Skip to Main Content

In light of the recent cyberattacks in higher education across the US, more and more institutions are finding themselves no longer immune to these activities. Security by obscurity is no longer an effective approach—all institutions are potential targets. Colleges and universities must take action to ensure processes and documentation are in place to prepare for and respond appropriately to a potential cybersecurity incident.

Best practices for financial institution contracts with technology providers

As the financial services sector moves in an increasingly digital direction, you cannot overstate the need for robust and relevant information security programs. Financial institutions place more reliance than ever on third-party technology vendors to support core aspects of their business, and in turn place more reliance on those vendors to meet the industry’s high standards for information security. These include those in the Gramm-Leach-Bliley Act, Sarbanes Oxley 404, and regulations established by the Federal Financial Institutions Examination Council (FFIEC).

Who has the time or resources to keep tabs on everything that everyone in an organization does? No one. Therefore, you naturally need to trust (at least on a certain level) the actions and motives of various personnel. At the top of your “trust level” are privileged users—such as system and network administrators and developers—who keep vital systems, applications, and hardware up and running.

Law enforcement, courts, prosecutors, and corrections personnel provide many complex, seemingly limitless services. Seemingly is the key word here, for in reality these personnel provide a set number of incredibly important services.

Best Practices for Educating Your Financial Institution’s Board of Directors on Cybersecurity

According to Cybersecurity Ventures, cybercrime will account for $6 trillion annually by 2021—that’s more than the global trade of all major illegal drugs combined.  Data breaches and other information security events adversely impact organizations through significant losses in revenue, erosion of customer trust, substantial remediation costs, increased insurance premiums, and more.

All teams experience losing streaks, and all franchise dynasties lose some luster. Nevertheless, the game must go on. 

The world of professional sports is rife with instability and insecurity. Star athletes leave or become injured; coaching staff make bad calls or public statements. The ultimate strength of a sports team is its ability to rebound. The same holds true for other groups and businesses.

Any sports team can pull off a random great play. Only the best sports teams, though, can pull off great plays consistently — and over time. The secret to this lies in the ability of the coaching staff to manage the team on a day-to-day basis, while also continually selling their vision to the team’s ownership.

A professional sports team is an ever-changing entity. To have a general perspective on the team’s fluctuating strengths and weaknesses, a good coach needs to trust and empower their staff to discover the details. Chapter 5 in BerryDunn’s Cybersecurity Playbook for Management looks at how discovery can help managers understand their organization’s ever-changing IT environment. 

Just as sports teams need to bring in outside resources — a new starting pitcher, for example, or a free agent QB — in order to get better and win more games, most organizations need to bring in outside resources to win the cybersecurity game.

It may be hard to believe some seasons, but every professional sports team currently has the necessary resources — talent, plays, and equipment — to win. The challenge is to identify and leverage them for maximum benefit.

It’s one thing for coaching staff to see the need for a new quarterback or pitcher. Selecting and onboarding this talent is a whole new ballgame. Various questions have to be answered before moving forward: 

For professional baseball players who get paid millions to swing a bat, going through a slump is daunting. The mere thought of a slump conjures up frustration, anxiety and humiliation, and in extreme cases, the possibility of job loss.

As the technology we use for work and at home becomes increasingly intertwined, security issues that affect one also affect the other and we must address security risks at both levels.

During my lunch in sunny Florida while traveling for business, enjoying a nice reprieve from another cold Maine winter, I checked my social media account.

Read this if you are a State Medicaid Director, State Medicaid Chief Information Officer, State Medicaid Project Manager, or State Procurement Officer—or if you work on a State Medicaid Enterprise System (MES) certification or modernization efforts.

You can listen to the companion podcast to this article now:


Over the last two years, the Centers for Medicare and Medicaid Services (CMS) has undertaken an effort to streamline Medicaid Enterprise System (MES) certification. During this time, we have been fortunate enough to have been a trusted partner in several states working to evolve the certification process. Through this collaboration with CMS and state partners, we have been in front of recent certification trends. 

