AccelPro | Audit
On Creating a Vision and Strategy in Risk Management

With Chris Chung, SVP Business Assessment and Chief Audit Executive at The Doctors Company | Interviewed by Alizah Salario

Listen on Apple Podcasts, Spotify and YouTube

Welcome to AccelPro Audit, where we provide expert interviews and coaching to accelerate your professional development. Today we’re featuring a conversation with Chris Chung, SVP Business Assessment and Chief Audit Executive at The Doctors Company, the nation's largest physician-owned medical malpractice insurer.

Chung, who previously worked at PwC for seventeen years focused on enhancing governance, risk and compliance activities, has a comprehensive idea of risk assessment. Having worked across sectors, Chung recognizes that risk can’t be boiled down to a single number.

Auditors, he says, benefit from implementing a strategic approach to risk management that weighs impact, likelihood and other factors in a systematic way. That, he says, can help business leaders recognize why “risk and opportunity are two sides of the same coin.”


TRANSCRIPT

I. RISK ASSESSMENT AND STRATEGIC PLANNING

Alizah Salario, Host: Chris, you're currently at The Doctors Company, which is the nation's largest physician-owned medical malpractice insurer. I'd like for you to start by telling us about how you approach risk assessment at the company.

Chris Chung: I think that understanding the company's strategic objectives and priorities really helps us think about the specific risks and also the opportunities, which might be relevant to the organization and in our sector.

I know you asked about risks, but I like to use the term opportunity alongside risk, as I believe that they are really two sides of the same coin. By thinking about the organization's strategic objectives and priorities, we're able to focus our risks and opportunities on the things that matter, the things that are really relevant. And being integrated into the organization's strategic planning process is really instrumental to identifying the right risks.

But before I even talk about identifying those risks using the strategic plan, I like to think about the mission. At The Doctors Company, our mission is to advance, protect, and reward the practice of good medicine. We serve those who provide care, and knowing this really helps to create a common thread by which we think about our strategic objectives, and ultimately, that influences our risk management approach.

AS: So thinking about that mission to provide quality care, touch on the other controls that are related to managing risk. What criteria do you use for evaluating and prioritizing the risks that you find at the company?

CC: I like to think about controls to risks as what to do about the risk. Do we want to accept the risk, avoid it, transfer it, or perhaps even mitigate it? And while we can't always accept, avoid, or transfer risk, we can choose to create mitigating activities to reduce the risk to an acceptable level. And we find ourselves doing that quite a bit. 

I'd like to talk a little bit about how we identify risk, and we do that through a series of meaningful conversations with our key stakeholders across the organization. Our annual enterprise risk assessment helps us to identify and prioritize risk, often using a measurement like impact or likelihood. 

The impact of the risk might include both a quantitative and qualitative consideration, which is then assessed alongside the likelihood of a risk occurring to come up with an inherent risk score. This risk gives us a common baseline by which we can then assess the importance of key risks across the organization.

But like anything else, the score is just a number, and the best programs combine, I think, a combination of both the quantitative and the qualitative. You might call it both an art and a science, and ultimately we use all of that to make the appropriate determination on the significance of risk. Now, having said all of that, the one thing that I've learned over the years is not to get too hung up on the inherent risk score.

You're going to find a situation in which somebody in management, or on the board, or somebody that you're working with will look at the final risk map and go, you know what? I want that to be a little bit higher on the risk scale. We think that's a stronger risk, or we think that's a weaker risk. And ultimately, what you end up doing is you go back, and you re-manufacture the score to fit that result, which sort of defeats the purpose of the exercise.

So instead, I like to work with leaders to focus on four quadrants. I think about impact on the y-axis, and likelihood on the x-axis. The bottom left quadrant is low impact, low likelihood—basically, those risks we generally tend to be aware of, but may not have to do a lot about. Those that are high impact and high likelihood, the quadrant on the top right, are those that we should probably actively manage and monitor. And those in the other two quadrants are those that we would probably want to keep an eye on. 

I find that the simpler way of thinking about risk management helps us prioritize more efficiently, and also provides a nice visual on those risks which might be emerging. 

AS: It's really interesting that you have that visual, and one thing it makes me think about is trying to keep your risk assessment current and relevant.

CC: Of course, there are events which will undoubtedly change our initial assessment of a risk. Oftentimes, we don't know until that happens, but when it does, the most important thing that I think about is whether or not we have a process to adjust those risks, and have a process by which to do something about it. 

Good examples of this include the bank failures from earlier in the year, the emergence and prevalence of AI more recently, and certainly unforeseen climate events. We also conduct something we call risk modeling, which we use both internally and provide to our outside regulators to assess our solvency. That's something that's particularly important for insurers. 

AS: I want to circle back to something you said at the beginning about risk and opportunity being two sides of the same coin. We know that auditors are generally focused on identifying potential weaknesses and risks, but you suggest reframing this approach and looking at those opportunities, or areas of optimization instead. Can you unpack that a little bit?

