Political, Reputational, Regulatory, Strategic, Environmental
Identifying The Risks: Typical Provider
Compliance and Risk Team (diagram hub), surrounded by: Community Benefit; Finance, HR; SOX; Medical Affairs; Information Systems/Privacy; Conditions of Participation; Financial Controls; Research and Grants; Lab; Radiology; PT/OT; HIM/Coding; Home Health; Hospice; SNF; Vendors; Health Plan
Identifying The Risks: Look everywhere
• Board Members
• Executives
• Vendors
• Partners
• Community Members
• Department Heads
• Employees
Identifying the Risks
Structure
• Departmental
• Process
• Topic
• Hybrid
Tools
• Checklists
• 1-1 interviews
• Group interview
• Electronic data gathering/interviews
• What If exercises
• Scenario modeling
• Hazard Assessment
The Power of Automation
Electronic Interviews (slide image)
Electronic Scoreboards (slide image)
Lies, Damn Lies and Statistics.
• Probability
 – High, Medium, Low
 – Imminent, Probable, Possible, Unlikely
 – ELE, Scary, Unfortunate, Who Cares
• Impact
 – High, Medium, Low
 – Multivariate (only works with known knowns)
  • Financial, Clinical, Reputational, Political
• Integrated
 – Entity Type, Location, Risk Area, Issue
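One way to run the deck's Probability x Loss rating over a small register, stratify it into a portfolio, and roll it up by entity type or risk area, as an added example rather than anything from the slides or MediRegs. The numeric weights behind the labels, the bucket thresholds, and the sample register are assumptions of this example; Black Swans are kept on the register but deliberately left unscored.

```python
from dataclasses import dataclass

# Ordinal weights are an assumption of this example; the deck names only the labels.
PROBABILITY = {"Unlikely": 1, "Possible": 2, "Probable": 3, "Imminent": 4}
IMPACT = {"Low": 1, "Medium": 2, "High": 3}

@dataclass
class Risk:
    issue: str
    entity_type: str
    risk_area: str
    probability: str            # label from PROBABILITY
    impact: dict                # multivariate: Financial/Clinical/Reputational/Political -> IMPACT label
    black_swan: bool = False    # unknown unknown: no credible probability estimate

    def rating(self):
        """Probability x Loss, with the worst affected impact area standing in for loss."""
        if self.black_swan:
            return None         # refuse to fake a probability; surface it instead
        # A label outside the agreed scales raises KeyError rather than scoring silently.
        return PROBABILITY[self.probability] * max(IMPACT[v] for v in self.impact.values())

def stratify(risks, high=8, medium=4):
    """Bucket the register into a portfolio; Black Swans stay visible but unscored."""
    portfolio = {"High": [], "Medium": [], "Low": [], "Black Swan": []}
    for r in risks:
        score = r.rating()
        bucket = ("Black Swan" if score is None else
                  "High" if score >= high else "Medium" if score >= medium else "Low")
        portfolio[bucket].append(r.issue)
    return portfolio

def worst_by(risks, attr):
    """Integrated view: highest rating per entity type or risk area (Black Swans omitted)."""
    out = {}
    for r in risks:
        if r.rating() is not None:
            out[getattr(r, attr)] = max(out.get(getattr(r, attr), 0), r.rating())
    return out

REGISTER = [  # constructed sample register; issues and entities are hypothetical
    Risk("72-hour rule billing errors", "Hospital", "Regulatory", "Probable",
         {"Financial": "High", "Reputational": "Medium"}),
    Risk("Shift to outpatient erodes inpatient revenue", "Hospital", "Strategic",
         "Possible", {"Financial": "Medium"}),
    Risk("Lab analyzer calibration drift", "Lab", "Clinical", "Unlikely",
         {"Clinical": "Medium"}),
    Risk("Elimination of public healthcare funding", "Health Plan", "Geo-Political",
         "Unlikely", {"Financial": "High"}, black_swan=True),
]
```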
Emergent Risk: Preparing to Manage Happenings
• You get told things every day that don't happen. It's printed in the press. The world thinks all these things happen. They never happened.
• Everyone's so eager to get the story before in fact the story's there that the world is constantly being fed things that haven't happened.
• All I can tell you is, it hasn't happened. It's going to happen.
Department of Defense briefing, Feb. 28, 2003
Assessing Emergent Risk
Integrated end to end management of issues, events, incidents and matters.
Feeding a Centralized Database (diagram): Communications, Investigations, Audits, Agency, Education
Talking to Management About RA
Say it with pictures
• What is the progress of our assessments?
• What are we assessing and how?
• What are the business risks to our strategies, finances and organization?
• What are the compliance issues?
• What are our significant risks, scenarios or risk events?
• How significant are these risks and what is the impact?
• How should we manage these risks?
• How should we monitor these risks?
Chart sources: MediRegs and Chief Security Officers.com
Rules of the Road
1. Keep it practical but exhaustive.
2. Be realistic, not idealistic. Look at what actually occurs and exists in the workplace and, in particular, include non-routine operations.
3. Identify who is at risk. Include all workers, including visitors, contractors and the public.
4. Start with the simple methods; use more systematic methods as necessary.
5. Document and have an audit trail.
6. Allow for the existence of Black Swans. Not everything can be sampled or known. Prepare for them.