
3/14/2016


Compliance Program Effectiveness & Beyond: A Large System’s Approach to Risk Assessment

March 18, 2016

HCCA Regional Conference – Charlotte, NC

Kathryn Dever, MBA, CHC

VP, CHS Corporate Compliance

Matthew Vogelien, CHC

AVP, CHS Corporate Compliance

Session Objectives

• Discuss the importance of risk assessment as a part of effective compliance programs

• Define the critical components of risk assessment

• Explore how to utilize risk assessment results to create an improved culture of compliance


Compliance Program Structure - Overview


Compliance Program “Matrix”


CHS Compliance Program: 2015 Snapshot

Risk Assessment: An essential element of effective compliance programs

Effective Compliance Program

[Figure: “The Seven Elements + 1” diagram. Labels: Exception Reporting; Response & Discipline; 8th Element: Risk Assessment; Oversight Prevention; Written Standards; Education / Training; Auditing & Monitoring]

• The Carolinas HealthCare System Compliance Program is designed to incorporate the “7 elements” of an effective compliance program.

• Strategically, and in line with industry best practice, we consider Risk Assessment a critical “8th element.”

• Compliance program communications, guidance, and tools are developed at the corporate level to support our facilities and provided to our compliance stakeholders for facility-level application/implementation.


What is Risk Assessment?

• Recognizing and addressing apparent and emerging risks through the assignment of quantitative and qualitative values related to a situation and a recognized threat.

• Purpose of Risk Assessment Activities: to effectively manage identified risks by reducing the probability of a negative occurrence caused by internal vulnerabilities or external threats.

• Effective management requires that risks be:

– Identified

– Measured/Assessed

– Prioritized/Managed

Source: 2015 Health Care Compliance Association Compliance Academy

Why is Risk Assessment essential to an Effective Compliance Program?

Risk Assessment increases a Compliance Program’s value to the organization because resulting data and decisions can be used to:

• Determine areas where prior years’ auditing, monitoring and education activities have yielded improvement and where gaps exist.

• Determine risks that are addressable through compliance activities

• Develop an Annual Compliance Work Plan that is risk-based

– Increases the likelihood that auditing and monitoring activities detect the biggest concerns

– Employs a variety of compliance activities to address risks (e.g., focused process improvement initiatives, education, resource development)

Source: 2015 Health Care Compliance Association Compliance Academy

Why is Risk Assessment essential to an Effective Compliance Program? (continued)

Risk Assessment increases a Compliance Program’s value to the organization because resulting data and decisions can be used to:

• Determine how to prioritize and allocate compliance resources

– Clarifies necessary compliance budget expenses

– Illustrates when/where additional resources may be needed

• Help the Board fulfill compliance oversight responsibility by providing a comprehensive picture of the organization’s compliance risk environment

• Demonstrate compliance efforts to the OIG

– May reduce settlement amount if investigated

– May demonstrate that a Corporate Integrity Agreement (CIA) is not necessary or that it should be reduced

Source: 2015 Health Care Compliance Association Compliance Academy

Critical Risk Assessment Components

Risk Assessment at CHS

• Considered a key component of our Compliance Program Effectiveness strategy

• Helps us understand where our largest risks are locally and enterprise-wide

• Data-driven

• Considers internal and external sources

• Involves the input of key stakeholders

• Risk Assessment Components:

1. Identification of Risks

2. Measurement/Assessment of Risks

3. Prioritization/Management of Risks

[Figure: Identify / Measure / Prioritize]

Risk Assessment at CHS (continued)

[Figure: risk assessment process flow. Step 1: Identification of Risks; Step 2: Measurement & Assessment of Risks; Step 3: Prioritization & Management of Risks. Diagram labels: Leadership Requests; Internal & External Environment Monitoring; Compliance Matrix Input; FCOs; FCAs; FCCs; Investigation Findings; Inquiries; OIG; CMS; DOJ; Audit Results; Refer; Additional Info Req’d; Address; No Action Req’d]

Single view document with a standardized approach to categorize, prioritize and manage compliance risks identified above.

