The second most important function an executive and/or a governance board conducts (second only to planning) is risk management. This key leadership function is evolving rapidly primarily due to the evolutionary movement around compliance (ACA, CMS, etc.) and the payer focal shift from episodic, procedural care to outcome or evidenced based care, pay-for-performance, etc. Similarly, as government policy shifts so does commercial market dynamics with like movements toward pay-for-performance and disease management. While the core concept of “enterprise” protection remains the same, the scope today is different, the breadth wider and the responsibilities and tasks more structured than say, ten plus years ago.
Risk management is the term that encompasses a series of activities, programs, policies, etc. that work (ideally) together to protect and secure the overall enterprise/organizational identity, value, market share, legal structure and by downstream relationship, the stakeholders/shareholders. Its activities, etc. are passive and active. Passive activities (examples) include the purchase of insurance and implementation of firewalls and data security systems. Active activities include audits, training of staff, QA/QI activities, customer/patient engagement programs, etc. The purpose of this post is to focus on the “active” elements and in particular, the most important elements today given the evolving environment and the new risks emerging. The purpose is to frame a model of risk prevention culture rather than an environment fraught with rule deontology and protectionism. The latter tends to breed its own kind of risk(s) in addition to the risk(s) it seeks mitigate.
I like to think of effective risk management plans today as having six key elements. Importantly, the plan is not operative while the elements are. The plan is what the organization uses to monitor the completion (activities), ongoing improvement (identification and address of organizational weakness and vulnerability), and accountability of management in identifying and managing risk. Remember, these elements are the “active” side. I, for sake of the theme of this article, will assume that providers acquire adequate insurance policies utilizing industry professionals in their development plus that they maintain modern IT infrastructure to secure patient data, etc.
- Organizational Focus on Patient Care Quality and Service: This isn’t about slogans or marketing rather, it is about having an overall and deeply integrated culture around patient care outcomes and satisfaction. In a pay-for-performance, competitive, ACO world, this element is key.
- Executive and Board involvement in QA/QI, especially at the highest organizational levels.
- Compensation for management and executives incorporating (heavily) patient outcomes and satisfaction to the degree that all other elements are dwarfed by the weight given to this measure.
- Monitoring in-place of key patient outcome data and benchmarking of the same.
- Monitoring of response and wait times. This element is key as the goal is to create response times as near as possible/practical to immediate or to minimize wait times wherever possible.
- A program of patient/family engagement that includes surveys, focus groups, etc.
- A grievance resolution system that is open, accessible and seeks to address concerns as instantaneous as possible. The approach must be around resolving concerns without delay and bureaucracy.
- Staff training focused on customer service, QA/QI, communication and dealing with patient/family stress, trauma, etc.
- Engagement of staff in a “bottom-up” program or approach whereby lower level line staff are engaged in all training, QA/QI processes, mentoring, etc.
- Audit Contractors and Sub-Contractors: The use of contractors such as physician intensivists (hospitalists) and therapy companies, imaging companies, lab providers, environmental service providers (laundry, housekeeping, etc.) is on the rise as organizations seek to control costs and improve efficiency. Contractors, etc. yield new risk as their conduct, care, service, etc. create a risk transferable directly to the parent organization. The risk of course, is multi-fold. First, as applicable, is care risk (outcomes, service, competence, qualifications, insurance, etc.). Second, is labor risk (legal status, background checks, etc.). Third, is billing risk and compliance risk. If the contractor is involved in any element of care that is billable to a payer (Medicare, Medicaid, commercial insurance), the organization must assure complete compliance with billing and care provision rules in order to negate billing fraud or inappropriate claims risk (risk of non-payment or worse). Summarized, organizations must monitor and audit, externally, the work of contractors. Immunization clauses within contracts cannot supplant audits of risk areas proportional to the scope of the service agreement. For example, the organization must audit its medical staff, the care provided, documentation, billing as applicable, patient contact and satisfaction, response times, etc. The same is true for any care service contractor.
