Risk Assessments and Internal Controls - Audit and Compliance Committee Conference 2011


Upload: health-care-compliance-association

Post on 12-Nov-2014


DESCRIPTION

This presentation will discuss: the nature of risk in a health care organization and its risk factors; the purpose of internal controls and how to balance them in a health care organization; and the principles of risk management and enterprise risk management.

TRANSCRIPT

Page 1: Risk Assessments and Internal Controls- Audit and Compliance Committee Conference 2011

© 2008 Sinaiko Healthcare Consulting, Inc. Proprietary and Confidential 1

HCCA Audit & Compliance Committee Academy

Risk Assessment and Internal Controls

Kelly Nueske, RN, CPA, CMA, CIA

Managing Director

Enterprise Risk Services ~ Internal Audit & Compliance

Page 2

Agenda

Risk

Internal Controls

Risk Assessment

Enterprise Risk Management

Page 3

Nature of Risk

R = risk is relative because perception of downside and upside risk is individual, and that applies to people and organizations.

I = risk is intuitive because we learn with experience and time.

S = risk is significant because everything we do has positive and negative consequences.

K = risk is kinetic because it changes relative to situations, events, time and space.


Page 4

Nature of Risk

Risk is universal

Risk is not properly identified and managed by most organizations, including governments

Need a common risk vocabulary

Need improved risk management methodologies

Risks are diverse & inherent to the business operations

If non-clinical risks are not managed they are just as hazardous as clinical risks

Page 5

Internal Risks

Policies and Procedures
– Internal controls

Contracting
– Vendor Relationships
– Physician Relationships

Financial Reporting
– Financial Statements
– Tax Returns
– Cost Reports
– Investor Reporting
– Credit Risk
– Liquidity Risk

Crisis Management Program
– Business Continuity Plan

Human Resource Management
– Hiring & Terminations
– Employee Relations

Governance
– CEO Succession

Clinical Practices
– Quality
– Core measures
– Evidence Based

Information Technology
– Security
– Disruptions

Document Management

Page 6

External Risks

Office of the Inspector General

CMS

State Health Department

OSHA

EPA

Investors

CCAC

Litigators

Past Employees

HIPAA

IRS

Auditors

Competition

Page 7

What About the Unknown?

Page 8

What Affects Risk?

Organizational culture and ethics

Financial pressures

Technology

Competition

Business strategy, e.g. joint ventures, mergers, acquisitions

State and Federal Laws

Accreditation

Change = Risk

Page 9

COSO

COSO [Committee of Sponsoring Organizations of the Treadway Commission] is a voluntary private-sector organization, formed in 1985, that brings together five professional bodies:
– American Accounting Association
– American Institute of CPAs
– Financial Executives International
– Institute of Internal Auditors
– Institute of Management Accountants

Page 10

What Is Internal Control?

COSO Definition
– Internal control is a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
» Effectiveness and efficiency of operations
» Reliability of financial reporting
» Compliance with applicable laws and regulations

Page 11

COSO Internal Control Framework

1. Control Environment – The organizational culture that influences the ethical behavior, workplace integrity, and risk and compliance consciousness of its personnel.

2. Risk Assessment – The process of identifying risks that threaten the institution’s achievement of objectives.

3. Information and Communication Systems – The process for providing the right information to the right people at the right time so that they can effectively carry out their responsibilities.

4. Monitoring – The management process in place to verify that controls are working as intended and to identify anomalies.

5. Control Activities – The activities established to ensure that compliance requirements and the risk responses selected by management are carried out.

Page 12

Internal Controls “Can” and “Cannot”

Internal Controls can:
– Promote reliable internal and external financial reporting
– Help safeguard assets
– Promote compliance with laws and regulations
– Help a company achieve its performance and profitability targets

Internal Controls cannot:
– Guarantee the reliability of financial reporting and compliance with laws and regulations
– Guarantee a company’s survival or success

Page 13

Types of Controls

Preventative Controls
– Designed to prevent errors or irregularities before they have occurred.
– Examples:
» Regular balancing and reconciling are completed by an individual independent of the transactions processed through the account.
» Passwords and physical safeguards are established to restrict access to appropriate personnel.
» Authorization and limits are established to ensure the appropriate oversight of significant transactions.

Detective Controls
– Designed to detect errors or irregularities after they have occurred.
– Examples:
» Exception reports are reviewed and cleared by persons with appropriate authority.
» Systems maintenance reports are reviewed to ensure changes are completed properly and authorized.
» Documentation reviews are completed to ensure files are complete.

Directive Controls
– Explain “how to do” something or a process.
– Examples:
» Policies and Procedures

Page 14

Risk Assessment vs Enterprise Risk Management

Risk Assessment
– The identification, measurement and prioritization of likely relevant events or risks that may have a material consequence on an organization’s ability to achieve its objectives.
– Typically performed by Internal Audit, Compliance and Risk Management annually.

