Dean Dorton – CPAs and Advisors

governance

Article 10.19.2022 Dean Dorton

Anyone who hasn’t just arrived from the Stone Age recognizes the importance of maintaining a healthy cybersecurity program. Healthy things grow, so our cybersecurity efforts should keep adapting to the ever-changing threats that are trying to push our organizations toward extinction.

Doing cybersecurity right isn’t cheap. Most colleges and universities have a dinoburger budget and can’t afford the brontosaurus ribs. How do you get the resources to protect your systems and data? One way is to communicate that some cybersecurity efforts are legally required, and that not doing them can result in the loss of grant funding.

The Gramm-Leach-Bliley Act (GLBA) has been around for years, but it has only had a real impact on colleges and universities for the last 3 to 4 years. Like a cybersecurity program, data security laws need to evolve and adapt to changing threats. The FTC Safeguards Rule, the component of GLBA that governs how customer information must be protected, has been updated. Some of the updates revise prior requirements while others are brand new.

Old rule: Designate the employee(s) responsible for coordinating the information security program.
New rule: Designate a single “qualified individual” (QI) to oversee, implement, and enforce the information security program. The QI may be an employee, an affiliate, or a service provider.

Old rule: Perform a risk assessment.
New rule: Perform a risk assessment and update it periodically. The risk assessment should:
  • include criteria for evaluating and categorizing the risks identified (in practice, this means adopting a cybersecurity framework, e.g., NIST, ISO, or CIS);
  • include criteria for assessing the confidentiality, integrity, and availability of information, including the adequacy of existing controls;
  • describe how identified risks will be mitigated based on the assessment, and how the information security program (ISP) will address those risks.

Old rule: Identify safeguards for each risk identified.
New rule: Identify safeguards for each risk identified. The safeguards must cover access controls, data inventory, encryption, secure application development, multifactor authentication, secure disposal, change management, and monitoring and logging of user activity.

New rule (no prior equivalent): Annual penetration testing, plus vulnerability assessments (including systematic scans) at least every six months, unless the program relies on effective continuous monitoring.*

New rule: Policies and procedures addressing security awareness training and ensuring that information security personnel are qualified and trained.

New rule: Oversight of service providers, addressing the selection process, contract wording, and periodic assessment.

New rule: A written incident response plan.*

New rule: The QI prepares and presents a written report to the board of directors, at least annually, on the status of the information security program and compliance with it.*

There is a new exemption for small organizations. If you maintain student financial aid information for fewer than 5,000 students, some of the new rules do not apply. The rules marked with an asterisk (*) are the ones the exemption waives.

The date for having these controls in place is December 9, 2022. At a minimum, you should be able to demonstrate that the new rules are being met before your next Single Audit is performed in 2023.

Subscribe to Dean Dorton Insights to stay up-to-date with the latest regulatory changes.

Explore IT Audit & Compliance Services

Kevin W. Cornwell, CPA | IT Audit Associate Director
kcornwell@deandorton.com
502.566.1011

Filed Under: Cybersecurity, Higher Education, Industries, Services Tagged With: Cyber, Cybersecurity, Financial, GLBA, governance, regulations, security, Student Financial Aid

Article 09.21.2022 Dean Dorton

Environmental, Social and Governance (ESG) programs have become an important topic for entities of all types. Stakeholders at all levels including investors, employees, and customers want to invest, work, and buy from sustainable entities that are both environmentally and socially aware. ESG programs bring structure to these consumer demands and allow businesses to both improve and boast successes in these areas.

What makes ESG programs unique? They work in any industry. Certain industries like healthcare and higher education have already seen great success by being on the forefront of these programs.

All ESG programs are built around four main pillars:

When establishing an ESG program, entities should first review the overarching goals and core values of the business and explore how those core values are tied to the four pillars of ESG. To get started, many entities will research examples of successful, well-established programs outside their own organization, but we encourage you to look inside your own operations as well. You may be pleasantly surprised at what programs and initiatives are already in place, working toward ESG-specific goals. When establishing your first program, it’s best practice to explore sustainability programs on public company websites to get additional ideas. In fact, the Sustainability Accounting Standards Board (SASB) publishes industry-specific ESG metrics that can assist with establishing your first set of goals.

Measurements around greenhouse gas emissions, diversity (including employee, board, and suppliers), and safety statistics are basic ESG metrics that will help you get started. It’s important to first establish baseline metrics and then work to set goals that will improve those metrics moving forward.

Keys to Success

Here are a few things that are sure to get you off to a successful start in ESG:

  1. Reinforce the entity’s mission – Mission alignment is critical when establishing or optimizing a new or existing ESG program. To gain buy-in from key parties within the organization, your program must align with the core values of the entity.
  2. Make ESG a priority in reporting – Allocating resources to measure and report on ESG will let you back your stakeholder communications with real numbers. Numbers drive business, and by prioritizing key metrics you will have a baseline of information to motivate teams to reach goals. To begin, start with one metric for each pillar. Once your program matures, you can add more, and more detailed, tracking metrics.
  3. Work with passion – Working toward environmental, social, and governance goals can ignite the passions of your workforce. Keep your team involved and informed about your progress and you will see more impactful results.

Frameworks

As of now, most entities are not subject to mandatory ESG requirements; in fact, entities have a lot of latitude in how and when they establish their plans. Because of the lack of regulation, several reporting frameworks currently exist, but there is a widespread expectation that consolidation of reporting metrics, along with real regulations and requirements, could be coming in the near future. In fact, on August 1, 2022, the IFRS Foundation completed its consolidation with the Value Reporting Foundation as it moves closer to comprehensive global sustainability disclosures for capital markets.

