Internal Audit Risk Assessment Survey Fall 2010

Welcome to the Internal Audit and Enterprise Risk Management Semi-Annual Refresh Survey. This survey should take you approximately 10 - 15 minutes to complete. This survey helps guide the activities of Internal Audit and Enterprise Risk Management and we appreciate your time in completing this survey.

-Section 1 relates to the currently scheduled internal audits. Please review any audits that are relevant to your department and/or for which you have relevant information.

-Section 2 allows you to add up to two additional risks that you think should be considered in our internal audit plan or referred to Enterprise Risk Management. A “risk” is any event or uncertainty that could significantly enhance or impede the Company’s ability to achieve current or future objectives.

-Section 3 asks you to update the current list of Enterprise Risks. In addition, at the end of the survey you will have an opportunity to bring new risks to the attention of the committee.

Please do not skip ahead in the survey and only click for the next page when you have completed the current one. You will not be able to return and review your responses.

If you have any questions about this survey, contact Anjie Vannoy at (503) 276-1865.
 
 
SCHEDULED AUDITS
 
 
The following pages will take you through the internal audits currently scheduled through May 2012. Each page focuses on one audit. Please respond as fully as you are able before proceeding to the next.
 
 
1. Outsourced Operations (Timing Q1 2011)
The audit will focus on contractual obligations and monitoring processes between Regence and outsourced vendors.
 
 
1.1. Have risks related to this audit changed significantly since March 2010?
 
Yes - increased
 
Yes - decreased
 
No
 
Unknown
 
 
1.2. Should the timing of the audit be changed, e.g. due to conflict with system implementation, other major business disruption, or change in the risk environment?
 
Yes
 
No
 
 
1.2a. If yes to change in time, when should the audit be moved to?
 
 
1.2b. If yes to change in audit timing, please give the reason for the recommendation.
   
 
 
Please do not click on the Continue button until you have completed the current page.
You will not be able to return to this page.
 
 
2. Business Continuity and Disaster Recovery Audit (Q1 2011)
Annual review of our readiness to effectively recover from a major disaster. Business Continuity and Disaster Recovery plans and exercises will be assessed as well as other key control areas.
 
 
2.1. Have risks related to this audit changed significantly since March 2010?
 
Yes - increased
 
Yes - decreased
 
No
 
Unknown
 
 
2.2. Should the timing of the audit be changed, e.g. due to conflict with system implementation, other major business disruption, or change in the risk environment?
 
Yes
 
No
 
 
2.2a. If yes to change in time, when should the audit be moved to?
 
 
2.2b. If yes to change in audit timing, please give the reason for the recommendation.
   
 
 
 
 
3. Medical Management Strategy (Timing Q3 2010)
The audit will include a review of our strategy related to Medical Management, including benchmarking our strategy against other Blues plans. Assess whether the expected savings from medical management are being realized and appropriately measured.
 
 
3.1. Have risks related to this audit changed significantly since March 2010?
 
Yes - increased
 
Yes - decreased
 
No
 
Unknown
 
 
3.2. Should the timing of the audit be changed, e.g. due to conflict with system implementation, other major business disruption, or change in the risk environment?
 
Yes
 
No
 
 
3.2a. If yes to change in time, when should the audit be moved to?
 
 
3.2b. If yes to change in audit timing, please give the reason for the recommendation.
   
 
 
 
 
4. Mobile and Remote Computing (Timing Q4 2010 - Q1 2011)
Review of remote access and other safeguards to protect confidential data and protected health information on mobile devices and at remote worksites, i.e., cottage workers. Assess related security, privacy, and legal controls. Review policies, procedures, and compliance.
 
 
4.1. Have risks related to this audit changed significantly since March 2010?
 
Yes - increased
 
Yes - decreased
 
No
 
Unknown
 
 
4.2. Should the timing of the audit be changed, e.g. due to conflict with system implementation, other major business disruption, or change in the risk environment?
 
Yes
 
No
 
 
4.2a. If yes to change in time, when should the audit be moved to?
 
 
4.2b. If yes to change in audit timing, please give the reason for the recommendation.
   