- Billing Audits: This element is particularly crucial for government programs such as Medicare and Medicaid. Providers today must get in the habit of reviewing their claims submitted to payer sources, particularly the government. Two huge risk areas are present today. First, focused fraud actions against providers under the False Claims Act. Audits here are all about making sure that what was billed was actually provided, documented, necessary and compliant. Second, billing accuracy such that claim submissions are “clean” and “accurate”. Denials for inaccuracy, etc. can lead to imbalances in error rates and thus, probes and claims held for review. The latter negatively impacts cash flow and staff productivity as extra work to justify payment is required. I also recommend that organizations be very, very careful about compensation programs tied to revenues and claims, especially without counter-balancing elements and a strong audit program. I like billing audits that are third-party conducted, benchmarked against regional and national data (our business should look like others in the region and nationally) and occur episodically and randomly as frequent as monthly and certainly, no less than quarterly.
- Organizational Transparency and Staff Engagement: A huge risk area providers continue to face is the mixed message and incongruent messages sent to staff from leadership and at the highest levels of the organization. The impetus behind so many False Claims investigations and actions undertaken by the DOJ (Department of Justice) isn’t smart federal auditors – its disgruntled staff. Whistleblowers are the fundamental impetus behind False Claims allegations and actions. Mitigating this risk is simple (beyond doing the right things of course). Organizations, especially leadership, must be transparent and as open and candid as possible. The point here is that there really is no reason to not share goals, plans, operating data, etc. with staff. When I was a CEO, my office was never locked and thus, work and files on my desk and credenza. My compensation was open and I did not hide what I made or how I made it. Not too surprising, across decades of running large healthcare organizations, I never had a fraud allegation or an allegation of any impropriety. Staff knew what the corporate plans were, how they achieved compensation and bonuses, etc. We gain-shared so staff had opportunities to reap reward as the organization grew and performed. Staff engagement means at the planning and implementation levels. It also means active programs of training and a large amount of dialogue regarding why the organization does what it does and where the right and wrong lie. The same Whistleblower mentality is also fundamentally sound when it is used to police bad internal behavior, including that of management.
- Focus on Competence: A simple thing but rarely do I see this element boldly, prominently emphasized. Competence is about the ability to do what is required at the professional, validated level. It is about validation of core skills and abilities within a framework of education and testing. Organizations that focus on developing and maintaining staff and managerial competence limit risk inherently. All together, risk is often a byproduct of incompetence and protection of a weak, status quo. If excellence and competence is demanded and the systems engaged and in-place to assure it, then there is little room for marginal, sub-standard and incompetent to remain. How does an organization focus on competence? First, eliminate old, worn out HR policies and job descriptions and performance evaluations and replace the same with competency and behavioral standards. Competency standards are the elements one must demonstrate and perform as part of the job at a repetitive, proficient level. Behavior standards are the elements of personal conduct and accountability that the organization demands (uniforms, attendance, inservice attendance, etc.). Evaluate standards routinely, move in new skills, refine old skills, educate and test. Require ongoing passage and demonstration and be intolerant of employees and managers that can’t/won’t meet the competency and behavioral requirements. Competency standards are required for ongoing employment; reward for performance thus can only and should only occur when the base standard is consistently exceeded.
- Be Public: By employing all of your constituents in oversight, the likelihood of getting surprised or being caught off guard is minimized. Be public as possible with standards, expectations, contact information, grievance steps, etc. Be open to all criticism and frankly, demand (as much possible) feedback regarding just about anything in the business. No reason that business goals can’t be public and yes, even margin goals. Heck, explain why margins are necessary. Engage the broader universe and community and ask for input and reactions. People will tell you the good, the bad and the ugly – the latter being where potential risk lies. Force the conversation and the accountability and in doing so, limit a large area where risk can fulminate.
