Ready, Willing & Able Michael Cover, Manager, Blue Cross Blue Shield of Michigan
Agenda
1. Organization Overview
2. GRC Journey Story
3. GRC Program Roadmap
4. Program Objectives and Guiding Principles
5. Evolving Your Program
6. Key Learnings and Best Practices
7. Audience Questions and Discussion
Blue Cross Blue Shield of Michigan: Company Overview

Who we are
A nonprofit mutual insurance company founded in 1939
The largest health insurer in Michigan, serving 4.5 million people here and 1.6 million more in other states
The largest network of doctors and hospitals in Michigan: 152 hospitals and more than 33,000 doctors
An independent licensee of the Blue Cross and Blue Shield Association
Number of employees: more than 8,100

What we do
Design, sell and manage health benefit plans for individuals, families and Michigan-based employers, including:
Traditional plans
PPO (preferred provider organization) plans
HMO (health maintenance organization) plans
Medicare plans
Medicaid and state plans
Wellness-based plans
Plans with health spending accounts
Dental and vision plans
International plans
GRC Journey Story: Blue Cross Blue Shield of Michigan
Largest health insurer and network of doctors and hospitals in Michigan
MetricStream Apps: Integrated GRC covering Compliance, Issue, Risk, Regulatory Alerts, Audit, Policy and Case
Aligned program with business strategy
Increased assurance of compliance with multiple regulations, including the Patient Protection and Affordable Care Act, Model Audit Rule, Health Insurance Portability and Accountability Act, and Michigan Insurance Code
Increased transparency into compliance issues
Increased agility with integrated workflow and simplified processes with automated notifications

BEFORE
Disparate views of compliance dependencies
Silos of compliance information
Time-consuming reporting processes
Redundant processes
Decentralized document management
Audit fatigue
Segregated data archiving

AFTER
Over 200 qualified metrics driving decisions based on a common risk universe
Increased transparency and line of sight into issues and risks throughout the enterprise
Replaced numerous SharePoint sites with a single compliance platform
Replaced and consolidated case management systems

"GRC implementations are strategic. When done correctly, you can streamline your processes and enable collaboration across multiple business areas. This allows companies to leverage a common platform, which leads to increased transparency and accountability."
Michael Cover, GRC leader, Blue Cross Blue Shield of Michigan

Watch Michael Cover's case study from the GRC Summit 2017: https://www.youtube.com/watch?v=C0mmmTIRfsA&t=392s
The GRC program journey has leveraged a phased roll-out to drive business area enablement
Timeline: 2010, 2014, 2015, 2016, 2017, 2018
Completed RFI
Considered architecture flexibility and industry rating
Made decision to use the MetricStream outsourced model
Defined clear program objectives
Defined foundational elements and common definitions
Implemented same sign-on
Added Affordable Care Act
Completed Model Audit Rule pilot
Qualified Health Plan attestations with evidence
Executed executive surveys for risk assessment
Debarment monitoring and tracking
Implemented Model Audit Rule configuration
Completed end user upgrades; no customizations presented ease for upgrade
Added key state requirements for monitoring
Added attorney-client privilege function
Added Office of the General Counsel legal matter management
Added Internal Audit issue follow-up
Generated Own Risk Solvency Assessment baseline report
Integrated Active Directory
Added reporting enhancements
Planned for enterprise policy management
Planned HITRUST policy and control framework
Added enterprise privacy monitoring
Departments are driving enterprise-level benefits
Modules and functionality (status legend: Implemented, In-Process, Planned)
Risk: Quarterly Risk Assessments; Priority Enterprise Risk; Annual Risk Assessment; Ongoing Risk Assessment; Third Party Risk
Policy & Document / Issue: Policy Attestation; Monitor Issues; Policy Approval; Monitor Corrective Action Plans; Document Section 1557 Issues; Departmental Procedures; Regulatory Audit Issues; Internal Audit Issues; Internal Control Testing Issues
Metric: Monitoring Agent; Complaint Monitoring; Managed Care Manual Review; Internal Control Testing; OPM Reporting; Risk Adjustment Data Validation; QHP Attestations; HITRUST Requirement Monitoring
Project: Documentation & Reporting; Compliance Reviews; Project Time Reporting
Requirement: Accreditation Requirements; Debarment Checks; HIPAA Risk Assessment; Data Feed Attestations; HITRUST Self-Assessment
Incident: Monitoring; Fraud Investigations; OCR Complaints
Legal Case: HIPAA Privacy Incident; Enterprise Security Incidents
External Audit: Customer Audits; Regulatory Audits
Define your program objectives and set guardrails for how the team engages with the business

Program Objectives
Governance: Senior Executive Alignment and Buy-in; Committees; Policies and Procedures; Organizational Structure; Internal & External Communications
Integrated Risk: Risk Identification and Assessment; Risk Tolerance and Analysis; Risk Monitoring and Mitigation; Risk-Based Performance
Coordinated Functions: Scope and Coverage; Methods and Practices; Infrastructure and People; Information and Technology
Business Level Performance: Self-Assessment and Mitigation; Metrics and Measures

Guiding Principles
Challenge the status quo
Readiness and maturity
Communicate often
Partner with the business
Be your own champion
Maintain urgency
OOTB functionality
Customer focus
Live the mantra
Process and Control Optimization; Programs and Major Initiatives; Know the Process Tipping Point
Allow your program to evolve and embrace the mantra!
2014: GRC All Aboard!
2015: Readiness! Readiness! Readiness!
2016: Transparency, Alignment, Reporting
2017: Do Different, Do Better
2018: Ready, Willing & Able
Learn from the past or you're doomed to repeat it

People
Require iterative training for refreshers; use videos for efficiency
Mindset change from "that's how we always did things"
Manual processes completed by workforce members require change management support
What is entered is what displays

Process
Spend time up front on establishing common definitions and reporting
Workflow is powerful; embrace it, but strike a balance
GRC tool capabilities may impact your workflow
Pilots are important; plan for more testing than you think
Redundancies reduced, which increases efficiency and transparency

Technology
GRC tools typically require significant platform planning for internal user and external user access
Customizations should be avoided to optimize technology upgrades

Vendor
Maintain the partnership and grow through collaboration
Remember the strategic nature of the program and keep them onsite
Know your business partners, understand their goals and realize the cross-functional transparency
Compliance
Model Audit Rule
Enterprise Security
Enterprise Risk
Information Technology
Information Security
GRC Tool Integration
Corporate & Financial Investigations
Office of General Counsel
Data Governance
Questions?
Thank You
Continue the conversation on #GRCSummit