Agenda - HCCA Official Site3/16/2016 1 Leveraging Internal Audit and Corporate Compliance for...

3/16/2016 1 Leveraging Internal Audit and Corporate Compliance for Effective Risk Management Leveraging Internal Audit and Corporate Compliance for Effective Risk Management April 18, 2016 Don Sinko Chief Integrity Officer Cleveland Clinic 2 Agenda Agenda Cleveland Clinic Integrity Office Model The 3 Lines of Defense What is Enterprise Risk Management (ERM) Cleveland Clinic’s Approach to ERM


Leveraging Internal Audit and Corporate Compliance for Effective Risk Management

April 18, 2016

Don Sinko, Chief Integrity Officer

Cleveland Clinic

Agenda

• Cleveland Clinic Integrity Office Model

• The 3 Lines of Defense

• What is Enterprise Risk Management (ERM)

• Cleveland Clinic’s Approach to ERM


Cleveland Clinic Background

• Unrestricted Revenue of $7.2 Billion

• Total Assets of $13.7 Billion

• 49,000 Employees

• 1,800 Residents & Fellows

• 6 Million Annual Patient Visits

• Over 2,500 Research Protocols

Cleveland Clinic Background (cont’d)

• Main Campus Founded in 1921

- Structured as a Group Practice

- 3,200 Physicians and Scientists

- 11,200 Nurses

- 4,450 Beds

- 208,800 Surgeries

• 16 Family Health Centers

• 10 Community Hospitals

• Las Vegas, Abu Dhabi, Canada, London

Healthcare Risk Environment

• Mounting Financial Pressure & Transparency

• Shift to Value-Based Care

• Constrained Resources

• Reduced Reimbursements

• Regional, Clinically Integrated Networks

• Competitive Intensity

• Uncertainty

Preventative Medicine vs. Surgery

• Ombudsman: Patient Advocate

• Law Department:

- Protect the Entity

- Tell The Truth

• Integrity Office:

- Transparency

- Ethics

- Do the Right Thing

- Tell The Whole Story


Audit & Compliance Today

• More Than Just Billing & Balances

• Process Focused

• Patient Focused

- Quality

- Privacy/Security

- Transparency

• Focused on Implementation of the Law

- Must Know Operations/Processes

- Speak the Language

- Staffed with Many Disciplines


Integrity Office

[Organization chart. Boxes shown: CEO; Chief Integrity Officer; Office of Internal Audit; Office of Corporate Compliance; IT Security; Corporate Compliance Committee; Audit Committee of the Board of Directors; Board of Governors]

Integrity Office (cont’d)

• Internal Audit and Corporate Compliance Under One Umbrella

- Leverages Resources

- Shared Focus on Risk

- Shared Focus on Processes

- Still Independent of Each Other

• Located in the C-Suite

• Independent of Law Department

• Separate from Clinical Compliance


Integrity Office (cont’d)

• Many Backgrounds Required for Integrity Program Effectiveness

- CPAs

- IT

- Forensics

- Nursing

- Billing/Coding

- Research

- Pharmacy

- Legal

- Risk Management

Three Lines of Defense

First Line of Defense -- Operations

• Institute of Internal Auditors

- Risk Management Position Paper

• Term from Medieval Castle Systems

- Moats

- Stone Walls

- Interior Forces

• Focused on External Risks


Three Lines of Defense (cont’d)

Second Line of Defense

• Risk Management

• Corporate Compliance

• Clinical Compliance

• Law Department

• Supply Chain


Three Lines of Defense (cont’d)

Third Line of Defense

• Independent Assurance

- Internal Audit

- External Audit

What is Enterprise Risk Management

• Important executive management responsibility to assure key risks are addressed

• Requires a portfolio review of risk

• Method to manage uncertainty and volatility

• Proactive and Strategic: minimize threats and capitalize on opportunities

• Ongoing process

ERM is not…

• Replacement for internal controls

• Method to eliminate all risk

• Rigid set of rules to follow in all respects

• Exactly the same from year to year


Cleveland Clinic Approach to ERM

Audit Committee Executive Session

• ERM is not the:

- Internal Audit Risk Assessment

- Corporate Compliance Risk Assessment

• Risk Evaluation Processes not Documented

• Not Tied to Strategy

Cleveland Clinic Approach to ERM (cont’d)

• ERM Program Initiated

- Define ERM Project Plan

- Establish ERM Governance Structure

- Determine Risk Appetite

- Tie ERM to Strategy


ERM Program Implementation

Define Desired State ERM Program & Recommendations

Enterprise Risk Identification & Assessment

Engagement Planning & Launch

Phase III, Phase IV, Phase II, Phase I

ERM Project Summary

• Define Project Goals

• Committee Education

• Retain Consultant

• Create Awareness

• Current State Assessment

• Document Review

• Conduct Interviews

• Assess overall ERM capability

• Identify Risks and Risk Owners

• Analyze Information

• Validate and Prioritize

• Document Mitigation Steps and Gaps

• Validate Risk Profile and Rankings

• Develop Governance and Oversight Framework

• Determine improvements / Action Plans

• Develop Awareness and Education Plan

• Design Reporting and Monitoring Activities

Enterprise Risk Management Governance Structure

[Governance chart. Boxes shown: Board of Trustees; CEO Council; ERM Working Groups; ERM Steering Committee; Financial Planning; Strategic Planning; Executive Committee; Planning; Leadership Council; Strategic Council; Performance Improvement; Internal Audit]

Established ERM Steering Committee

• Members from Executive and Operations Management

• Performed Risk Interviews

• Determined Top 20/10/7 Risks

• Tied Risks to Strategy

• Approved by Board of Directors

• Established Teams to Address Risks

• Monitored Risk Management Process

Healthcare Risk Universe

Strategic, Compliance, People, Operational, External

• Business Model

• Governance

• Resource Allocation

• M & A

• Planning

• Market Dynamics

• Network Development

• Investor Relations

• Media Relations

• Economy

• Political Environment

• Regulatory Structure

• Supply Chain

• Information Technology

• Physical Assets

• Patient Safety and Quality

• Research

• Natural Disasters

• Succession Planning

• Labor Relations

• Recruitment and Retention

• Training and Development

• Company Culture

• Tax Compliance

• Anti-trust

• Regulatory Provisions (HIPAA, HITECH, RAC)

• Conflict of Interests

• Health and Safety

• Environmental

Financial

• Capital Availability

• Investment Risk

• Revenue Cycle

• Benefit Obligations

• Foreign Currency

• Cash Management

• Payer Mix

• Accounting and Reporting

Top Risks Mapped to Strategic Initiatives

[Figure: Cleveland Clinic Top Risks mapped to Cleveland Clinic Strategic Initiatives (Growth Integration, Research & Education)]

ERM Risk Evaluation Cycle

[Cycle diagram. Labels shown: Continuous Evaluation; Annual Assessment; Assess; Mitigate; Monitor; ERM Team; Steering Committee & Audit Committee; Business Leaders; Internal Audit; Management & IA Assessments]


Integrity Office Involvement

• Plays an important role in monitoring ERM, but does NOT have primary responsibility for its implementation or maintenance

• Reviews internal controls and risk management processes

• Reviews management’s risk assessments

• Provides advice on the improvement of internal controls and risk mitigation strategies

• Facilitates ERM education

• Communicates to Management and the Board
