Slide 1: 7th Annual National Public Sector Fraud and Corruption Congress
Adopting a Robust Fraud-Risk Management Framework
Post-Conference Executive Workshop, 28 July 2017

Slide 2: Workshop Roadmap
- Introduction
- Workshop Objectives
- Topical Modules
- Case Studies in Fraud-Risk Management
- Open Discussion
- Concluding Thoughts
- Addenda
Slide 3: Introduction (I)
- Fraud is an insidious risk to the integrity of government programs and erodes vital public trust in them, at a time of significant fiscal pressure
- Public enterprise executives and managers are challenged to take a strategic approach to countering fraud risks and to develop effective measures to manage those risks
- The workshop builds on themes and concepts introduced in the keynote presentation and goes in depth on selected topics that are fundamental to effective fraud-risk management
- It focuses on the imperatives and intricacies of performing robust risk assessments, creating comprehensive risk profiles, and integrating both to inform executive decision-making

Slide 4: Introduction (II)
- Risk assessments and risk profiles are the principal underpinnings of a proactive, action-oriented fraud-risk strategy and its component objectives and activities
- Successful implementation of such a strategy is intended to offer reasonable assurance that a program's mission is being met and that taxpayer investments are safeguarded
- Without getting the fundamentals right and sustaining them over time, fraud-risk strategies and related activities become unmoored from their purpose and lose effectiveness
- Ultimately, any fraud-risk management model must reconcile delivering benefits in a timely manner with the need to safeguard program integrity and the underlying investments

Slide 5: Workshop Objectives
- Acquire the fundamentals for creating and implementing a comprehensive strategy to manage complex fraud risks
- Share and discuss common and unique experiences, and glean lessons and insights to apply in future anti-fraud efforts
Slide 6: Topical Module Outline
- Module I: Strategic Context
- Module II: Fundamentals of Successful Fraud-Risk Management
- Module III: Overview of GAO Fraud-Risk Management Framework
- Module IV: Principle #1—Prevention
- Module V: Principle #2—Detection
- Module VI: Principle #3—Response
- Module VII: Component #1—Commit
- Module VIII: Component #2—Assess
- Module IX: Component #3—Design & Implement (Strategy)
- Module X: Component #4—Evaluate & Adapt

Slide 7: Module I: Strategic Context
- Re-frame fraud-risk management within the overarching, strategic ("big-picture") context of program integrity
- Shift the thinking and "culture" of fraud-risk management from a reactive (passive) to a proactive posture
- Adhere to simple but key fundamentals, do them well, and embed them firmly in the enterprise's overall business and risk models

Slide 8: Module II: Fundamentals of Successful Fraud-Risk Management
- Unequivocal executive policy choice, supported by sustained high-level commitment and attention (tone at the top)
- Aligned with enterprise-wide mission and strategy, with outcome-oriented, risk-appropriate metrics
- Embedded in the core business model and enterprise risk management (ERM) structure
- Coordinated across the internal and external stakeholder universe (vertically and horizontally)
- Bundled with other approaches (e.g., deep data analytics, probing investigative techniques) as force multipliers
- Implemented in a systematic, flexible and iterative manner to respond to a dynamic operating environment and evolving risks (agility of response)

Slide 9: Module III: Overview of GAO Fraud-Risk Management Framework
Principles:
- Prevention
- Detection
- Response
Components:
- Commit
- Assess
- Design & Implement
- Evaluate & Adapt

Slide 10: Module III: Multilayer Representation of Fraud Risk Framework (figure)
Slide 11: Module IV: Principle #1—Prevention
- Cost-effective, proactive posture versus the prevailing reactive and ineffective "pay-and-chase" approach
- Aim: keep the risk from materializing in the first place
- Illustrative control activities include:
  - Comprehensive anti-fraud strategy
  - Fraud awareness training for employees at all levels
  - Initial data analytics to verify program eligibility
  - Segregation of duties, approvals, and an active supervisory chain
  - Standards of conduct
  - Transaction limits

Slide 12: Module V: Principle #2—Detection
- Quick detection has a deterrent effect, buttressed by the likelihood of subsequent consequences
- Aim: discover potential fraud that has already occurred
- Illustrative control activities include:
  - Detailed audits with appropriate investigative components
  - Comprehensive follow-on data analytics combining matching, mining and prediction
  - Document reviews and cross-corroboration from multiple sources
  - Site visits and inspections, and interviews with personnel

Slide 13: Module VI: Principle #3—Response
- Decisive action, with a lessons-learned feedback loop to inform the future prevention and detection posture
- Aim: investigate potential fraud, take corrective action, and remedy harm
- Illustrative control activities include:
  - Follow-on in-depth investigations
  - Prosecution of well-developed cases
  - Disciplinary actions
  - Suspension and debarment of vendors
  - Payment denials and recoveries
Slide 14: Module VII: Component #1—Commit
Create and sustain an organizational culture: establish an institutional environment that is welcoming of and conducive to fraud-risk management, which is a function of
- Clear and unambiguous policy choice and executive-level commitment and leadership (tone at the top) as the key long-term drivers
- Devolution to, and embedding in, all levels of the enterprise and across the stakeholder universe, to establish ownership and common purpose
Establish a fraud-risk management structure: designate a well-resourced, empowered entity to implement proactive fraud-risk management, whose core functions include
- Understanding the operational environment and its inherent risks and controls
- Reporting directly to executive management with full authorities
- Performing assessments, creating the strategy, and monitoring performance

Slide 15: Module VIII: Component #2—Assess, Part 1: Risk Assessment
Risk assessment is the core driver of a successful risk-mitigation response. Key considerations and activities include (see Addendum 1 for further details):
- Tailor the assessment to the unique aspects of program design and complexity (e.g., regulations, rules, processes and procedures, transaction volume, beneficiary and provider expectations)
- Conduct the assessment at regular intervals to keep pace with changing operational circumstances and evolving risks
- Involve the full slate of internal and external stakeholders with knowledge of the program and its intricacies
- Identify tools, methods, and sources for gathering and analyzing information on fraud risks, including specific schemes and trends

Slide 16: Module VIII: Component #2—Assess, Part 1: Risk Assessment (Continued)
Key considerations and activities (continued):
- Identify inherent internal and external fraud risks affecting the program from provider, beneficiary, administrative and other perspectives
- Determine the likelihood, impact (quantitative and qualitative), and any cascading (downstream) effects of each risk identified
- Establish the risk threshold ("appetite") and tolerance for each risk and prioritize the risks in order of actionable response
- Evaluate existing controls for suitability and the extent of mitigation achieved, quantify the net (residual) risks, and prioritize them for action

Slide 17: Module VIII: Key Elements of Fraud-Risk Assessment (figure)

Slide 18: Module VIII: Component #2—Assess, Part 2: Risk Profile
Compile the risk profile by synthesizing and documenting the results of the assessment(s); it is the vital precursor to crafting an effective anti-fraud strategy. Key elements include (see Addendum 2 for further details):
- Inventory (portfolio) of fraud risks
- Description of risk factors
- Identification of risk owners
- Quantification of risk likelihood and impact
- Determination of risk significance
- Description of existing mitigation controls (response)
- Inventory of residual (net) risk
- Determination of the significance of residual risk
- Description of new mitigation controls

Slide 19: Module IX: Component #3—Design & Implement (Strategy)
Use the results of the risk assessment and risk profile to craft and implement a fraud-mitigation strategy (a roadmap for action) with appropriate controls. Key considerations and activities include (see Addendum 3 for further details):
- Communicate the strategy to internal and external stakeholders and risk owners, and obtain buy-in and commitment to its success
- Establish outcome-oriented, risk-appropriate performance metrics to gauge the impact of control activities (how will the needle move?)
- Evaluate the costs and benefits of individual control activities and of aggregate (systems of) controls
- Establish integrated networks to ensure meaningful vertical and horizontal collaboration with the stakeholder community
- Create incentives (carrot and/or stick) to encourage action and sustain results over the long term

Slide 20: Module X: Component #4—Evaluate & Adapt
Evaluate the effectiveness of the strategy and adjust it to respond to performance gaps, changing operational circumstances and the emergence of new risks. Key considerations and activities include (see Addendum 4 for further details):
- Monitor effectiveness in real time against the performance metrics, focusing on outcomes achieved (has the needle moved?)
- Conduct periodic evaluations of all fraud-risk management components and identify material gaps
- Collect, synthesize, and leverage data and information to create a knowledge feedback (learning) loop, and corroborate what it shows
- Use evaluation results, as necessary, to adapt fraud-risk management activities and communicate the changes to the stakeholder community
Slide 21: Case Studies in Fraud-Risk Management (Takeaways from Recent GAO Audits)
Control weaknesses underscore fraud risks:
- Affordable Care Act (ACA) enrollment
- Medicare service-provider enrollment
Applying the Framework highlights capability gaps:
- Social Security Administration disability benefits
- Immigrant-investor visa program (EB-5)

Slide 22: Case Study: Undercover Tests of ACA Enrollment
- Highlights the role of investigative techniques in probing controls, across three coverage years
- 10+ million enrollees, $60+ billion in annualized subsidies
- 53 of 55 undercover attempts at enrollment were successful; the other 2 attempts were intentionally abandoned
- $130,000 in subsidized health-care policies secured (annualized)
- Bottom line: ineffective controls across the spectrum undermined program integrity

Slide 23: Case Study: Data Analytics of Medicare Provider Enrollment
- Highlights the use of deep data analytics (matching, mining, mapping, visualizing) to uncover indicators and patterns of potential fraud
- About 1.8 million enrolled providers (physicians, hospitals, pharmacies, etc.) filing claims of $600+ billion annually for services and products
- Found roughly 24,000 of those sampled to be potentially ineligible based on various indicators (e.g., unconfirmed practice location, licensure-status flags)
- Referred hundreds of potentially ineligible providers (from the analytical sample) to the agency for review and investigation
- Bottom line: multiple control weaknesses allowed potentially ineligible providers to enroll in a lucrative market
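The matching and mining step behind a case like the one on this slide can be illustrated with a small worked example. The code below is an added example for this page, not GAO's or the agency's analytics, and the three data sets it joins (an enrollment extract, a state licensure extract, and a set of postal address-validation results) are constructed. It flags providers whose license is missing or not active in the registry and whose practice address could not be confirmed as deliverable, and separately surfaces addresses shared by several enrollees, a clustering indicator that warrants a look rather than a conclusion:

```python
"""Data-matching checks on a provider enrollment file (constructed data).
Added example for the slide on Medicare provider-enrollment analytics; it is
not GAO's or CMS's code. Indicators: license status and unconfirmed location."""
import csv
import io
from collections import defaultdict

# Constructed enrollment extract: one row per enrolled provider.
ENROLLMENT_CSV = """provider_id,name,state,license_no,practice_address
P001,Oak Avenue Clinic,VA,MD-1001,100 Oak Ave Richmond VA 23219
P002,Dr. A. Example,VA,MD-1002,200 Pine St Richmond VA 23220
P003,Riverside Supply LLC,VA,DME-3003,500 Main St Ste 12 Norfolk VA 23510
P004,Harbor Pharmacy,VA,RX-4004,77 Dock Rd Norfolk VA 23511
P005,Oak Avenue Imaging,VA,MD-1005,100 Oak Ave Richmond VA 23219
P006,Oak Avenue Labs,VA,LAB-6006,100 Oak Ave Richmond VA 23219
"""

# Constructed state licensure extract (note: RX-4004 is absent).
LICENSE_CSV = """state,license_no,status
VA,MD-1001,ACTIVE
VA,MD-1002,REVOKED
VA,DME-3003,ACTIVE
VA,MD-1005,ACTIVE
VA,LAB-6006,ACTIVE
"""

# Constructed address-validation results, e.g. from a postal deliverability check.
ADDRESS_CSV = """address,deliverable
100 Oak Ave Richmond VA 23219,Y
200 Pine St Richmond VA 23220,Y
500 Main St Ste 12 Norfolk VA 23510,N
"""


def load(text):
    return list(csv.DictReader(io.StringIO(text)))


def normalize_address(addr):
    # Upper-case, drop punctuation, collapse whitespace so join keys line up.
    return " ".join(addr.upper().replace(".", "").replace(",", "").split())


def flag_providers(enrollment, licenses, addresses):
    """Return {provider_id: [reasons]} for providers that need review."""
    license_status = {(r["state"], r["license_no"]): r["status"] for r in licenses}
    deliverable = {normalize_address(r["address"]): r["deliverable"] == "Y" for r in addresses}
    flags = {}
    for p in enrollment:
        reasons = []
        status = license_status.get((p["state"], p["license_no"]))
        if status is None:
            reasons.append("license not found in state registry")
        elif status != "ACTIVE":
            reasons.append("license status " + status)
        ok = deliverable.get(normalize_address(p["practice_address"]))
        if ok is None:
            reasons.append("practice address not validated")
        elif not ok:
            reasons.append("practice address undeliverable")
        if reasons:
            flags[p["provider_id"]] = reasons
    return flags


def shared_addresses(enrollment, min_providers=3):
    """Mining indicator: addresses used by at least min_providers enrollees."""
    by_addr = defaultdict(list)
    for p in enrollment:
        by_addr[normalize_address(p["practice_address"])].append(p["provider_id"])
    return {a: ids for a, ids in by_addr.items() if len(ids) >= min_providers}


def run():
    enrollment = load(ENROLLMENT_CSV)
    flags = flag_providers(enrollment, load(LICENSE_CSV), load(ADDRESS_CSV))
    return flags, shared_addresses(enrollment)


if __name__ == "__main__":
    flags, clusters = run()
    for pid, reasons in sorted(flags.items()):
        print(pid, "; ".join(reasons))
    for addr, ids in clusters.items():
        print("shared address:", addr, ids)
```

Two practitioner notes. First, a join on license number is only as good as the key normalization: the example collapses address punctuation and case, and a real run would do the same for license formats across states. Second, every row this produces is a referral for review, not a finding; a shared address is equally consistent with a legitimate medical office building and with a storefront used by several shell providers, which is why the slide pairs analytics with follow-on investigation.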
Slide 24: Case Study: Review of Social Security Disability Benefits
- Highlights GAO's initial application of its Framework to SSA's fraud-risk management model to gauge its maturity
- Focus on disability-insurance programs, totaling $200+ billion in annual expenditures and millions of beneficiaries
- Found the agency's risk model to be evolving and not sufficiently mature to address multiple program risks
- Recommended actions related to risk assessment, anti-fraud strategy, and outcome-oriented risk metrics
- Bottom line: a relatively unserious attempt at fraud-risk management undermines the overall mission

Slide 25: Case Study: Review of Immigrant-Investor Program
- EB-5 grants US residency ("Green Cards") to foreign nationals who invest in job-generating projects, primarily in economically distressed areas of the country
- Explosive growth in applications since the "Great Recession," combined with other enabling factors (e.g., corruption crackdowns in applicants' home countries)
- The program faces multiple internal and external risks (e.g., project-related securities fraud; lack of visibility into the financial and personal backgrounds of applicants)
- Recommendations included performing risk assessments, expanding information collection and data analytics, and reliably reporting on economic benefits
- Bottom line: mitigation efforts do not match up convincingly with the multiple program and national-security risks facing EB-5
Slide 26: Open Discussion
- Revisit earlier matters for further exploration
- Share common experiences and insights
- Other matters of interest

Slide 27: Concluding Thoughts
- Sum up what transpired
- What does it all mean?
- Charge going forward

Slide 28: Addenda
- Addendum 1: Risk assessment template
- Addendum 2: Risk profile template
- Addendum 3: Fraud-risk strategy template
- Addendum 4: Evaluate-and-adapt (strategy) template
- Addendum 5: Most common schemes of health-care fraud in the United States
- Addendum 6: GAO High-Risk List
Slide 29: Addendum 1: Risk Assessment Template
Risk Assessment Process
- Identify the inherent fraud risks affecting a program and its component activities
  - Define "inherent" risks as those that exist absent a management response
  - Answer questions such as: what are the specific risks, what makes them so (risk factors), and where could they occur?
- Quantify the likelihood and impact of inherent risks actually materializing
  - Designate an appropriate quantification scheme for likelihood, e.g., a scale of x to y (such as a percentage)
  - Designate an appropriate quantification scheme for impact, e.g., financial, reputational
- Determine risk thresholds and tolerances
  - Define the threshold (AKA "appetite") as the amount of risk an enterprise is willing to accept in its programs in terms of, for example, incurring financial losses; also define the extent of risk avoidance, sharing (transfer), and reduction
  - Define tolerance as the deviation from the risk threshold an enterprise is willing to accept during the course of program performance relative to the achievement of objectives [see slide 30 for an example of what constitutes "tolerance"]

Slide 30: Addendum 1: Illustration of Risk Tolerance Definition (figure)

Slide 31: Addendum 1: Risk Assessment Template (Continued)
Risk Assessment Process (Continued)
- Examine the suitability of existing risk-mitigation controls
  - Determine whether current controls and measures are appropriate in design and placement for the risks they are expected to mitigate
- Prioritize residual fraud risks
  - Identify the remaining risks, i.e., inherent risks net of mitigation
  - Quantify their likelihood and impact and prioritize them for action
- Compile and synthesize the information gleaned from the assessment process
  - Array the analyses, key findings, conclusions, and action items in preparation for creating a risk profile
Assessment insight: analyze risks within the context of the program's relation to the enterprise's strategic, operational, reporting and compliance objectives, which may occasionally overlap

Slide 32: Addendum 1: Risk Assessment Template (Continued)
Considerations for Risk Assessment
- Customize the assessment to the unique attributes and complexity of the target program: one size does not fit all!
- Perform it systematically at regular intervals, and go "out of cycle" as events warrant: this is not a one-and-done proposition!
- Leverage what is known (quantitative and qualitative information from prior analyses, investigations, etc.)
- Make informed judgments about potential "hidden" and future risks (i.e., speculative extrapolation from known facts)
- Identify and interpret any linkages between risks and determine the cascading effects that exacerbate the original risk

Slide 33: Addendum 1: Risk Assessment Template (Continued)
Considerations for Risk Assessment (Continued)
- Involve all stakeholders who "touch" the program in a substantial way and are familiar with its risks, and incorporate their input as part of vertical and horizontal integration: avoid silos!
- Corroborate testimonial evidence, to the extent feasible, with data and documentation; apply a "reasonable assurance" standard and note analytical limitations and their implications
- Quantify impact in terms of program funds or other quantitative measures at risk; qualify impact in terms of erosion of institutional reputation and public trust
- Create a feedback loop to inform future decision-making

Slide 34: Addendum 1: Risk Assessment Template (Continued)
Key Questions to Inform Assessment
- Is the program (or its components) new to the agency, and what is its level of institutional maturity?
- Does the program have a history of fraud risk, including actual adverse events and deficiencies with material impacts?
- Has an Inspector General or other independent entity found and reported on program risks and instances of fraud?
- How has the agency responded to such findings and recommendations for remediation? What was the impact of the actions taken?

Slide 35: Addendum 1: Risk Assessment Template (Continued)
Key Questions to Inform Assessment (Continued)
- How complex is the program? [Consider complexity the principal driver of risk]
- What is the stakeholder universe, and how does it interact during program transactions (e.g., beneficiaries, providers, suppliers, administrators)?
- What are the program's "mechanics" (e.g., implementing regulations, eligibility rules, administrative processes and procedures, transaction volume, service and payment velocity)?
- In addition to any basic control activities in place, what is the program's internal and external oversight and accountability structure, and how engaged is it (e.g., reviews, approvals)?
- What are the intangibles (e.g., how frequently program rules and authorities change, how aware of and trained on fraud-risk responsibilities staff are, to what extent management can override controls)?
Slide 36: Addendum 2: Risk Profile Template
- A risk profile is the essential input for crafting a comprehensive fraud-risk strategy, which in turn drives the mitigation actions necessary to manage risks proactively
- Creating a detailed profile enables risk owners, among other things, to understand linkages between the various risks and any interacting or cascading (downstream) effects, and to craft targeted responses

Slide 37: Addendum 2: Risk Profile Template (Continued)
Risk Profile Components and Some Key Questions
- Inherent fraud risks: what fraud risks does the program face? Provide detailed descriptions of origins, manifestations, trends, etc.
- Risk factors: what conditions (internal and external) give rise to fraud risks? Describe the extent to which these factors interact to exacerbate risk
- Risk owners: which individuals and/or entities that "touch" the program are responsible for addressing its risks? Establish the chain of command
- Likelihood and impact: what is the probability of each risk occurring, and what are the effects? Use an appropriate scale for each (%, $, L-M-H, etc.)
- Significance: what is the relative importance (criticality) of the risk to the proper functioning of the program? Use an appropriate scale to describe it

Slide 38: Addendum 2: Risk Profile Template (Continued)
- Existing controls: what controls are already in place to help reduce the likelihood and impact of each risk? Map out their placement and sequencing and identify gaps
- Residual risk likelihood and impact: what is the risk net of the mitigating effect of the controls in place? In addition to their effect, evaluate control design and placement
- Residual risk significance: what is the relative importance of the net risk to the proper functioning of the program? Use an appropriate scale to describe it
- Risk response: what additional controls are needed to close gaps and mitigate the net risk? Measure against the risk threshold and tolerance levels established earlier
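The arithmetic that the risk assessment process (Addendum 1) and the profile components above imply is easy to get wrong in a spreadsheet, so here it is carried through end to end in code. This is an added example for this page, not GAO's template or any agency's register: the L-M-H-to-probability mapping, the control-effectiveness figures, the dollar threshold and tolerance, and the three sample risks are all constructed assumptions. It computes inherent exposure (likelihood times impact), residual exposure net of the controls in place, classifies each residual against the appetite and tolerance defined in the assessment, and orders the register for actionable response:

```python
"""Worked fraud-risk profile: inherent exposure, residual exposure net of
existing controls, comparison against threshold ("appetite") and tolerance,
and prioritization. Added example, not GAO's template; all figures are
constructed assumptions."""
from dataclasses import dataclass, field

# Assumed mapping of the L-M-H likelihood scale to an annual probability.
LIKELIHOOD = {"L": 0.1, "M": 0.4, "H": 0.8}


@dataclass
class Control:
    name: str
    effectiveness: float  # assumed fraction of exposure the control removes (0..1)


@dataclass
class FraudRisk:
    name: str
    owner: str
    likelihood: str            # "L", "M" or "H"
    impact_usd: float          # program funds at risk if the risk materializes
    controls: list = field(default_factory=list)

    def inherent_exposure(self):
        """Expected loss absent any management response."""
        return LIKELIHOOD[self.likelihood] * self.impact_usd

    def residual_exposure(self):
        """Expected loss after controls, applied in sequence: each control
        removes its share of whatever the earlier controls left."""
        remaining = 1.0
        for c in self.controls:
            remaining *= 1.0 - c.effectiveness
        return self.inherent_exposure() * remaining


def classify(residual, threshold_usd, tolerance_usd):
    """Place a residual exposure relative to appetite and tolerance."""
    if residual <= threshold_usd:
        return "within appetite"
    if residual <= threshold_usd + tolerance_usd:
        return "within tolerance: monitor"
    return "exceeds tolerance: new controls required"


def build_profile(risks, threshold_usd, tolerance_usd):
    """Return (risk, inherent, residual, status) rows ordered by residual
    exposure, highest first, i.e. in order of actionable response."""
    rows = []
    for r in risks:
        inherent, residual = r.inherent_exposure(), r.residual_exposure()
        rows.append((r, inherent, residual, classify(residual, threshold_usd, tolerance_usd)))
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed sample register for a hypothetical benefits program.
SAMPLE_RISKS = [
    FraudRisk("Billing for services not provided", "Claims Operations", "H", 5_000_000,
              [Control("Prepayment edits", 0.5), Control("Post-payment analytics", 0.3)]),
    FraudRisk("Ineligible applicant enrolled", "Eligibility Unit", "M", 2_000_000,
              [Control("Eligibility verification", 0.3)]),
    FraudRisk("Management override of approvals", "Program Director", "L", 3_000_000),
]
THRESHOLD_USD = 500_000   # assumed appetite: expected annual loss the program accepts
TOLERANCE_USD = 250_000   # assumed acceptable deviation above the threshold

if __name__ == "__main__":
    for risk, inherent, residual, status in build_profile(SAMPLE_RISKS, THRESHOLD_USD, TOLERANCE_USD):
        print(f"{risk.name:<36} owner={risk.owner:<18} inherent=${inherent:>12,.0f} "
              f"residual=${residual:>12,.0f}  {status}")
```

Two design points worth noting. Controls are combined multiplicatively rather than by adding their effectiveness, so two 50% controls leave 25% of the exposure rather than zero; summing would overstate mitigation, which is the failure mode the "evaluate control design and placement" bullet guards against. And a risk with no controls at all (the management-override row) has residual equal to inherent, which makes such gaps stand out in the ordered register even when their expected loss is modest.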
Slide 39: Addendum 3: Fraud-Risk Strategy Template
Key elements of an anti-fraud strategy to delineate (see "leading practices"):
- Why fraud-risk management is important
- Who is responsible
- What is being done
- When implementation occurs
- Which areas are the focus

Slide 40: Addendum 3: Fraud-Risk Strategy Template (Continued)
Leading practices for crafting an effective strategy
Drawing from the risk profile, perform the following:
- Set clear, achievable mitigation objectives, synced with the mission
- Determine resource allocation commensurate with risk
- Establish clear roles and responsibilities for implementing the strategy
- Create a plan to communicate the strategy to stakeholders
- Establish milestones and timelines for implementation
- Establish outcome-oriented, risk-appropriate performance metrics
- Highlight key linkages among prioritized risks and their implications
- Place the anti-fraud strategy in context and link it with other risk efforts (ERM)
- Focus on preventive controls and weigh their costs against benefits
- Design controls and place and sequence them appropriately

Slide 41: Addendum 3: Examples of Control Activities by Core Principle (figure)

Slide 42: Addendum 3: Fraud-Risk Strategy Template (Continued)
Leading practices for crafting an effective strategy (continued)
- Align controls and related activities along the following integrated categories:
  - Verification processes and procedures
  - Data analytics
  - Fraud awareness
  - Reporting mechanisms
  - Employee integrity
- Develop a plan for responding to detected instances of potential fraud
  - Refer instances to Inspectors General, law enforcement, or prosecutors for additional action, resolution and disposition
Slide 43: Addendum 4: Evaluate & Adapt Template
Leading Practices for Evaluating and Adapting Fraud-Risk Initiatives
- Monitor and evaluate all components of fraud-risk management activities
  - Review the risk assessments, profile, strategy, and controls
  - Analyze data from reporting mechanisms and instances of detected fraud
  - Consider changes in the internal and external operational environments
  - Engage with the stakeholder community to obtain third-party insights
- Measure outcomes against the metrics established in the strategy
  - Track and benchmark outcomes against the metrics (as a function of activities and outputs): did the "needle" move in the right or expected direction?
  - Ensure sufficiency of relevant data and of corroborating testimonial and documentary evidence to reach definitive conclusions

Slide 44: Addendum 4: Evaluate & Adapt Template (Continued)
Leading Practices for Evaluating and Adapting Fraud-Risk Initiatives (continued)
- Adapt activities across the full spectrum of the risk management process
  - Use monitoring and evaluation results (e.g., analyses, detected fraud, investigations, adjudications) to update the design and implementation of the entire complement of fraud-risk management initiatives
- Communicate and explain results to all relevant owners and stakeholders
  - This helps maintain engagement with, and ownership of, the fraud-risk management process

Slide 45: Addendum 4: Illustration of "Evaluate & Adapt" Process (figure)
Slide 46: Addendum 5: Most Common Schemes of Health-Care Fraud in the United States
Health-care fraud in federal programs is the focus of extensive audit and investigative activity in the United States.
Top schemes (239 individual schemes in total, based on 2010 data; schemes often occur in combination, so the percentages do not sum to 100):
- Billing for services or supplies not provided (43%)
- Billing for medically unnecessary services (25%)
- Falsifying records in support of a scheme (25%)
- Paying kickbacks to scheme participants (21%)
- Improperly obtaining controlled substances or misbranding prescription drugs (21%)
Extent of complicity:
- Service providers complicit in 62% of cases
- Beneficiaries complicit in 14% of cases

Slide 47: Addendum 6: GAO High-Risk List
- The GAO High-Risk List (HRL) is a biennial compilation of US federal programs at heightened risk of fraud, waste, abuse and mismanagement
- The 2017 iteration includes 34 distinct program areas in need of significant risk mitigation; progress is judged against five criteria that function in combination:
  - Leadership commitment
  - Agency capacity
  - Action plan (strategy)
  - Monitoring
  - Demonstrated progress

Slide 48: Addendum 6: GAO High-Risk List (Continued)
Selected HRL areas of interest:
- Management of IT acquisitions and operations
- Government environmental liabilities
- Strategic human capital management
- Defense financial management
- Defense weapon system acquisition
- Oversight of food safety
- NASA acquisition management
- Enforcement of tax laws
- Medicare and Medicaid health programs