Transcript for audio podcast: Federal News Radio:
Incorporating Risk Management and Assessment to Maximize Resources and Results
From the Office of Inspector General of Department of Health and Human Services
[Emily Kopp] You can't really do that much more with less so before diving into a project it makes sense to know how much trouble you could be getting into. Some agencies are applying this theory to their programs by incorporating risk assessment into their planning. Tom Salmon is Assistant Inspector General for Audit Services for the Health and Human Services Department, and he joins us now with a bit more about this approach. Hi Tom.
[Tom Salmon] Hi Emily, how are you?
[Emily Kopp] Fine, thank you. So when you're talking about planning and incorporating risk management, what are the basics of doing that?
[Tom Salmon] The basics of risk management are assessing threats, vulnerabilities, consequences and necessary actions. And it feeds into supporting effective use of resources which was what this whole conference at AGA was about this last couple of days. It was being more strategic because we've gone from doing more with less to less with less and now we have to be super strategic with less. People are trying to not be flat-footed despite sequestration and other resources threats.
[Tom Temin] So in other words as an IGs office you could do 99 audits of the cafeteria and count the sugar packets missing or you could do two audits at CMS and save billions and billions and billions of dollars?
[Tom Salmon] Right and that brings up another point. Trying to work strategically with what you audit. When I was the state auditor in Vermont I could sit down with the governor and say these are the four or five things that I'm concerned about based on what we've assessed in terms of materiality, impact, liquidity things like that. What are you interested in? So having conversations with CMS, Civil Rights related to HIPAA or the national coordinators related to electronic health records - these are all critical steps.
[Emily Kopp] So tell us a little bit more about what you've done at the Inspector General's Office. What are some of the decisions you've made related to risk management?
[Tom Salmon] Well one of the things risk management does is support strategic planning and vice versa. I was very fortunate. I came here because for several months the OIG HHS has been working on a strategic plan that is refreshing our aspirations. What that does is it starts to assess our internal risks but also our internal capacities. And as you know, with many IGs we're cross component. We have not just auditors but we have investigators evaluators and inspectors. So when we're picking jobs and we're going after certain risk areas we have to do it in coordination with other components we've got to share our strengths. Fortunately the two go hand in hand - strategic planning, refreshing aspirations, knowing what your capacities are whether it's in audits, investigations. Also in IT, IT audit, what are your capacities there so that you can have basically full coverage of the water front?
[Tom Temin] I guess that must be a process you're going through to make sure that, for example, your office is ready to keep an eye on these health exchanges because the HHS is very involved with them. There are some federal versions that are not at the state level.
[Tom Salmon] Well, and you bring up a good point. It has been a very busy and busy hectic summer as we're trying to be as proactive as possible. One of the phone calls we recently had, I swear, was like saving about 200 hours of research time was getting state auditors on the phone, getting GAO on the phone and going around, literally around the country and assessing who is doing what, where, in terms of the exchanges on the state ones as well as on the Federal side.
[Tom Temin] Because within the exchanges, you've got a lot of elements. You've got IT that makes it run and all of the software that encompasses the rules, plus you've got program integrity to worry about.
[Tom Salmon] That's the thing. The whole point of the last couple days is our mission is to protect and preserve the integrity of these programs. And that's really the focus, to become watertight. And even with our IT audit we're doing sort of a refresh…a white paper…because we want to assess where we have coverage. And in terms of your point on exchanges - we're doing a number of security control audits out at different MMIS systems - the Medicaid Information System - to check their security as a back drop to the relationship to the exchanges.
[Emily Kopp] So what you're talking about is approach - the risk assessment approach - it seems like you are advocating for more time or more resources spent on the planning and preparation perhaps than on the actual execution. So if people have to make a choice on where to put the resources do a lot of the preparation upfront, is that right?
[Tom Salmon] We are really trying to make a very intentional upfront efficient funnel for our work because we have a work plan that has to go through a vetting process as well so there is a lot of informal and formal risk assessment that happens at the job idea. And a lot of our folks get some great ideas out in the field also based on other jobs. One recently where they were looking at some of the coding at a hospital and they realized there were charges to 'kwashiorkor,' which is basically malnutrition, bloated stomach, that happens in other countries. So that led to some work. There is all kind of work that is out there that is part of the risk assessment process where you're already in high risk areas.
[Tom Temin] It sounds like when you're looking for things as fine grained as a charge on some disease that rarely exists in the United States that's where your big data systems can come into handy to help you do the evaluation?
[Tom Salmon] Well you brought me to another point. We were recently in Kansas City and the USDA is hosting a data center and we are moving some of our terminals over there so that we can be more, not only security protected and efficient, but you're seeing people really making an intentional step in Federal government to share services and really get in front of data systems. We got questions at the event yesterday about where are we going to be in five years related to eligibility and whether the information that the IRS has is similar to the eligibility on HHS programs because we have over 300 programs. And really, creating a data web to prevent deceivers. And as a CPA and a certified fraud examiner, we have got to create the perception that people are being watched - we have to - real and imagined. And some of the risk assessment steps are the risk of not having great relationships with our OPDIVs, and our state auditors and our partners. Because at AGA yesterday, that's all three levels - federal, state and local. It's amazing how people behave when they think that those three parties are working together.
[Emily Kopp] Just briefly, is Health and Human Services taking the same tactics as well?
[Tom Salmon] Well Health and Humans Services is being proactive. In fact they're engaging us on questions related to work that their doing related to cloud computing. They have so much data and Frank Baitman, the CIO over there, and he's trying to take steps to advance some of their systems. And he's very cognizant of risk, and our people are at the table with them.
[Tom Temin] Tom Salmon is the Health and Human Services Assistant Inspector General for Audit Services. Thanks so much for joining us today.
[Tom Salmon] Thanks Tom, thanks Emily. Have a great day.
Let's start by choosing a topic
Unimplemented OIG recommendations summarized.
FY 2014 Work Plan
OIG projects planned for 2014.
Significant OIG activities in 6-month increments.