Delta Dental: Modernizing Internal Audit through Collaboration

Delta Dental of Michigan had the foundation of a good risk program and internal audit process, but wanted a more mature and collaborative GRC program. Here's how they used LogicGate Risk Cloud and IIA's Three Lines model to get the job done.



More than 90% of dentists in Michigan contract with Delta Dental of Michigan, a member of Delta Dental Plan Association and a leading provider of dental benefits in the U.S. The organization carved out that dominant competitive position in part through a significant investment in technology.


Delta Dental of Michigan had the foundation of a good risk program and internal audit process, but wanted a more mature and collaborative GRC program that could both better capture risks and add value to the firm.


  1. Created a real-time, integrated view of risks
  2. Proactively managed existing and emerging risks while also reducing costs.
Location: Okemos, MI

Employees: 500+

The Delta Dental plans are members of the Delta Dental Plans Association, a nationwide system of independently operated dental health service plans. Together, the plans provide coverage to more than 83 million Americans and operate two of the nation’s largest networks of participating dentists.

Delta Dental of Michigan and its affiliates provide easy, secure online access to benefits information 24/7, including eligibility, up-to-date benefits information, claims history and more. In 2020, Delta Dental of Michigan processed 14.4 million claims, with 98.7% processed within 10 working days.

That’s a lot of sensitive data, and making sure it all stays secure requires robust firm controls. After all, the technology powering all of that processing is the key to Delta Dental of Michigan’s industry-leading competitive position.

The responsibility for controls assessment falls to Delta Dental of Michigan’s Internal Audit Manager, Kyle Hebert. Kyle joined Delta Dental of Michigan in 2020 with over a decade of experience in internal audit (IA). His charge: Take Delta Dental of Michigan’s run-of-the-mill internal audit process and mature it into an industry-leading model of collaboration.

But as Kyle dug into Internal Audit’s processes, he saw a group with an identity crisis: IA had a multitude of responsibilities, but little authority. IA was not only expected to carry out their traditional, risk-based HITRUST and SOC audits, but they were also covering first- and second-line duties typically performed by compliance and operations teams at other companies. 

Despite that wide scope, they rarely got a seat at the table. Audit reports were regularly submitted and reviewed at the Audit, Finance, and Risk Committee without IA being invited to participate. And there was little follow-up or remediation of gaps or identified areas for improvement.

For Kyle, modernizing Delta Dental of Michigan’s Internal Audit meant overhauling his own group’s role and responsibilities along with those of Delta Dental of Michigan’s Compliance, Risk Management, and IT groups. He decided to use the Institute of Internal Auditors (IIA) Three Lines Model to improve the firm’s operations with better risk-based decision-making, cross-divisional collaboration, and greater accountability. But doing so would require a cultural shift in addition to the organizational shift.

Fortunately, he didn’t need to start from scratch: He’d accomplished the same thing in a previous role and was well-equipped to take on the challenge. He just needed the right tool for the job.

Leveraging IIA’s Three Lines Model 

In 2020, the Institute of Internal Auditors (IIA) replaced the traditional 'three lines of defense' model with a principles-based approach, recognizing that internal audit doesn’t operate effectively in a silo. 

“GRC is not meant to be done in silos — it requires silos to be broken.”

IIA recognized "risk-based decision-making is as much about seizing opportunities as it is about defensive moves." Their revised model focuses on more effective alignment, collaboration, and accountability. 

IIA recommends organizations employ three lines of defense to successfully manage risk and controls:

  • First Line - Maintains operational management with day-to-day ownership of risks and controls
  • Second Line - Supports management through their expertise and ensures risks and controls are properly managed
  • Third Line - Independently provides assurance to senior management and the governing bodies that first and second lines’ efforts are consistent with expectations.

Although these three lines have different responsibilities, they must work together in order to achieve strong governance and risk management.

Shifting Mindsets and Getting Results

Given the maturity of Delta Dental of Michigan’s GRC program, the changes Kyle was seeking would be challenging to implement. For Delta Dental of Michigan to see the benefits of switching to the Three Lines model, Kyle would have to convince senior management, along with other GRC functions, that realigning roles was a change worth making — never an easy lift.

Kyle met with leadership and was able to obtain buy-in by explaining that his vision for an integrated GRC program at Delta Dental of Michigan would:

  • Give senior management a complete, transparent view of the control environment
  • Integrate the various GRC functions to effectively contribute to organizational success
  • Improve operational risk management by understanding dependencies and linkages across the firm
  • Embrace automation to eliminate manual entry, reduce duplicative work, and lower administrative costs 

“To get a seat at the table, we had to provide a value proposition, and ultimately implement this plan of creating a modern, efficient internal audit department.”

With senior management convinced of the need for change, Kyle’s next step was to get buy-in from other departments to use LogicGate’s Risk Cloud platform to identify and centralize all of the organization’s risks so that IA could focus on independent testing.

Since implementing Risk Cloud, audits that used to take six months can now be done in half the time. It wasn’t long before this improved efficiency and resource savings caught the eye of other groups, and IA was able to expand Risk Cloud’s use cases across the organization. This allowed Kyle to fully implement the Three Lines Model.

IA could now rely on the Risk Management, Compliance, and IT groups to provide information and evidence it needed to maintain oversight right inside Risk Cloud, rather than getting into the weeds of tracking it all down themselves. With that extra time, Kyle’s team could focus on process improvement and adding value beyond risk-based assurance audits.

As Kyle shared, “If you don't have things mapped out correctly, it's hard to identify those emerging risks. But if they are mapped out correctly, you can be more proactive. And being proactive costs a lot less than being reactive.”


The Road Ahead

Today, Delta Dental of Michigan is expanding their use of Risk Cloud to get an integrated view of risk. The platform is powering Delta Dental of Michigan’s:

  • Operational Risk Management 
  • Audit Management
  • Compliance Management
  • Incident Management
  • IT Risk Management
  • Policy & Procedure Management 
  • Claims Audit Management 
  • Procurement 

With each new department brought into the Risk Cloud fold, Kyle identifies an owner for each application that he can rely on to drive the use case.

Risk Cloud’s ability to see the connections between different processes and areas of risk helps Delta Dental of Michigan reap the benefits of a modernized internal audit program and the power of collaboration through GRC. And, senior management is now able to make better decisions faster due to Risk Cloud’s customized dashboards, which display all the risk information leadership needs in one place.

Centralizing the work of IT Risk Management, Risk Management, Compliance and Internal Audit on the Risk Cloud platform has also allowed Delta Dental of Michigan to:

  • Improve collaboration to remove silos between the second and third lines of defense
  • Reduce duplication of efforts across audits
  • Increase transparency, so teams can interact in real time
  • Improve the efficiency of knowledge sharing and transfer as employees left the firm
  • Reduce risks for first-line business management

Moving forward, Kyle’s team plans to continue to improve and connect Delta Dental of Michigan’s Risk Cloud applications to provide real-time insight into the control environment and more detailed dashboards to senior management, and to ensure each application has a subject matter expert to maintain the platform's workflows and reporting capabilities.

About LogicGate

LogicGate gives you an interconnected view of risk across the organization that you just can’t get from point solutions. After all, great companies are built not by avoiding risks — but by choosing the right ones.

Risk Cloud® and LogicGate Risk Cloud® are registered trademarks of LogicGate, Inc.®. All rights reserved.
