Insights

We are proud to be named a West Coast Regional Leader for 2024

From risk management to risk mastery

ARTICLE | May 22, 2024

Authored by RSM US LLP


The health care industry is a dynamic landscape, constantly evolving and introducing new risks and opportunities that disrupt the market.

In addition to common internal audit challenges and conventional health care risks (such as revenue cycle, human capital management, cybersecurity, contract compliance), modern health care internal audit teams must be prepared with the resources and knowledge to dive deep into emerging risk areas. Left unchecked, these risks could present substantial threats to a health care organization’s already tight margins, operational efficiencies, compliance and most importantly, patient safety

Is your organization effectively managing key risks?

Click on the following areas to learn about specific risk obstacles as well as understand the resulting positive outcomes once you apply transformative strategy.

Pharmacy operations and 340B

Managing pharmacy operations and compliance with CMS' 340B rule requires meticulous oversight. Through thorough audits and robust risk mitigation strategies, organizations can ensure compliance and financial stability.

How confident are you in navigating the intricacies of pharmacy operations and 340B compliance within your organization?

Obstacles

  • Repayment obligations on unmet eligibility criteria
  • Financial penalties, duplicating 340B program and Medicaid drug rebate discounts
  • Financial losses associated with improperly segregating 340B and non-340B eligible patients
  • Drug diversion or misuse the as result of weak controls over 340B purchased inventory

Outcomes

  • Assess compliance with 340B eligibility criteria
  • Verify eligibility status on a regular basis
  • Implement tracking and reconciliation processes to prevent duplication of claims
  • Implement an effective split billing software
  • Provide staff training to accurately identify 340B and non-340B drug usage
  • Develop robust processes to track drug utilization and prevent diversion

Deep understanding of needs and mission provides value to children’s hospital

Read the case study


"RSM helped us make sure we had the right internal team pulled together, confirmed our software needs, helped us establish governance and set us up so we were compliant."

Patrick Nolan, chief financial officer, Gillette Children’s

Back to top

Third-party risk management

Strong vendor risk management is more than the practice of evaluating and mitigating just the security- and privacy-related risks introduced by vendors. Internal audit and risk management functions are essential in mitigating the diverse risks posed by third-party relationships. By implementing comprehensive risk assessment frameworks and due diligence processes, organizations can enhance resilience in their third-party engagements.

How effective is your third-party risk management process?

Obstacles

  • Financial losses incurred when third-party vendors fail to meet contractual obligations or deliver products or services that do not meet expectations
  • Financial penalties incurred from regulators if a third-party vendor violates compliance regulations
  • Operational or clinical disruptions associated with third-party vendors failing to meet service level agreements, experiencing data breaches or cyberattacks, or failing to comply with regulatory requirements
  • Risk of reputational damage if associated with a third-party vendor that engages in unethical activities

Outcomes

  • Implement a performance monitoring system to track key performance indicators and contract compliance
  • Assess the performance and identify improvement opportunities for all third-party vendors on a periodic basis
  • Diversify vendors for critical services and develop a business continuity plan to mitigate service disruptions and ensure minimal impact on operations
  • Develop a comprehensive due diligence process that evaluates the financial and reputational health of prospective third-party vendors
  • Identify a strategy for exiting a third-party vendor relationship and planning succession

Back to top

No Surprises Act

The No Surprises Act (NSA) represents a significant regulatory framework aimed at protecting consumers from unexpected medical bills, with penalties to providers of up to $10,000 per violation. In addition to financial penalties, failure to adhere to the NSA can result in administrative burdens, reputational damage and more.

Is your organization up to date with the various elements of the NSA and do your policies, processes and technologies support adherence to the requirements?

