Medical Risk Management is the identification and mitigation of threats to employee health in order to increase health and productivity at the lowest possible health plan costs.
Medical risk management is important for your business for 3 reasons:
- Healthier employees are good for business – they are more productive, have lower health insurance premiums and infect fewer colleagues during flu season.
- You want healthier employees, but you also want the most cost-effective healthcare plans and healthcare measures for your employees.
- You want to be ethical
The 2010 Patient Protection and Affordable Care Act seeks to promote corporate wellness programs by expanding the insurance discounts that companies can offer their employees. Kevin Volpp, Professor of Medicine and Health Care Management at U Penn, shows in his study, A Randomized, Controlled Trial of Financial Incentives for Smoking Cessation, how financial incentives can be used to promote healthy behavior, but he also noted that these incentives can raise both ethical and efficacy issues.
A 2011 McKinsey study showed that 30%-50% of employers plan to stop offering health insurance to their employees once the health law is implemented in 2014. The decision employers face under ObamaCare is straightforward: pay $20,000 per year for family coverage, or pay a $2,000 penalty to the government.
What is the Tao of medical risk management?
I have heard of military operations that were clumsy but swift, but I have never seen one that was skillful and lasted a long time. Master Sun (Chapter 2 – Doing Battle, the Art of War).
Should we rely on government regulations, or should we go outside the organization to look for healthcare risks we’ve never thought about and discover new links and interdependencies and creative ways of improving wellness?
How do we find the best and most cost-effective healthcare measures for our business and employees?
This article introduces a practical approach that will help the senior executives of a business unit of any size to improve compliance and reduce healthcare value at risk. We call this approach “Medical Risk Management 2.0” and base it on 3 principles.
1. Adopt a standard language of Medical risk management
2. Learn to speak the language fluently
3. Go green – recycle your risk and compliance
Medical risk management – an opportunity to improve business productivity
Healthcare governance, compliance and risk regulation comes in 3 flavors: government legislation, industry regulation and vendor-neutral security standards. Government legislation such as HIPAA was enacted to protect the consumer by requiring better governance and a top-down risk analysis process.
PCI DSS 2.0, a prominent example of industry regulation, was written to protect the credit card associations by requiring merchants and processors to use a set of security controls for the credit card number, with no risk analysis.
The vendor-neutral standard, ISO27001 helps protect information assets using a comprehensive set of people, process and technical controls with an audit focus.
The COSO view is that governance, risk and compliance activities are an opportunity to improve the operation:
“If the internal control system is implemented only to prevent fraud and comply with laws and regulations, then an important opportunity is missed…the same internal controls can also be used to systematically improve businesses, particularly in regard to effectiveness and efficiency.”
Medical risk management 1.0 – fixed controls and plans
The COSO position makes sense, but in practice it’s difficult to attain process improvement through enterprise GRC management.
Unlike finance/corporate-governance programs, medical risk management lacks generally accepted principles and metrics.
For example – where finance managers routinely use VaR (value at risk) calculations, HR managers are uncomfortable with assessing employee healthcare risk in financial measures.
The finance department has quarterly close but HR staffers deal with employee productivity and healthcare issues in an ongoing effort that ebbs and flows but never ends.
This creates silos – medical risk management and employee governance for the HR organization and a fraud committee for the finance staff and auditors. It’s a safe bet that the fraud committee doesn’t talk to the HR medical risk management people.
Most organizations assume a fixed structure of systems and controls and procedures for risk and compliance management.
The problem is that, in reducing the organization to passive executors of procedures and policies, we ignore the extreme ways in which employee healthcare issues change over time.
Any policy or plan or strategy that is presumed optimal today is likely to be obsolete tomorrow. Learning about changes in public policy or changes in disease vectors must be at the heart of day-to-day medical risk management.
A fixed control model of medical risk management is flawed because it disregards a key feature of healthcare – namely that both employees and healthcare providers have imperfect knowledge in making their decisions. Recognizing that our knowledge is imperfect is the key to solving this problem. The goal of medical risk management should be to develop a more insightful approach than fixed policies and procedures.
Medical Risk management 2.0 – The Tao
Step 1 – get everyone speaking the same language.
Adopt a standard language of medical risk management: the threat analysis base class
We formalize this language using a threat analysis base class which (like any other class), has attributes and methods. Attributes have two sub-types – threat entities and people entities.
Assets have value, fixed or variable, in dollars, euros, rupees, etc. Examples of assets are employee productivity and the intellectual property maintained by employees.
Vulnerabilities are weaknesses or a lacking in employee health. For example – employees with vertigo working in high places.
Threats exploit vulnerabilities to cause damage to assets. For example – an earthquake is a threat to the employees and intellectual property maintained by employees.
Countermeasures have a cost, fixed or variable, and mitigate the vulnerability. For example – helping employees overcome vertigo and reduce their weight with onsite wellness and exercise programs.
Business decision makers encounter vulnerabilities and threats that damage company assets in their business unit. In a process of continuous interaction and discovery, risk is part of the cost of doing business.
Attackers create threats and exploit vulnerabilities to damage assets – it might be a virus or an epidemic of eating fried snickers.
Consultants assess risk and recommend countermeasures. It’s all about the billable hours.
Vendors provide healthcare and wellness plans. The effectiveness of vendor offerings is poorly understood and often masked with marketing rhetoric and pseudo-science.
The threat analysis base class prescribes 4 methods:
- SetThreatProbability – estimated annual rate of occurrence of the threat
- SetThreatDamageToAsset – estimated damage to asset value in a percentage
- SetCountermeasureEffectiveness – estimated effectiveness of the countermeasure in a percentage.
Step 2 – Learn how to speak the language fluently
A language with 8 words is not hard to learn; it is easily accepted by the CFO, HR manager and CEO since these are familiar business terms.
The application of our 8 word language is also straightforward.
Instances of the threat analysis base class are “threat models” – and can be used in the entire gamut of medical risk management activities. For example – employee health is an asset, air conditioning systems that transmit viruses through a building are a vulnerability, and the countermeasure would be making sure that the filters are clean and HVAC systems are checked periodically.
You can document the threat models in almost any risk assessment application (if you have one and it supports the 8 attributes). If you don’t have a risk assessment application, there is an excellent free piece of software for threat modeling available at http://www.ptatechnologies.com
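As an added illustration (not code from the article or from PTA Technologies), here is the threat analysis base class from the previous section written as a small Python class: the four threat entities as attributes, the three Set methods taking the page's percentages and annual rate, and the value-at-risk arithmetic they feed, applied to the HVAC threat model above. All numbers in the HVAC instance are constructed assumptions, not figures from the page.

```python
from dataclasses import dataclass

def _fraction(pct: float) -> float:
    """Accept the page's percentages (0-100) and store them as fractions."""
    if not 0 <= pct <= 100:
        raise ValueError(f"percentage out of range: {pct}")
    return pct / 100

@dataclass
class ThreatModel:
    """One instance of the threat analysis base class (a 'threat model')."""
    asset: str
    asset_value: float            # asset value in one currency unit
    vulnerability: str
    threat: str
    countermeasure: str
    countermeasure_cost: float    # annual cost of the countermeasure
    threat_probability: float = 0.0            # annual rate of occurrence
    damage_to_asset: float = 0.0               # fraction of asset value lost
    countermeasure_effectiveness: float = 0.0  # fraction of damage prevented

    def set_threat_probability(self, annual_rate: float) -> None:
        if annual_rate < 0:
            raise ValueError("annual rate of occurrence cannot be negative")
        self.threat_probability = annual_rate

    def set_threat_damage_to_asset(self, pct: float) -> None:
        self.damage_to_asset = _fraction(pct)

    def set_countermeasure_effectiveness(self, pct: float) -> None:
        self.countermeasure_effectiveness = _fraction(pct)

    def expected_annual_loss(self) -> float:
        return self.asset_value * self.damage_to_asset * self.threat_probability

    def residual_annual_loss(self) -> float:
        return self.expected_annual_loss() * (1 - self.countermeasure_effectiveness)

    def net_benefit(self) -> float:
        # risk removed per year minus what the countermeasure costs per year
        return self.expected_annual_loss() - self.residual_annual_loss() - self.countermeasure_cost

def hvac_threat_model() -> ThreatModel:
    """The page's HVAC example; every number here is constructed, not from the page."""
    tm = ThreatModel("employee health (annual productivity)", 500_000.0, "HVAC transmits viruses",
                     "seasonal flu outbreak", "clean filters, periodic HVAC checks", 12_000.0)
    tm.set_threat_probability(1.0)      # one flu season every year
    tm.set_threat_damage_to_asset(8)    # 8% of productivity value lost
    tm.set_countermeasure_effectiveness(40)
    return tm
```

A negative net benefit means the countermeasure costs more than the risk it removes, which is the comparison the CFO will ask for.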
Step 3 – Go green – recycle your medical risk management threat models
Leading up to the Al Qaida attack on the US in 9/11, the FBI investigated, the CIA analyzed but no one bothered to discuss the impact of Saudis learning to fly but not land airplanes.
This sort of risk management disconnect in organizations is easily resolved between silos, by the common, politically neutral language of the threat analysis base class.
Effective medical risk management requires neither better mathematical models nor complex enterprise software. It does require us to explore new threat models and go outside the organization to look for risks we’ve never thought about and discover new links and interdependencies that may threaten our business. If you follow the Tao of Medical Risk management – it will be more than a fulfillment exercise.
- Increase patient confidence
- Give you complete privacy
- Increase compliance
- Improve outcomes