Presentation on theme: "Building a Compliance Risk Monitoring Program HCCA Compliance Institute New OrleansApril 19, 2005 Lois Dehls Cornell, Esq. Assistant Vice President, Deputy."— Presentation transcript:
Building a Compliance Risk Monitoring Program HCCA Compliance Institute New OrleansApril 19, 2005 Lois Dehls Cornell, Esq. Assistant Vice President, Deputy General Counsel, Senior Compliance Officer 781.466.1025 Lois_Cornell@tufts-health.com
 Compliance Risk Monitoring Overview u Regulatory Guidance u Establish Ownership and Team u Identification of Potential Risks u Initial Assessment & Documentation u Prioritization & Reporting u Ongoing Monitoring & Identification of New Risks
 Getting Started: u Using Regulatory Guidance u Establishing Ownership and a Compliance Risk Monitoring Team
 Regulatory Guidance u Amendments to the Sentencing Guidelines The organization shall periodically assess the risk of criminal conduct and shall take appropriate steps to design, implement, or modify each requirement … to reduce the risk of criminal conduct identified through this process. –Assess periodically the risk that criminal conduct will occur, including assessing the: Nature and seriousness of such criminal conduct Likelihood that certain criminal conduct may occur because of the nature of the organization’s business. Prior history of the organization http://www.ussc.gov/2004guid/2004cong.pdf 2. EFFECTIVE COMPLIANCE AND ETHICS PROGRAM §8B2.1. Effective Compliance and Ethics Program
 Regulatory Guidance CORPORATE RESPONSIBILITYAND CORPORATE COMPLIANCE: A Resource for Health Care Boards of Directors Structural Questions: Does the compliance program address the significant risks of the organization? How were those risks determined and how are new compliance risks identified and incorporated into the program? Health care organizations operate in a highly regulated industry and must address various standards, government program conditions of participation and reimbursement, and other standards applicable to corporate citizens irrespective of industry. A comprehensive ongoing process of compliance risk assessment is important to the Board’s awareness of new challenges to the organization and its evaluation of management’s priorities and program resource allocation. http://oig.hhs.gov/fraud/docs/complianceguidance/040203CorpRespRsceGuide.pdf
 Developing the Risk Monitoring Process u Develop a “Compliance Risk Monitoring (CRM) Team” with Key Stakeholders –Which areas already monitor or audit for risks? Compliance, Legal, Government Affairs, Internal Audit, HR, Clinical, Information Systems u Establish the role of the CRM Team –Identify potential risks –Assess the status of potential risks that are identified –Review and prioritize –Monitor risks on an ongoing basis Compliance risk monitoring may already be performed by individuals in different areas of the company. The challenge is to coordinate these efforts and make people accountable for reporting potential risks.
 Identification of Potential Risks u Get the blessing of Senior Management to implement compliance risk monitoring u Collect potential risks by surveying all areas of the organization: –Start with your CRM Team –Survey your Legal Department –Survey area directors and key project managers u Meet with people in groups or individually u Use the phone, email and voice mail
 Initial Risk Assessment u Depending on the size of your organization, you may need a few months to identify risks u Meet with your CRM Team to review the risks that have been identified and to assign team members to assess each risk. –Assignments are based on the oversight responsibilities of the participant e.g., Government Affairs department representative, who oversees company compliance with state law, would monitor compliance in Member Services with appeal and grievance requirements
 Documentation: Use Care! u Use a compliance risk assessment template to frame the issue in terms of the requirement and how the potential risk is being controlled. u If the probability of noncompliance and the potential damage to the company is high, ensure that your Legal Department is involved and that communications are covered under Attorney-Client privilege. –Risk monitors need to be aware of this
 Documentation of Potential Risks u Develop a template to document potential risks: –Regulatory requirement –Business owner, and others involved –Status to control or mitigate risk (see next slide) –Potential likelihood and potential impact in terms of financial penalties, regulatory oversight, bad press –Who monitors the risk –How often it should be monitored
 Documentation of Risk Status u Assessing the Status of a Risk –Controls in place; no further action steps need to be developed –Action steps identified and/or in process of being implemented –Part of Internal Audit plan:Date: __________________ –Part of Gov’t Affairs review:Date: __________________ –Need to develop and implement a plan –Need to gather more information –Assessment complete. No further action or monitoring needed.
 Documentation of Risk Potential u Potential Likelihood of the Risk Occurring: High Medium Low u Potential Impact if Risk Occurs (Check all that apply) : High Financial Reg.Oversight PR Medium Financial Reg.Oversight PR Low Financial Reg.Oversight PR
 Risk Prioritization u Once the initial assessments are complete, meet with the CRM Team to prioritize all identified risks u Sort risks based on the: –status of their controls –likelihood that noncompliance could occur, and –potential impact to the company u Set aside risks that have a low probability and would have low impact
 Risk Reporting u Inform Senior Leaders that risk(s) have been identified in their area –Make sure they know about it, eliminate surprise –Gives them opportunity for input –Helps you prepare for report to Steering Comm. u Report to Compliance Steering Committee –Give the prioritized risk list to your compliance oversight committee for their review and approval –Get their input on prioritization –Last step before reporting to the Board
 Risk Reporting u Report to the Audit & Compliance Committee of the Board –Provide Board A&C with high level overview of the compliance risk monitoring process and findings –Be prepare to speak to any information that you have documented –Be clear about next steps and timing of next report
 Ongoing Compliance Risk Monitoring u From the list of prioritized risks, establish ongoing risk monitoring that occurs quarterly, semi-annually or annually, depending to the initial recommendation on the risk assessment template (Slide #10) u Use the same monitor (from the CRM Team) who first helped assess each risk. (Slide #9) u Establish a point person in the Compliance Dept. to ensure that new assessments and updated templates are completed when due. u Timing of future monitoring for each risk is based on new assessment findings.
 Ongoing Compliance Risk Monitoring u Use existing audit functions to assess issues where the risk potential is uncertain –Ask Internal Audit to add the review of a particular department and process to their annual audit plan –Ask Government Affairs to do a formal audit of issues where compliance with state or federal regulations may be in question
 Identification of New Potential Risks u New potential compliance risks can be identified at any time in the course of managing your compliance program u In addition, formally solicit new risks annually from key departments and leaders –People become familiar with roles and process over time, fewer meetings may be needed u As new risks are identified and prioritized, add them to the ongoing monitoring process