Post on 26-Mar-2018
3/14/2016
Compliance Program Effectiveness & Beyond: A Large System’s Approach to Risk Assessment
March 18, 2016
HCCA Regional Conference – Charlotte, NC
Kathryn Dever, MBA, CHC
VP, CHS Corporate Compliance
Matthew Vogelien, CHC
AVP, CHS Corporate Compliance
Session Objectives
• Discuss the importance of risk assessment
as a part of effective compliance programs
• Define the critical components of risk
assessment
• Explore how to utilize risk assessment
results to create an improved culture of
compliance
Compliance Program Structure - Overview
Compliance Program “Matrix”
CHS Compliance Program: 2015 Snapshot
Risk Assessment: An essential element
of effective compliance programs
[Diagram: “The Seven Elements + 1”: Exception Reporting; Response & Discipline; Oversight; Prevention; Written Standards; Education / Training; Auditing & Monitoring; plus the 8th Element, Risk Assessment]
Effective Compliance Program
• The Carolinas HealthCare System Compliance Program is designed to incorporate the “7 elements” of an effective compliance program.
• Strategically, and in line with industry best practice, we consider Risk Assessment a critical “8th element.”
• Compliance program communications, guidance, and tools are developed at the corporate level to support our facilities and provided to our compliance stakeholders for facility-level application/implementation.
What is Risk Assessment?
• Recognizing and addressing apparent and emerging risks
through the assignment of quantitative and qualitative
values related to a situation and a recognized threat.
• Purpose of Risk Assessment Activities: to effectively
manage identified risks by reducing the probability of a
negative occurrence caused by internal vulnerabilities or
external threats.
• Effective management requires that risks be:
– Identified
– Measured/Assessed
– Prioritized/Managed
Source: 2015 Health Care Compliance Association Compliance Academy
Why is Risk Assessment essential to
an Effective Compliance Program?
Risk Assessment increases a Compliance Program’s value
to the organization because resulting data and decisions
can be used to:
• Determine areas where prior years’ auditing, monitoring and
education activities have yielded improvement and where gaps
exist.
• Determine risks that are addressable through compliance activities
• Develop an Annual Compliance Work Plan that is risk-based
– Increases the likelihood that auditing and monitoring activities detect the
biggest concerns
– Employs a variety of compliance activities to address risks (e.g.,
focused process improvement initiatives, education, resource
development)
Source: 2015 Health Care Compliance Association Compliance Academy
Why is Risk Assessment essential to an
Effective Compliance Program? (continued)
Risk Assessment increases a Compliance Program’s value to the organization because resulting data and decisions can be used to:
• Determine how to prioritize and allocate compliance resources
– Clarifies necessary compliance budget expenses
– Illustrates when/where additional resources may be needed
• Help the Board fulfill compliance oversight responsibility by providing a comprehensive picture of the organization’s compliance risk environment
• Demonstrate compliance efforts to the OIG
– May reduce settlement amount if investigated
– May demonstrate that a Corporate Integrity Agreement (CIA) is not necessary or that it should be reduced
Source: 2015 Health Care Compliance Association Compliance Academy
Critical Risk Assessment
Components
Risk Assessment at CHS
• Considered a key component of our Compliance Program
Effectiveness strategy
• Helps us understand where our largest risks are locally
and enterprise-wide
• Data-driven
• Considers internal and external sources
• Involves the input of key stakeholders
• Risk Assessment Components:
1. Identification of Risks
2. Measurement/Assessment of Risks
3. Prioritization/Management of Risks
[Diagram: Identify / Measure / Prioritize]
Risk Assessment at CHS (continued)
Step 1: Identification of Risks
• Leadership Requests
• Internal & External Environment Monitoring
• Compliance Matrix Input
• FCOs, FCAs, FCCs
• Investigation Findings
• Inquiries
• OIG, CMS, DOJ
• Audit Results
Step 2: Measurement & Assessment of Risks
• Single view document with a standardized approach to categorize, prioritize and manage compliance risks identified above.
