2/7/2013

www.pwc.com

Enterprise Risk Management February 26, 2013

What you do not know will not hurt you!

Enterprise Risk Management PwC

February 26, 2013 2

1

2/7/2013

Agenda • Understand what is Enterprise Risk Management (ERM) • Discuss how to implement ERM • Understand the role of Governance in ERM • Evaluate the key value derived from ERM programs

Enterprise Risk Management PwC

February 26, 2013 3

Stages of ERM Implementation Efforts ERM implementation efforts begin with basic foundational components and progress into advanced analytics and integrated management

5.1 Integration with Management Processes including Planning and Evaluation

1.1 Awareness of Importance of Risk Management

1. Culture and Governance

2.1 Risk Identification and Risk Maps

3.1 Risk Self Assessment Tools

2.2 Risk Governance, Organization, and Policy Design

3.2 Key Risk Indicators, Measures, Controls and Dashboards

2. Risk Identification

3. Risk Measurement

4.1 Management Controls and Corrective Actions

5.2 Aligned Risk Appetite, Limits, and Budgets

4.2 Stress Testing

5.3 Risk-Adjusted Return Metrics

4.3 Internal Model to Quantify Risk and Capital

5.4 Integration with Existing Company Systems

4. Advanced Analytics

5. Integrated Management

Enterprise Risk Management

Enterprise Risk Management PwC

February 26, 2013 4

4

2

2/7/2013

Exercise

Enterprise Risk Management PwC

February 26, 2013 5

Healthcare Risk Areas • Quality/Patient Care

• IT

- Evidence-based practices

- Security/access

- Outcome measures

- Data integrity

- Patient satisfaction

- System implementation

• Revenue Cycle

• Hospital Operations

- Billing errors

- Cost reduction strategies

- CDM accuracy

- Patient safety

- Denials management

- Physician alignment

Enterprise Risk Management PwC

February 26, 2013 6

3

2/7/2013

Healthcare Risk Areas continued • Finance

• Legal

- Accounts receivable reserve

- Stark and anti-kickback

- Financial statements

- Mergers and acquisitions

- Cash management

- Physician contracts

• Compliance

• Mission

- Conflicts of interest

- Community benefits

- Joint Commission

- Canon Law/ERDs

- Policies and procedures

Enterprise Risk Management PwC

February 26, 2013 7

Exercise

Enterprise Risk Management PwC

February 26, 2013 8

4

2/7/2013

Strategic Initiative View Implementation of Electronic Health Records • System implementation • IT security and access • Financial processes (budgeting, capitalization, etc.) • Policies and procedures • Quality outcomes • Patient safety • Cash management

Enterprise Risk Management PwC

February 26, 2013 9

Strategic Initiative View continued Physician Alignment • Physician contracting • Stark and anti-kickback law • Conflict of interest • Patient safety • IT system integration • Labor/pay practices

Enterprise Risk Management PwC

February 26, 2013 10

5

2/7/2013

Where is the risk? • Patient safety or physician contracts • Financial statements or system access and security • Joint Commission matters or Stark violations • Billing errors or lost charges • Electronic health record implementation or physician alignment

Enterprise Risk Management PwC

February 26, 2013 11

Risk Management Approach Recap • Traditional Approach to Risk - Specialized silos – aligned to functional areas - Focused on limited risks - Usually in response to an occurrence • Integrated Approach to Risk - Cross-functional coverage of focused risk set - Can be either reactive or proactive - Use of performance metrics

Enterprise Risk Management PwC

February 26, 2013 12

6

2/7/2013

Risk Management Approach Recap continued

• ERM Approach to Risk - Manages the entire risk portfolio - Aligned with strategic direction and priorities - Provides informed risk-taking decisions - Systematic, well-defined approach - Provides efficient use of resources - Provides a sustainable process

Enterprise Risk Management PwC

February 26, 2013 13

Key Considerations for Implementing ERM • Executive level sponsorship • Governance alignment and reporting • Collaborative risk management process (not a project!) • Common understanding of risk with defined risk criteria • Coordinated across the organization

