Risk Assessments & Internal Controls
Kelly Nueske, RN, CPA, CMA, CIA
Manager, Risk Management & Performance Improvement Services
LarsonAllen, Minneapolis, MN
What is Risk?
• Exposure to the chance of injury or loss
• A hazard or dangerous chance: as in “it’s not worth the risk”
• Risk isn’t
– A feeling
– A do or a don’t
– A will or a won’t
– A have or a have not
◊ It is all these things and it just IS.
Nature of Risk
• R = risk is relative because perception of
downside and upside risk is individual, and that
applies to people and organizations.
• I = risk is intuitive because we learn with
experience and time.
• S = risk is significant because everything we do
has positive and negative consequences.
• K = risk is kinetic because it changes relative to
situations, events, time and space.
Nature of the Risk
• Risk is universal
• Risk is not properly identified and managed by
most organizations, including governments
• Need a common risk vocabulary
• Need improved risk management methodologies
• Risks are diverse & inherent to the business
operations
• If non-clinical risks are not managed they are
just as hazardous as clinical risks
Internal Risks
• Policies and Procedures
– Internal controls
• Contracting
– Vendor Relationships
– Physician Relationships
• Financial Reporting
– Financial Statements
– Tax Returns
– Cost Reports
– Investor Reporting
– Credit Risk
– Liquidity Risk
• Crisis Management Program
– Business Continuity Plan
• Human Resource Management
– Hiring & Terminations
– Employee Relations
• Governance
– CEO Succession
• Clinical Practices
– Quality
– Core measures
– Evidence Based
• Information Technology
– Security
– Disruptions
• Document Management
External Risks
• Office of the Inspector General
• CMS
• State Health Department
• OSHA
• EPA
• Investors
• CCAC
• Litigators
• Past Employees
• HIPAA
• IRS
• Auditors
• Competition
COSO
• COSO [Committee of Sponsoring Organizations of the Treadway Commission] is a voluntary private sector organization that encompasses five professions:
– American Accounting Association
– American Institute of CPAs
– Financial Executives International
– Institute of Internal Auditors
– Institute of Management Accountants
What is Internal Control?
• COSO Definition
– Internal control is a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
◊ Effectiveness and efficiency of operations
◊ Reliability of financial reporting
◊ Compliance with applicable laws and regulations
Components of Internal Control
• Control environment – the tone of a company and its audit committee, which influences the control consciousness of its personnel
• Risk Assessment – from a financial reporting perspective, a company’s identification, analysis and management of risks relevant to the preparation of financial statements.
• Control Activities – the policies and procedures to ensure that the company’s directives are carried out.
• Information and Communication – the company’s information systems, which include the accounting systems
• Monitoring – a process to assess whether controls are operating as intended and whether they are modified as appropriate for changes in conditions.
Internal Controls “Can” and “Cannot”
• Internal Controls can:
– Promote reliable internal and external financial
reporting
– Help safeguard assets
– Promote compliance with laws and regulations
– Help a company achieve its performance and
profitability targets
• Internal Controls cannot:
– Guarantee the reliability of financial reporting and compliance with laws and regulations
– Guarantee a company’s survival or success
Types of Controls
• Preventative Controls
– Designed to prevent errors or irregularities before they have occurred.
– Examples:
◊ Regular balancing and reconciling are completed by an individual independent of the transactions processed through the account.
◊ Passwords and physical safeguards are established to restrict access to appropriate personnel.
◊ Authorization and limits are established to ensure the appropriate oversight of significant transactions
• Detective Controls
– Designed to detect errors or irregularities after they have occurred
– Examples:
◊ Exception reports are reviewed and cleared by persons with appropriate authority.
◊ Systems maintenance reports are reviewed to ensure changes are completed properly and authorized.
◊ Documentation reviews are completed to ensure files are complete.
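The two control types above, as an added example in Python that is not part of the presentation: a preventive authorization check (segregation of duties plus a dual-approval limit) applied before a payment is processed, and a detective exception report that compares a systems maintenance log against approved change tickets after the fact. The payment fields, the approval limit, the change-ticket format and the sample records are all assumptions made for the illustration.

```python
"""Preventive and detective controls as code. Added example, not part of the
presentation; the payment workflow, the approval limit and the change-ticket
format are assumptions chosen to illustrate the two control types."""
from dataclasses import dataclass

# Assumed authorization limit: above it a second, independent approver is
# required before the payment is processed.
SINGLE_APPROVER_LIMIT = 10_000.0


@dataclass(frozen=True)
class Payment:
    pid: str
    requester: str
    approvers: tuple  # user ids that approved the payment
    amount: float


def authorize_payment(p):
    """Preventive control: decide BEFORE processing whether the payment may
    go through. Enforces segregation of duties (the requester may not be an
    approver) and the dual-approval limit. Returns (allowed, reason)."""
    if not p.approvers:
        return False, "no approver recorded"
    if p.requester in p.approvers:
        return False, "requester may not approve own payment"
    if p.amount > SINGLE_APPROVER_LIMIT and len(set(p.approvers)) < 2:
        return False, "amount above %.2f needs two distinct approvers" % SINGLE_APPROVER_LIMIT
    return True, "authorized"


def change_exceptions(change_log, tickets):
    """Detective control: review the systems maintenance log AFTER the fact
    and report changes that have no approved change ticket, or whose ticket
    was approved for a different system. Returns [(change id, reason), ...]
    in log order so a reviewer with appropriate authority can clear each."""
    approved = {t["ticket"]: t for t in tickets if t["status"] == "approved"}
    report = []
    for rec in change_log:
        ticket = approved.get(rec.get("ticket"))
        if ticket is None:
            report.append((rec["id"], "no approved change ticket"))
        elif ticket["system"] != rec["system"]:
            report.append((rec["id"], "ticket %s approved for %s, change made to %s"
                           % (rec["ticket"], ticket["system"], rec["system"])))
    return report


# Constructed sample data (not real records).
CHANGE_LOG = [
    {"id": "C-1", "system": "billing", "who": "dba1", "ticket": "CHG-100"},
    {"id": "C-2", "system": "ehr", "who": "dba1", "ticket": None},
    {"id": "C-3", "system": "payroll", "who": "sys2", "ticket": "CHG-101"},
    {"id": "C-4", "system": "billing", "who": "sys2", "ticket": "CHG-102"},
]
TICKETS = [
    {"ticket": "CHG-100", "system": "billing", "status": "approved"},
    {"ticket": "CHG-101", "system": "ehr", "status": "approved"},
    {"ticket": "CHG-102", "system": "billing", "status": "pending"},
]

if __name__ == "__main__":
    for pay in (Payment("P-1", "alice", ("bob",), 500.0),
                Payment("P-2", "alice", ("alice",), 500.0),
                Payment("P-3", "alice", ("bob",), 25_000.0),
                Payment("P-4", "alice", ("bob", "carol"), 25_000.0)):
        print(pay.pid, authorize_payment(pay))
    for cid, why in change_exceptions(CHANGE_LOG, TICKETS):
        print("EXCEPTION", cid, why)
```

The preventive check refuses the transaction outright; the detective report does not stop anything, it only surfaces C-2 (no ticket), C-3 (ticket approved for a different system) and C-4 (ticket still pending) for someone independent of the change to review and clear.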
Control Environment
• Foundation for all the other components
• Sets tone of company
• Attention and direction provided by board and
committee
• Integrity and ethical values of management
• Management philosophy and operating style
• The way management assigns authority and
responsibility
Control Activities
• The policies and procedures that ensure
necessary actions are taken to address risks
• Have various objectives and occur throughout
the company at all levels and in all functions
• Examples include:
– Performance reviews
– General controls over data center operations and system software
– Application controls over transactions
– Security of assets
– Segregation of duties
Monitoring
• Process that assesses the quality of internal
controls
• Accomplished through ongoing monitoring
• Ongoing monitoring occurs in the course of
operations
• Examples include:
– Reviewing sales or production reports for variances
– Internal audit performing separate evaluations on
controls
– Audit Committee asking questions
Risk Assessment
• Process of identifying, analyzing and managing risks relevant to objectives
• Consideration of each risk’s significance, likelihood of occurrence and how it should be managed.
• Management may initiate plans, programs or actions to address risks or accept the risk due to cost or other considerations
• Elements to consider:
– Changes in operating environment
– New personnel
– New or revamped information systems
– Rapid growth
– New technology
– New lines, products or activities
– Corporate restructuring
– Accounting pronouncements
Things to Remember About Internal Controls
• We should not use the concepts of risk, control and governance to strangle the life out of the organization.
• Risk assessment and internal controls are tools.
– We must use them wisely and in a manner that supports the mission and vision of the organization.
– Like the organizations served, these tools are as unique as they are similar.
• Internal controls should be balanced to the risk addressed.
• Internal controls are often better at keeping honest people honest than they are at preventing criminals.
• Don’t expect to control all risks.
What is Enterprise Risk Management?
• Holistic approach to identifying risk – more than
regulatory compliance, financial, medical liability,
patient safety, general liability or SOX
• Creates a portfolio view of risks
• Identifies interrelationships and
interdependencies among risks
• Offers ability to manage risks within and across
business units
• Improves organization’s ability to identify and
seize opportunities – competitive edge
What is Enterprise Risk Management?
• Considers risk in the formulation of business strategy
• Method to achieve business objectives
• Involves all levels of management
• Process to identify, analyze, mitigate/manage, measure and communicate risks across organization
• Measurement of risks includes severity and magnitude of impact
• Can eliminate duplicated efforts [Internal Audit, Compliance, Risk Management]
Benefits of Enterprise Risk Management
• Successful risk identification & mitigation become key elements of a strategic plan
– Competitive advantage for those with ERM capability & discipline
– Mitigate downside exposure and capitalize on upside opportunities
• Reduced financial losses
• Improve business performance
• Enhanced risk identification and assessment processes
• Improved awareness and collaboration
• Improved decision making and accountability
• Improved regulatory compliance
Risk of No Enterprise Risk Management
• All risks are a threat if ignored
• Bankruptcies
• Fraud
• Restatement of earnings
• Decreased business valuation
• Loss of customers
• Careers destroyed
• Lack of credibility in market
COSO ERM – Integrated Framework
• States “ERM is a process, effected by an entity’s
board of directors, management and other
personnel, applied in strategy setting and across
the enterprise, designed to identify potential
events that may affect the entity, and manage
risk to be within its risk appetite, to provide
reasonable assurance regarding the
achievement of entity objectives.”
Risk Domains
• Operational – core business including systems and processes. Example: outpatient care
• Financial – ability to earn, raise or access capital. Example: bonds
• Human – recruiting, retention and managing workforce. Example: worker’s compensation
• Strategic – ability to grow and expand. Example: joint ventures
• Legal/Regulatory – statutory, regulatory compliance, licensure, accreditation. Example: HIPAA, OSHA, JC
• Technology – biomedical & information technologies. Example: CPOE
• Governance – board and committee structure, and roles and responsibilities. Example: Audit Committee Charter
Risks and Control
[Diagram: the ENTITY, with its Control Environment, Control Procedures and Monitoring at the center, surrounded by the risk domains: Operational, Legal/Regulatory, Financial, Governance, Technology, Human and Strategic Risks]
Something to Remember
• Risk management and risk assessment are not an exact science. There is no one-size-fits-all approach.
– The process is unique to your organization.
– They are only one component of audit plan development.
– They include many variables.
– Scoring of individual risk factors and risk by several people will likely result in disagreement.
– The results should feel right, especially in terms of how risk is viewed overall and what rises as significant versus not so significant.
– Audit and Compliance Committee members should not get caught up in the details.
Who is responsible for ERM?
• Everyone!
• Board of directors provides guidance, direction and monitoring
• Audit Committee, Risk Committee or full board receive “dashboard” on risk and establish risk tolerance
• CEO has ultimate ownership and sets tone for ERM process
• Each level of management stays informed and takes ownership of risks at their level
• Chief Risk Officer, if one exists, is facilitator and challenger of process
• Risk Management Team comprised of CEO, CFO, COO, CRO, CIO, CNO, CMO, etc. to oversee and support process
Questions to Ask
• Is our executive management excited and
passionate about their work?
• Do they believe in and fulfill their responsibilities
in a manner that embraces mission and vision?
• For high risks, like a major system install, do we
have someone with passion for leading the
project, and are they in the right position to lead?
• Does the risk management and risk assessment
approach make sense for our organization?
• Are we satisfied with the results of the risk
assessment?
Questions to Ask
• What other factors are used in developing the
annual compliance and audit work plans?
• How are the risks not included in those plans
being addressed?
• What risks are addressed by the board or its
committees?
• What risks are managed by operations and
management?
• Is management talking to the committee about
risk and controls or is it a topic only understood
by Internal Audit?
Questions to Ask
• Who is responsible for ensuring compliance?
• How do we know they are meeting the
responsibility?
• What major gaps do we currently have to fill and
what are our plans to do so?
• How concerned should we be about the gaps in
the short and long run?
• What do we want to see and what should we
see?
• How and when will an issue be resolved?
Conclusion
• Leaders…
– Understand the risks most pertinent to their
organization
– Manage the risks in an integrated fashion
– Prioritize risk management efforts around:
◊ Risks having the biggest potential impact, and
◊ Risks most likely to occur
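The scoring and prioritization described under Risk Assessment, Something to Remember and the Conclusion, as an added Python example that is not from the presentation: several raters score each risk’s likelihood and impact, the scores are averaged and ranked so that the risks with the biggest potential impact and the highest likelihood rise to the top, and a flag marks risks where the raters disagree enough that the committee should discuss the risk itself rather than the numbers. The 1-5 scale, the tier thresholds, the disagreement threshold and the sample register are assumptions.

```python
"""Risk scoring across several raters. Added example, not from the
presentation. Assumptions: each rater scores likelihood and impact on a
1-5 scale; a risk's score is mean likelihood x mean impact; the tier
thresholds and the disagreement threshold below are illustrative."""

SCALE = range(1, 6)          # 1 = lowest, 5 = highest (assumed scale)
DISAGREEMENT_SPREAD = 2      # flag if raters differ by more than this on either dimension
TIERS = ((15.0, "high"), (8.0, "medium"), (0.0, "low"))   # assumed score floors


def score_risk(ratings):
    """ratings: list of (likelihood, impact) pairs, one per rater.
    Returns the averaged dimensions, the score, the tier and whether the
    raters disagreed enough that the committee should talk it through."""
    if not ratings:
        raise ValueError("no ratings")
    for lk, im in ratings:
        if lk not in SCALE or im not in SCALE:
            raise ValueError("ratings must be on the %d-%d scale" % (SCALE[0], SCALE[-1]))
    likes = [lk for lk, _ in ratings]
    imps = [im for _, im in ratings]
    mean_l = sum(likes) / len(likes)
    mean_i = sum(imps) / len(imps)
    score = round(mean_l * mean_i, 2)
    # Disagreement = widest gap between any two raters on either dimension.
    spread = max(max(likes) - min(likes), max(imps) - min(imps))
    tier = next(name for floor, name in TIERS if score >= floor)
    return {"likelihood": round(mean_l, 2), "impact": round(mean_i, 2),
            "score": score, "tier": tier,
            "disagreement": spread > DISAGREEMENT_SPREAD}


def rank_risks(register):
    """register: {risk name: ratings}. Returns (name, result) pairs ordered
    so the risks with the biggest impact that are most likely to occur come
    first; ties broken by impact, then by name for a stable report."""
    scored = [(name, score_risk(r)) for name, r in register.items()]
    scored.sort(key=lambda item: (-item[1]["score"], -item[1]["impact"], item[0]))
    return scored


# Constructed sample register: three raters per risk (not real data).
REGISTER = {
    "Major system install": [(4, 5), (4, 4), (5, 5)],
    "HIPAA privacy breach": [(2, 5), (3, 5), (2, 4)],
    "CEO succession gap": [(1, 4), (4, 5), (2, 3)],
    "Vendor contract lapse": [(2, 2), (1, 2), (2, 1)],
}

if __name__ == "__main__":
    for name, s in rank_risks(REGISTER):
        flag = "  <-- raters disagree, discuss" if s["disagreement"] else ""
        print("%-22s score %5.2f %-6s%s" % (name, s["score"], s["tier"], flag))
```

With the sample register the system install ranks first as high, the HIPAA breach and the succession gap land in the medium tier, and only the succession gap is flagged: one rater scored its likelihood 1 and another 4, which is exactly the kind of disagreement the slides say to expect and to resolve by discussion rather than by averaging it away.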
Contact Information:
Kelly Nueske
Manager, Risk Management & Performance
Improvement Services
Phone: 612.376.4739