Risk Assessment Components

Step 1: Identification of Risks

Identifying compliance risks is an ongoing compliance activity that leverages a variety of information sources

• Compliance Environment “news”

– OIG Work Plan: Annual & Mid-Year Updates

– DOJ memos & decisions

– CMS updates

– Communications from other regulatory bodies

– Other trusted compliance news sources

• Internal/External Audit Findings

• Internal Monitoring & Investigations Results

• Inquiries & direct reports

These inputs are collected in a central repository and are reviewed as part of our continuous risk assessment process.

Risk Assessment Components

Step 1: Identification of Risks (continued)

Annually, a formal Risk Identification Survey is utilized to collect input about current and emerging compliance risks

• Construction of Survey:

– Questions are simple, open-ended

– Completion takes 10-15 minutes

– Participants categorize their input by Risk Area

– Sources are requested, but not required


• Timing

– Distributed in October to coincide with the publication of the OIG Work Plan

– “Open” for 2 weeks

• Central Repository

– Results are downloaded once Survey “closes”

– Annual Risk Identification Survey results are maintained as documentation of focused risk assessment activities

Risk Assessment Components

Step 2: Measurement/Assessment of Risks

Compliance risks collected through the aforementioned processes are individually reviewed and discussed by the Corporate Compliance Risk Assessment Committee.

– Items collected through the continuous risk assessment and work plan development processes are reviewed as they are received.

– Annual Risk Identification Survey inputs are reviewed in conjunction with the Annual OIG Work Plan, both of which coincide with goal-setting activities for the upcoming calendar year.

Risk Assessment Components

Step 2: Measurement/Assessment of Risks (continued)

Compliance risks are discussed in detail by the Risk Assessment Committee in order to “disposition” each item. Considerations for each risk include:

• Potential Risk Impact

– Are reputational, financial or regulatory outcomes likely to occur from non-compliance?

• Organization’s Vulnerability

– How likely is it that non-compliance related to this compliance risk will occur?

– Are there processes in place to detect non-compliance?

• Risk Mitigation

– Are policies, procedures and/or processes in place to prevent non-compliance?

Risk Assessment Components

Step 3: Prioritization/Management of Risks

• Once we assess the risk, we determine the appropriate disposition to avoid, transfer, accept or reduce/mitigate each risk.

• Risks are assigned at least one disposition, although multiple dispositions may be assigned to a single risk, including:


• Consider for initiative, goal or education

• Need additional information

• Risk is addressed in Work Plan or elsewhere

• No Action Required at this time

• Refer to another team (Compliance Audit, Internal Audit, Privacy, etc.)

• Refer to Facility Compliance Officer

• Refer for Compliance Work Plan Development

Appropriate documentation should be maintained so you can recreate the story on each risk, should the need arise.

Documentation of Risk Assessment Activities

• Important to document risk assessment inputs, decisions and commentary in order to realize the full value of these activities for your compliance program

– Allows for tracking risks to an appropriate “closure” point

• Closure points vary by risk area, ability to mitigate a risk, organization’s appetite for risk acceptance and current compliance risk environment

– Maintains the factors considered and the supporting facts used to make decisions

• Note why a risk was not addressed, where it is referred, etc.

– Provides easily accessible data for reports to stakeholders, organization leaders and the Board

Appropriate documentation and tracking leads to an elevated awareness of compliance risks and proper assessment/prioritization considerations. This discipline impacts daily compliance activities in such a way as to make them risk-based.

Sharing Risk Assessment Results

• Important to share high level Risk Assessment data and decisions with key stakeholders, leaders and the Board

– Helps illustrate how Compliance Program supports and protects the organization

– Shows that you bring a “LEAN” strategy to your compliance work

– Provides necessary feedback to Risk Assessment participants that their input is utilized and valued

• Memo summarizing OIG Work Plan items and how they intersect with Compliance Program activities

• Full report of Risk Identification Survey data provided to Compliance Matrix (high risk items reported to Compliance Committee of the Board)

Utilizing Risk Assessment to Create an Improved Culture of Compliance

Risk Assessment’s Influence on Compliance Culture

Risk Assessment data directly impacts the following activities by providing information about knowledge gaps and process improvement needs.

• Development of Compliance Work Plans

• Monitoring the Compliance Environment

• Development of compliance resources & tools

• Development and delivery of compliance education & communications

[Figure: Identify / Measure / Prioritize]

Continuous Compliance Work Plan Development

On a continuous basis, Compliance Work Plans are reviewed and updated in accordance with a 3-year calendar.

