A health care institution’s reputation is a vital, fragile asset
that rests on its stakeholders’ perceptions of the institution’s
quality of patient care and stewardship over the resources entrusted
to it. Quality care and stewardship, in turn, rely on the integrity
of the institution’s reporting: its content, accuracy, relevance,
transparency, and timeliness. At KPMG, we believe more
reliable and relevant reporting is necessary for financial reporting
and reporting on other activities including quality measures. Almost
all of the unfortunate surprises that have hurt health care
organizations’ reputations recently could have been avoided—or at
least anticipated—by more effective risk management and more
transparent reporting.
We also believe institutions are looking to do more to manage their
risks effectively. They are challenged to manage across silos and to
anticipate and prevent risks before they surface as problems. But the
question arises: how should they accomplish this?
Many non-profit health care institutions have been looking at
approaches public companies take in their compliance with the
Sarbanes-Oxley (SOX) Act of 2002 and the New York Stock Exchange’s
requirement for audit committees to be responsible for oversight of
an enterprise’s risk assessment and risk management processes. The
non-profit health care industry has the opportunity to learn from
the experiences of public companies and take a slightly different
path toward achieving a broader and more comprehensive view of risks
across the enterprise and more effective internal controls.
Although SOX does not apply to them, boards and management of
non-profit health care providers are expressing interest in its
requirements and assigning responsibility for risk oversight to the
audit committee or another committee of the board. There appears to be a
growing commitment to tighten up the controls around financial
reporting and to consider broader approaches to enterprise risk
management.
The three major bond rating agencies that cover non-profit health
care all view a "404 controls assessment" as a good practice and
would look favorably upon it. "In light of the changing environment
affecting for-profit corporations and the proposals at the state and
federal level for greater oversight of not-for-profit
organizations," stated Moody’s Investors Service in June 2005, "We
believe that governance will continue to be an important dimension
of credit quality in the not-for-profit healthcare sector. We also
anticipate that the growing complexity of the organizations whose
debt we rate, especially in the areas of operations and debt, will
lead us to ask for greater participation by board members in the
credit evaluation process. We will continue to review and modify our
analytical approach in response to evolution in governance
practices."
In August 2005, Fitch Ratings recommended that non-profit health care
institutions focus on internal-control issues by voluntarily
adopting provisions of SOX section 404. If the institutions do not,
"Fitch will question why section 404 has not been adopted and what
steps have been taken by boards and management teams to document,
assess, and improve internal controls."
And according to Standard & Poor’s, "Implementing appropriate SOX
reform measures may lead to several important and positive
byproducts for not-for-profit hospitals and health systems,
including streamlining communication and decision making surrounding
financial matters; upgrading investments in information technology
to create more efficient business processes; developing an
enterprise-wide risk management program; and promoting greater
understanding on the part of boards and management with respect to
how their hospital and health care-related companies are legally
organized."
One lesson learned in the first year of SOX is that the cost of
complying with the law reflects the comprehensive approach taken to
assessing controls. Public companies and their advisers chose to
assess controls company-wide, in depth and end to end. Typically,
they did not deploy a risk-based approach that concentrated on the
processes and controls where a failure would be most costly and most
likely to occur.
As an alternative, non-profit health care institutions may want to
consider an approach that acknowledges that controls are already
embedded in their reporting, even if they are not tested to the
extent SOX requires. If organizations undertake a comprehensive risk
assessment, consider both business risks and financial reporting
risks, and focus their scarce resources on the most significant risk
areas and the processes underlying them, they may be able to cover
the majority of their financial risks.
In the aftermath of SOX implementation, public companies and their
audit committees are increasingly discussing whether to adopt a more
risk-based approach to SOX, including an effort to gain greater
insight into risk and controls for the company.
The following are five practical methods for effective controls,
strong risk management, and mitigation:
• Conduct a more comprehensive risk assessment–inventory and
prioritize key risks.
• Identify and prioritize key financial reporting processes and
controls.
• Develop a current-year plan for documenting, self-assessing, and
testing internal controls.
• Create a risk committee to look beyond financial reporting risks
to the strategic, operational, and regulatory compliance risks.
• Link overall oversight of risk to the audit committee, and
individual risks to the audit committee, to other committees (e.g.,
finance, compensation, governance, compliance), or to the full board
of directors.
Non-profit health care may be a business where the 80/20 rule
applies. That is, roughly 20 percent of the key processes involved
in running a non-profit health care institution may account for about
80 percent of its most significant risk exposure. By focusing on that
top 20 percent, the organization can address its key risks
appropriately and more effectively than it could with a 100 percent
coverage model.
There are myriad benefits from this journey, but perhaps the
most significant is the ability of organizations to establish a
reporting model that can assess and attest to the quality of care
and stewardship over resources. If such a process can help health
care providers demonstrate their quality of patient care and
stewardship, they should be better positioned to protect and
preserve their reputation.
Terri L. Desiris, CPA is a partner in charge of KPMG’s Wisconsin
health care practice. She can be reached at (414)226-1211 or
tdesris@kpmg.com.