CC: A mentor told me that risk and opportunity are two sides of the same coin. And when I heard that, it took me a minute to process it. But eventually, once I understood what that meant, it really helped shape my thinking about how we approach risk management overall.

Oftentimes risk conversations used to focus on questions like, what keeps you up at night? But this thinking about risk and opportunity shifted that question into those like, tell me about your specific goals for the year? What do you need to be successful? By asking questions in that way, we begin to shift the conversation. 

Instead of a point in time reaction where the particular participant remembers the downside risk of what they're thinking about in the moment, it’s a conversation about their goals, which is obviously grounded in the organization's strategic objectives and priorities. The conversation becomes much more engaging, the details are more rich, and the outcome is a longer list of those things needed to achieve success. 

We can now ask the inverse question, which is generally, “What are the inhibitors to achieving success?” which essentially become your risks. So, two sides of the same coin. We just went about it in a different way that allowed people to feel comfortable to open up and talk about them. 

AS: You bring up a really good point about inhibitors to achieving success. Can you break that down for us? What are some of those things that people might not see, but that become clear when you conduct a risk assessment?

CC: Let’s really simplify it. If I were to ask you what one of your priorities for this year is, you might tell me that one of them is to successfully execute these interviews, and do it with high quality content. If I were then to flip that on its head and ask you, “Well, what might inhibit you from doing that?” You might say the participant not being prepared, the interview not going as planned, or even technology issues. Those are essentially the risks you face when conducting this interview, and you can choose what to do about those risks.

For example, you might mitigate the risk of the participant not being prepared by ensuring that both of you are aware of the topics and have set aside some time for preparation. You might transfer the risk of technology issues by working closely with an audio engineer before, during, and after the session. And because you put those guardrails into place, you could take more risks. And as a result of taking those risks, the outcome is positive. The outcome is strong. While I know that's not specific to the industry, it provides a practical and tactical perspective on how to apply the idea.

II. COMMUNICATION AND PARTNERSHIPS 

AS: Sometimes auditors and executives speak a different language. When an auditor is trying to communicate this risk-related information to relevant stakeholders, to management, and the board, how can they articulate it in a way that resonates and actually creates change?

CC: It's a great question because while auditors, by their function, need to try and understand the business at large, I think that's not necessarily the mandate of the business to do the same. I think that we try to find a common language through sharing awareness of the function as it might be perceived, as an audit function, and then build on that. 

We start with this idea of audit, or at least try to clarify what audit means—I like to refer to it as assurances. And then once we've shared what that role is, we then start to shift to the other things we do.

And every organization is different. To break the perspective that we're just auditors, the vision and strategy for building and enhancing the function starts with the perspective that we bring assurance, advisory, and risk management capabilities to the company. Assurance is about audit, doing the things that are required from a regulatory or compliance perspective, and also reviewing things for operational purposes to enhance how the business runs.

Advisory is about providing consultative advice. And sometimes that's an assessment and recommendation for a specific area, and other times that's building programs from the ground up. And of course, we've talked about risk management quite a bit. 

Finally, I find that the most common language that is well understood across the organization is the organization's strategic objectives and priorities. 

AS: We can't talk about this field without talking about technology and how it's changed the way the company manages risk. Can you be specific about how that works at The Doctors Company? How does technology play into your own approach to risk management?

CC: Technology can be incredibly helpful, in particular because we have so many risks, and what we call so many mitigating activities. It becomes overwhelming to try to track all that manually. And many companies do, but technology instantaneously accelerates and organizes, and in many ways, streamlines how we approach and manage our risks.

It enables us to sort risk information, respond to it, and have some dashboarding capability. So it really supports a lot of that risk management, but also supports what we do in our audits.

Our company partners with AuditBoard, which is led by a hands-on, customer-obsessed CEO. And what's great about AuditBoard is that they're willing to partner with their customers to build a strong technology platform based on the common needs of the audit and risk practice, and they also work with us to develop new ideas.

AS: I want to shift our focus to governance. Can you provide some examples of how you implement these risk management tools so that risk oversight and integrity, and even the efficacy of the function is maintained?

CC: Like many organizations, internal audit and risk management here has a dual reporting function: first to the audit committee chair and also to a management executive. Like a three-legged stool, it's really important that there's enough strong support and balance between the audit committee, the management executive, and the audit leader to ensure that the function can achieve its goals—to be able to support the weight on the stool, if you will.

This model not only provides clear oversight to enhance governance over the function, but also its efficacy through alignment on key directives. We have an exceptional board, and our Audit Committee Chair, Ellen Masterson, not only brings her collective experience in serving clients in her former role as a PwC partner, but she's also a great advisor, an advocate, and a partner of the internal audit function.

III. PROFESSIONAL DEVELOPMENT 

AS: Like many in the field, you hold various certifications and I'm curious about your professional development and why it's important to you and how it makes the company more resilient?

CC: I do believe that certification is important, but I also think that staying relevant through continuing professional development can be just as, or more, important. It keeps you informed and allows you to engage with stakeholders from a position of awareness and understanding, and also to stay current. 

I'm a big believer in learning for the sake of being curious first, then for the benefit of your interactions. If done right, I believe that the credential will follow. In other words, the certification becomes more of what you are already doing versus the certification being the thing that you're trying to achieve.

In addition to continuing professional education, I'm a huge fan of staying connected and learning from your peers. Those may be peers in industry or the profession, but engaging with them on a regular basis is important. They give us perspectives outside of our own thinking and the organization.

AS: I want to dig into your experience at PwC. There, you focused on enhancing governance, risk, and compliance activities. How specifically does that inform your work now at The Doctors Company?

CC: I feel like I had so many different jobs or experiences while at PwC from auditor, to consultant, to risk practitioner, and even a bit of strategic finance.

And what I learned is that I don't have all the answers. What may work for one client may not work for the next. Each client's perspective, the differences in organizational makeup, the management philosophies. The culture that I mentioned before really exhibits a unique DNA, and that unique fingerprint allows audit and risk practitioners to learn and glean insights, and build on that knowledge to bring a better perspective to the next interaction.

AS: Let's talk about that diversity for a moment. How can companies approach recruitment to bring in a greater diversity of talent? And right now, there might be some barriers to attracting candidates of different backgrounds. Do you think there's a better way to create that diversity?

CC: Diversity is so important to building strong teams and resilient organizations. Much like the example of working with diverse clients, hiring diverse talent, I think, can make all the difference. And when building the teams, I look for individuals that can share my point of view, but more importantly, also those that I can often share disagreements with. I look for diversity in a broader sense, which often helps bring differing backgrounds and experiences to create a more interesting and high-performing team.

I think that oftentimes, the challenge for candidates is trying to figure out whether they will have advocacy on the diverse perspective, or whether they'll fade into a normative culture. Advocacy done in the right way is absolutely a must, and, I think, an accelerator to grow future leaders, one that brings a holistic point of view, whether that is at the highest levels leading an organization, or as part of a team to solve problems.

AS: That makes me think about the importance of not only advocacy, but having mentors. It sounds like you're a mentor to others, but I'm curious about who has mentored you and who you turn to when you're facing a dilemma.

CC: I've had the opportunity to work with professional career coaches, both inside and outside of the professional space, informal mentors and peers that I've connected with. But the one that really stands out in my mind is a gentleman named Tim Ryan.

Tim was until recently the U.S. firm leader of PwC. And as you can imagine with that title and role, it meant that he had scarcity of time. I was several layers removed from him at the time and so with that context, it was unfathomable that he would have the time or be in a position to coach or mentor me. 

But I had an opportunity to work with him on a common client where he was a senior relationship partner. And around the same time, my then coach and mentor transitioned to another market. In many ways, it was a perfect time to ask whether or not he had the time or the interest in taking on another mentee.

Naturally, I was prepared for him to say, “Thanks for asking, but here's why I can't.” I was absolutely surprised in a pleasant way when he said, “Yes,” without hesitation. I told myself that we'd have to work around a schedule and if I could be flexible enough, that this could be a tremendous opportunity to learn from a leader with so much experience.

I was particularly impressed that he always found the time, and that often meant my evening on the West coast and even later on his East coast. However, what I remember most was his level of commitment, investment, dedication, and passion for coaching and mentoring and providing candid perspectives, which I asked for, of course, made all the difference.

What I learned from him in the years working with him has helped shape my career and thinking today. And I hope that one day I can continue to do the same for others.

AS: Finally, when you're not thinking about audit, what do you like to do?

CC: Like many, I picked up golf during the pandemic. I love that it's always green, it's outdoors, and as you might not expect anything less coming from an auditor or a risk management professional, it's a self-governing sport. You know if you don't count every stroke, if you cut corners. And interestingly enough, there's a ton of risk and opportunity trade-offs. Do I want to hit the ball over the water and accept the risk of it going in? Do I mitigate that by using a longer club? Do I avoid that altogether by going around it? I suppose I didn't realize that I’m practicing risk management in my game, but there you have it.


This AccelPro audio transcript has been edited and organized for clarity. This interview was recorded on November 2, 2023.

AccelPro’s expert interviews and coaching accelerate your professional development. Our mission is to improve your day-to-day job performance and make your career goals achievable.


Send your comments and career questions to questions@joinaccelpro.com. You can also call us at 614-642-2235.

If your colleagues in any sector of the audit field might be interested, please let them know about AccelPro. As our community grows, it grows more useful for its members.
