Healthcare Risk Isn’t What It Used to Be… Is Your Organization Prepared?

When The Harvard Business Review, The Economist Business Unit, and Booz & Company don’t just agree on a point—but overwhelmingly agree—it’s probably time to pay attention.

That’s definitely the case when it comes to understanding how risk impacts shareholder value. According to studies by all three groups, the greatest risk to organizations is at the strategic level. Not a missing zero in the annual report. Not a threatened lawsuit. It’s the entire organization’s strategic direction.

Take HBR’s study, for example. They found that 86% of shareholder value lost over the past decade was due to strategic risks. Yet auditors only spent 6% of their time focused on those issues alone.

The disconnect applies to all industries. But given how the COVID-19 pandemic has literally upended the business models of thousands of healthcare payers, providers, integrated delivery networks, and life science companies, this aspect of risk needs to be addressed more heads-on—especially for publicly listed entities.

In our experience of working with numerous healthcare clients, we’ve found that the more holistic approach to risk management the better, starting with assessing your risk maturity and tolerances.

This holistic approach begins by identifying, measuring, prioritizing, and managing an organization’s risks from the standpoint of the organization’s enterprise plans, (i.e., strategies and goals). This laser focus on the organization’s unique journey to achieving enterprise plans ensures risks discovered are clear to the organization, allowing it to effectively navigate execution and exploit opportunities.

Forget incrementalism triggered by a boil-the-ocean approach of identifying risks that an organization is likely to encounter because it belongs to a specific industry. It’s time to pivot. It’s time to focus on the big picture and how the organization has determined it needs to get to that picture.

Risk Maturity and Models

• Assessing overall governance, enterprise risk, and compliance maturity, including all lines of defense, such as operations, compliance, and internal audit.
• Assessing an organization’s risk models for internal and external tolerances along with how the organization defines and measures risk.

Governance and Compliance Program Effectiveness

• Readiness assessments for regulators, including: FDA, CMS, HRSA/340B, DEA, DOJ, DOI, DOD, Medicaid, etc.
• Culture assessments to help drive and sustain risk management programs.
• Assessing the efficacy of an organization’s governance program, including remediation timeliness, monitoring programs for fraud, waste and abuse, HIPAA, etc.

Reporting and Technology

• Assess governance, risk and compliance (GRC) monitoring dashboards, existence of data analytics for anomalies, including overpayments.
• GRC tools, including centralizing policies, audits, and compliance work plans.

Pharmacy Compliance

• Assessing operational first line of defense, inventory management risks, and pharmacy changes, such as opening, closing, or consolidating pharmacies.
• Providing guidance on opioid crisis management, 340B program assessment, and drug divergence, including inpatient and outpatient pharmacies.

Third-Party Risk Management (TPRM)

• Assessing vendor and contract risks, health plan first-tier downstream related (FDR) entities.

Operational Compliance and Internal Audit Outsource / Co-Source

• Providing a second and third line of defense for compliance and internal audit organizations respectively.
• Implementing GRC systems, co-source/outsources arrangements, or special project assistance such as provider audits or coding and billing auditing.

Many of our clients’ executive teams and Boards have asked us to help mature their risk organization and transform how they manage risks. Aside from our standard approach to assessing an organization’s risk management activities, we can dig deeper beyond the standard CMS and OIG risk management assessments to include reviewing risk culture, a health system’s net operating losses, finding the root cause of decreasing premium and patient revenues, as well as the onset of Own Risk and Solvency Assessment (ORSA) reporting.

Our assessments not only help a client mature their ERM and operational risk programs but also help them better stem-out losses, provide insights on how to successfully compete, as well as comply with ORSA, CMS, OIG, etc.

Here’s one example of engagement: The executive team and Board of a complex health system asked us to conduct an ERM cultural survey. The scope was to assess the organization’s readiness to implement a more robust risk management function and conduct a comprehensive enterprise risk assessment.

The assessment provided guidance on how to identify, measure and prioritize enterprise-wide risks. We then recommended they implement an ORSA-based ERM program to serve dual purposes: manage and monitor the client’s enterprise-wide risks, as well as meet NAIC ORSA regulatory compliance.

Both recommendations were implemented. They additionally created a Board-level risk committee as well as tools to provide oversight of enterprise-wide risks and administer risk management efforts.

Like any good investment, it took time, but the client experienced solid results:

• Significant growth in premium revenues with the same underwriting guidelines
• Improved Medicare loss ratio due to the effective management of insureds with chronic illnesses
• Improved collection of accurate risk scores for Medicare Risk Adjustment, leading to increased Medicare reimbursements
• Significant increase in risk-based capital

Business risk will always be with us. The question is how we mitigate against it. This is especially true in a heavily regulated industry like healthcare. It’s even more true today, given that it’s also seeing once-in-a-generation transformational changes that can either spell opportunities for growth—or dangerous pitfalls for failure ahead.

Healthcare payers, providers, integrated delivery networks, and life sciences companies need to choose wisely. Focusing on strategic and operating risks is the best place to start. RT and ERM are the best paths to chart.