Healthcare is a risky business; particularly in heavily regulated environments such as nursing homes and home health and hospice. The fact that a certain level of risk is omnipresent means that the opportunity constantly exists for an organization that improperly identifies and manages its risks, to suffer expensive damages ranging from financial loss to loss of reputation to ongoing compliance problems. All too often, organizations tend to rely on industry normative practices such as committees, policies and procedures and audit tools as means of combatting risk exposure. This information sharing and gathering process coupled with the “hoped for” Hawthorne effect (watched people tend to be compliant is the desired outcome) in reality, falls quite a bit short of performing the optimal function – that of mitigating large risk exposure. In reality, the steps of information sharing and gathering and auditing can have almost a somnambulant effect – putting the organization to sleep under the false pretense that all is well.
Taken apart, the flaws or gaps if you will, in this normative style of risk management are many. The first is the assumption that what the organization is auditing is actually where the real risk begins. For example, auditing charted documentation assumes that the age old adage of, “its documented its done” is correct. What occurs in reality is that charting and documentation becomes the focus of compliance and without a methodology in place to correlate the activity of charting to a specific completed event, the risk actually lies in the documentation. In other words, it is entirely possible (and I have seen it happen) where the charting or documentation doesn’t really reflect the care being delivered or the condition of the patient point-in-time creating an enormous legal and compliance risk.
A second and equally flawed assumption is that the results of audits and information shared actually is put to use by the people who receive the information. Meetings filled with reports about one risk area or the other are only as productive and beneficial as the willingness or the requirement of the people in the room to do something with the information. All too often, the wrong people receive the information; they lack the authority or the organizational standing to actually address the points functionally, that are identified as risks.
A third and final flaw is the notion that activity, no matter what it is (auditing, committees, reports) alleviates risk (e.g., we have a system in-place to identify and deal with risk). What typically happens is the activity breeds only a system of non-reporting, over-documentation, compliant behavior ( the biggest potential area of risk) and a false sense that whatever it might be, will be detected and corrected by “our program”. As John Dewey would say, the only activity that is beneficial is purposeful activity and to have purposeful activity, one needs to have a process in place of hypothesis, inquisition, testing and final analysis.
In order to develop a more functional organization-wide approach to risk management, certain assumptions of where risk begins need to be clarified and understood. I like to use the following categories.
- Management: Ineffective management and managers improperly trained and tasked then not held accountable is undoubtedly, the largest risk area for an organization. Managers at any level that are illegitimate in terms of their organizational authority or their training will consistently either miss areas of risk or fail to seek and act on identified risk areas, causing enormous levels of ongoing risk.
- Employees: Similar in many regards to management in so much that ill-trained, ill-equipped employees are an enormous risk to the organization. In many regards, employee risk is a by-product of ineffective management and a dysfunctional organizational structure. All too often, organizations incur unnecessary employee risk by not addressing bad employees and bad employee habits quickly and efficiently for a whole host of specious reasons.
- Organizational Structure and Culture: Mitigating risk is an enterprise wide endeavor and organizations that realize this address the totality of the risk profile. In the best of cases, culture evolves around identifying and solving problems, improving processes, consistently learning and engaging the totality of the organization in “doing the right thing”. In order for this to occur however, the organization must provide training, reward, resources, and support across all levels.
- External Environment: All too often, organizations view risk as something that is within their purview, within their walls. In reality, the world beyond the walls constantly creates new levels of risk that need to be addressed, analyzed, and re-addressed again.
Starting to craft or perhaps, re-design an organization’s risk profile logically starts with the development of a structure and culture that by its nature, mitigates risks. Crafted correctly, an organizational structure can address the risks associated with management, employment and the external environment. Below are some (not an exhaustive list) key structural elements that are important in developing a structure that better identifies and mitigates risk.
- Lean: Organizations which fight bureaucracy and remain clean and lean are far more adept at identifying and mitigating risk than organizations heavily structured and replete with bureaucracy. In healthcare, the tendency is for organizations to become highly bureaucratized with layers of managers and supervisors. An organizational structure that is more functionally created with limited layers between the lowest employment level and senior or upper management is easier to navigate and quicker (if all other elements are in place) to identify and solve potential risk creating events or processes.
