Examining a Top-Down Approach to Enterprise Risk Management

June 25, 2018 | 12:30 ET

Monique Allen
Associate General Counsel, Clinical Operations and Privacy
Memorial Hermann Health System
Houston, Texas

Kimarie R. Stratos
Senior Vice President, General Counsel, and Chief Privacy Officer
Memorial Healthcare System
Hollywood, Florida

This luncheon is hosted by Business Law & Governance, Hospitals & Health Systems and Health Care Liability & Litigation PGs and Enterprise Risk Management and Behavioral Health TFs


Making the Case to the C-Suite

• Unprecedented external scrutiny
• Competitive advantage
  – Can navigate quicker than competitors

Defining ERM for the C-Suite

• Identify, assess, & manage enterprise-wide risk potentially affecting attainment of strategic goals
• Department decisions vs. enterprise decisions
• Proactive vs. reactive

Obtaining C-Suite Engagement/Approval

• Demonstrate importance of C-Suite advocate
• Align C-Suite perceived risks with stakeholder perceived risks
  – Demonstrate disparity
• Focus on strategic goals
• Communicate risk transfer in business terms
  – Financial impact

MHS Case Study

• Obtaining CEO support
• Engaging C-Suite
• Laying framework/process in advance
• Implementing ERM Program

Why MHS Began the ERM Journey

An effective ERM program allows an organization to:
• Agree on risk management goals, objectives and metrics
• Assign roles and responsibilities for managing risk
• Effectively communicate risk issues up and down organization
• Develop consistent and continuous approach to identify/evaluate risk
• Provide efficient structure to embed risk awareness, processes and terminology

MHS ERM Steps

• Define Scope of Assessment
• Document Review & Research
• Survey
• Risk Assessment Workshop
• Risk Improvement Planning
• Critical Risks Assessed / Improvement Plans Created

Impact & Likelihood Ratings

| Impact Score | Impact | Description | Financial Impact |
|---|---|---|---|
| 5 | Catastrophic | If this risk were to materialize, ABC Co. would find it almost impossible to recover financially. Reputational impact would almost certainly occur. | Financial impact greater than $100M |
| 4 | Significant | The consequences of the risk materializing are severe but could be managed to some extent. | Financial impact of more than $50M but less than $100M |
| 3 | Moderate | The consequences of the risk materializing are less severe and can be managed to a large extent. | Financial impact of more than $25M but less than $50M |
| 2 | Low | The consequences of the risk materializing are considered relatively unimportant. | Financial impact of more than $10M but less than $25M |
| 1 | Negligible | There are no meaningful consequences if this risk materializes. | Financial impact of less than $10M |

| Rating | Likelihood | Description | Frequency |
|---|---|---|---|
| 5 | Expected | Occurs often / is to be expected | Annual or 2 year to 3 year type event |
| 4 | Probable | Known to occur / would not be surprising | 5 year to 10 year event |
| 3 | Moderate | Could occur but infrequently | 10 year to 25 year event |
| 2 | Unusual | Could possibly occur but would be rare | 25 year to 50 year event |
| 1 | Remote | Could conceivably occur but would be extremely remote | 50+ year event |

Likelihood / Impact Risk Distribution*

With Current Controls

| Risk # | Impact (I) | Likelihood (L) | Risk Description | Gross Risk Score (GRS) |
|---|---|---|---|---|
| 1 | 4 | 4 | Unable to Attract Qualified Personnel | 16 |
| 4 | 4 | 4 | Complexity of Data Structure & Environment | 16 |
| 24 | 4 | 4 | Inadequate Breadth / Depth of Clinical Services | 16 |
| 2 | 5 | 3 | Cyber Risks | 15 |
| 9 | 4 | 3 | Reduction in Quality of Care (Actual or Perceived) | 12 |
| 23 | 4 | 3 | Regulatory Compliance / Legal Environment | 12 |
| 5 | 3 | 4 | Mismatch Between Planned and Actual Workforce Needs | 12 |
| 11 | 3 | 4 | Resource Management / Allocation | 12 |
| 13 | 3 | 4 | Patient Satisfaction / Patient Complaints | 12 |
| 16 | 3 | 4 | Brain Drain: Loss / Unexpected Departure of Key Individuals | 12 |
| 21 | 3 | 4 | Uncertainty in Clinical Enterprise | 12 |
| 6 | 5 | 2 | Significant Negative Media / Publicity Event | 10 |
| 22 | 5 | 2 | Catastrophic Natural Disaster | 10 |
| 14 | 4 | 2 | Mistakes in Financial Processes / Fraud | 8 |
| 15 | 4 | 2 | IT System Crash / Breakdown | 8 |
| 17 | 4 | 2 | Terrorist Event / Violence on Campus | 8 |
| 8 | 3 | 2 | Scientific Misconduct | 6 |
| 12 | 5 | 1 | Loss of Tax Exempt Status | 5 |

Top 10 Risks: Assessment Output Summary

Improvement Plan

Top 10 Risks: Immediate Improvement Recommendations

Likelihood / Impact Risk Distribution

With Risk Improvements Implemented

| Risk # | Impact (I) | Likelihood (L) | Risk Description | Gross Risk Score (GRS) |
|---|---|---|---|---|
| 1 | 4 | 3 | Unable to Attract Qualified Personnel | 12 |
| 4 | 5 | 2 | Complexity of Data Structure & Environment | 10 |
| 24 | 5 | 2 | Inadequate Breadth / Depth of Clinical Services | 10 |
| 2 | 5 | 2 | Cyber Risks | 10 |
| 9 | 3 | 3 | Reduction in Quality of Care (Actual or Perceived) | 9 |
| 23 | 3 | 3 | Regulatory Compliance / Legal Environment | 9 |
| 5 | 3 | 3 | Mismatch Between Planned and Actual Workforce Needs | 9 |
| 11 | 3 | 3 | Resource Management / Allocation | 9 |
| 13 | 4 | 2 | Patient Satisfaction / Patient Complaints | 8 |
| 16 | 4 | 2 | Brain Drain: Loss / Unexpected Departure of Key Individuals | 8 |
| 21 | 4 | 2 | Uncertainty in Clinical Enterprise | 8 |
| 6 | 4 | 2 | Significant Negative Media / Publicity Event | 8 |
| 22 | 3 | 2 | Catastrophic Natural Disaster | 6 |
| 14 | 2 | 3 | Mistakes in Financial Processes / Fraud | 6 |
| 15 | 3 | 2 | IT System Crash / Breakdown | 6 |
| 17 | 3 | 2 | Terrorist Event / Violence on Campus | 6 |
| 8 | 2 | 2 | Scientific Misconduct | 4 |
| 12 | 2 | 2 | Loss of Tax Exempt Status | 4 |

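Risk Matrix: Before Risk Improvements Implemented

[Figure: Risk Matrix - Before Improvement. Vertical axis: Likelihood (1 to 5); horizontal axis: Impact (1 to 5). Plotted entries by likelihood row: row 4: 7, 8, 9, 10, 11 / 1, 2, 3; row 3: 5, 6 / 4; row 2: 17, 18 / 14, 15, 16 / 12, 13; row 1: 19.]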

Analysis by Source of Risk and Stratified by Risk Rank (Before Improvements)

[Figure: bar chart by Source of Risk, scale 0 to 6. Categories: Operational; Information Technology; Human Capital; Financial; Quality; Products / Services; Legal / Regulatory; Strategic. Legend: GRS>=15, 15>GRS>=10, 10>GRS>=7, 7>GRS>=3, GRS<3.]

Risk Profile: With Current Controls & Improvements Implemented

[Figure: two panels, each plotting Likelihood (vertical axis, 0 to 6) against Impact (horizontal axis, 0 to 6). Panel titles: "Risk Distribution With Current Controls" and "Risk Distribution After Improvements". Panel captions, in order: Gross Risk Score = 135; Gross Risk Score = 94.]

Thank You

Monique Allen
Associate General Counsel, Clinical Operations and Privacy
Memorial Hermann Health System
Houston, [email protected]

Kimarie R. Stratos
Senior Vice President, General Counsel, and Chief Privacy Officer
Memorial Healthcare System
Hollywood, [email protected]

Title © 2018 is published by the American Health Lawyers Association. All rights reserved. No part of this publication may be reproduced in any form except by prior written permission from the publisher. Printed in the United States of America.

Any views or advice offered in this publication are those of its authors and should not be construed as the position of the American Health Lawyers Association.

“This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is provided with the understanding that the publisher is not engaged in rendering legal or other professional services. If legal advice or other expert assistance is required, the services of a competent professional person should be sought”—from a declaration of the American Bar Association.