Risk-Based Vendor Management

Welcome to Risk-Based Vendor Management

Session and Presenter Outline:
- Denise Mainquist, IT Auditor & CEO of ITPAC Consulting, will provide a general overview of risk-based vendor management.
- Jessica Johnson, Compliance Officer & Medical Staff Coordinator, Community Hospital, McCook NE, will tell the story of Community Hospital’s development of their vendor risk assessment and transition to an online platform.
- Sara Moshman, CEO of MetaLogic, a software development and data management company that offers a configurable vendor risk management platform called MetaCat, will briefly discuss the key benefits and examples of using an online platform.

Key Benefits of an Online Platform

1. Collaborative, Centralized Record and Document Management
   - Access contracts online with click of a link
   - Instant reports across all vendors
   - Customized forms processing, workflow
   - Manage any kind of data: vendors, contracts, tasks, issues, inventory
2. Consolidated Dashboard with reports across all vendors
3. Smart Management Tools
   - Automated system monitoring of various critical due dates
   - Email notifications of upcoming deadlines
   - Escalation alerts for missed due dates
4. Risk-based Guidance
   - Configure for existing processes or use/modify built-in risk assessments
   - Help with classifying contracts: business associates or covered entities
   - Compliance guidance with respect to incidents, events

Getting Started with an Online Platform

1. Start with Basic Contract Management:
   - Upload existing data from spreadsheets, if available, or hand-enter vendors, contract info, etc.
   - Digitize and upload contracts (not required, but valuable for ongoing ease of access with the click of a link).
2. Determine Access/Permissions Policies:
   - Group-based permissions for what can be viewed/edited (requires a system administrator who controls them)
3. Incorporate Risk Management:
   - Set hospital policies for vendor risk assessments – adjust as needed
   - Rate contract risks based on hospital policies.
   - Configure for existing risk assessments or use/modify built-in risk assessments
   - Customize online forms and workflow for annual reviews, including approvals by management

System Monitoring Example in MetaCat Risk Management

- On 11/1/2019, the system will email the Service Reviewer that it’s time for the review.
- Copies prior year performance metrics for the current review.
- Sets up a “complete-by date” (ex: 12/1/2019 if configured for 30-day completion).
- The system will automatically change the “Next Service Review date” to 11/1/2020 (based on review frequency) to handle ongoing year-by-year reviews.

Example from Community Hospital’s Annual Contract Review Form

Select “Contract Review” to bring up the review form.

Contract Review Online Form

Note the scroll bar. Common evaluation metrics can be automatically added for all contracts, but initial setup may require determining contract-specific performance metrics based on risk level and contract details.

Online Form, Continued: Service Reviewer Workflow Step

When the review is complete, the Service Reviewer checks the “Review Complete, Ready for Approval” checkbox and saves. The system will send an email notification to Service Review Approver 1, letting them know there’s a completed review awaiting their approval.

Online Form, Continued: Approver Workflow Step

Service Review Approver 1 reads the report, advances the workflow, makes any comments, and saves. If a second approver is required, the system will then send an email to Service Review Approver 2 prompting them that a review is awaiting approval.

Annual Reviews Summary in Dashboard

- Note: “Complete by Date” has passed.
- In this case, the Lab Director would be getting alert emails of missed dates.
- Escalation emails can also be configured.

Example of Built-in Classification Guide

Classifying Vendor per each contract (BA, Covered Entity, Other 3rd Party)

1. Select a contract
2. Choose “Classify” from the pulldown menu
Classification Wizard Step 1
Classification Wizard Step 2
Classification Wizard Step 3
Classification Wizard Step 4

The system saves the Vendor Classification and also indicates the Agreement needed, such as a BAA.

Sample of Built-in Risk Ratings

- Scores are automatically added to determine the Risk Level for that category.
- Risk Categories have separate assessments that combine to the final Contract Risk Level.