
Corruption, Opacity, and Fraud Risk Management Subsystem of the National Superintendence of Health

The Corruption, Opacity, and Fraud Risk Management Subsystem (“SICOF”) is part of the Integrated Risk Management System applicable to certain organizations in the Health Sector. Through its regulation, the National Superintendence of Health (“Supersalud”) aims to establish general administrative guidelines for the organizations under its supervision in the design and implementation of SICOF for the management of corruption, opacity, and fraud risks (the “Risks”).

With the issuance of External Circular 005-5 of 2021, Supersalud established the instructions, applicability, stages, elements, and characteristics related to SICOF.

Supersalud has indicated that the implementation of SICOF is intended to focus the organizations’ efforts primarily on risk identification, that is, on the implementation of strategies and policies regarding the inventory, recounting, and documentation of processes, as well as the analysis of the internal and external context of the organization (regarding direct and indirect counterparts) concerning the Risks.

This is without prejudice to the integral relevance of the remaining stages of SICOF, which are:

  • Measurement: through which the detection of Risks is managed to work on their reporting and prevent their materialization, through an organizational culture where such reports are effective, efficient, and agile in uncovering possible irregular behaviors associated with Risks. All this, in consideration of the possibility of occurrence (of the event that generates the Risk) and its impact in case of materialization.
  • Control: whereby effective measures are taken to control the Risks, through the designation of persons responsible for these activities, the definition of a minimum execution periodicity, the establishment of a control procedure, and actions to be carried out.
  • Monitoring: this involves (i) developing a process for the effective detection and correction of deficiencies in SICOF, with a minimum periodicity of one (1) year; (ii) establishing descriptive indicators that evidence potential Risks; (iii) ensuring the adequate and timely functioning of controls; (iv) ensuring that residual risks are within the acceptance levels established by the organization; (v) periodically generating an internal report about Risk management, including the inherent and residual risk profile of the organization.

The elements that SICOF must include are as follows:

  1. Policies: documents and/or principles for establishing general guidelines that organizations must adopt regarding SICOF. These policies should promote a culture of Risk prevention, establish duties for organs to control Risks, enable conflict resolution at different stages, and identify changes in controls and risk profiles. They must be designed by the board of directors or the main legal representative of the organization and approved by the highest social body. They should be communicated to all employees, partners, executives, administrators, and counterparts.
  2. Procedures: to achieve the implementation and functioning of SICOF, procedures must be established to implement the different stages of SICOF, identify changes and evolution of controls, and adopt measures against non-compliance with SICOF.
  3. Risk prevention manual: it is the document that contains the policies and guidelines that are part of SICOF, considering all its stages and including the procedures and methodologies for event recording, parameters to be implemented by control organs, policies for protecting those who report possible Risk cases, and the roles and responsibilities of those involved in the management of Risks.
  4. Mechanisms: methodologies, models, and qualitative and quantitative indicators of technical value for detecting possible activities that involve Risks, as well as the person responsible for their analysis and results. The compliance officer or the organization's delegate must report these activities to the competent authority if detected.
  5. Instruments: The instruments that organizations obliged to implement SICOF must have include: (i) red flags: situations, events, and indicators that are relevant to the organization, from which the possible existence of an event or situation outside the norm can be inferred; (ii) segmentation of Risk factors: supervised organizations must segment each risk factor based on particular characteristics, such as value, periodicity, and impact.
  6. Organizational structure: obliged organizations must establish and assign functions relating to the stages of SICOF to the following bodies: (i) board of directors or its equivalent; (ii) legal representative; (iii) compliance officer or the organization's representative for SICOF execution; (iv) control bodies (audit and internal audit).
  7. SICOF documents: including (i) the Risk prevention manual; (ii) documents and records of SICOF operation; (iii) reports from the board of directors/legal representative/control bodies; (iv) SICOF risk map; (v) methodology and instruments for Risk management; (vi) policies on information and communication management; (vii) analysis of the Risk event register.
  8. Information disclosure and training: organizations must design an effective, efficient, and timely system for their reports, both internal and external, for the periodic disclosure of information and for information to be permanently available when required. For SICOF, it will be the duty of the compliance officer to report to the competent authorities according to their activity.

Scope of Application

External Circular 005-5 of 2021 and the obligation to implement SICOF, depending on classification criteria, are primarily directed at Health Promoting Organizations (EPS) of Contributory, Subsidized, Special, and Exceptional Regimes; Prepaid Medicine Companies (EMP); Ambulance Services (SAP); Territorial Entities (ET); Special Patient Transportation Services (SETP); and Health Providing Institutions (IPS) of Public, Private and Mixed nature; as well as the legal representatives, partners, shareholders, auditors, compliance officers, and highest social bodies of these organizations.

Relevant Facts

  • The non-implementation of SICOF may not only lead to the imposition of fines of up to 8000 legal monthly minimum wages, but it can also constitute a crime.
  • The omission of control in the health sector is established in Article 325-B of the Penal Code, stating that an employee or director of an organization supervised by Supersalud, who, to hide or cover up an act of corruption, omits compliance with some or all of the control mechanisms established for the prevention and fight against fraud, will incur a prison sentence of thirty-eight (38) to one hundred twenty-eight (128) months and a fine of one hundred thirty-three point thirty-three (133.33) to fifteen thousand (15,000) legal monthly minimum wages.
  • Note that in this case, committing the crime with intent is not enough; it must be demonstrated that the employee or director had the intention of hiding or covering up an act of corruption.
  • For proper compliance in the implementation of SICOF, it is not mandatory to have a compliance officer. Another person appointed by the organization for the execution of SICOF may fulfill this role.
  • SICOF can be integrated with SARLAFT, to the extent that both are part of the Integrated Risk Management System.
  • The reporting of Risk acts can be made to the compliance officer or the delegate responsible for the implementation of SICOF, who, in turn, will make the corresponding reports to the competent authorities.
     

Authors

Daniel Rodríguez, LL.M.
Partner
Bogotá
María Paula Sandoval, LL.M.
Senior Associate
Bogotá
Camila Posada
Associate
Bogotá