 
 
 
 
5. Product Development & Management (Timing Q1 2011)
Audit will include a review of the product development cycle for critical projects at key stages of product development, reviewing management’s progress and adherence to procedures and ensuring ongoing risk evaluation. Assess pricing strategy related to product development and the impact of regulation of competition. Review the process related to product management and accountability after a product is released.
 
 
5.1. Have risks related to this audit changed significantly since March 2010?
 
Yes - increased
 
Yes - decreased
 
No
 
Unknown
 
 
5.2. Should the timing of the audit be changed, e.g. due to conflict with system implementation, other major business disruption, or change in the risk environment?
 
Yes
 
No
 
 
5.2a. If yes to change in time, when should the audit be moved to?
 
 
5.2b. If yes to change in audit timing, please give the reason for the recommendation.
   
 
 
 
 
Audits scheduled 2011/2012. Please quickly review audits and timing and let us know if you think the timing should be adjusted.
 
 
1. Medicare Compliance (Timing 2011/12)
The audit will focus on areas that CMS will potentially audit in coming years.
 
 
1.1. Should the timing of the audit be changed, e.g. due to conflict with system implementation, other major business disruption, or change in the risk environment?
 
Yes
 
No
 
 
 
2. Treasury - Investments (Timing 2011/12)
The audit will focus on reviewing compliance with investment policies, procedures, and strategies, system access and interfaces, as well as investment risk policies.
 
 
2.1. Should the timing of the audit be changed, e.g. due to conflict with system implementation, other major business disruption, or change in the risk environment?
 
Yes
 
No
 
 
 
3. Regulatory Compliance (Timing 2011/12)
The audit will focus on how Regence ensures compliance with new regulations, including tracking, monitoring, and communication. State and federal regulations will be included.
 
 
3.1. Should the timing of the audit be changed, e.g. due to conflict with system implementation, other major business disruption, or change in the risk environment?
 
Yes
 
No
 
 
 
4. Server Virtualization (Timing 2011/12)
The audit will include reviewing the security policy and procedures as well as compliance with policy and procedures for virtual servers and the applications they support, including: patch management, configuration management, security configuration across sibling servers / applications, firewall and deployment configuration, and attack vector mitigation.
 
 
4.1. Should the timing of the audit be changed, e.g. due to conflict with system implementation, other major business disruption, or change in the risk environment?
 
Yes
 
No
 
 
 
5. Data Management (Timing 2011/12)
Audit will include a review of the data strategy, i.e., whether stakeholders can get accurate and necessary information out of the systems from which key decisions are made. The process by which the IT function identifies and manages unstructured data will be evaluated, including an assessment of the methods of data retrieval, classification, tagging, and securitization. Potentially will include an enterprise “commons” review, in which all of the channels (internal and external) through which data is created, stored, and disseminated in the enterprise are identified and evaluated to ensure they are actively monitored and managed by the IT function.
 
 
5.1. Should the timing of the audit be changed, e.g. due to conflict with system implementation, other major business disruption, or change in the risk environment?
 
Yes
 
No
 
 
 
6. Large Group Pricing Strategy (Timing 2011/12)
The audit will include a review of the link between large group pricing and features, functionality, and impact of customization. Policies and procedures around customization will be evaluated, as well as communication with key business areas impacted by customizations.
 
 
6.1. Should the timing of the audit be changed, e.g. due to conflict with system implementation, other major business disruption, or change in the risk environment?
 
Yes
 
No
 
 
 
7. Human Resources (Timing 2011/12)
The audit will focus on change readiness, resource capacity, and retention strategy.
 
 
7.1. Should the timing of the audit be changed, e.g. due to conflict with system implementation, other major business disruption, or change in the risk environment?
 
Yes
 
No
 
 
 
8. IT Investment Audit (Timing 2011/12)
Review the process by which IT investment decisions are made to ensure the business value at risk is considered at all levels of support, strategic priorities are mapped to short- and long-term IT projects and key stakeholders are included in the process so that all partners understand the implications of all investment decisions.
 
 
8.1. Should the timing of the audit be changed, e.g. due to conflict with system implementation, other major business disruption, or change in the risk environment?
 