What is outcomes-based certification (OBC)? 

OBC (or streamlined modular certification) is a fascinating evolution in MES certification. OBC represents a fundamental rethinking of certification and how we measure the success of system implementation and modernization efforts. The prior certification approach, as many know it, is centrally focused on technical capability, answering the question, “Can the system perform the required functions?” 

OBC represents a shift away from this technical certification and toward business process improvement, instead answering the question, “How is this new technology enhancing the Medicaid program?” Or, put differently, “Is this new technology helping my Medicaid program achieve its desired outcomes?” 

What are the key differences between the MECT and OBC? 

To understand the differences, we have to first talk about what isn’t changing. Technical criteria still exist, but only so far as CMS is confirming compliance with core regulatory and statutory requirements—including CMS’ Standards and Conditions. That’s about the extent of the similarities. In addition to pivoting to business process improvement, we understand that CMS is looking to generalize certification under this new approach, meaning that we wouldn’t see the same Medicaid Information Technology Architecture (MITA)-tied checklists like Provider Management, or Decision Support Systems. Instead, we might expect more generalized guidance that would allow for a more tailored certification. 

Additionally, OBC introduces outcomes statements which serve as the guiding principles for certification. Everything, including the technical criteria, roll-up into an outcome statement. This type of roll up might actually feel familiar, as we see a similar structure in how Medicaid Enterprise Certification Toolkit (MECT) criteria rolled up into critical success factors. 

The biggest difference, and the one states need to understand above all else, is the use of key performance indicators (KPIs). These KPIs aren’t just point-in-time certification measures, they are expected to be reported against regularly—say, quarterly—in order to maintain enhanced funding. Additionally, it’s likely that each criterion will have an associated KPI, meaning that states will continue to be accountable to these criteria long after the Certification Final Review. 

How are KPIs developed? 

We’ve seen KPIs developed in two ways. For more strategic, high level KPIs, CMS develops a baseline set of KPIs heading into collaborating with a state on an OBC effort. In these instances, CMS has historically sought input on whether those KPIs are reasonable and can be easily reported against. CMS articulates what it wants to measure conceptually, and works with a state to ensure that the KPI achieves that within the scope of a state’s program.  

For KPIs specific to a state’s Medicaid program, CMS engages with states to draft new KPIs. In these instances, we’ve seen CMS partner with states to understand the business need for the new system, how it fits into the Medicaid enterprise, and what the desired outcome of the particular approach is. 

What should states consider as they plan for MES procurements? 

While there might be many considerations pertaining to OBC and procurements, two are integral to success. First—as CMS noted in the virtual MESC session earlier this month—engage CMS at the idea stage of a project. Experience tells us that CMS is ready and willing to collaborate with—and incorporate the needs of—states that engage at this idea stage. That early collaboration will help shape the certification path. 

Second, consider program outcomes when conceptualizing the procurement. Keep these outcomes central to base procurement language, requirements, and service level agreements. We’re likely to see the need for states to incorporate these outcomes into contracts. 

What does this mean for MES modularity and scalability? 

Based on our current understanding of the generalization of certification, states, and subsequently the industry at large, will continue to refine what modularity means based on Medicaid program needs. Scalability represents an interesting question, as we’ve seen OBC scaled horizontally across smaller, discrete business areas like pharmacy or provider management. Now we’re seeing the beginnings of vertical scaling of a more streamlined certification approach to larger components of the enterprise, such as financial management and claims processing. 

The certification landscape is seemingly changing weekly as states wait eagerly for CMS’ next guidance issuances. Please continue to check back for in-depth analyses and OBC success stories. Additionally, if you are considering an OBC effort and have questions, please contact our Medicaid Consulting team

Article
Considerations for outcomes-based certification

Read this is you are a business owner or an advisor to business owners.

With continued uncertainty in the business environment stemming from the COVID-19 pandemic, now may be a good time to utilize trust, gift, and estate strategies in the transfer of privately held business interests. 

As discussed in our May 26, 2020 blog post 2020 estate strategies in times of uncertainty for privately held business owners, there may be opportunity to free up considerable portions of lifetime gift and estate tax exemption amounts through transfers due to suppressed values of privately held businesses, and the uncertainty surrounding the impact of the 2020 presidential election on tax rates and future exemption and exclusion thresholds. 

An element to consider when building on this opportunity is the ability to transfer non-controlling interests in a business. These interests are potentially subject to discounts for lack of control and lack of marketability. This may further reduce the overall value transferred through a given strategy, potentially offloading a larger percentage of ownership in a business while retaining large portions of the gift and estate lifetime exemption. Let’s focus on the discount for lack of control (DLOC).

Discount for lack of control

In the context of a hypothetical willing buyer and willing seller, the buyer may place a greater value on an ownership interest with the ability to make changes at their discretion, compared to an alternative ownership interest lacking control. Simply put, buyers like to be in control, and they will pay less for the investment if the interest lacks these characteristics. 

When valuing non-controlling business interests there is an inherent discount to full value recognized to reflect the fact that the subject interest does not hold a controlling position. As a result of this discount, the value of a non-controlling interest in a company will differ from the pro-rata value per share of the entire company. DLOCs alone commonly reduce the value of the transferred interest by 5% to 15%.

All else being equal, a non-controlling ownership position is less desirable (valuable) than a controlling position. This is because of the majority owner’s right to control any or all of the following activities: managing the assets or selecting agents for this purpose, controlling major business decisions, asset allocation choices, setting salary levels, admitting new investors, acquiring assets, selling the company, and declaring/paying distributions.
 
Market-based evidence of proxies for DLOCs can be found within the following subscription-based databases (including, but not limited to): 

  • Control premium studies published in the Mergerstat® Review series by FactSet Mergerstat/Business Valuation Resources
  • Closed-end fund data
  • The Partnership Profiles, Inc. Minority Interest Database and Executive Summary Report on Re-Sale Discounts for applicable entity types

In addition to these resources, to fully assess the degree of discount applicable to a subject interest, consider company-specific factors when estimating the DLOC. The degree of control for a subject interest may be impacted by relevant state statutes and the governing documents of the subject company. These factors are analyzed in conjunction with the current operational and financial policies established and implemented in practice by management to establish a comprehensive view on the applicable degree of discount.

Conclusion

Hypothetical business owners are knowledgeable of the facts and circumstances surrounding a business interest. They take a close look at what they are buying before they make an offer. Like most people, they like to be in charge, and are therefore generally not willing to pay the pro-rata value for a minority interest in a business when the interest lacks control. To assess an appropriate discount for lack of control, consider resources such as those referred to above, then ensure the selected discounts are appropriate based on the factors specific to the company and interest being valued. 

Our mission at BerryDunn remains constant in helping each client create, grow, and protect value. If you have questions about your unique situation, or would like more information, please contact the business valuation consulting team.

Article
Discounts for lack of control and marketability in business valuations

Read this if you are a home health agency (HHA).

The Centers for Medicare & Medicaid Services (CMS) proposed rule, CY2021, was published on June 30, 2020. The proposed rule indicates that the Request for Advance Payment (RAP) currently permitted will be eliminated for all 30-day home health periods beginning on or after January 1, 2021. If adopted, this proposed rule will impact the timing of cash flow for HHAs. HHAs will no longer receive an advanced payment, but rather will not be paid until approximately 45-60 days after the period of care has begun. The change in timing of the payment should be considered as part of your HHA’s cash flow forecasting.

Note: Although the RAP payment has been eliminated, HHAs will still be required to submit a zero dollar RAP bill at the beginning of each 30-day period to establish home health services. 

Also included in the proposed rule is a transition from a RAP to a Notice of Admission (NOA) in 2022. This is similar to the Notice of Election under the hospice benefit, since there will no longer be a RAP. It is proposed that HHAs would submit a one-time NOA that establishes care in place of the RAP for the patient until discharged. 

There will be a payment penalty if either the zero dollar RAP in CY2021 or NOA in 2022 is not submitted within five calendar days from the start of care. The penalty is proposed to be a payment reduction of 1/13th to the wage and case-mix adjusted 30-day period of care reimbursement for each day late until submitted, reducing the total reimbursement for patient care. HHAs should be monitoring the timeliness of RAP submissions to be prepared for this proposed change and avoid potential reimbursement reduction if this proposed rule is passed. Read the entire proposed rule.

Please contact a BerryDunn Home Health team member to assist you with evaluating the cash flow impact these proposed changes may have to your organization. 

Article
Medicare Home Health Notice of Admission Proposed Rule CY2021 and its cash flow impact

Read this if you or your government agency may be interested in project management or a project management office.

You may think that PMO stands for Project Management Office, Program Management Office, or Portfolio Management Office, and you would be correct. However, when establishing your PMO priorities, think:
1.    P – Planning and Processes
2.    M – Motivation
3.    O – Operations

Determining where your organization will focus your efforts is fundamental to the successful functioning of the PMO, whether the PMO is well established or just getting started. With multiple competing projects and initiatives, spending some time planning and developing your PMO priorities in the short term will save you time and effort moving forward. 

According to the Project Management Institute’s (PMI’s) research, they reported that "aligning projects and strategic objectives has the greatest potential to add value to an organization.” 

The “value” here must be determined by each organization, but through establishing your PMO priorities early, you promote a culture of project management in order to gain greater experience in project management practices and personnel. This allows for more efficient processes, more focused and flexible project managers, greater scope, schedule, and budgetary control, and ultimately more successful projects implemented.

Planning and processes

The first step in establishing the priorities for your PMO requires planning and evaluating existing processes. Identifying all projects for the upcoming year is an excellent place to start. For each project or initiative, you will want to pull together information that will assist you in the prioritization process. This may include items such as type of project, expected outcomes, aligned strategic objective(s), targeted length of the project, targeted start date, funding sources, types of approvals needed, resource capacity, and risk versus reward analysis. Each organization can make the determination of what kind of information is necessary in this step to make prioritization more streamlined and specific to their current structure and processes.

As new team members enter and exit project work, there is a risk that knowledge transfer of the PMO processes get lost, or deviations in processes begin to occur. PMI notes “high-performing organizations succeed through a strategic focus on people, processes, and outcomes” and 74% of these high-performing organizations are supported by a PMO. Taking the opportunity for continuous process improvement―to review and share the PMO processes and templates with the organization on a reoccurring basis―helps to ensure consistency across programs within the organization. With consistency comes efficiency, allowing your project teams to focus on the work at hand, and not recreate processes. Consistency and efficiency will help streamline administrative activities, improve resource estimates, and increase the likelihood that projects will come in on time and on budget.

Motivation 

The second step in establishing PMO priorities is motivation. Having a working knowledge of your organization will help in this step―knowing what excites or drives them to succeed. Motivating factors may vary for different organizations. For example, if you’re a government entity, the deciding factor in priority may be a legislative mandate. Early identification of your organization’s motivating factors allows you to expedite the prioritization efforts and increase planning time for high-priority projects, including aligning resources sooner. Here are a few ideas to consider when thinking about finding what motivates people in your organization:

  • Durations/meeting timeframes
  • Legislation/mandates
  • Strategic plans and goals
  • Recognition
  • Policy
  • Outcomes/potential impacts
  • Level of risk
  • Return on Investment (ROI)

Operations

The third step in establishing PMO priorities is operations. By outlining operational aspects of the projects before establishing your PMO priorities, you can see the big picture and organizational strategy. Per PMI, organizations which “align their PMO to strategy report 38% more projects meet the original goals and business intent, while 33% fewer projects are deemed as failures.” This allows you to understand dependencies between projects, identify possible duplication or gaps, and plan for resources earlier. Below are a few examples to consider with this step:

  • High-level strategy (will the work be delivered in phases or at the end of the project)
  • Approximate Full-Time Equivalents (FTEs) required
  • Skill level needed for the resources
  • Organizational charts and reporting relationships
  • Approximate cost for the project/initiative

Now that you are aware of the three steps―planning and processes, motivation, and operations, you are ready to begin establishing your PMO priorities. Evaluating all three steps helps ensure you’ve considered everything before prioritizing the work, although some items may clearly have more weight than others. There is no magic formula for establishing PMO priorities, and given the same projects, different organizations would have different priorities. One organization may define and identify project work as high, medium, or low, while another PMO may number projects, with number one being the first project to start. Either way is right. 

The important take-away is for your PMO to develop a consistent methodology as you are establishing priorities now and in the future. 

Does your organization need help establishing your PMO processes, prioritizing, or developing strategic plans? Contact our Medicaid Consulting team for more information on how we can help.

Resources cited

Project Management Institute. PMI’s Pulse of the Profession: The High Cost of Low Performance. PMI.org. Accessed July 8, 2020. https://www.pmi.org/-/media/pmi/documents/public/pdf/learning/thought-leadership/pulse/pulse-of-the-profession-2014.pdf?v=eb9b1ac0-8cad-457f-81ec-b09dbb969a38 
Project Management Institute. PMI’s Pulse of the Profession – 9th Global Project Management Survey: Success Rates Rise – Transforming the High Cost of Low Performance. PMI.org. Accessed July 8, 2020. https://www.pmi.org/-/media/pmi/documents/public/pdf/learning/thought-leadership/pulse/pulse-of-the-profession-2017.pdf 

Article
The 1, 2, 3s of establishing your PMO priorities

Read this if you are a member of a State Medicaid Agency’s leadership team.

Monday’s NESCSO-hosted conversation was a breath of fresh air in our COVID-19 work-from-home experience. Seeing familiar faces presenting from their home offices reminded me that, yes, we are truly all in this together—working remotely, and focused on how best to foster an efficient and effective Medicaid program for our state clients and members. Over the past several years I have written a “Reflections” blog, summarizing the week-long MESC event while flying home. Today, I am posting my reflections on the first forum NESCSO sponsored in lieu of their August conference that was cancelled this year due to the global pandemic. Following are my major takeaways.

The main speakers were Karen Shields, Deputy Director from the Center for Medicaid and CHIP Services, and Julie Boughn, Director, Data Systems Group also for the Center for Medicaid and CHIP Services. There were several other guests that joined in this two-hour forum, some from the Data Systems Group, and some from the states.

Crisis as a learning tool

Karen Shields reinforced that we will be better and stronger as a result of the crisis that faces us, and encourages us to use the current crisis as a learning tool. She stressed the importance of how we are leveraging our creativity and innovation to keep moving forward. She said to start with the end in mind, be a team player, and keep in mind these three important points of focus for CMS:

  1. Share what works, share what doesn’t. Prioritize.
  2. Systems development needs to be agile. Partnership is critical. States needs to be “elbow deep” with others. Everyone is allowed to speak. 
  3. Re-usability is key! Push back on those who say we cannot reuse.

During the Q&A session, Karen discussed how to maintain consistency by turning to action and using lessons learned. Resist the urge to “fall back.” Let’s keep moving forward. She underscored how they will continue the all-state calls as there are lots of topics and conversations needed to explore deficits of need. 

Support systems and policies

Julie Boughn opened by stressing what an important layer of support systems provide policies. She said COVID is not a system issue—the systems supporting the approach to address the virus are working and a big part of contributing to helping alleviate the issues the pandemic presents. She noted an appropriate quip that “Without systems, policies are just interesting ideas on pieces of paper.”