• Risk Area leaders provide input via a risk area risk identification survey and live meetings

• Inputs from the compliance environment and the annual Risk Identification Survey are incorporated for consideration

• Work Plan items may be retired or kept

• New work plan items may be added

Continuous Compliance Work Plan Development

Risk Assessment and Compliance Work Plan Development are integrated, continuous processes. Risk Assessment data is utilized to:

– Develop the 36 month review plan.

– Determine the appropriate type of reviews for the current year:

Abbreviated Reviews: Work plans do not have to be “revised” during the review process if updates are not required.

Expedited Revisions: Work Plans may be revised “out of sync” with their scheduled review when the need arises (e.g., regulatory updates).

Full Reviews: Work plans are reviewed in their entirety, including newly reported risks.


Compliance Environment Monitoring

• A collaborative compliance department initiative designed to harness and utilize the daily monitoring of compliance news. Objectives include:

– Enhance compliance education and communication activities

– Leverage subject matter experts to identify industry news

– Identify compliance issues for risk assessment

Compliance Resources & Tools

• Resources and tools have always been an important aspect of our Compliance Program, but Risk Assessment has enabled us to identify knowledge and process gaps more quickly and with more details about what to address.

• Some of the resources and tools developed to address compliance risks include:

– Compliance Practice Guidelines: Formal documentation of a compliance risk, including regulatory background, analysis of compliance considerations and guidance for risk avoidance and mitigation.

– Compliance Advisories: Formal communication of new/revised Compliance Program components, guidance, resources or tools.

– Compliance Tools: Typically accompany the above documents or a compliance work plan, including tools such as Self Audit Templates, Self Assessments and templates.

Development & Delivery of Compliance Education and Communications

• Our Risk Assessment process has enabled us to determine where education resources can be most effective and where previous education initiatives have been successful.

• Risk Assessment results are utilized to develop and refine the annual Compliance Education & Communications Plan, a snapshot including:

– List of education deliverables

– Planned development timeframe

– Estimated delivery timeframe

– Delivery methodology

Development & Delivery of Compliance Education and Communications (continued)

• Compliance Matrix Meetings: live, in-person meetings that include Compliance Environment Review, Compliance Program Updates, Focused compliance education and case studies.

• Education Roundtables: live webinars featuring education on a specific compliance program feature or compliance risk area risk.

• Compliance Newsletter: bi-monthly publication of compliance news and developments (CHS, local, state and national), Compliance Program updates, Upcoming due dates and events and inspirational compliance perspectives from organization leaders.

Risk Assessment & Compliance Program Effectiveness: Brief Recap

Risk Assessment’s Role in Supporting Compliance Program Effectiveness

[Figure: “The Seven Elements + 1” diagram. Labels: Exception Reporting; Response & Discipline; 8th Element: Risk Assessment; Oversight Prevention; Written Standards; Education / Training; Auditing & Monitoring]

The Risk Assessment Program supports each of the 7 Elements of an effective compliance program.

• Provides data to validate the successful aspects of each element’s implementation and execution by Compliance Matrix members

• Provides data that also uncovers gaps, weaknesses and opportunities for improvement regarding each element and its associated activities

An Effective Compliance Program Supports Risk Assessment

[Figure: “The Seven Elements + 1” diagram. Labels: Exception Reporting; Response & Discipline; 8th Element: Risk Assessment; Oversight Prevention; Written Standards; Education / Training; Auditing & Monitoring]

The Compliance Program Elements contribute to the Risk Assessment Process as well.

• Provide data (as input points) into the Risk Assessment process

• Serve as mitigation strategies to address compliance risks identified through Risk Assessment activities, enabling you to prevent, detect and deter non-compliance

Concluding Notes on Risk Assessment

• Compliance program effectiveness and risk assessment should be proactive, “continuous programs” rather than isolated or finite “reactive” activities.

• Results of both activities should be documented and shared with key stakeholders, organization leaders and the Board.

• Results should be leveraged to identify opportunities, facilitate communication and planning, and implement improvements.

Session Objectives

• Discuss the importance of risk assessment as a part of effective compliance programs

• Define the critical components of risk assessment

• Explore how to utilize risk assessment results to create an improved culture of compliance