Risk managers/compliance officers: Is it possible for us to get along?
Good relationship possible if you avoid turf battles
Compliance officers have taken on increasingly important and visible roles in healthcare organizations, and that role can lead to ruffled feathers when that person and the risk manager disagree on their authority and responsibilities. The result, too often, is an internal spat that prevents either party from doing their jobs well and exposes the provider to liability.
It doesn't have to be that way, says Roy Snell, CHC, CCEP, CEO of the Healthcare Compliance Association (HCCA), a professional group for healthcare compliance officers in Minneapolis and a former Mayo Clinic administrator, consultant and compliance officer. Snell has seen that kind of turf battle and says it can be avoided by having the parties clearly understand how their roles are different.
Despite the fact that some risk managers are saddled with compliance duties in their organizations, compliance and risk management aren't just two terms for essentially the same thing, he says.
"For these people to work well together, they have to understand the difference between a compliance risk assessment and a non-compliance risk assessment," Snell says. "Risk managers traditionally study risks to the company: losing investments, fire, lawsuits, things that will cause trouble to the company. Compliance officers look at the risk of what trouble the organization will cause to others, and they shouldn't be spending any time on risks to the company other than the penalties assessed by breaking the law or being unethical."
A problem can arise when the risk manager insists on being responsible for risk assessments but misses the risks posed by the company to others, Snell says. By the same token, the compliance officer should not be involved with internal risks no matter how hot the topic or how much the compliance officer feels skilled in that area, he says.
"Risk managers should not be offended if the compliance officer conducts a risk assessment on their own," Snell says. "It's all about what risks you're assessing. The government expects compliance officers to do risk assessments. Given the fact that we are the most fined industry in the history of planet Earth because we have not adequately dealt with regulatory and ethical issues, people with turf problems should go away."
Compliance officers' turf battles aren't always with risk managers, Snell points out. He recalls a time when he was a compliance consultant and needed to conduct an audit of a hospital's program. The head auditor at the hospital said he should do it himself because he had performed compliance audits for 20 years. When asked exactly what he had been auditing, the man replied that he had been auditing timecards and looking for vendors who double billed the hospital.
"If the auditor who is only looking for threats to the company says 'this is my turf,' then that organization is in big trouble," Snell says. "The CEO only wants to hear about the money being stolen from the company, and they don't want to hear about problems you're causing others. That attitude is what led the press, the public, and politicians to be fed up and insist on more compliance programs."
Failure to work well together can threaten the success of both offices and lead to more liability in both areas, Snell says.
Proactive approach is best
So how do the two parties define their turf? Communication is the key, says Charla Prillaman, CPCO, CPC, CPC-I, CCC, CEMC, CPMA, CHCO, southeast regional director for AAPC Physician Services, a company in Salt Lake City that provides education and professional certification to medical coders. Compliance is a significant part of coder education, and Prillaman has seen turf battles arise because risk managers and compliance officers never clearly defined their roles.
"Both people need to understand that they serve an important role for the company, and if they don't work well together, that won't equal a good business plan," she says. "You can take great care of your patients and avoid lawsuits, but if you don't follow all the regulatory rules, you're out of business. If you obey all the regulatory rules and fail to provide patient safety and good medicine, you're out of business."
Prillaman recommends that the risk manager and compliance officer should acknowledge the potential for overlap and disagreement, and she says that they should sit down to discuss solutions before problems arise. A calm, proactive approach will be better than trying to hash out the problems in the midst of a crisis or a high priority task.
"They're not really at odds, but sometimes it feels that way," Prillaman says. "In the heat of an argument, it's easy to say that it's more important not to kill our patients than to make sure we don't overbill. That sounds good at the time, but in the end, both sides of this equation are important. Try not to denigrate the other person's position just because you feel passionate about your own."
One important issue is terminology, Prillaman says. Sometimes the two parties can be using the same terms such as "reducing risk" but mean different things. It can sound as if you're on the same page, when actually you're not, she says. Take the time to define terms, and be willing to hear what concerns the other person has. Work out ways to avoid conflicts.
See other person as a resource
Different backgrounds are one reason that the two parties can butt heads, notes Vickie Patterson, CPA, CIA, CHC, an associate director with the healthcare practice of Protiviti, a consulting company in Tampa, FL. Risk managers often come from a nursing background, for example, which gives them reason to stand their ground when discussing clinical issues with a compliance officer who has a financial or legal background.
"Recognizing those differences and seeing them as resource points, rather than reasons to clash, can make a big difference," Patterson says. "The fact is that your backgrounds and skill sets might be very different, but you can both use that to your advantage by calling on each other for assistance with your own investigations. See the other person as a potential benefit rather than writing them off as not knowing what you know."
The differences in the two roles are why Timothy E.J. Folk, a producer with The Graham Co., a healthcare consulting company in Philadelphia, always recommends that they be held by different people. Particularly in larger organizations, it is difficult for one person to take on both roles and do them well, he says.
"There are regulatory bodies and sub-bodies, and new regulations and rules coming out every day that the compliance officer has to stay on top of," he says. "Meanwhile, the risk manager has to focus on the safety committee, the physical plant, claims and loss control, and coverage for claims. There's overlap but also very different concerns."
Folk also notes that understanding the compliance officer's duties, and particularly how they are different from your own, can work to your benefit if the organization ever looks to eliminate one of the positions for financial reasons. (See the story on p. 88 for more on that possibility.)
For the benefit of the provider and the risk manager's career, Snell says risk managers and compliance officers must make a concerted effort to work well together. It is not enough to decide that you will have a good attitude and work well with the compliance officer, he says. A proactive approach to collaboration is needed, he says. "I acknowledge that there are many who are doing this correctly, but there are many who are doing it poorly, and it is hurting all of us," he says. "To get the government to go away and focus their enforcement efforts on some other industry, we have to overcome the problem of those who are doing it poorly."
Timothy E.J. Folk, Producer, The Graham Co., Philadelphia. Telephone: (215) 701-5231. Email: firstname.lastname@example.org.
Vickie Patterson, CPA, CIA, CHC, Associate Director, Healthcare Practice, Protiviti, Tampa, FL. Telephone: (813) 348-3407.
Charla Prillaman, CPCO, CPC, CPC-I, CCC, CEMC, CPMA, CHCO, Regional Director, Southeast, AAPC Physician Services, Salt Lake City, UT. Telephone: (800) 200-4157 Ext. 310. E-mail: email@example.com.