Accountability and Assurance

To date, most ESG programs have not been subject to third-party assurance procedures. Without assurance validation, the practice of “greenwashing” has emerged: entities use their ESG programs as a marketing vehicle to promote themselves without any regard for accountability. Embellishing numbers and tracking is unacceptable and could be subject to audit if new governmental requirements are established.

All of the value of an ESG program will be lost if the program is used without regard to integrity, further stressing the importance of establishing reliable tracking earlier in your program launch.

Bill Kohm, CPA, MBA | Assurance Director
bkohm@deandorton.com
859.425.7625

Filed Under: Energy & Natural Resources, Industries Tagged With: environment, Environmental Social and Governance, ESG, governance, Reporting, Social

Article 01.7.2022 Dean Dorton

Environmental, Social and Governance (ESG) has transformed the landscape for health systems over the past few years. Stakeholders have expanded their expectations beyond financial results. Healthcare facilities should be proactive and identify meaningful ESG metrics that will resonate with their stakeholders and employees, which will vary depending on your size, location, and more.

Human resources departments should play an active role in this endeavor, as ESG should be used as a retention and recruitment tool. People want to work for institutions that have a sustainable future. Additionally, the purchasing department needs to be part of the ESG team because of the supply chain’s impact on ESG metrics. Your healthcare organization needs to ensure that your third parties share your commitment to ESG in order to maximize the benefits. For example, you may choose to place product orders with suppliers that also have ESG programs rather than with those that do not.

Here are some ESG areas that healthcare facilities should consider measuring and reporting:

“Environmental” refers to the impact of the facility’s operations on the environment. This includes environmental factors such as energy use, waste management, and water conservation. By tracking and reporting on these metrics as part of their ESG strategy, healthcare facilities can identify opportunities to reduce their environmental impact, improve sustainability, and enhance their reputation among stakeholders.

Some of the key environmental metrics that healthcare facilities should consider measuring and reporting on to support their ESG initiatives include:

  • Greenhouse gas emissions
  • Water consumption
  • Recycling
  • Materials, including plastic use

The “S” in ESG stands for “Social” and refers to a company’s commitment to ethical and social responsibility. It includes areas such as employee welfare, community involvement, diversity and inclusion, and human rights.

In the healthcare sector, social responsibility is particularly important as it involves the care and well-being of patients and the impact healthcare organizations have on the communities they serve. By addressing social factors, healthcare facilities can enhance their reputation, improve employee retention and recruitment, and ultimately improve patient outcomes.

Below are some of the social factors that healthcare facilities can include within their ESG framework:

  • Safety
  • Community impact and integration
  • Diversity and inclusion
  • Investment policies

The “G” in ESG stands for “Governance” and refers to a company’s commitment to transparency, accountability, and ethical leadership. In the healthcare industry, governance is critical and is probably already a part of most organizations’ everyday monitoring. This includes the responsible management of resources and maintaining high standards of patient care in health services.

By addressing governance factors, healthcare facilities can strengthen their relationships with stakeholders, improve financial performance, and ensure regulatory compliance. Included within these governance factors are:

  • Supply chain management
  • Board diversity
  • Policies
  • Long-term strategy

Examples of ESG Principles at Work in Healthcare

Institutions have begun to update investment policies to divest from fossil fuels, divert funds to green initiatives and focus on investments that lean towards diversity measures.

Baptist Health South Florida has focused on sustainability. Their green initiatives include:

  • Green building practices
  • Recycling more than 20 tons of waste per month
  • Paperless purchases
  • Sustainability educational and training events
  • Community outreach to market the importance of sustainability activities

UnitedHealth Group’s Sustainability Report has the following social pillars:

  • Expanding access to care – 85% of members to receive preventive care services annually by 2030
  • Improving health care affordability – 55% of outpatient surgeries and radiology services will be delivered at high-quality, cost-efficient sites of care by 2030
  • Enhancing the health care experience – established a training program with the American Academy of Family Physicians to help family physicians change the culture of health care organizations and improve physician wellness using operational improvements and change management tactics. 200 family physicians will undergo training to lead change for improved clinical well-being.
  • Achieving better health outcomes – close 600 million gaps in care for members by the end of 2025
  • Advancing health equity including equity and diversity in the health workforce – actions include funding scholarship programs for students of color pursuing careers in healthcare, supporting STEM programs in high schools focused on girls and Black and Hispanic/Latino students and using innovation to help hard-to-reach communities receive needed care including improved access to telehealth, mobile medical units, home visits and school-based care programs.
  • Building healthier communities – committing funds to build new homes for seniors and families, all with connections to health and wellness services and social supports.

UnitedHealth Group has a variety of ESG metrics in 2020 including:

  • 6 million employee volunteer hours
  • 41% people of color (U.S. workforce)
  • 37% women in top management positions
  • 627 diverse suppliers with average spend of $849,000 per year
  • 2 directors of color out of 10 directors
  • 6,709 metric tons of waste transferred
  • 19,647 MWh renewable energy use (5% of total energy consumption)

No matter what ESG direction you choose, you need to ensure that your ESG metrics align with your institution’s mission. Additionally, boards should hold management accountable to measuring ESG metrics accurately and for providing regular ESG reports to the board.

Wondering how to get started with ESG for your hospital, physician practice, or medical clinic? Contact us to learn more.

Sources: https://baptisthealth.net/non-indexed-content-folder/old/greening-our-future
https://www.unitedhealthgroup.com/content/sustainability/en.html

Adam Shewmaker, FHFMA | Healthcare Consulting Director
ashewmaker@ddafhealthcare.com
502.566.1054

Filed Under: Healthcare, Industries Tagged With: environment, Environmental Social and Governance, ESG, governance, Healthcare, Reporting, Social


© 2026 Dean Dorton Allen Ford, PLLC. All Rights Reserved