Regan A. Pennypacker (regan@ancorat.com) is President of Ancorat Consulting LLC in Hope Valley, RI.
We assess risk all the time. What happens if we don’t pay the electric bill? How close can we get to an angry dog? What if we said everything that was on our minds?
These seemingly easy choices we make each day are informed by our personal past experiences, knowledge of the experiences of others, and a weighing of benefits and risks based on this information. It could be said that assessing risk is a means of survival, because it helps drive the choices we make in each situation in the game of life. Each choice made, determined by our risk assessments, determines how far we get in the game.
Using that analogy, it should be clear that we have the basic tools to conduct a risk assessment hardwired in our brains. These tools come free of charge, and it is up to each person to decide how they use them. It is better to eliminate the possibility of making a poor choice than to clean up the mess after making one. That said, many industries mandate that risk assessments be conducted as part of their normal operations.
Federal agency requirement
Over the past two decades, the Department of Health and Human Services (HHS) Office of Inspector General (OIG) developed a series of documents outlining compliance program requirements aimed at numerous entities supporting the healthcare and delivery system. After soliciting recommendations for formal guidance and after releasing a draft version, the OIG released finalized voluntary Compliance Program Guidance on November 15, 1999, for the Medicare + Choice (now Medicare Advantage, or MA) Organizations in an effort to promote “a high level of ethical and lawful conduct throughout the entire healthcare industry.”[1]
The Centers for Medicare & Medicaid Services (CMS) took the voluntary guidance and implemented requirements. Among other compliance program elements, CMS requires organizations such as those offering MA and/or Part D benefits to establish and implement an effective system for routine monitoring and identification of compliance risks.[2],[3] Sub-regulatory guidance requires policies and procedures to conduct a formal baseline assessment of major compliance and fraud, waste, and abuse risk areas, such as through a risk assessment. The assessment has to take all Medicare business operational areas into account. Each area must be assessed for the types and levels of risks the area presents to the Medicare program and to the organization.
How should we define risk assessment? Dictionaries define the two words independently, and many industry descriptions are available. To conduct a risk assessment is to identify, track, and prioritize weaknesses and vulnerabilities within a particular organization, project, or other activity.
Answering the question of “why” we do risk assessments should be simple. To identify risks and analyze potential effects and damage is to proactively inform decision-makers regarding next steps. Done correctly, the process should include the assessment of the likelihood of adverse effects as well as the prioritization of next steps in planning auditing and monitoring activities.
Responding to the question of “how” to do them can be more of a challenge. The agency does not specifically outline how an organization must conduct the assessment. However, suggestions are made by CMS regarding the factors for considering risks, such as size of the department, complexity of the activities conducted, and past compliance issues. Additional factors can and should be included, based on an organization’s past experience and the knowledge of the experience of other organizations. Armed with a spectrum of factors, an organization may calculate risk scores using a wider lens:
- Beneficiary impact – How do the operational area’s activities impact the health, wellness, and finances of Medicare beneficiaries?
- Experience of the staff – Has an operational area experienced recent or significant turnover? Has a change in management or other restructuring occurred in the last 12 months?
- Division responsibilities – Does the operational area work on the Medicare line of business only, or does it work on other lines subject to different regulations, such as Federal Employees Health Benefit Program, Marketplace plans, and/or Medicaid?
- Vendor support – Is an operational function shared with or supported by a vendor? Is the function performed entirely by a vendor?
- Enrollment growth – Has recent enrollment growth affected an area’s ability to perform its function?
- Agency audit protocol – Is the operational area a focus in the most recently published CMS Program Audit Protocol?