Obstacles

  • Fines and penalties for noncompliance
  • Administrative burden to develop policies, implement systems and train staff on new requirements
  • Challenges negotiating rates with insurance companies for out-of-network costs
  • Reputational risk and patient dissatisfaction as a result of noncompliance or inaccuracy with information or estimates provided

Outcomes

  • Develop hospital’s governance framework and establish new policies where appropriate
  • Assess your organization’s billing practice by collaborating with stakeholders within key areas such as revenue cycle, legal, compliance and patient experience
  • Implement cost-estimation tools to accurately predict the costs of medical procedures and services
  • Establish dispute resolution process
  • Strategize how to reduce the out-of-network gap

Back to top

Price transparency

Hospital price and health plan transparency is a critical regulatory requirement aimed at providing patients with accurate and accessible information about the cost of health care services. Compliance with price transparency regulations is essential for health care organizations, necessitating the implementation of robust processes, controls and technologies to ensure adherence. Failure to comply with price transparency requirements can result in significant financial penalties, administrative burdens and reputational damage.

How confident are you that the processes, internal controls and technologies in place to ensure adherence to the requirements are operating effectively and as intended?

Obstacles

  • Lack of governance structure to plan for and oversee compliance
  • Lack of resources within the organization to help with compliance
  • Lack of clarity and understanding of regulations.
  • Possible corrective action plan from CMS for noncompliance or violation
  • Potential civil monetary penalties

Outcomes

  • Implement effective program governance to establish efficient processes, controls, and materials
  • Implement key program-level internal controls to ensure regulatory compliance
  • Detect errors or irregularities
  • Monitor and report appropriately
  • Leverage price transparency as a strategic growth opportunity

Back to top

Nursing utilization

Nursing utilization is a critical aspect of health care operations, aimed at aligning clinical capabilities with patient needs to ensure that nurses are scheduled and operating at the highest level of their clinical resume. Effective nursing utilization can improve patient outcomes, enhance job satisfaction and increase cost-efficiency.

Do your internal controls and processes promote the alignment of clinical capabilities with patient needs to ensure nurses are scheduled and operating at the highest level?

Obstacles

  • Financial costs associated with utilizing skilled/registered nurses for tasks outside of their job description and experience level
  • Increase in nurses’ workloads due to system factors and expectations (e.g., nonprofessional tasks such as delivering and retrieving food trays; performing housekeeping duties; transporting patients; and ordering, coordinating or performing ancillary services)
  • Lack of sufficient time to perform tasks that can have a direct effect on patient safety
  • Reduced time spent by nurses collaborating and communicating with physicians, therefore affecting the quality of nurse-physician collaboration
  • Poor nurse-patient communication
  • Lack of defined job descriptions and clinical ladders, affecting staff retention, productivity and job satisfaction

Outcomes

  • Open dialogue with nursing teams to assess staff levels, staff qualifications and patient needs
  • Provide ongoing training and education to help nurses develop new skills and to learn emerging health care practices
  • Perform analytics/benchmarking by location, specialty, surgeon and more to identify outliers and remediate issues
  • Use clinical ladders to effectively staff nurses

Back to top

Generative artificial intelligence (AI)

Generative AI is an exciting innovation that presents both opportunities and risks for health care organizations. Effective risk management is essential to ensure that the use of generative AI is aligned with clinical quality, privacy and security, regulatory compliance, and third-party relationships. Risk management must consider multiple factors to ensure robust AI governance without serving as an anchor to the exciting innovation of generative AI.

Does your organization have the needed governance structure in place to manage the risks around clinical quality, privacy and security, regulatory compliance, and third-party relationships for AI implementation?

