Effective Vendor Oversight Strategies

Jennifer Mardosz, Chief Compliance Officer, Optum
Joe Keen, VP – Optum Compliance Examination Management

Why Organizations Choose to Outsource

• Many organizations are choosing to outsource administrative and ancillary services to:
  – Gain expertise
  – Reduce administrative costs
  – Increase capacity / competencies
  – Increase speed to market
• While organizations may choose to outsource certain administrative services, they remain responsible for ensuring that the services are performed in compliance with contractual and regulatory requirements

Proprietary and Confidential. Do not distribute.

What is Vendor Oversight

• Against the backdrop of heightened regulatory expectations and investigations related to 3rd party vendors, many organizations are:
  – Focusing on structured controls to ensure ongoing regulatory compliance
  – Mitigating risk associated with the utilization of vendors
• For example:
  – The Centers for Medicare & Medicaid (CMS) require vendors to comply with Medicare compliance program requirements, including fraud training, employee background checks, and formal vendor monitoring and auditing programs
  – The Federal Reserve is enhancing its oversight of vendors/suppliers to ensure that 3rd party entities have confidentiality/security controls in place and maintain financial stability
  – The Federal Trade Commission is exercising its muscle and requiring organizations to ensure that effective vendor oversight processes are in place and part of a broader Compliance Management System

Industry trends and the need for vendor oversight: Privacy & Security

Six elements of an effective vendor oversight program

1. Structured procurement process
2. Proper identification and classification
3. Communication strategy
4. Training & Education
5. Risk Management
6. Vendor Off-boarding

[Diagram of the six elements: Procurement Process, Identification and Classification, Communication, Training and Education, Risk Management, Off-boarding]

Structured Procurement Process

• Effective vendor oversight begins with formal procurement processes, including accountability for sourcing, contracting, and purchasing goods and services from 3rd party vendors
• Such processes include, but are not limited to:
  – Formal engagement policies and procedures
  – Formal sourcing review
  – Formal contractual agreement between the organization and 3rd party vendor
  – Use of a structured contract management system

Proper Identification and Classification

• Organizations should have a formal process to properly identify and classify 3rd party vendors
• Such identification and classification should include, but not be limited to:
  – Designations of the specified delegated service
  – Cost of delegated service
  – Impact and level of access to the end consumer
  – Access to Personally Identifiable Information (PII), Personal Health Information (PHI), or Payment Card Industry (PCI) data
  – Relationship to government contracts

Communication Strategy

• Effective communication between the organization and 3rd party vendors is critical to ensure a successful relationship
• An effective communication strategy should include, but not be limited to:
  – Your organization’s standards of conduct
  – Policies and procedures directly related to the specified delegated service
  – Main contacts for managing the relationship between the organization and 3rd party vendor
  – Distribution of performance metrics
  – Frequency of performance meetings
  – Communication protocols for compliance concerns

Training & Education

• When an organization delegates administrative functions to a 3rd party vendor, it is not simply delegating a task, but is also sharing its organizational culture, mission and values
• Such training and education should include, but not be limited to:
  – Organization’s standards of conduct
  – General compliance information
  – How to report suspected FWA and suspected compliance concerns
  – Job-specific roles and responsibilities
  – Performance metrics and expectations
  – Detailed procedures in support of delegated functions

Risk Management

• Vendor performance should be monitored to ensure that expectations are being met and that all delegated functions are being performed in accordance with contractual and regulatory requirements
• The types and frequency of monitoring activities vary among organizations, but at a minimum, should include the following:
  – Controls protecting PII, PHI & PCI
  – Key performance measures
  – Compliance with contractual and applicable regulatory requirements
• Many institutions are utilizing a survey approach with their 3rd party vendors, asking questions about topics such as:
  – Code of Conduct training & education
  – General Compliance training and reporting of suspected noncompliance
  – Employee background screening
• Such monitoring activities should include remediation actions where performance and / or compliance expectations fail to meet minimal thresholds

Vendor Off-Boarding (and Optimization)

• While ensuring ongoing vendor management is important, effective off-boarding of vendors is equally important.
• Vendor off-boarding can be a result of performance, but also a strategic consideration to “optimize” the vendor universe for enhanced purchasing power and reduced oversight needs.
• Failure to effectively “off-board” a 3rd party vendor can result in:
  – Unnecessarily continuing to provide monetary compensation to vendor
  – Exposure risk to PHI
  – Reputational risk

What to do when YOU are the vendor

• Many organizations find themselves on both sides of the fence – the entity that is contracting with the 3rd party vendor and the 3rd party vendor
• When you are the 3rd party vendor, strive to live up to the same expectations that you place on those organizations to which you delegate certain administrative functions.
• Ensure your compliance program:
  – Meets the 7 elements of an effective compliance program
  – Includes a formal delegate oversight function
  – Trains employees on job functions and general compliance, including standards of conduct, fraud, waste, & abuse and privacy
• Investigate and track all reported instances of suspected non-compliance and FWA

Questions