Enterprise Risk Management
Wayne L. Brannan, CPHRM, CBCP, CHSP, ARM
Director, Risk Management
The Medical University of South Carolina
What is Enterprise Risk Management?
• The COSO* Definition: “Enterprise Risk Management is a process, effected by an entity’s Board of Directors, management and other personnel, applied in a strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
*The Committee of Sponsoring Organizations of the Treadway Commission, www.coso.org
ERM Key Elements
• Analyzes risk “across the enterprise”
• Manages multiple risks in an integrated manner, rather than in separate risk “silos”
• Elevates Risk Management as a strategic partner in achieving corporate goals and objectives
Elements of ERM Framework
• Education and Internal Environment
• Objective Setting
• Event Identification
• Risk Assessment
• Risk Response
• Control Activities
• Information and Communication
• Monitoring
Why ERM? (Corporate Scrutiny, Regulatory Issues, Research)
• MEDICAL CHIEF SURVIVES SCANDAL – TIES TO ENRON AND IMCLONE CALLED BAD LUCK
• MEDICAL OVER-BILLING RESULTS IN $5.6M FINE
• CHIEF UROLOGIST CHARGED WITH RESEARCH CONFLICT OF INTEREST
• EIGHT MORE HOSPITAL LAWSUITS ADDED TO ALLEGED CHARITY CARE VIOLATIONS
• UNIVERSITY MEDICAL CENTER MISUSES FEDERAL GRANT = $32M FINE
• MEDICAL CENTER CHARGED WITH RESEARCH FRAUD AND ABUSE
• AUDIT FINDS HOSPITAL FAILED TO REPORT HUNDREDS OF MISTAKES
Why ERM? (Foreign Issues, Outsourcing, Technology)
• THE DOCTOR IS IN BUT NOT IN THE U.S. – “nighthawking” to India, Israel, Australia . . .
• RAPIST ACCESSES PATIENT RECORDS – HOSPITAL MULLS CRIMINAL SCREENING
• CASE HEARING ON KIDNAPPING MEMBER OF DOCTORS WITHOUT BORDERS MISSION TO START ON MONDAY
• TELEMEDICINE AT HEART OF DIAGNOSTIC CHANGES
• STUDENT SEARCHING FOR INFORMATION ABOUT DOCTOR IS LINKED TO PRIVATE PATIENT FILES
• EXTORTION THREATS TO RELEASE PATIENT RECORDS – CLIENTS NOT INFORMED OF INDIA STAFF’S BREACH
• DETAILED PSYCHOLOGICAL RECORDS ACCIDENTALLY POSTED ON WEBSITE FOR EIGHT DAYS
• HACKERS ACCESS 7000 PATIENT FILES
Why ERM? (Risk Outliers)
• DOCTOR SELLS OWN SPERM FOR IN VITRO FERTILIZATION
• LAWSUITS FILED OVER CUSTODY OF FROZEN EMBRYOS
• THE ETHICS OF BABY MAKING
• WILLED BODY PROGRAM SUSPENDED AMID ALLEGATIONS OF ILLEGAL BODY PARTS SALES
• CA PHYSICIANS FIND SUCCESS IN THE SPA BUSINESS
• WHY DID THEY DIE IN COSMETIC SURGERY?
• BABY KIDNAP STAGED TO SUE HOSPITAL FOR BREACH OF SECURITY
• ORGAN REMOVAL RULED HOMICIDE
Why ERM? (Loss of Accreditation, Loss of Federal Funding)
• LACK OF SUPERVISION OF STUDENTS’ ROTATIONS
• FAILURE TO GET INFORMED CONSENT FOR MINORS PARTICIPATING IN CLINICAL TRIALS
• NON-COMPLIANCE WITH INTERIM LIFE SAFETY MEASURES
• NON-REGISTRATION OF SELECT AGENTS USED IN RESEARCH
• FACULTY CONSULTING WITH PRIVATE SUPPLIERS OF MEDICAL DEVICES
• INAPPROPRIATE BILLING FOR TIME AND ACTIVITY WHILE WORKING UNDER FEDERALLY FUNDED GRANT
• INACCURATE REPORTING OF NONRESIDENT ALIENS
The Value of ERM
• The underlying premise of ERM is that every entity exists to provide value for its stakeholders
• Stakeholders of not-for-profit entities realize value when they recognize receipt of valued social benefit, i.e. “the Mission”
• A key to achieving that social benefit, and a key to survival, is to identify and manage risk across the enterprise rather than narrowly focusing on certain “traditional” risk areas
• ERM facilitates an entity’s ability to achieve its performance and profitability targets; it prevents loss of resources; it ensures compliance with laws and regulations; it avoids damage to reputation; and it supports achieving corporate goals and objectives, all from a broader perspective than traditional RM
• ERM identifies areas where due diligence/auditing is prudent due to increased corporate scrutiny (Leapfrog Initiative, Sarbanes-Oxley)
Roadblocks
• Complex and takes time
• Needs transition from theory to action plan
• Requires combined knowledge and focus: legal, financial, internal audit, clinical, insurance, compliance, operations, etc.
• Turf wars between departments and divisions can occur
• Requires a new paradigm
How to Achieve ERM within your Facility
• Embrace “enterprise-wide” risk oversight
• Require that RM evaluate the risk issues of new strategies well in advance of implementing those strategies
• Foster a collaborative effort to address risk and quality concerns, and to make pro-active decisions that include risk management considerations as well as operational strategies
• Determine and assign authority levels for managing risks
• Facilitate open communication of risk
Role of Risk Officer
• Establish ERM policies and set goals for implementation
• Frame accountability and authority
• Promote ERM competence throughout the entity
• Guide integration of ERM with other business planning and management activities
• Oversee development of entity-wide and business-unit-specific risk tolerances
• Facilitate managers’ development of reporting protocols (ERM Roundtable)
• Report to senior leadership on progress and recommend action as needed
Develop a Strategy Matrix
• Define key organizational short- and long-term goals
  • Strategic
  • Operational
  • Financial
• Map key risk management issues that will support the goals or that could threaten the goals
• Identify and prioritize risk management strategies
• Document assignments of responsibility and timelines for achieving goals and objectives
The ERM Fusion Model: Incorporating JCAHO Patient Safety Goals
The ERM Fusion Model: Incorporating JCAHO’s Top 10 Items that will Make or Break You
• Expired Medications/Supplies
• Violations of Patient Confidentiality
• Use of Non-calibrated/Non-verified Equipment
• Inability to Articulate Section/Unit PI Processes
• Unfamiliarity with EM Procedures
• Unfamiliarity with NPSGs
• Inability to Validate Physician/Staff Competency
• Insufficient/Non-existent Documentation
• By-passing Informed Consent
• Improper Storage/Cluttered Areas