Live from Managed Care – Audit Readiness and Internal Control, Post Reform

By Kortney Nordrum, CHC

Presentation by:

Sharon Gipson, VP, Corporate and IT Audit & Advisory Services, Blue Cross Blue Shield of Michigan

Risk control is part of everyday work. Risk is the possibility that an event will occur that impacts our ability to achieve our objectives, goals, end results or other desired outcomes.
The more systems you have, the more complexity is added to your risk environment.

Management is responsible for the first line of controls – they are the first line of defense. Management is responsible for control measures – managing, monitoring and reporting on them, including implementing internal control policies. Good control structures lead to a healthy compliance environment.

An internal control policy is a standard that’s attached to the internal audit policy. It sets the expectation that management is in charge of the internal controls and compliance structures to support the organization’s commitment to conduct its business in accordance with all applicable federal, state, and local laws.
All employees are responsible for knowing the controls and complying with them.

Sharon’s Risk-Intelligent-Decision-Making Approach:

1. Identify the risk. This includes knowing all of the facts of a given situation. Do not make assumptions or form opinions. Find the facts and document them. Also evaluate reputational risk—how could this risk impact the company’s reputation?

2.  Evaluate the options. What do you do with the information you have? What are your next steps?

3.  Understand the boundaries. Are you characterizing this risk as “sufficient” or a “best practice”. Sufficiency is enough to meet the criteria and that’s all. Best practice may come at a cost and your organization may not want to bear that cost for any given reason.

4. Be transparent with decisions and assign accountability. People are more connected than they like to think. Encourage everyone to think how each decision affects their colleagues upstream and colleagues downstream. Get input from your  stakeholders to make sure you’re not creating more of a problem than the one you’re trying to solve. How do your decisions impact the control environment of those around you, or those that depend on your work?  Also, make sure there is an owner. Someone must be accountable for each decision.

5. Achieve risk intelligence. This isn’t always the best decision or the only decision, but if you can show the steps you took and how you came to the decision, you’re more likely to get buy-in from those around you.

Another recommendation is to perform an annual risk assessment. Each risk assessment should include the following 5 phases:

1. Understand the business;

2. Develop a risk model;

3. Prioritize the risks;

4. Develop a risk-based plan;

5. Execute your plan.

Additionally, it is important that your entire organization have a common risk and issue language around your key success factors. Each employee and department should have a thorough understanding of what your risks are and what constitutes success for those factors. An example of common language is below.


Finally, when partnering on coordinated compliance projects, it is good to keep the following in mind:

  • Set clear project goals and objectives and gain business buy-in.
  • Communicate frequently, both internally and with any stakeholders. Internal communication goes a long way toward building a team environment.
  • Build a team environment. It will help you work together and help you communicate to the business what you need and what you have accomplished.
  • Develop guidelines for your coordinated projects, and follow them.
  • Work directly with business, but interview your project management office for advisory projects. Interacting with the business is important to get the rich information you may not get otherwise.
  • Agree early on on the type of report and your audience, and communicate it throughout the process. Individuals may be more likely to share information with you if they know who will eventually read the report.
  • Appoint a lead for the administration of the process to make sure everything is getting done and is well organized.
  • Agree on document storage.


Comments are closed.