When enterprise risk management met internal audit

Parkview Health is a 15-hospital health system based in Fort Wayne, Indiana. Parkview historically ran its enterprise risk management and internal audit departments as two separate, distinct functions with little coordination between the two. 

That changed in 2023 when Holly Lee joined the health system as its new Vice President of Internal Audit. Lee began her journey to integrate the two disciplines with the goal of the two working hand-in-glove to elevate the performance of each.  

We spoke with Lee about the disadvantages of the past, current state of the integration, and the advantages of the future that will come from operating enterprise risk management and internal audit as one unit. 

Eesley: Tell us a little about how Parkview operated these two big areas—enterprise risk management and internal audit—in the past. What did that look like before you arrived? 

Lee: Both of them were fully functioning programs that operated for the most part independently. When I joined Parkview, Internal Audit had recently transitioned to reporting under the Chief Legal and Compliance Officer. This aligned Internal Audit with Compliance, Legal, and Risk Management, which were already part of that structure. Prior to the transition, Internal Audit reported directly to the CEO, and each function largely operated independently, within its own scope and cadence. 

Bellelo: Tell us about some of the disadvantages of that previously siloed structure. 

Lee: Insights from enterprise risk management and internal audit did not consistently come together as a unified enterprise view. Connections across clinical, operational, financial, and market perspectives were often addressed independently rather than holistically. 

Eesley: How did that disconnect manifest itself? Can you give us an example? 

Lee: Fragmentation was the main challenge. Before I became an internal audit leader, I was in operations. One of the most frustrating things to deal with was to be audited on the same thing by different groups. Having multiple parties reiterate the same information, insights you already know or initiatives already underway, can be both frustrating and inefficient, ultimately limiting the value of the engagement. It often raises the question of why these perspectives were not aligned beforehand. 

That’s part of my approach coming into Parkview, having been audited more than I've audited. I want to bring people together in a formal way. Not just talking or sharing, but really decreasing disruption and increasing value by working together and coordinating what we do. Collaborating in a formal, more meaningful way. Turning down the noise that assurance activities can create for an organization, which in itself is a risk.

Bellelo: Can you describe this new integrated assurance model you’ve moved to? What are some of its most important attributes? 

Lee: Integrated assurance is not new. It’s rooted in the IIA’s (Institute of Internal Auditors’) global internal audit standards. What we did that may be a bit different is that we’re using that term—integrated—intentionally. Integrating so we’re coming together to create a shared environment—shared risk register, shared risk language, shared scoring, shared risk assessments. Take internal audit, take ERM (enterprise risk management), take compliance. Three areas that, when you go into revenue cycle, the three components are there. They’re present. Why not bring them to the party all at once? 

We’re integrating the assurance work in a very intentional way. I've talked with other organizations. They have ERM, and they have compliance and internal audit, and they collaborate. But we’re truly intentional when we use the word ‘integrated.’ It’s not just the name for what we’re trying to do. 

Eesley: How are you operationalizing your integration? What are the vehicles in which this integration is taking place? Weekly meetings? Regular calls? Shared IT systems? Shared dashboards? 

Lee: We’re in the very early stages. We want to build a solid foundation before adding technology and dashboards. We started with something simple; we formed an integrated assurance collaborative. It’s a formal working group that meets regularly. We’ve partnered with Kodiak to build an enterprise risk assessment tool as part of that foundation. This would be one risk assessment that supports compliance and internal audit and ultimately feeds into ERM. 

When you look at standards for integrated assurance—risk taxonomy, risk register, mapping of assurance activities—they are foundational. Let’s connect rather than duplicate them. You don’t need separate risk assessments for ERM and internal audit. If we’re truly integrated, we can use the same risk assessment for multiple purposes and turn down that noise that interferes with operations. 

Bellelo: You said you’re in the very early stages of this integration. How far along are you on this journey? Ten percent? Twenty percent? And when do you think you’ll be fully operational? 

Lee: Very early. We started pulling this all together last year, especially given the growth that Parkview is experiencing. How do we maximize the value we deliver with the resources that we have? Often, that’s reducing duplication and gaining synergies and efficiencies in the work we’re already doing. We’re at the building block stage with the collaborative. We’re working with Kodiak to reimagine risk assessment and leverage that with our assurance partners: compliance, internal audit, and ERM. 

The work we’re ready to do now is possible because we’ve built relationships, seeking to understand the pain points that our organization, other providers, and our partners have. So, 10% if I put a percentage on it. Our goal is to open 2027 with fully functioning integrated assurance being the foundation of our ERM program. 

Eesley: When your integration is fully functioning next year, what new capabilities, or superpowers, do you think you’ll have? What are some of the things that you’ll be able to do that you couldn’t do before? 

Lee: The biggest thing we’re seeking to achieve is moving from a reactive to a proactive posture. That’s the main superpower we want to gain through this enterprise-wide risk lens: the ability to anticipate risk, align assurance earlier, and support leadership before issues evolve. To have earlier visibility into patient safety, access, and regulatory risk because we're bringing all of the risk intelligence to the table at one time. 

The other superpower would be the ability to destroy duplication. No one likes to duplicate work that’s already been done. Proactive risk identification and the elimination of duplication: Those will be our two biggest superpowers. We want to move from finding out what’s happening to seeing it coming and only doing that once. 

Bellelo: What are the benefits of your new capabilities? How are you going to use your superpowers? What are you going to see first? 

Lee: We’re a growth organization right now. We want to use our new superpowers to get ahead of some of the challenges that come with growth. Those are some of the risks we want to see coming first. They could be related to financial headwinds, market expansion, and access. They could be related to patient safety. They could be related to workforce.  

As we grow, we need to understand and assess all relevant potential risks. If we can build that into our decision-making process, we can make our decisions that much stronger. That’s what I see as the first benefits of our new capabilities. 

Eesley: How do you plan on measuring the success of the integration? What KPIs are you going to use to see if your superpowers are generating the desired benefits? 

Lee: We don’t have anything formal yet, but first and foremost, we want to focus on value—the value we’re bringing to the teams, to our leadership, to other stakeholders, and to our organization. We would capture that through surveys with those we’re engaging with. We can say we’ve accomplished this or reduced that by a certain percentage, but none of that matters if we’re not creating value for the people we serve. And if what we’re doing doesn’t align with a strategic priority of the organization, then we probably shouldn’t be doing it. 

Bellelo: What role is Kodiak playing in all of this? Why did you partner with us? 

Lee: We reached out to Kodiak because of the long history and successful partnership we’ve had with you through RCA (Revenue Cycle Analytics). Internal Audit needed a partner who can build the plane and fly the plane at the same time. You’ve proven your data analytics capabilities in the industry. Your reimagined risk assessment is exactly what we needed. We knew this would be both a comfortable and successful partnership.

The time to shift from risk assessment to risk intelligence is now. Contact us to learn more.