Transcript Document
Real World
Risk
Assessment
Steve Lefar
©2006
[email protected]
Confidential
President, MediRegs
Goals
• Get you to think differently about the
role of compliance.
• Make you ponder risk differently.
• Provide practical process to look at risk.
©2006
Confidential
Agenda
• Pessimists and Black Swans
• GRC, ERM, eieio
• Beyond the buzzwords-Just Do It
©2006
Confidential
The cynical but common view
Although inconvenient to admit, a compliance program is less
to ensure obedience to the law than to deflect unwanted
attention from an institution's activities…..
The crucial step of determining what constitutes compliance
involves interpretation and judgment.
Compliance programs are good for an institution in the way
that paying protection money is good for a business
squeezed by the mob. If have them we must, let us
recognize that the value lies in keeping the barbarians
outside the gate.
Kevin R. Davis is a university counsel and a senior lecturer in
philosophy at Vanderbilt University.
The Chronicle Review Volume 53, Issue 20, Page B11Copyright © 2006 by The Chronicle of Higher Education
©2006
Confidential
Why? People Misunderstand the Geneis
of Compliance--RISK
• Risk Assessment:– Estimating the probability of an event
occurring and the magnitude of effects if the event does
occur. (Probability x Loss)
• Risk management: Process of identifying, assessing, and
controlling risks arising from operational factors and
threats and making decisions that balance risks and
costs with mission benefits. From the US Army
Compliance: Adherence to a set of rules, processes or
procedures to control or mitigate risk that is determined
by either internal or external forces.
©2006
Confidential
Managing Risk Improves Results
Annualized total shareholder returns (1998-2003) for differing degrees of risk model sophistication and risk tool usage
Source: PA Consulting
Survey of Global Banks
©2006
Confidential
6
We don’t view risk broadly enough.
The Unknown by Donald Rumsfeld
As we know,
• There are known knowns. Things we know
we know.
• We also know there are known unknowns.
We know there are things we do not know.
• But there are also unknown unknowns, The
ones we don't know we don't know (The Black
Swans).
Department of Defense news briefing, Feb. 12, 2002
©2006
Confidential
Regulations target known knowns
•
•
•
•
•
CoPs
Patient Rights
Billing Rules
72-Hour Rule
OIG Workplan
©2006
Confidential
Many healthcare management
issues are known unknowns
• Severity of an epidemic
• Final rule
• Shift to outpatient
©2006
Confidential
Unknown Unknowns
• Positive
Penicillin
Sticky Notes
FaceBook, YouTube
The role of the PC 50 years ago
Virtual surgery
• Negative
©2006
Confidential
9/11
Sub Prime (perhaps)
Diabetes epidemic
Elimination of public healthcare funding
Off shore health care in Dubai
Risk Conundrum: We don’t
contemplate Black Swans
• Black Swans
Things that are so far outside the realm of
our life narratives as to be thought
impossible.
2-4-6– What’s the Rule?
Buy the book Black Swans by Nicholas Taleb
©2006
Confidential
GRC, ERM, eieio
• Slap a name on it, raise price 300%, get
rich.
Governance, Risk and Compliance
Enterprise Risk Management
SOX
• Much of it comes from Financial
Markets not Operations!
Based on assumptions of Known Knowns
and fathomable Known Unknowns
©2006
Confidential
ERM: Latest Rage or Rubik's Cube?
“… a process, effected by an
entity's board of directors,
management and other
personnel, applied in strategy
setting and across the
enterprise, designed to identify
potential events that may affect
the entity, and manage risks to
be within its risk appetite, to
provide reasonable assurance
regarding the achievement of
entity objectives.”
Source: COSO Enterprise Risk Management – Integrated
Framework. 2004. COSO.
©2006
Confidential
You Understand it Already
The 7(8) Elements from The OIG
and US Sentencing Commission.
