Enterprise Risk Management Program At HCA


Enterprise Risk Management Program at HCA
ERM Roundtable
February 25, 2005
HCA
David Hughes, CPA, CIA
AVP, ERM Office

[Diagram; surviving label: Board Reporting]

About HCA
- Corporate Headquarters in Nashville, TN
- 190 Hospitals
- 91 Surgery Centers
- 23 states, England & Switzerland
- Public Company
- 21B Total Assets
- 22B Annual Revenue
- 190,000 Employees
- 150 Internal Auditors

Internal Auditing (New Definition)
“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”
- The IIA’s Professional Practices Framework

New Management & Board Responsibilities
Roles and Responsibilities
- The CEO is ultimately responsible and should assume ownership for ERM.
- The board of directors provides important oversight to ERM, and is aware of and concurs with the entity’s risk appetite.
- COSO ERM Integrated Framework - Executive Summary

Evolution of Our ERM Program
[Timeline diagram; box text and year markers in extraction order]
- CEO Poll of Division Executives
- First “Enterprise” Risk Interviews with Executive Management
2000
- Presented Summary Results to CEO and President
- Presented Summary Results to CEO, President and Executive Mgt. Team
- Risk Assessment Addressed During Executive Mgt. Strategic Retreat
2001
- Presented to the Board of Directors
- Risk Assessment Updated, Response Monitoring Established and Owners Identified
- Sarbanes Oxley Act Passes
2002
- External Consultant Hired to Conduct Detailed Risk Interviews
- Risk Status Reporting to the Audit Committee and Board
- CEO Proposes new ERM Office
- Risk Assessment and Monitoring Responsibility

Evolution of Our ERM Program (continued)
[Timeline diagram; box text and year markers in extraction order]
- Risk Interviews Conducted
- Presented Summary Results to CEO and President
2003
- Risk Surveys Distributed to Expand Coverage
- Presented Results to the Board as Part of the Company’s Strategic Planning Initiative
- Risk Interviews Expanded to include full Board
- Presented Summary Results to CEO, President and Executive Mgt. Team
2004
- Risk Survey Coverage Expanded
- 2005 Plan: Strengthen Monitoring and Reporting Tools to move from an “Event” to more of a continuous “Process”
2005
- Presented Results to the Board as Part of the Company’s Strategic Planning Initiative

Enterprise Risk Management
Lines of Reporting and Accountability - 2005
[Organization chart; labels in extraction order]
Units:
- Enterprise Risk Management and Business Continuity Planning Office
- Internal Audit Department
- Enterprise Program Management Office (EPMO)
People and roles:
- Jack Bovender, CEO
- Marilyn Tavenner, Group President OP Services
- Joe Steakley, SVP, Internal Audit
- Bruce Moore, COO, OP Services
- David Hughes, AVP, ERM and BCP
- Sarbanes-Oxley Program Leader (Section 404; Section 302 / 906)
- Director, Business Continuity Planning
- Internal Audit Department and Resources
- Barbara Fotopoulos, VP, EPMO

Enterprise Risk Management Program Objective at HCA
Establish an integrated approach to risk management:
- Drive the risk management process at the strategic and operational levels of the organization;
- Develop risk response processes;
- Monitor performance to provide assurance that the risk management approach is operating effectively to support achievement of the company’s objectives; and
- Periodically report to Executive Management and the Board on these initiatives.

Enterprise Risk Management
Risk Identification and Assessment

Risk Assessment
Scope of Risk Interview / Survey Process
Interviewed
- All 12 Non-Management Members of the Board of Directors
- All 24 Members of Executive Management
- All 14 Division Presidents
Surveyed
- All 14 Division CFOs
- 27 Hospital CEOs
- 30 Hospital CFOs

Risk Assessment
Risk Identification Process
We asked the following question:
“What are the top three business risks (in priority order) the Company faces over the next two years that could have a significant adverse effect on the Company’s ability to achieve its strategic and/or financial objectives?”
Interviewees’ top three risks were ranked on a 5, 3, 2 point scale respectively.

Ranking Process
Management’s responses were assigned values based on a 10 point scale. Their first risk was assigned a value of "5", the second a "3" and the last one a "2".
Many of the participants disclosed additional risks that were not in their top three but they felt were risks that they were concerned about. These additional risks (2nd Tier) were marked with an "X" and were not included in the value ranking.
Specific comments of each executive were kept confidential.

Response Summary
[Flattened table. Columns: Risk 1, Risk 2, Risk 3, Risk 4, Risk 5, Total. Rows: Executive #1, Executive #2, Executive #3, Executive #4, Total. Cell values as extracted: 532535 X1023102X10 425310 131095340]

Risk Assessment Survey


Risk Assessment
2004 Top Business Risks
[Table; column labels: #, Board Members, Prior year risk assessment ranking]
1  Adverse Changes in Regulatory Environment  2  XX%
   - Sub-risk
   - US Government actions that significantly reduce the company’s revenues (Medicare cuts, etc.)
   - Sub-risk
2  Bad Debts  XX%
   - Growth of uninsured and underinsured patients
   - Increasing number of patients will elect to go without insurance coverage due to cost of insurance

Risk Assessment Interview Summary
Board and Corporate Management
[Figure: four ranked lists of ten risks each, with risk names shown only as the placeholder "Risk" and the prior year risk assessment ranking (#) in parentheses beside some entries. Panels: Aggregate Board, Corporate and Division Management; Board of Directors; Executive Management; Division Management.]

Risk Assessment Interview Summary
Hospital Management
[Figure: three ranked lists of ten risks each, with risk names shown only as the placeholder "Risk" and the prior year risk assessment ranking (#) in parentheses beside some entries. Panels: Aggregate Hospital CEOs and CFOs; Hospital CEOs; Hospital CFOs.]

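Risk Assessment Summary
[Figure: ranked lists of ten risks each, with risk names shown only as the placeholder "Risk". Panels: Aggregate Board, Corporate and Division Management; Aggregate Hospital CEOs and (label truncated).]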

Next Steps
Using the Company’s defined strategy, objectives and risks identified:
- Identify the risk owners;
- Work with the risk owners to facilitate assessment of the risks identified and to determine the appropriate risk responses;
- Implement control activities to address the risks;
- Monitor effectiveness of the controls; and
- Report the results to Executive Management and the Board of Directors.

Risk Assessment
Example of Risk Reporting
HCA Business Risk Assessment
[Table; column labels as extracted: Risk, Owner(s), "ummary" (truncated), Current Status, Beginning Status]
Risk: 1. Tone at the Top – Maintaining an effective governance structure to oversee compliance with laws and regulations and ensure the accuracy of financial reporting
- After the management change in 1997, the major focus was to establish an executive team focused on ethical conduct and promoting “patient first” mission and values throughout HCA (i.e., committed to the care and improvement of human life, act with absolute honesty, integrity and fairness).
- The Audit Committee (in conjunction with Internal Audit and E&Y) oversees key financial and legal risks to the company. The Ethics & Compliance Committee (in conjunction with FTI, Governmental Operations Support, and Internal Audit) oversees the compliance program, which is administered by the Ethics & Compliance Department.
* Potential Exposure: Likelihood that the risk could have a significant adverse effect on the Company’s ability to achieve its strategic and/or financial objectives. The beginning potential exposure status is as of January 1, 2004 with status estimated using a 2-year forward view.

Questions and Answers
David Hughes
(615) 344-2025
David.Hughes3@hcahealthcare.com
