John Phelps, the 2013 president of the Risk and Insurance Management Society, has a message for CFOs: they need to see risk management as a valuable tool that can help move a company toward its objectives while helping with cost containment. He would also like them to understand that risk can be identified, measured for intensity and impact, understood, and then diminished — as has been the case with his company.
Phelps, who is the director of business risk solutions for Blue Cross and Blue Shield of Florida Inc. (Florida Blue), has seen the benefits firsthand. At his own company, risk management has been key in helping to prepare for President Obama’s Patient Protection and Affordable Care Act. Designed to increase efficiencies between the payer and providers, the act represents a sea change in compensation models and relations with customers.
Florida Blue, a not-for-profit that has about 4 million health-care members and serves 15.5 million people in 16 states through its affiliated companies, wants health-care financing to be realigned to reward both practitioners and consumers.
To achieve its goals of controlling costs and increasing the quality of care, Phelps says, Florida Blue is developing provider groups called accountable care organizations (ACOs). These are groups, or “communities,” of doctors, hospitals, and other health-care providers who will work together to coordinate care for their Medicare patients. The ACOs will help avoid duplication of services, prevent medical errors, and, at the same time, keep costs down, the theory goes.
Why the change to the ACO model? The previous fee-for-service model compensated doctors and hospitals for services provided — doctor visits and procedures — without any consideration of outcomes. The more services a doctor provided to the member, the more Florida Blue paid the doctor or hospital, Phelps explains.
The new model will be “value based,” he says. Under the new reimbursement models, there is an emphasis on the quality of the care rendered. The better the quality of its services, the more a provider can make in income, says Phelps. The better the patient outcomes, the greater the reimbursement.
When it came time for the company to identify the risks associated with this new model, risk management was called in. Phelps engaged people from all over the company who were affected by the new law, including those in health-care services, IT, finance, legal affairs, compliance, and internal audit. The team identified the relevant risks associated with the transformation to the new reimbursement method and evaluated each risk against the company’s standard rating criterion, he says.
Some of the risks, such as the implications and consequences of an unintended release of protected health information, were not previously understood, Phelps says. He cites a study by Ponemon Institute: according to the Third Annual Benchmark Study on Patient Privacy and Data Security, data breaches can have severe economic consequences. While the cost of breaches can range from $10,000 to more than $1 million per breach, Ponemon calculates that the average cost for the organizations represented in its study is $2.4 million over a two-year period — slightly up from $2.2 million in 2011 and $2.1 million in 2010 — which can have a significant impact on both Florida Blue’s bottom line and its reputation.
Process Change Assessed
Tackling this new dynamic required Florida Blue to initiate a process change. Phelps gives an example of the company’s consideration of a third-party vendor to help improve service to members who have a particular disease.
“That’s a change in process, and my department would conduct a risk assessment with the project team and other areas of the company impacted,” he says. “It provides them with richer (and often additional) information about the risks associated with this change. This helps the team build a better process with less uncertainty.”
The risks evaluated in a risk-assessment session can include systems risk, if a particular system can’t handle a new change; information-security risk; threats to reputation; risks from the loss of a key employee; and liability risk. Each risk is evaluated on a scale of 1 to 10 for three risk aspects: impact, likelihood, and effectiveness of controls, says Phelps. The scoring allows creation of a risk index to help determine which risks are more significant to the company.
After the risks have been identified and evaluated, a mitigation plan is developed by the responsible area, Phelps says. Specific measures are listed on the plan to reduce the uncertainty associated with the risk. Next, a deliverable date and person responsible are assigned. “My department follows up on these plans quarterly,” he notes.
As a result of its work with the third-party vendor risk, the development team made changes in contracts and the supporting processes to address those risks. These changes have helped Florida Blue curtail the risk of data breaches, along with other risks. The changes may include improving indemnification and insurance coverage to address the confidentiality peril, as well as changes in the responsibilities of workers to control the risk better, depending upon the contract and the risk, Phelps says.
All this planning and evaluation will help ensure a smoother transition to the new environment created by the act, help avoid costly pitfalls, and help minimize any possible lapses in relations with health-care providers and patients, he says.
“This is an example of risk management’s value, which can be difficult to prove, but no one can argue that in this case the enterprise risk management process provided significant value and supported the achievement of corporate objectives,” Phelps observes.
In fact, he adds, “This is an example where the value of risk management is clear.”