Step 3: Prioritization & Management of Risks
• Refer
• Additional Info Req’d
• Address
• No Action Req’d
Risk Assessment Components
Step 1: Identification of Risks
Identifying compliance risks is an ongoing compliance activity
that leverages a variety of information sources
• Compliance Environment “news”
– OIG Work Plan: Annual & Mid-Year Updates
– DOJ memos & decisions
– CMS updates
– Communications from other regulatory bodies
– Other trusted compliance news sources
• Internal/External Audit Findings
• Internal Monitoring & Investigations Results
• Inquiries & direct reports
These inputs are collected in a central repository and are reviewed as part
of our continuous risk assessment process.
Risk Assessment Components
Step 1: Identification of Risks (continued)
Annually, a formal Risk Identification Survey is utilized to collect input
about current and emerging compliance risks
• Construction of Survey:
– Questions are simple, open-ended
– Completion takes 10-15 minutes
– Participants categorize their input by Risk Area
– Sources are requested, but not required
• Timing
– Distributed in October to coincide with the publication of the OIG Work Plan
– “Open” for 2 weeks
• Central Repository
– Results are downloaded once Survey “closes”
– Annual Risk Identification Survey results are maintained as documentation of focused risk assessment activities
Risk Assessment Components
Step 2: Measurement/Assessment of Risks
Compliance risks collected through the aforementioned
processes are individually reviewed and discussed by
the Corporate Compliance Risk Assessment Committee.
– Items collected through the continuous risk assessment and
work plan development processes are reviewed as they are
received.
– Annual Risk Identification Survey inputs are reviewed in
conjunction with the Annual OIG Work Plan, both of which
coincide with goal-setting activities for the upcoming calendar
year.
Risk Assessment Components
Step 2: Measurement/Assessment of Risks (continued)
Compliance risks are discussed in detail by the Risk Assessment Committee in order to “disposition” each item. Considerations for each risk include:
• Potential Risk Impact
– Are reputational, financial or regulatory outcomes likely to occur from
non-compliance?
• Organization’s Vulnerability
– How likely is it that non-compliance related to this compliance risk will
occur?
– Are there processes in place to detect non-compliance?
• Risk Mitigation
– Are policies, procedures and/or processes in place to prevent non-compliance?
Risk Assessment Components
Step 3: Prioritization/Management of Risks
• Once we assess the risk, we determine the appropriate disposition to avoid, transfer, accept or reduce/mitigate each risk.
• Risks are assigned at least one disposition, although multiple dispositions may be assigned to a single risk, including:
• Consider for initiative, goal or education
• Need additional information
• Risk is addressed in Work Plan or elsewhere
• No Action Required at this time
• Refer to another team (Compliance Audit, Internal Audit, Privacy, etc.)
• Refer to Facility Compliance Officer
• Refer for Compliance Work Plan Development
Appropriate documentation should be maintained so you can recreate the story on each risk, should the need arise.
Documentation of Risk Assessment Activities
• Important to document risk assessment inputs, decisions
and commentary in order to realize the full value of these
activities for your compliance program
– Allows for tracking risks to an appropriate “closure” point
• Closure points vary by risk area, ability to mitigate a risk,
organization’s appetite for risk acceptance and current compliance
risk environment
– Maintains the factors considered and the supporting facts used
to make decisions
• Note why a risk was not addressed, where it is referred, etc.
– Provides easily accessible data for reports to stakeholders,
organization leaders and the Board
Appropriate documentation and tracking leads to an elevated awareness of compliance risks and proper assessment/prioritization considerations. This discipline impacts daily
compliance activities in such a way as to make them risk-based.
Sharing Risk Assessment Results
• Important to share high level Risk Assessment data and
decisions with key stakeholders, leaders and the Board
– Helps illustrate how Compliance Program supports and protects
the organization
– Shows that you bring a “LEAN” strategy to your compliance work
– Provides necessary feedback to Risk Assessment participants
that their input is utilized and valued
• Memo summarizing OIG Work Plan items and how they intersect with Compliance Program activities
• Full report of Risk Identification Survey data provided to Compliance Matrix (high risk items reported to Compliance Committee of the Board)
Utilizing Risk Assessment to Create
an Improved Culture of Compliance
Risk Assessment’s Influence on Compliance
Culture
Risk Assessment data directly impacts the following
activities by providing information about knowledge gaps
and process improvement needs.
• Development of Compliance Work Plans
• Monitoring the Compliance Environment
• Development of compliance resources & tools
• Development and delivery of compliance
education & communications
[Diagram: Identify / Measure / Prioritize]
Continuous Compliance Work Plan
Development
On a continuous basis, Compliance Work
Plans are reviewed and updated in
accordance with a 3-year calendar.
• Risk Area leaders provide input via a risk area risk identification survey and live meetings
• Inputs from the compliance environment and the annual Risk Identification Survey are incorporated for consideration
• Work Plan items may be retired or kept
• New work plan items may be added
Continuous Compliance Work Plan Development
Risk Assessment and Compliance Work Plan Development are integrated, continuous processes. Risk Assessment data is utilized to:
– Develop the 36-month review plan.
– Determine the appropriate type of reviews for the current year:
• Abbreviated Reviews: Work plans do not have to be “revised” during the review process if updates are not required.
• Expedited Revisions: Work Plans may be revised “out of sync” with their scheduled review when the need arises (e.g., regulatory updates).
• Full Reviews: Work plans are reviewed in their entirety, including newly reported risks.
Compliance Environment Monitoring
• A collaborative compliance department initiative
designed to harness and utilize the daily monitoring of
compliance news. Objectives include:
– Enhance compliance education and communication activities
– Leverage subject matter experts to identify industry news
– Identify compliance issues for risk assessment
Compliance Resources & Tools
• Resources and tools have always been an important aspect of our Compliance Program, but Risk Assessment has enabled us to identify knowledge and process gaps more quickly and with more details about what to address.
• Some of the resources and tools developed to address compliance risks include:
– Compliance Practice Guidelines: Formal documentation of a
compliance risk, including regulatory background, analysis of compliance
considerations and guidance for risk avoidance and mitigation.
– Compliance Advisories: Formal communication of new/revised
Compliance Program components, guidance, resources or tools.
– Compliance Tools: Typically accompany the above documents or a
compliance work plan, including tools such as Self Audit Templates, Self
Assessments and templates.
Development & Delivery of Compliance
Education and Communications
• Our Risk Assessment process has enabled us to determine
where education resources can be most effective and
where previous education initiatives have been successful.
• Risk Assessment results are utilized to develop and refine
the annual Compliance Education & Communications Plan,
a snapshot including:
– List of education deliverables
– Planned development timeframe
– Estimated delivery timeframe
– Delivery methodology
Development & Delivery of Compliance
Education and Communications (continued)
• Compliance Matrix Meetings: live, in-
person meetings that include Compliance
Environment Review, Compliance Program
Updates, Focused compliance education
and case studies.
• Education Roundtables: live webinars
featuring education on a specific
compliance program feature or compliance
risk area risk.
• Compliance Newsletter: bi-monthly
publication of compliance news and
developments (CHS, local, state and
national), Compliance Program updates,
Upcoming due dates and events and
inspirational compliance perspectives from
organization leaders.
Risk Assessment & Compliance
Program Effectiveness: Brief Recap
[Diagram: “The Seven Elements + 1” (the seven compliance program elements plus Risk Assessment as the 8th Element)]
Risk Assessment’s Role in Supporting Compliance Program Effectiveness
The Risk Assessment Program supports each of the 7 Elements of an
effective compliance program.
• Provides data to validate the successful aspects of each element’s
implementation and execution by Compliance Matrix members
• Provides data that also uncovers gaps, weaknesses and opportunities
for improvement regarding each element and its associated
activities
[Diagram: “The Seven Elements + 1” (the seven compliance program elements plus Risk Assessment as the 8th Element)]
An Effective Compliance Program Supports Risk Assessment
The Compliance Program Elements contribute to the Risk Assessment
Process as well.
• Provide data (as input points) into the Risk Assessment process
• Serve as mitigation strategies to address compliance risks identified
through Risk Assessment activities, enabling you to prevent, detect
and deter non-compliance
Concluding Notes on Risk Assessment
• Compliance program effectiveness and risk assessment
should be proactive, “continuous programs” rather than
isolated or finite “reactive” activities.
• Results of both activities should be documented and
shared with key stakeholders, organization leaders and
the Board.
• Results should be leveraged to identify opportunities,
facilitate communication and planning, and implement
improvements.
Session Objectives
• Discuss the importance of risk assessment
as a part of effective compliance programs
• Define the critical components of risk
assessment
• Explore how to utilize risk assessment
results to create an improved culture of
compliance