Obstacles

  • Potential fines due to patient privacy violations or HIPAA violations as a result of AI misuse
  • Unreliable and false claims and estimates due to improper AI monitoring and governance
  • Outputs in which AI can reflect the biases in the underlying data which can lead to incorrect recommendations, negatively affecting patients
  • Security and privacy risks such as the potential for data breaches
  • Lack of understanding among key stakeholders, leading to mistrust in the AI tool
  • Bias in outputs that negatively affect patient outcomes, ethics and health care equity
  • Potential generation of false claims, incorrect health care cost estimates and inappropriate/duplicative/surprise billing, which may compromise fraud, waste and abuse compliance, price transparency and NSA billing compliance

Outcomes

  • Establish organizational AI strategy and governance frameworks and periodically reassess
  • Implement internal controls to ensure data leveraged for AI systems are equitable and unbiased
  • Integrate data privacy rules and regulations into the design and implementation of AI model(s)
  • Establish cybersecurity controls to ensure AI systems/model(s) are protected
  • Understand input and output processes of the AI model(s)

Back to top

Laboratory operations

Lab operations are an essential component of any health care organization. In the current environment, payors are reducing reimbursements for lab tests, driving hospitals to focus on operating their labs efficiently and effectively. While improvement efforts related to lab operations may result in cost reduction and streamlined processes, internal audit can play an important role in evaluating potential risks and unintended consequences of the changes to people, process and or technology.

Have you reviewed internal controls related to lab operations to effectively balance reduction of costs and effective processes?

Obstacles

  • Lack of qualified staff and high turnover
  • Challenges associated with finding the right balance of centralized/standardized vs. localized/customized processes
  • Lack of robust data analytics capabilities to review financial performance evaluating cost of staffing, supplies contracts

Outcomes

  • Establish standardized reporting, key performance indicators, policy and process
  • Leverage analytics to identify root causes and operational inefficiencies
  • Identify automation opportunities
  • Document cost savings
  • Enhance quality metrics and patient experience
  • Establish governance leading to process improvements

Back to top

Laboratory operations

With the increasing complexity of health care delivery and the growing emphasis on patient outcomes, discharge and transition of care processes are under scrutiny. Factors such as prolonged hospital admissions, high readmission rates and inadequate discharge planning can result in inefficiencies and financial costs. Effective discharge planning and transition of care processes, on the other hand, can improve patient outcomes, reduce readmissions and increase cost-efficiency.

Does your organization have well-controlled and efficient discharge planning and transition of care process? What is your confidence level that care coordination, both internally and with external facilities, is operating effectively?

Obstacles

  • Financial costs associated with prolonged hospital admissions; CMS penalties for high readmission rates
  • Increase in utilization of nurses for patients with prolonged hospital admissions
  • Risk of inadequate discharge with fewer facilities for patients to transition into
  • Need for recertification for continued hospitalization if the physician does not find available beds in participating long-term facilities to transition the patient into
  • Poor communication between staff, teams, hospital and external providers negatively affecting documentation, discharge delays, follow-up care and health outcomes
  • Noncompliance with CMS transition care management services requirements

Outcomes

  • Achieve discharge planning/assessment within 24 hours of admission
  • Achieve separation of duties between clinical care and discharge,
  • Achieve appropriate staffing ratio of patients to providers and case managers
  • Reduce delays in discharge
  • Ensure adherence to multiple requirements
  • Encourage continuous relationship-building efforts with external long-term care facilities
  • Provide efficient case management, owned by case manager/care coordinator/social worker

Back to top

Clinical labor pay practices

Health care organizations have experienced a significant increase in clinical labor costs. These increased costs are largely related to the rise in shift bonus and shift differential expenses for employed staff as well as increased expenditures for contracted clinical resources needed to maintain the staffing levels required to meet surging patient care needs.

How strong are your processes and internal controls to forecast demand and monitor the accuracy and appropriateness of clinical labor costs?