• Oversight
• (Risk Assessments)
• Response and Prevention
• Enforcement, Incentives and
Discipline
• Education and Training
• Reporting
• Monitoring and Auditing
©2006
Confidential
And you do it all day, everyday
Current Risk Managers
• Finance
• Compliance
• Internal Audits
• Risk Management
• Construction
• Treasury
• Security
• Case Management
• Medical Affairs
©2006
Confidential
Risk Approaches Used
• TQM
• Six ∑
• Policy and Procedure
• Accounting Controls
• Clinical/critical
pathways
• Game Theory
• Portfolio Theory
• Scenario Planning(The
Art of the Long View)
What’s Really Different?
Current
• Siloed
• Board oversight often
limited
• No infrastructure
• No standards
• Lack of rigor and
quantitative analyses
•
•
•
•
•
©2006
Confidential
ERM
Integrated view of riskacross the organization
Stratification of Risk
into a portfolio
Systematic, rigorous,
continuous,
coordinated well
defined process
Senior Leadership
Owns It.
Linked to strategy and
business objectives
Risk assessment need not be
complicated
• Risk Assessment
What are the risks? (don’t forget Black Swans)
What would the impact be if it happened?
How likely is it to happen?
What is the overall risk given the impact and
likelihood? (risk rating)
• Risk Management
How can we mitigate it?
Who and when can we mitigate it?
How do we monitor it the mitigation?
©2006
Confidential
Identifying The Risks: Setting scope
Financial
Clinical
Technology
Geo-Political
Risk
Drivers
Reputational
Regulatory
Strategic
©2006
Confidential
Environmental
Identifying The Risks: Typical Provider
Community
Benefit
Finance, HR
SOX
Medical Affairs
Information
Systems/
Privacy
Conditions
Of
Participation
Compliance
and
Risk Team
Financial
Controls
Research
and Grants
Lab
Radiology
PT/OT
HIM/Coding/
Home Health
Hospice
SNF
Vendors
Health Plan
©2006
Confidential
Identifying The Risks: Look everywhere
•
•
•
•
•
•
•
©2006
Confidential
Board Members
Executives
Vendors
Partners
Community Members
Department Heads
Employees
Identifying the Risks
•
•
•
•
Structure
Departmental
Process
Topic
Hybrid
•
•
•
•
•
•
•
©2006
Confidential
Tools
Checklists
1-1 interviews
Group interview
Electronic data
gathering/interviews
What If exercises
Scenario modeling
Hazard Assessment
The Power of Automation
©2006
Confidential
Electronic Interviews
©2006
Confidential
Electronic Scoreboards
©2006
Confidential
Lies, Damn Lies and Statistics.
• Probability
High, Medium, Low
Imminent, Probable, Possible, Unlikely
ELE, Scary, Unfortunate, Who Cares
• Impact
High, Medium, Low
Multivariate(only works with known knowns)
• Financial, Clinical, Reputational, Political
• Integrated
Entity Type, Location, Risk Area, Issue
©2006
Confidential
Emergent Risk: Preparing to Manage
Happenings
• You get told things every day that don't happen. It's
printed in the press. The world thinks all these things
happen. They never happened.
• Everyone's so eager to get the story before in fact the
story's there That the world is constantly being fed
Things that haven't happened.
• All I can tell you is, It hasn't happened. It's going to
happen.
Department of Defense briefing
Feb. 28, 2003
©2006
Confidential
Assessing Emergent Risk
Integrated end to end management of issues,
events, incidents and matters.
Communications
Investigations
Audits
Centralized Database
Agency
©2006
Confidential
Education
Talking to Management About RA
Say it with pictures
What is the progress of our
assessments?
What are we assessing and
how?
What are the business risk to
our strategies, finances and
organization?
What are the compliance
issues?
What are our significant risks,
scenarios or risk events?
How significant are these risks
and what is the impact?
How should we manage these
risks?
How should we monitor these
risks
Charts Sources: MediRegs and Chief Security Officers.com
©2006
Confidential
Rules of the Road
1.
2.
3.
4.
5.
6.
©2006
Confidential
Keep it practical but exhaustive
Be realistic, not idealistic. Look at what actually
occurs and exists in the workplace and, in
particular, include non-routine operations.
Identify who is at risk. Include all workers, including
visitors, contractors and the public.
Start with the simple methods, use more systematic
methods as necessary.
Document and have an audit trail
Allow for the existence of Black Swans. Not
everything can be sampled or known. Prepare for
them.