URAC Core 4.0 — The Risk Management Focus Area (C-RM)

Now that we have the history of URAC’s Core module behind us (see my previous posts, “The not so secret history of URAC’s Core module”, “Core isn’t as ‘core’ as we thought”, “Let’s make Core flexible!”, “Version 4.0 introduces a whole new structure”, and “The New Scoring System”), we can dive into the content of the Core 4.0 standards. Naturally, I’ll leave the actual release of the standards, approved by the URAC Board of Directors in April 2017, to URAC. Currently accredited organizations can request a copy of the yet-to-be-officially-released standards from their contact persons at URAC.

What I’ll be doing in this and the subsequent postings is to talk about the Core 4.0 standards module-by-module, both as standards in and of themselves and in the historical context of their predecessor standards, where such predecessor standards exist.

Today we tackle the Risk Management (C-RM) standards.

Guiding Principles

As I mentioned in this post, focus areas and standards, in a sense, emerge in the context of guiding principles. In the case of the C-RM standards, those guiding principles have to do with the promotion of consumer protection and regulatory compliance. As long as I’ve been in the world of URAC (which, as I write this in 2017, is about 19 years), these two principles have been at the forefront of URAC’s interests. What is different in Core 4.0 is that they are clearly expressed and related to the C-RM standards that comprise this module.

The principles also have evolved over the years. For example, while words such as “safety”, “effectiveness”, and “access” have been a clearly expressed aspect of URAC’s advocacy of consumer protection, new words and phrases have found their way into that expression in Core 4.0, such as “dignity” and “disclosure of pertinent information.” This is not to say those concepts are new to URAC, just that they’ve never been so explicitly stated. Similarly, we see a couple of new phrases in the Regulatory Compliance guiding principle: “preventing non-conforming processes” and “manage risks”. Again, not new concepts to URAC, but newly expressed.

Rationale

We also see, in URAC’s Rationale statement, a new emphasis on “value protection” and “proactively identifying, analyzing, preventing, and controlling potential risks.” There’s also a new expressed linkage between consumer protection and compliance that you did not see in earlier versions of Core.

Scope

URAC makes it clear that these standards are not limited to consumer-facing organizations, but, rather, apply to all types of organizations. Further, while the notions underlying risk management should be applied across an organization, URAC is clear that it will focus on the functions relevant to the scope of the particular accreditation being sought. This focus on the scope of accreditation excludes financial and strategic risk from the scope of these C-RM standards.

The Risk Management Standards and Elements of Performance

URAC starts this section with a rather general standard, C-RM 1, requiring appropriate risk management strategies and activities. As will be the case throughout the new URAC standard format, though, the meat will be found in the Elements of Performance (“EPs”).

Scope

The first EP in this module, C-RM 1–1, defines the required scope of the risk management program. In addition to the risks identified by the organization that relate to the functions covered in the applicable accreditation program (e.g., Specialty Pharmacy, Health Plan, Case Management), URAC requires that the risk management program explicitly tackle information, compliance, and business continuity. URAC also requires that this risk management program be more than theoretical, in that it informs choices about management processes.

URAC also throws in a term that is new to URAC, “Risk Intelligence.” Not only must risk data be used in analysis, treatment and planning, but it also sorts out the difference between risks to avoid and risks that provide a competitive advantage. This truly is a new notion for URAC, and will call upon many applicants to up their risk management game.

Structure

C-RM 1–2 defines the required structure for the organization’s risk management program. The written risk management program description must describe goals, strategies to achieve those goals, and the means by which the organization will assess the effectiveness of the program.

Implementation

C-RM 1–3 describes what URAC will want to see as evidence of implementation of the risk management program. The organization will need to present documentation that it collects and reviews relevant information, takes action on identified risk issues, and periodically reviews elements of that program, revising them when appropriate.

Evaluation

In C-RM 1–4, URAC fleshes out what it expects out of the program evaluation required by C-RM 1–3. Such evaluation must assess performance as compared to goals, the intra-organization integration of the risk management program, and the impact on and value to the organization. Note that this EP is entirely a “Leading Indicator”, and therefore will not be required to be met in order to achieve a Full Accreditation.

Information Systems

In C-RM 2 and its EPs, URAC outlines what is expected of risk management in the area of information systems. Veterans of the URAC world will recognize this as an expansion of some of the principles addressed in the existing Core 15 and PHARM Core 15 standards.

C-RM 2–1 fleshes out the details of the minimally acceptable IT risk management program. Risk assessment (now addressed in the current version of Core 15(a)) must address actual or potential risks in the data storage, gathering, and transfer functions. Such a risk assessment must include periodic assessment by an entity that has no stake in the outcome of the assessment. URAC doesn’t specify that this must be an external entity, which suggests that an independent internal entity may be allowed to conduct such an assessment.

This EP also requires that the organization must have risk prevention processes in place that address both access issues and incidents. The EP also describes the requirements to be met in the event of identified gaps or failures in privacy, security, and/or integrity, including analysis, action planning, managing corrective action plans, and periodic monitoring.

Regulatory Compliance

C-RM 3 and its sole EP, C-RM 3–1, turn our attention to regulatory compliance, currently the domain of Core 4 and, for Health and Dental Plan applicants, P-CP 1. URAC has made virtually no change to the compliance program requirements in the current Core modules, requiring:

  • Compliance Officer;
  • Tracking applicable laws and regulations;
  • Internal monitoring and auditing;
  • Prompt response to compliance issues; and
  • Corrective action to prevent future compliance problems.

Business Continuity

The final risk management standard, C-RM 4, and its three EPs step into the shoes of the current Core 14, addressing business continuity. C-RM 4–1 describes the minimum components of the business continuity plan (“BCP”), and is presented in language identical to the current requirements. C-RM 4–2 is specific to organizations applying for any of the pharmacy programs, and specifies that the BCP must include a system to handle emergencies in connection with facilities, services, and products so that pharmaceuticals can be distributed in the event of an emergency.

Finally, C-RM 4–3 fleshes out the existing every-two-year BCP testing requirements, clarifying that both a tabletop exercise and live telecommunications testing are a part of that requirement. Naturally, URAC also expects that the organization will use the results of any BCP testing to fix issues identified in that testing. In connection with this EP, URAC provides a very helpful and detailed definition of what it means by “tabletop exercise”.

So, in sum, the Risk Management section of Core 4.0 is a blend of existing requirements and new concepts, as well as some fleshing out of older requirements.

The next blog post in this series will address the Consumer Protection and Empowerment standards. Stay tuned!

--

Thomas G. Goddard, JD PhD
Healthcare Accreditation and Compliance

I’m the founder and CEO of Integral Healthcare Solutions, a consulting firm focusing on healthcare accreditation.