Obstacles

  • Inconsistent, time-consuming, manual processes
  • Inaccurate reimbursement rates that do not reflect increasing costs
  • Insufficient nurse-patient ratios affecting quality of care
  • Cost of alternative staffing models creating strain across the system
  • Emerging nursing shortages caused by inadequate staffing, heavy workloads, increased use of overtime, a lack of sufficient support staff, and adequate wages

Outcomes

  • Modernize clinical labor pricing to help recruit and retain clinical labor staff
  • Implement competitive compensation packages that recognize sustainable rate increases
  • Leverage productivity enabling technology to free up capacity and alleviate pressures caused by labor shortages
  • Implement an accurate payroll system and regularly conduct audits to identify and correct any payroll errors
  • Review employee classifications to ensure staff qualifications align with job roles
  • Establish effective communication channels with staff and union representatives

Back to top

Supply management

Poor supply management results in a system that is wasteful, costly, ineffective and prone to fraud/abuse, and can negatively influence clinical quality. While improvement efforts related to supply management may result in cost reduction and streamlined processes, an internal audit can play an important role in evaluating potential risks and unintended consequences of the changes to people, process and technology.

How efficient is the supply management in your organization?

Obstacles

  • Poor inventory management, physician preferences, lack of good data, lack of standardization and inefficient practices contributing to a system that is costly, ineffective, prone to fraud/abuse and influences clinical quality
  • Multiple operating rooms that utilize single supply room
  • Unclear roles and responsibilities of vendors across the inventory life cycle, especially for high-dollar implants and orthopedic supplies
  • Varying inventory control considerations, requirements, expiration dates creating an opportunity for human error, manual workarounds, waste/loss/theft

Outcomes

  • Leverage supply chain data to identify operational gaps
  • Monitor how much was paid, what patient was charged and how much was reimbursed by the payor
  • Identify supplies that are purchased across multiple locations for greater purchasing power or standardization
  • Leverage dashboarding opportunities to track and discard items that have expired or been recalled
  • Prevent fraud or optimization by identifying mismatches in use vs. charges

Back to top


Staying informed of and keeping pace with traditional and emerging risks, and preparing accordingly, is critical for organizations seeking to maintain their competitive edge and provide exceptional patient care in the new reality of health care.

Have you ever struggled to define internal audit?

Join our team for Episode 1 of Material Observations: Insights on Internal Audit. The premiere episode of our new podcast, “Material Observations: Insights on Internal Audit,” dives right in with a broad discussion of what internal audit means in today’s marketplace, the impact internal audit is having, and why these internal audit professionals love what they do.

Let's Talk!

Call us at +1 213.873.1700, email us at solutions@vasquezcpa.com or fill out the form below and we'll contact you to discuss your specific situation.

  • Topic Name:
  • Should be Empty:

This article was written by RSM US LLP and originally appeared on 2024-05-22.
2022 RSM US LLP. All rights reserved.
https://rsmus.com/insights/industries/health-care/from-risk-management-to-risk-mastery.html

RSM US Alliance provides its members with access to resources of RSM US LLP. RSM US Alliance member firms are separate and independent businesses and legal entities that are responsible for their own acts and omissions, and each is separate and independent from RSM US LLP. RSM US LLP is the U.S. member firm of RSM International, a global network of independent audit, tax, and consulting firms. Members of RSM US Alliance have access to RSM International resources through RSM US LLP but are not member firms of RSM International. Visit rsmus.com/about us for more information regarding RSM US LLP and RSM International. The RSM logo is used under license by RSM US LLP. RSM US Alliance products and services are proprietary to RSM US LLP.

​Vasquez & Company LLP is a proud member of the RSM US Alliance, a premier affiliation of independent accounting and consulting firms in the United States. RSM US Alliance provides our firm with access to resources of RSM US LLP, the leading provider of audit, tax and consulting services focused on the middle market. RSM US LLP is a licensed CPA firm and the U.S. member of RSM International, a global network of independent audit, tax and consulting firms with more than 43,000 people in over 120 countries.

Our membership in RSM US Alliance has elevated our capabilities in the marketplace, helping to differentiate our firm from the competition while allowing us to maintain our independence and entrepreneurial culture. We have access to a valuable peer network of like-sized firms as well as a broad range of tools, expertise and technical resources.

For more information on how ​Vasquez & Company LLP can assist you, please call +1 213.873.1700.

Subscribe to receive important updates from our Insights and Resources.

  • Should be Empty: