Managing Risk with Accurate Records Management

If you can’t prove it, it’s like it never happened. You may be doing everything right: → Asking the tough questions → Escalating red flags → Applying enhanced due diligence But if your record keeping is weak, it won’t matter. When regulators come knocking - or when something goes wrong - it’s not enough to say “we knew this was high risk.” Because when regulators review your AML controls, they don’t just want to hear what you did. They want to see the evidence behind it. And if you can’t show it clearly, consistently, and lawfully, you are at risk. I know documentation isn’t always easy. But strong record keeping is how you protect your firm, your decisions, and your team. Here’s are some good practices: Centralised and secure → All documents stored in one place, with access control. ↳ Case files that tell the full story → Risk identified, rationale for actions, who decided, when. ↳ Aligned with AML + data protection → Retain what’s required, no more. Protect it from misuse. ↳ Built for accountability → Anyone reviewing your files should understand your decisions without too much effort. Let your record keeping speak for your risk culture. Because the real test isn’t doing the right thing. It’s proving you did. Easier said than done?

The Impact of Accurate Documentation: Real-World Examples from an OIG Audit The importance of accurate condition capture and documentation in risk adjustment cannot be overstated. A recent OIG random review of EmblemHealth highlights just how much is at stake when conditions are incorrectly reported—or overlooked entirely. Here are three patient scenarios uncovered in the audit: Enrollee A • Submitted HCCs: 3 • Validated HCCs: 2 • Review Findings: The submitted HCC for Polyneuropathy was not supported by the medical record. • Impact: $1,992 overpayment to the plan. Enrollee B • Submitted HCCs: 2 • Validated HCCs: 2 • Review Findings: While the submitted HCC for Diabetes Mellitus (DM) with complications was not supported, the documentation did validate DM without complications. • Impact: $2,328 overpayment to the plan. Enrollee C • Submitted HCCs: 2 • Validated HCCs: 4 • Review Findings: Reviewers not only validated the submitted HCCs but also identified two additional HCCs that had not been submitted in claims. • Impact: $4,438 underpayment to the plan. The Takeaways The OIG review illustrates several key themes: 1. Documentation Gaps: Unsupported conditions can lead to overpayments, exposing plans to potential financial penalties and compliance risks. 2. Missed Opportunities: Inaccurate or incomplete submissions may result in underpayments, reducing the resources available to care for complex patients. 3. Importance of Proactive Reviews: Comprehensive reviews of documentation and coding practices can identify discrepancies before they escalate into larger issues. A Path Forward: Best Practices To mitigate risks and ensure accuracy: • Train Providers Continuously: Reinforce the importance of detailed documentation that supports all submitted diagnoses. • Conduct Pre-Bill Reviews: High-risk HCCs should undergo additional scrutiny before claims submission. • Leverage Retrospective Audits: These reviews can identify and address both unsupported claims and missed conditions, ensuring accurate risk scoring. The financial and compliance stakes are high. The EmblemHealth review revealed a $552,000 overpayment recommendation from the OIG, with 25% of submitted conditions unsupported by medical records. On the flip side, 65 additional conditions were identified but not submitted, representing missed opportunities for accurate risk adjustment. In risk adjustment, accuracy is everything. How does your organization close the gap between documentation and coding? Let’s connect and share strategies.

Dear IT Auditors, How IT Asset Management Impacts Audit Findings IT asset management shapes the accuracy of almost every audit conclusion. Weak asset records create blind spots that turn small issues into major findings. Strong records improve control design, testing quality, and risk decisions across the entire environment. 📌 Incomplete or Inaccurate Asset Inventory Auditors often find systems or devices missing from the inventory. When assets are unknown or mislabeled, you can’t assess their controls. This leads to scope gaps, inaccurate sampling, and higher residual risk. 📌 Unclear Ownership and Responsibility Every asset needs a defined owner who understands its role, data sensitivity, and risk exposure. When ownership is unclear, controls slip, patching, access reviews, and monitoring lose accountability. 📌 Gaps in Lifecycle Tracking Assets move through procurement, deployment, maintenance, and retirement. If these stages aren’t tracked, you lose insight into security posture and compliance. Orphaned assets are often missing patching, backups, or proper configuration. 📌 Unsupported or End of Life Systems Auditors frequently find applications and hardware running without vendor support. These systems increase the likelihood of vulnerabilities and outages. Document the risk and verify any compensating controls. 📌 Inconsistent Configuration and Patch Status An accurate asset list helps you confirm patch cadence and configuration standards. When asset records are wrong, patch compliance metrics become unreliable. This leads to findings tied to security hygiene and operational readiness. 📌 Licensing and Compliance Issues Poor tracking creates exposure to licensing penalties. Auditors should verify that software usage aligns with purchased licenses. Noncompliance increases financial and legal risk. 📌 Impact on Broader Audits Weak asset management affects ITGCs, cybersecurity audits, vendor assessments, and cloud reviews. You can’t test access, changes, or monitoring effectively when you don’t know what exists. Effective asset management strengthens audit accuracy. It gives you a clear map of the environment and reduces uncertainty in every engagement. #ITAudit #CyberVerge #AssetManagement #ITOperations #RiskManagement #InternalAudit #GRC #AuditLeadership #ITControls #TechGovernance #Assurance #CyberYard

A single IT contract could have cost my friend’s company millions in compliance fines. Let’s talk about someone today. Let’s call him David. David once shared how his company nearly signed a deal for new IT software. And at first, it seemed like the perfect solution! It promised: ✅ Increased efficiency with automated workflows ✅ Cost savings compared to competitors ✅ Seamless integration with existing systems ✅ An impressive demo that checked all the right boxes But before signing, they took one crucial step that exposed major risks hiding beneath the surface. They ran the software through their records management checklist—and what they found was alarming. 🚨 The system failed to meet their data retention standards. 🚨 The contract didn’t clearly define who owned the data created in the software. 🚨 There was no guarantee of secure data disposal after use. Long story short, they dodged a massive bullet. That one checklist helped them avoid a contract that could have exposed them to compliance risks and data governance nightmares. Flashy IT solutions mean nothing if they don’t align with governance and compliance standards. If you don’t have a checklist for incoming IT requests and contracts, start with the basics: ✔️ Data retention policies – Ensure compliance with legal and industry standards. ✔️ Privacy and security measures – Verify encryption, access controls, and secure storage. ✔️ Regulatory compliance – Confirm the software aligns with local and international regulations. A checklist isn’t a formality—it’s your best defense against IT disasters. What’s one red flag you’ve seen in an IT deal? Let’s discuss in the comments! #datagovernance #compliance #recordsmanagement -------------------------------------------------------------- Opinions are my own and not the views of my employer. -------------------------------------------------------------- 👋 Chris Hockey | Manager at Alvarez & Marsal 📌 Expert in Information and AI Governance, Risk, and Compliance 🔍 Reducing compliance and data breach risks by managing data volume and relevance 🔍 Aligning AI initiatives with the evolving AI regulatory landscape ✨ Insights on: • AI Governance • Information Governance • Data Risk • Information Management • Privacy Regulations & Compliance 🔔 Follow for strategic insights on advancing information and AI governance 🤝 Connect to explore tailored solutions that drive resilience and impact

Why is the Records and Information Management Function Crucial to Good AI Governance? The RIM function is crucial to effective AI governance due to its integral role in managing the lifecycle of information, which forms the backbone of AI systems. Key reasons why RIM is indispensable for robust AI governance: 1.     Data Quality Assurance: AI systems depend on the quality of data they process. RIM ensures that the data feeding into AI systems is accurate, complete, and reliable. By maintaining high standards for data quality, RIM helps ensure that AI outputs are based on the best available information, reducing the risk of errors and enhancing the system's reliability. 2.     Compliance with Data Regulations: AI systems must comply with various data protection regulations such as GDPR, HIPAA, or CCPA. RIM manages these aspects by ensuring that data is handled in compliance with legal and regulatory requirements, thereby safeguarding the organization from legal risks and penalties. 3.     Information Lifecycle Management: RIM professionals are experts in managing the lifecycle of records from creation, use, storage, and retrieval to disposition. In AI governance, managing the lifecycle of datasets used for training and operationalizing AI is crucial. This ensures that data is retained only as long as necessary and disposed of securely to prevent unauthorized access or breaches. 4.     Facilitating Audits and Transparency: RIM helps in creating an audit trail for data and decisions made by AI systems. This is essential for transparency, allowing stakeholders to understand how decisions are made. Audit trails also facilitate compliance checks. 5.     Risk Management: By managing records and information properly, RIM reduces risks associated with information mismanagement, such as data breaches, loss of data integrity, and failure to comply with retention policies. This is particularly important in AI systems where data sensitivity and security are paramount. 6.     Supporting Data Accessibility and Retrieval: AI systems require seamless access to relevant data. RIM ensures that data is organized, classified, and stored in a manner that facilitates easy retrieval and efficient use. This not only enhances the efficiency of AI systems but also supports scalability and management of data resources. 7.     Enhancing Ethical Considerations: Ethical AI governance involves ensuring that data usage respects individual rights and societal norms. RIM contributes to ethical governance by managing personal and sensitive information in line with ethical standards and best practices, thus supporting the ethical deployment of AI technologies. By integrating RIM into AI governance frameworks, organizations can ensure that their AI initiatives are responsibly managed, legally compliant, and aligned with broader business and ethical standards. Learn more at InfoGov World https://lnkd.in/gRwtkExh