Protiviti Healthcare Management Consulting



To supplement the 10 questions provided in Issue 128 of Board Perspectives: Risk Oversight, the following additional questions are offered to directors serving on boards of healthcare organisations. We have organised these questions into seven groups: (1) funding/financial controls/labour; (2) revenue integrity/enhancement and compliance; (3) technology, security and automation; (4) supply chain; (5) demobilisation and recovery; (6) patient/employee experience and reputation; and (7) strategy.


Funding/Financial Controls/Labour

  1. Are teams in place to seek out all possible funding sources and, equally as important, ensure the documentation and tracking exists to withstand the rigor of an audit from the OIG or GAO later?
  2. Are our financial controls continuing to operate, and are we staying on guard for increased fraud attempts?
  3. Are processes in place to make sure cash is monitored and that debt covenants are not in jeopardy of being violated? If potential issues exist with respect to covenants, have we requested appropriate waivers?
  4. Have we analysed the COVID-19 financial impact on the organisation, including its cost of capital and borrowing capacity and availability?
  5. Are we ensuring that all furlough strategies are considered and that no duplication exists?
  6. Have we considered how the pandemic’s disruption in the labour market may make it harder to attract and retain the staff we need, especially as we ramp up volumes and shift more healthcare from the traditional hospital setting?


Revenue Integrity/Enhancement and Compliance

  1. Are there processes in place to ensure revenue integrity (clinical documentation, coding, billing, claim nonpayment identification and analysis, analytics to identify revenue leakage, etc.)?
  2. Are we prepared for government/payer audits to defend classification, documentation, coding and billing of COVID-19 patient encounters?
  3. Are we taking advantage of the opportunity to increase telehealth services, and is the technology platform we’re using scalable to meet the spikes in demand?
  4. Are processes in place to ensure compliance when 1135 waivers expire and to produce documentation to support the use of waivers?
  5. How are we monitoring value-based care/risk-based care contracts currently, with the objective of avoiding any potential emergent cases down the road?


Technology, Security and Automation

  1. Are processes in place to monitor for and stop increased cyber attack attempts, especially in new or modified technology environments such as telehealth that have not been tested previously?
  2. Have we implemented processes to safeguard protected health information (PHI) in accordance with HIPAA privacy and security requirements, even in instances where regulators have announced enforcement discretion during the public health emergency (e.g., telehealth, community-based testing centers and business associates disclosing PHI to public health authorities)?
  3. Have large IT projects been put on hold (e.g., ERP, EHR, etc.), and, if so, what is the process to get these back underway if they are mission-critical to our future?
  4. Has our organisation’s IT help desk been able to keep up with demand given the remote workforce’s needs? If not, what are we doing to ensure our people have what they need to do their jobs?
  5. Do our organisation’s IT resources have the right tools/capabilities to address all the personnel changes that may have happened over the last three months and what may likely occur over the next few?
  6. Have we considered the use of robotic process automation or bots to perform duties that are manual in nature to ensure control environments remain stable (e.g., nurse/clinician credentialing, employee and vendor exclusions screenings, etc.)?
  7. Have we considered where we can leverage automation to help free up resources to support critical operations or gain efficiencies, including any new business processes that may have been created in response to the pandemic?
  8. Have we considered how the pandemic can inspire innovative solutions for improving the effectiveness and efficiency of the healthcare delivery model going forward (such as telehealth)?


Supply Chain

  1. Do we conduct risk assessments of third-party vendors prior to onboarding and on an ongoing periodic basis thereafter to ensure we limit our reliance on international and sole source suppliers?
  2. Do we have a supply chain resiliency plan, and if so, are we in the process of updating it to include considerations for securing an adequate stockpile of testing supplies, PPE, treatments and vaccinations, once available, for the ongoing COVID-19 response?


Demobilisation and Recovery

  1. Are solid processes in place to demobilise and recover effectively and to ensure after-event analysis is performed to update emergency preparedness efforts, as needed, in anticipation of the next surge or pandemic event, should it come?
  2. Have we started updating our business continuity plans for every department affected by the current pandemic?
  3. As restrictions lift, how are we prioritising elective procedures, and what does that timeline look like relative to the demand for such procedures?
  4. Have workarounds that were implemented to get through the crisis (e.g., limited coding, reduced purchasing approval requirements, relaxed privacy standards, etc.) been revisited and a plan developed to return to normal operations?
  5. What patient service line disruptions are permanent vs. temporary? Which of these disruptions will thrive going forward, and are we scaled accordingly?
  6. Have we begun processes to document after-event reporting to CMS? Can we get a high-level summary of the reports?


Patient/Employee Experience and Reputation

  1. Is our organisation championing an ethical and compliant corporate culture in the aftermath of COVID-19?
  2. Have we analysed the impact on our reputation, including patient experience, and are there plans in place that allow us to be viewed as a leader in transforming the way healthcare is delivered?
  3. How do we reassure patients that we have a safe environment in which to serve them (e.g., waiting rooms, dining areas, air circulation, enriched oxygen, etc.)?
  4. How are we ensuring the health, safety and well-being of our employees and caregivers?



  1. Have we considered expanding our healthcare delivery footprint through acquisition of smaller physician practises, ambulatory surgery centers, etc., that are interested in being part of a larger organisation in order to better position/prepare themselves for a COVID-19 resurgence (or some other future disruptive event such as another pandemic or dynamic policy changes to our healthcare system introduced by the next administration)?


Microsite Download View: 

Board Perspectives: Risk Oversight

Board Perspectives Promo Hero