HealthCareRx
A business intelligence prescription for health care executives Winter 2016
www.grantthornton.com/hcriskmgmt
Meet risk challenges through
leadership, collaboration
Anne McGeorge, National Managing Partner, Health Care
Victor Blanchard, Director, Business Advisory Services
John Summerlin, Senior Manager, Health Care Advisory Services
Health care organizations continue to call for all
hands on deck to keep up with transformational
shifts in their industry. The shifts demand changes in
processes, organizational structures and technology,
which in turn create new and more complex risks. For
internal audit (IA) to be a partner in identifying and
managing risks, we must embrace and expand both
leadership and collaboration roles.
A traditional audit may not be sufficient for
capturing today’s highest-risk areas. To provide a
thorough audit, it is essential to build a partnership
with compliance, IT, operations, finance, risk
management and an entity often not engaged by
IA — the clinicians.
For effective partnering with
all constituents, IA must understand and be able to
communicate meaningfully about how changes create
heightened risk for all stakeholders, and then work
with the diverse participants to build controls that can
then be measured, monitored and reviewed.
Changes heighten and deepen risk
Changes are required because changes to payment and
care models are already being implemented, putting
unprecedented pressure on costs. There are several main
reasons — ever-changing and expensive technology,
rising insurance premiums, and the aging population,
which makes up the majority of high utilizers.
To more effectively meet health and financial needs,
care delivery and outcomes measurement have become
the focus of many interconnections — volume-based
care and payments moving to a measurable value-based
methodology, accountable care organizations’
(ACOs’) management of the patient care continuum,
health information exchanges enabling care integration
through electronic sharing of patient health data,
and public health and hospital/medical care entities
intertwining in population health initiatives.
Risk is proliferating as these and all other aspects of
health care are touched by modifications and outright
overhauls of the way care is delivered. IT reaches
into virtually every task, producing serious data
security issues through mistakes and cybercriminal
activity. Health information exchanges, for all their
contributions to care continuity, are inherently risky
by virtue of their electronic makeup.
ACOs, too, weigh heavily on the risk scale; the
collaboration between previously unaffiliated
providers and the sheer proliferation of population
health initiatives are key factors increasing industry
complexity and inherent risk profiles. These
partnerships also bring the threat of the Stark Law,
and increasing attention on governance of referrals
and financial relationships.
IA can lead in collective risk assessment
and management
Effective identification of, and response to, the
myriad possible risks across all areas of today’s health
care organizations requires extensive collaboration
and cooperation.
Synthesizing knowledge from the
various groups tasked with identifying risks and
creating processes for mitigating those risks takes
a leadership team willing to set aside concerns over
territory or ownership. It is only natural for IA to step
into such a leadership role, having worked with many
of the same leaders as part of building enterprise-wide
risk management programs.
IA must work directly with the leaders in every key
functional area if it’s to be viewed as a thought leader
on risk and control. The most effective IA functions
are those that are not just at the table when strategy
is set and plans developed, but are there as an active
participant valued by administration and operational
leadership alike.
Seasoned executives all know that
building controls into the process beforehand is
more effective and less costly than retrofitting them
later, following a post-implementation audit. The
chief audit executive (CAE) must also be the primary
advocate for ensuring IA has and continues to build
this capability and reputation in environments
including finance, operations, compliance, IT and
clinical. “If the CAE is not an equal team member
with the balance of senior leadership, your IA
function may be chasing risks from a bottom-up
perspective rather than setting the course for
managing risk,” warns Victor Blanchard, director in
Grant Thornton LLP’s Business Advisory Services.
If
not at the table at the senior leadership level, IA won’t
know about the highest-risk areas in operations, IT,
the clinical arena and other functional areas, and will
always be playing catch-up in an attempt to address
risks largely after the fact.
“Take part in developing the processes and controls,
and clarify the kinds of processes that can be audited
and reviewed so that leaders and users can understand
if the process is working the way they think it is —
the way it should,” said Blanchard. “Educate your
colleagues in other disciplines about what internal
audit can do to help them be more successful.”
Risk assessment and subsequent management
necessitate agreement on descriptions so everyone
can identify and categorize risks by type, severity
and likelihood, and be ready to work together to
mitigate them. Go beyond cooperation with others to
collaboration with them.
Compliance — IA might well begin with the chief
compliance officer; much of compliance strategy
directs efforts in risk management. Identify risks,
create monitoring processes for mitigation and work
together on follow-up of all processes.
Together,
IA and compliance ensure a process that is not
only compliant, but also designed well, effective
and efficient. The customers of these types of
IA-compliance collaborative audits generally learn more
from them as well, further increasing the likelihood of
sustained compliance.
IT — “IA and IT chiefs (e.g., CIO, chief technology
officer and chief information security officer) need to
work together intimately so that internal controls can
be built into new ideas and initiatives from the point
they hit the drawing board,” said Blanchard. “The
pace at which health care technology is advancing
means that every minute IT consumes in addressing a
risk that should have been identified during the design
phase must be accounted for as an opportunity cost
and in real dollars.