Yes
 
No
 
 
 
9. Pharmacy (Timing 2011/12)
Audit will focus on the timeliness of retro-terms and the impact of not pursuing pharmacy recoveries on retro-terms, Medicare Part D claims reprocessing, administrative fees, and Maximum Allowable Cost (MAC) pricing.
 
 
9.1. Should the timing of the audit be changed, e.g. due to conflict with system implementation, other major business disruption, or change in the risk environment?
 
Yes
 
No
 
 
 
10. HIPAA Physical Safeguards (Timing 2011/12)
This audit will focus on physical safeguard controls including facility access controls, workstation use, workstation security, and device and media controls.
 
 
10.1. Should the timing of the audit be changed, e.g. due to conflict with system implementation, other major business disruption, or change in the risk environment?
 
Yes
 
No
 
 
 
11. Trizetto Hosting - Site Visits (Timing Q3 2011)
This IT audit will focus on audit change management, SDLC security, and data conversion, as well as risk sections of the HIPAA Administrative Safeguards Audit. In addition, third-party expenses and validation of chargeable hours for approved purchase orders will be audited.
 
 
11.1. Should the timing of the audit be changed, e.g. due to conflict with system implementation, other major business disruption, or change in the risk environment?
 
Yes
 
No
 
 
ADDITIONAL RISKS
 
 
1.1. Are there additional risks not related to the current Audit Plan which might merit our attention?
 
Yes
 
No
 
Unknown
 
 
1.2. Description of Risk:
   
 
 
1.3. Risk Category
 
1.4. Department Most Impacted: Please select an option from the drop down menu below. After selecting an option, another drop down list will be displayed. Select an appropriate option from that list as well.
 
 
Comments
   
 
1.5. Likelihood (see Likelihood Definitions)
 
Rare
 
Unlikely
 
Possible
 
Likely
 
Certain
 
1.6. Impact (see Impact Definitions)
 
Insignificant
 
Minor
 
Moderate
 
Major
 
Catastrophic
 
 
 
 
2.1. Is there additional risk you can identify?
 
Yes
 
No
 
 
2.2. Description of Risk:
   
 
 
2.3. Risk Category
 
2.4. Department Most Impacted: Please select an option from the drop down menu below. After selecting an option, another drop down list will be displayed. Select an appropriate option from that list as well.
 
 
Comments
   
 
2.5. Likelihood (see Likelihood Definitions)
 
Rare
 
Unlikely
 
Possible
 
Likely
 
Certain
 
2.6. Impact (see Impact Definitions)
 
Insignificant
 
Minor
 
Moderate
 
Major
 
Catastrophic
 
 
 
 
ERM TOP RISKS
 
 
The following pages will take you through the ERM top risks for Regence. Each page focuses on one risk. Please respond as fully as you are able before proceeding to the next.
The rating for each risk consists of two numbers. The first number is the risk likelihood (within an 18-month time horizon) and the second is the potential risk impact.

Likelihood is defined as:
Rare (1): less than 5% chance of occurrence or once every 10 years
Unlikely (2): 5-24% chance of occurrence or once every 5 years
Possible (3): 25-49% chance of occurrence or once every 18 months
Likely (4): 50-84% chance of occurrence or at least once per year
Certain (5): greater than 85% chance of occurrence or more than 5 times each year

Impact is defined as:
Insignificant (1): Financial impact <$5M. No impact on market perception and/or member experience
Minor (2): Financial impact of $5M-$10M. Limited impact on market perception and/or member experience
Moderate (3): Financial impact of $10M-$15M. Some deterioration of market perception and/or member experience
Major (4): Financial impact of $15M-$20M. Significant deterioration of market perception and/or member experience
Catastrophic (5): Financial impact >$20M. Catastrophic deterioration of market perception and/or member experience
 
 
1. Product Development & Deployment - Coordinated deployment and administration of new products.
Current rating: 3.0/4.0.
 
 
1.1. Has the risk changed significantly?
 
Yes - increased
 
Yes - decreased
 
No
 
Unknown
 
 
 
 
2. Health Care Cost Management - Cost effective navigation and advice consistent with member engagement view.
Current rating: 4.0/4.0.
 