She underscored that healthcare and all that goes with supporting it is never static. The Medicaid arena is in a world of increasing change, requiring the supporting systems to adapt to make payments correctly and facilitate the provision of benefits to the right people. CMS has been focused on, and continues to bring our focus to outcomes, especially in the IT investments being made. Promote sharing and re-use of those investments.

During the Q&A, Julie reinforced the priority on outcomes and spoke to outcomes-based certification (OBC). There was a question on “What happens to modularity in the context of OBC?” She said that they are completely compatible and naturally modular, and to think about how a house can be built but not be completely done. Build the house in chunks of work, and know what you’re achieving with each “chunk”. Outcomes are behind everything we do.

Engage with your federal partners

In the next presentation, CMS modeled a dialogue that demonstrated how states can engage with their federal partners. CMS wants to continue changing the relationship they have with states. They also reminded the audience of what CMS is looking for; as Ed Dolly, the Director for the Division of State Systems within the Data and Systems Group said during the conversation, “Do you understand the problem trying to be solved?” Define your final outcome, and understand that incremental change drives value. In addition to communicating the problem, focus on speed of delivery (timeliness), and engage in back and forth exchange on what best measures can be used, as well as the abilities to capture the measures to report progress. The bottom line?  “When in doubt, reach out!”

The remainder of the forum featured representatives from the State System Technology Advisory Group (S-TAG), Private Sector Technology Group (PSTG), and Human Services Information Technology IT Advisory Group (HSITAG). They discussed a variety of IT topics.

Technology outlook

The S-TAG had representation from an impressive list of states—West Virginia, Washington, Wyoming, Vermont, and Massachusetts. They spoke to how they envision their technology response to changes in policy now and in the next 12-18 months. There was too much to present here, and I recommend reviewing the recording once NESCSO posts it. Initiatives included: Provider enrollment, electronic asset verification, electronic visit verification, integrated eligibility systems, modularity implementations, migration to the cloud, pharmacy systems, system integrator, certification, strategic planning, electronic data interchange upgrades, payment reform, road map activities, case management, care management, T-MSIS, and HITECH.

HSITAG spoke about the view across the health and human services spectrum—Where are we today? Where will we be tomorrow? COVID has tested our IT infrastructure and policy. Is there an ability to quickly scale up? Weaknesses in interoperability became exposed and while it seemed Medicaid was spared in the headlines, the need to modernize is now much more apparent. Modularity showed its value in more timely implementations. There is concern over an upcoming increase in the Medicaid population. Are we equipped for the short term?

For the long-run, where we will be “tomorrow” in the 12-18 month view, there will be a bigger dependency on the interrelations between all programs. Medicaid Enterprise Systems can and should look at whole systems, focusing on social determinants of health. Data and program integrity will be key, as the increased potential of fraud in the midst of challenging state budgets. We will need to respond quickly with limited resources.

Keep relationships strong

PSTG spoke of how when COVID hit, it caused them, like the rest of us, to modify their goals. They spoke about relationships and the importance of maintaining them with clients and colleagues, questions of productivity, what things that we have learned will we carry into the post-pandemic era, will we remain flexible, and how will we “unwind” all the related changes that will not be carried forward. Looking forward, PSTG wants to support the growing of the outcomes-based culture, evolve the state self-assessment (currently an active workgroup), and how to be less prescriptive to allow for more flexibility on “how” vendors get to solutions.

I was grateful to be able to join this event, and hear that we are in this together—we will get through it and we will keep moving forward. I felt this was a good start to what I hope will be the first of many MESC 2020 forums. The session felt like it ended too quickly even though we covered a lot of ground. I am excited about the thought of hearing about new ideas, improving our understanding of upcoming changes CMS is sponsoring, and engaging in the innovative thought that will keep us moving toward a better tomorrow. Thanks to NESCSO for sponsoring this event and bringing us together.

Please contact our Medicaid Consulting team for more information on if you have any questions.

Article
MESC 2020: Where we are today and where we will be tomorrow