- Education/Learning Based: Organizations which place a heavy emphasis on continuous learning and staff development are better equipped, from a knowledge base, to identify and address risk.
- soliciting Information and Feedback: Organizations which place a heavy emphasis on gathering input from multiple sources via multiple methods will be in a position to quickly identify areas of possible risk. The information loop should be through and across employees, customers, referral sources, vendors, contractors, the community at large, and any other major consistent constituency the organization deals with on a regular basis. Tools need not be fancy but in all cases should encompass surveys, phone, face-to-face, web, and periodic focus groups.
- Gain Sharing: Organizations that are focused on sharing the results of good and fruitful activity are more likely to gain employee buy-in; critical to reducing risk. In an organization I led, we shared the dividends from Worker’s Comp experience with the employees – dollar for dollar. When our self-funded health plan had better utilization experience and costs therefore reduced, employees received the benefit in lower premiums. Ideas that saved money and improved safety or patient experience received cash prizes and/or other rewards.
- Excellent Employee Relations: Having good employee relations is less about being “nice” to employees and more about being a good employer. For an organization to be a good employer, it must adhere to some very basic principles and practices and consistently communicate the same to employees.
Have exceptionally clear job descriptions.
Have a very simple, easily understood discipline system.
Terminate employees only “for cause”.
Make “reward” a liberal and frequent part of your practices.
Have an extensive and paid-for orientation program.
Require continuing education for all employees and pay for it.
Require management to be extremely visible as often as possible.
Create minimal separation between management and employees (lunch rooms, events, education, etc.)
Share all information about the company, including financial data, with employees.
Reward performance heavily and personally wherever possible.
Be quick to discipline and terminate “for cause” – don’t allow issues to fester.
Allow employees to participate in and be responsible for, QI and QA activities.
Effective Management: Managers must be good coaches, good inquisitors, good planners and extremely adept at confrontation. Management that is weak in any area leaves open large areas for risks to occur. Management must be continuously developed and provided with the challenge and the authority to constantly improve the processes and to identify and resolve, areas of inefficiency or operating problems. Management must be similarly, rewarded for producing results and achieving high levels of safety and customer/employee satisfaction. I personally believe that managers need to be evaluated on their ability to plan, to problem solve and to minimize turnover risk and to increase employee and customer satisfaction. I also believe that managers need to be evaluated on how well they interact with and support the efforts of other managers; how well they cross-manage and cross-plan within the normal organizational boundaries.
Strategic Plan: Organizations with a high aptitude for strategic planning and a current strategic plan are far more in-tune with the external environment and the risks that are present internally and externally to the organization. Strategic plans should be living documents, constantly reviewed and updated. A key element in preparing and evaluating this plan is the SWOT (Strengths, Weakness, Opportunities, and Threats) exercise. This SWOT exercise is invaluable on an ongoing basis as a means of updating and evaluating the strategic plan as well as in identifying risk.
Allocate Resources: Mitigating risk does not have to be expensive but it does require investments to be made. For example, all of the above steps taken but no investments made in keeping equipment modern and in good repair leaves a major area of risk exposed. Companies need to become accustomed to allocating resources based on a “reduction or abatement of risk” as a measurement of return. Organizations should understand that the prevention of risk equates to a reduction or elimination of resources that would be spent in the event of a major event (fines, legal fees, loss of reputation, etc.). In nearly all cases, the resources used in recovering from a preventable event are far greater in cost to an organization than the cost of resources used in prevention.
Getting risks under control and keeping them under control can be a major step forward in terms of organizational prosperity (improved profitability) and organizational prominence. Good risk prevention leads to good compliance results, excellent reputation, employee retention, employee productivity and organizational effectiveness. As risk “un-checked” permeates an organization’s effectiveness and ability to manage proactively, reducing and/or eliminating it only makes good business sense.