Enterprise Risk Management PwC

February 26, 2013 14

7

2/7/2013

ERM Implementation Process Flow Board Sets Direction

Establish ERM Structure

Strategic Assessment

Risk Assessment

Establish Priorities and Develop Work Plans

Control Activities

Monitor

Evaluate

Communicate Enterprise Risk Management PwC

February 26, 2013 15

ERM Implementation Key Steps • Board and governance committee direction • Establish ERM team and structure - Cross-functional team of senior management - Charter with defined roles and responsibilities - Workflows and timelines • Strategic assessment - Identify the key strategic and business operating priorities for the organization (importance) - What could prevent organization from achieving the priorities

Enterprise Risk Management PwC

February 26, 2013 16

8

2/7/2013

ERM Implementation Key Steps continued • Conduct Risk Assessment - Develop a common risk criteria matrix - Identify risk assessments already being conducted - Coordinate risk assessment activities - Prioritize/rank key risks • Establish Priorities and Workplans - Identify process and control gaps - Develop control activities - Monitor processes and control compliance Enterprise Risk Management PwC

February 26, 2013 17

ERM Implementation Key Steps continued • Evaluate Risk - What risk remains unmitigated - Collectively, how much risk exists - What resources are needed to reduce the risk • Communicate Results - Reporting formats and detail varies by audience • Continue - This is a process, not a one-time project Enterprise Risk Management PwC

February 26, 2013 18

9

2/7/2013

ERM Implementation Process Flow Board Sets Direction

Establish ERM Structure

Strategic Assessment

Risk Assessment

Establish Priorities and Develop Work Plans

Control Activities

Monitor

Evaluate

Communicate Enterprise Risk Management PwC

February 26, 2013 19

Governance Role in ERM • Board Responsibility - Establish strategic direction - Reduce risk - Guide executive management • Audit Committee - Understand risk management methodologies - Monitor progress - Evaluate results of monitoring functions (Compliance, Internal Audit, etc.)

Enterprise Risk Management PwC

February 26, 2013 20

10

2/7/2013

Governance Role in ERM continued • Specialty Committees - Understand the key risks impacting their area of speciality - Review risk dashboards or key performance indicators - Evaluate management remediation and control activities

Note: Some risks may need to be communicated to several committees based on the broad reach. For example, electronic health records may be reported to the committee responsible for IT and the committee responsible for quality.

Enterprise Risk Management PwC

February 26, 2013 21

Stages of ERM Implementation Efforts ERM implementation efforts begin with basic foundational components and progress into advanced analytics and integrated management

5.1 Integration with Management Processes including Planning and Evaluation

1.1 Awareness of Importance of Risk Management

1. Culture and Governance

2.1 Risk Identification and Risk Maps

3.1 Risk Self Assessment Tools

2.2 Risk Governance, Organization, and Policy Design

3.2 Key Risk Indicators, Measures, Controls and Dashboards

2. Risk Identification

3. Risk Measurement

4.1 Management Controls and Corrective Actions

5.2 Aligned Risk Appetite, Limits, and Budgets

4.2 Stress Testing

5.3 Risk-Adjusted Return Metrics

4.3 Internal Model to Quantify Risk and Capital

5.4 Integration with Existing Company Systems

4. Advanced Analytics

5. Integrated Management

Enterprise Risk Management

Enterprise Risk Management PwC

February 26, 2013 22 22

11

2/7/2013

Key Lessons Learned • Board and executive-level commitment is key • Develop an ERM leader or team - Cross-functional - Senior leaders • Coordinate efforts already in place BEFORE creating new infrastructure • Focus on the BIG picture • Establish ERM as a PROCESS not a PROJECT • Streamline reporting - Dashboard versus detail

Enterprise Risk Management PwC

February 26, 2013 23

Key Value of ERM • Enables a broader view of risk • Identifies emerging risk (proactive versus reactive) • Enables entire organization to view and evaluate risk in a consistent manor using established criteria • Assists in prioritization and usage of resources • Enables better dialogue around risk to achieving strategies and business priorities

Enterprise Risk Management PwC

February 26, 2013 24

12

2/7/2013

This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers LLP, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it. © 2012 PricewaterhouseCoopers LLP. All rights reserved. In this document, “PwC” refers to PricewaterhouseCoopers LLP which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.

13