Fixing systems for avoidable risk-related
issues is time diverted from more meaningful
projects and true value-added endeavors being
postponed or neglected.”
A value that IA can add, said John Summerlin, senior
manager in Grant Thornton’s Health Care Advisory
Services practice, is “helping to ensure that IT is
achieving its enablement mission. Then IT projects
can be gauged for whether the right efficiencies are
supporting the organization’s transformation events.”
Operations — IA can help verify that evaluation of
the operations (e.g., physician and nursing staffing,
support staffing) has been included in the plans for
these transformational initiatives. Ask these questions,
said Summerlin: “Have we defined what we will be
doing differently at the point of care to align with
our new strategies? Have we developed processes to
limit patient leakage? Are we capturing the relevant
information for our quality metrics or
outcomes-based measures?”
Finance — Collaboration with finance can take
the form of monitoring and oversight of financial
activities to ensure visibility into key metrics and to
confirm that reporting is shifting its perspective to
align with transformation initiatives.
“For example,” said
Summerlin, “if there is an ACO contract, you need
to be able to look at spending in line with key success
measures for that contract.”
This is where the revenue cycle traditionally fits in;
now it is necessary to address enhancement of these
core processes to account for the new delivery models.
Clinicians — Because of its responsibility for
providing assurance that the organization is meeting
its mission, objectives and goals, IA must be directly
involved in the clinical space. Key relationships for IA
include the chief medical officer, chief nursing officer,
quality, clinical analytics, patient safety and other
medical professionals. IA may first need to make its
presence known — frequently, medical leaders and
their teams are unaware of IA or, worse, have an
inaccurate perception of how IA can support risk
management in a clinical setting.
The introductions go
both ways; medical leaders first need to be assured of
IA’s intentions in seeking to build relationships in the
clinical space, and not in the management of clinical
process or decision-making. With initial rapport and
understanding in place, medical leadership is more
likely to share information about the processes that
underlie clinical functions.
For example, procedures related to high-alert
medications — these are drugs that can cause
significant patient harm if administered incorrectly.
A nurse obtains a drug and determines if it is on the
hospital’s high-alert medication list. If it is listed,
policy likely requires an independent double-check
by the nurse prior to administration to the patient.
This would mean the medication must pass an
additional level of scrutiny before it is administered.
In a clinically oriented audit, IA can assist leadership
with education, analytics and process mapping. For
example, IA could help the chief nursing officer
determine whether nurses understand the difference
between a double-check and an independent
double-check. Without having to understand the medical
aspects of the process, IA can provide substantive
value in the assessment of processes that support
clinical care.
An example from the operating room would be a
checklist or procedure for minimizing the likelihood
of a retained foreign object (RFO), such as a sponge
left in a person’s body.
In an RFO event, the surgeon
may be subject to a probationary period of 90 to 120
days intended to reinforce procedures and controls
to prevent RFOs. IA is not equipped to question
a surgeon’s ability or the process for performing a
medical procedure, but can review documentation
and nonmedical processes put in place as part of
the probationary and post-probationary periods.
In this way, IA can ensure that medical leadership’s
expectations are met and procedures to control RFOs
are followed.
As for every other function and process in the
organization, the point is to assure a quality result — one
that was agreed upon and planned for from the start. IA’s
ability to collaborate, along with its unique perspective,
will be a critical tool in successfully managing the
transformation occurring in health care today.
Contacts
Anne McGeorge
National Managing Partner
Health Care
T +1 704 632 3520
E anne.mcgeorge@us.gt.com
Victor Blanchard
Director
Business Advisory Services
T +1 410 244 3210
E victor.blanchard@us.gt.com
John Summerlin
Senior Manager
Health Care Advisory Services
T +1 404 475 0188
E john.summerlin@us.gt.com
Contact us to learn more about how we can
help your organization manage its risk.
About the newsletter
HealthCareRx is published by Grant Thornton LLP.
Founded in Chicago in 1924, Grant Thornton LLP (Grant Thornton) is the U.S. member firm of Grant Thornton
International Ltd, one of the world’s leading organizations of independent audit, tax and advisory firms. In the United States, Grant Thornton has revenue in excess of
$1.3 billion and operates 57 offices with more than 500 partners and 6,000 employees.
Grant Thornton works with a broad range of dynamic publicly and privately
held companies, government agencies, financial institutions, and civic and religious organizations.
This content is not intended to answer specific questions or suggest suitability of action in a particular case. For additional information about the issues discussed,
contact a Grant Thornton LLP professional.
“Grant Thornton” refers to Grant Thornton LLP, the U.S. member firm of Grant Thornton International Ltd (GTIL), and/or refers to the brand under which the GTIL
member firms provide audit, tax and advisory services to their clients, as the context requires.
GTIL and each of its member firms are separate legal entities and are not
a worldwide partnership. GTIL does not provide services to clients. Services are delivered by the member firms in their respective countries.
GTIL and its member firms
are not agents of, and do not obligate, one another and are not liable for one another’s acts or omissions. In the United States, visit grantthornton.com for details.
© 2016 Grant Thornton LLP  |  All rights reserved  |  U.S. member firm of Grant Thornton International Ltd