 
2.1. Has the risk changed significantly?
 
Yes - increased
 
Yes - decreased
 
No
 
Unknown
 
 
 
 
3. Non-Competitive Cost Structure - High retention charges impacting ability to retain groups and attract new business.
Current rating: 5.0/4.0.
 
 
3.1. Has the risk changed significantly?
 
Yes - increased
 
Yes - decreased
 
No
 
Unknown
 
 
 
 
4. CP-SS Migration - Date slippage of product releases and insufficient sales of new products resulting in delayed retirement of legacy systems.
Current rating: 4.0/5.0.
 
 
4.1. Has the risk changed significantly?
 
Yes - increased
 
Yes - decreased
 
No
 
Unknown
 
 
 
 
5. Medicare Compliance - Compliance program in place.
Current rating: 2.0/3.0.
 
 
5.1. Has the risk changed significantly?
 
Yes - increased
 
Yes - decreased
 
No
 
Unknown
 
 
 
 
6. Data Center Failure - Physical and virtual plant failure resulting in inability to execute core business functions.
Current rating: 2.0/5.0.
 
 
6.1. Has the risk changed significantly?
 
Yes - increased
 
Yes - decreased
 
No
 
Unknown
 
 
 
 
7. Health Care Reform - Legislation inconsistent with Regence strategies; inability to quickly implement legislative changes.
Current rating: 4.0/4.5.
 
 
7.1. Has the risk changed significantly?
 
Yes - increased
 
Yes - decreased
 
No
 
Unknown
 
 
 
 
8. Document Retention - Adherence to defensible document retention policy.
Current rating: 3.0/3.0.
 
 
8.1. Has the risk changed significantly?
 
Yes - increased
 
Yes - decreased
 
No
 
Unknown
 
 
 
 
9. Operational Acuity - Maintaining quality of core functions while implementing business process and system changes.
Current rating: 2.0/3.0.
 
 
9.1. Has the risk changed significantly?
 
Yes - increased
 
Yes - decreased
 
No
 
Unknown
 
 
 
 
10. Billing & Delinquency Process - Design of the billing and delinquency process.
Current rating: 3.0/2.0.
 
 
10.1. Has the risk changed significantly?
 
Yes - increased
 
Yes - decreased
 
No
 
Unknown
 
 
 
 
11. Data Analytics Strategy - Management of data for competitive advantage.
Current rating: 5.0/4.0.
 
 
11.1. Has the risk changed significantly?
 
Yes - increased
 
Yes - decreased
 
No
 
Unknown
 
 
 
 
12. Rate Approval - Market Intelligence, pricing methods and regulatory review.
Current rating: 4.0/4.0.
 
 
12.1. Has the risk changed significantly?
 
Yes - increased
 
Yes - decreased
 
No
 
Unknown
 
 
 
 
13. On-boarding - Lack of a timely and meaningful enrollment process.
Current rating: 4.0/4.0.
 
 
13.1. Has the risk changed significantly?
 
Yes - increased
 
Yes - decreased
 
No
 
Unknown
 
 
 
 
ADDITIONAL RISKS FOR CONSIDERATION BY ERM COMMITTEE
 
 
1.1. Is there another risk that should be considered by the Enterprise Risk Management Committee?
 
Yes
 
No
 
 
1.2. If yes to another risk that should be considered by the ERM committee, describe the new risk.
   
 
 
1.3. Risk Category
 
1.4. Likelihood (see Likelihood Definitions)
 
Rare
 
Unlikely
 
Possible
 
Likely
 
Certain
 
1.5. Impact (see Impact Definitions)
 
Insignificant
 
Minor
 
Moderate
 
Major
 
Catastrophic
 
 
 
 
2.1. Is there another risk that should be considered by the Enterprise Risk Management Committee?
 
Yes
 
No
 
 
2.2. If yes to another risk that should be considered by the ERM committee, describe the new risk.
   
 
 
2.3. Risk Category
 
2.4. Likelihood (see Likelihood Definitions)
 
Rare
 
Unlikely
 
Possible
 
Likely
 
Certain
 
2.5. Impact (see Impact Definitions)
 
Insignificant
 
Minor
 
Moderate
 
Major
 
Catastrophic
 
 
Please do not click on the Submit button until you have completed the current page.
You will not be able to return to this page.