Enterprise Risk Management
– A process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
– An organizational approach to managing risk that is owned by Management.

Page 15

What is Risk Assessment?

Performed annually

Process includes:
– Interviews
– Documentation review
– Employee surveys

Final deliverable
– Internal Audit workplan
– Compliance workplan

Page 16

What is Enterprise Risk Management?

Holistic approach to identifying risk – more than regulatory compliance, financial, medical liability, patient safety, general liability or SOX

Creates a portfolio view of risks

Identifies interrelationships and interdependencies among risks

Offers ability to manage risks within and across business units

Page 17

What is Enterprise Risk Management?

Improves organization’s ability to identify and seize opportunities – competitive edge

Considers risk in the formulation of business strategy

Method to achieve business objectives

Involves all levels of management

Process to identify, analyze, mitigate/manage, measure and communicate risks across organization

Page 18

Who is responsible for ERM? Everyone!

Board of directors provide guidance, direction and monitoring

Audit Committee, Risk Committee or full board receive a “dashboard” on risk and establish risk tolerance

CEO has ultimate ownership and sets the tone for the ERM process

Each level of management stays informed and takes ownership of risks at their level

Chief Risk Officer, if one exists, is facilitator and challenger of the process

Risk Management Team comprised of CEO, CFO, COO, CRO, CIO, CNO, CMO, etc. to oversee and support the process

Page 19

Risk Domains

Operational
– Core business including systems and processes. Example: outpatient care

Financial
– Ability to earn, raise or access capital. Example: bonds

Human
– Recruiting, retention and managing workforce. Example: worker’s compensation

Strategic
– Ability to grow and expand. Example: joint ventures

Legal/Regulatory
– Statutory, regulatory compliance, licensure, accreditation. Example: HIPAA, OSHA, JC

Technology
– Biomedical & information technologies. Example: CPOE

Page 20

COSO Internal Control Framework (Original)

Page 21

COSO ERM Integrated Framework

Page 22

Sample Risk Assessment Results

Risk Area/Project Name            Risk Domain    Total Points
Revenue Cycle                     Financial      655
Billing Compliance                Regulatory     655
Privacy and Security              Regulatory     655
Grants and Research               Financial      625
Competition                       Strategic      625
Investments                       Financial      610
Business Continuity Plan          Operational    560
Mental Health Access              Operational    560
Core Measures                     Operational    525
Cash Controls                     Financial      525
Human Resources Operations        Human          520
Accounts Payable                  Financial      495
Governance (Committee Charters)   Governance     475
Credit Balances                   Regulatory     465
Computer Operations               Technology     445
Wireless Network                  Technology     445

Page 23

Sample Risk Assessment Heat Map

[Heat map figure: individual risk markers plotted on the map; the marker labels did not survive the transcript.]

Page 24

Something to Remember

Risk management and risk assessment are not an exact science. There is no one-size-fits-all approach.
– The process is unique to your organization.
– They are only one component of audit plan development.
– They include many variables.
– Scoring of individual risk factors and risks by several people will likely result in disagreement.
– The results should feel right, especially in terms of how risk is viewed overall and what rises as significant versus not so significant.
– Audit and Compliance Committee members should not get caught up in the details.

Page 25

Questions to Ask

Is our executive management excited and passionate about their work?

Do they believe in and fulfill their responsibilities in a manner that embraces mission and vision?

For high risks, like a major system install, do we have someone with passion for leading the project and are they in the risk position to lead?

Does the risk management and risk assessment approach make sense for our organization?

Are we satisfied with the results of the risk assessment?

Page 26

Questions to Ask

What other factors are used in developing the annual compliance and audit work plans?

How are the risks not included in those plans being addressed?

What risks are addressed by the board or its committees?

What risks are managed by operations and management?

Is management talking to the committee about risk and controls or is it a topic only understood by Internal Audit?

Page 27

Questions to Ask

Who is responsible for ensuring compliance?

How do we know they are meeting the responsibility?

What major gaps do we currently have to fill and what are our plans to do so?

How concerned should we be about the gaps in the short and long run?

What do we want to see and what should we see?

How and when will an issue be resolved?

Page 28

Conclusion

Leaders…
– Understand the risks most pertinent to their organization
– Manage the risks in an integrated fashion
– Prioritize risk management efforts around:
» Risks having the biggest potential impact, and
» Risks most likely to occur

Page 29

Contact Information:

Kelly Nueske, RN, CPA, CMA, CIA

Managing Director

Enterprise Risk Services ~ Internal Audit & Compliance

[email protected]

715.338.5566