The arrival of the Patient Protection and Affordable Care Act (PPACA) in 2010 brought in a number of changes to the health insurer’s business model, and prompted them to rethink the way they managed compliance. It was evident that traditional compliance methods based on manual spreadsheets and ad hoc processes would no longer work. A more advanced solution was needed – one that would save time and costs by automating various compliance workflows, while also improving visibility into compliance risks and issues across the enterprise.
The insurer’s vision was long-term -- to not only meet PPACA requirements, but to also build an integrated and sustainable approach to compliance across multiple healthcare regulations, including the Model Audit Rule (MAR), Health Insurance Portability and Accountability Act (HIPAA), and the Michigan insurance code.
Before the PPACA, the insurer’s approach to compliance was highly manual. Disparate papers, spreadsheets, and shared drives were used to document internal controls, as well as to track regulations, and manage large data volumes. This approach soon became inefficient, time-consuming, and prone to errors in processes, data, and reporting. To add to the challenge, there was no efficient, coordinated mechanism to monitor regulatory alerts. Neither was there a common, consistent taxonomy to define and communicate compliance issues. However, all of that began to change with the enforcement of the PPACA in 2010.
The insurer, already regulated in various capacities by state and federal rules, now had to have their entire book of business subject to federal scrutiny. They needed a robust compliance management system to ensure that the new healthcare reforms were implemented and monitored in a sustainable and reliable manner. Their aim was to integrate all regulatory compliance processes so that the insights that ultimately rolled up to the senior management and board would provide a complete, accurate, and real-time view of enterprise-wide compliance. To meet these requirements, the insurer chose to embark on a GRC journey with MetricStream.
Using the MetricStream GRC Platform as a foundation, the firm gradually rolled out an integrated GRC solution beginning with compliance issue management, followed by compliance risk management, policy management, case management, and audits. Today, an efficient and standardized compliance program is in place with timelier visibility into risks and other areas of concern.
The solution has helped the insurer identify all applicable regulatory requirements along with the “enterprise work effort” for each of them. Enterprise work effort is a project targeted at ensuring that compliance requirements and controls are implemented effectively. For each requirement of the PPACA, as well as MAR and other regulations, the solution enables the compliance team to build a control library, and to test these controls on a periodic basis. A distinct “implementation status” feature helps in tracking the progress of all work efforts.
•Inefficient manual methods to document internal controls
• Disconnected compliance processes
• Fragmented visibility into compliance issues
• Compliance management
• Regulatory alerts management
• Risk management
• Policy and document management
• Compliance case management
• Compliance issue management
• Audit management
• Better decision-making with over 200 qualified metrics based on a common compliance and risk universe
•Increased transparency into compliance issues and risks throughout the enterprise
•Improved agility with a common compliance platform, integrated workflows, and simplified processes
• Rapid reporting capability which reduced reporting time from 30 days to 2-3 days
Using the MetricStream GRC Platform’s data foundation, the insurer has mapped all regulations in a structured, multi-dimensional, and relational compliance data universe that is used as a “single source of truth” for compliance across different departments. Regulatory feed channels have been set up to automatically integrate regulatory updates from multiple external sources. If there are any issues or exceptions that arise, they are managed through the solution’s issue management functionality.
With the MetricStream solution, the insurer can swiftly assess the likelihood and impact of compliance risks based on configurable methodologies and algorithms. Users gain visibility into both quantitative and qualitative risk ratings, while graphical dashboards provide an aggregated view of compliance risks and areas of concern. In addition, risk heat maps and color-coded charts present a simplified visualization of complex compliance and risk data, sorted by risk type, department, and other parameters.
The solution has enabled the insurer to streamline policy management processes across business units and divisions, while enhancing consistency in policy related workflows. The tool’s integrated data model makes it easy for the compliance team to understand the impact of regulations, risks, and controls on policies, so that they can then take steps to be audit-ready.
Using the solution, the insurer has simplified its case management process, from case recording to case resolution. Over 10,000 users across the organization can log compliance cases which are then prioritized based on their criticality and priority. Multiple investigators can collaborate on each case, documenting findings and resolving issues. Intuitive reports and dashboards highlight cases that need immediate action and further investigation.
The fully integrated solution with compliance risks, policies, and case data aggregated on a common platform, has allowed the insurer to build a best-in-class compliance program that provides management with timely visibility into risk and compliance initiatives
The MetricStream solution has helped the insurer create and maintain an annual audit plan to accommodate different audits across the organization. Audits can be scheduled periodically or on an ad-hoc basis for internal departments, processes, and projects. Based on the master audit plan, the scheduler can select a team of auditors and assign the audit responsibility with a due date. Auditors, in turn, can define checklists, track tasks, record findings and observations, and confirm the audit assignment as well as the completion of the audit. Thereafter, audit reports can be created and presented to the audit committee and the board.