The Enterprise Risk Management (ERM) concept in healthcare may be familiar to some individuals and organizations, unfamiliar to others and/or perceived by still others as an overwhelming concept. Essentially, ERM is a strategy to increase the economic and noneconomic value of an organization.
ERM was first implemented in the financial services sector. Since then, more and more organizations across all industries have begun to embed the concept of ERM into their culture.
Implementing an ERM strategy involves a systematic method of identifying and prioritizing risks. This process evaluates the frequency of an event occurring and its impact on the entity’s ability to achieve its vision and mission.
All organizations face an array of risks in the normal course of doing business, both internally (administrative, operational and financial) and externally (economic, environmental, regulatory, legislative and taxes).
There are many ways an organization can address its risk exposure(s): accept the risk, spread the risk, segregate the risk, share the risk, completely eliminate the risk exposure and/or transfer the risk contractually through the purchase of insurance.
Traditionally, ERM categorizes risks into “domains” or “spheres of influence.” The overarching categories of risk an organization needs to be cognizant of and address are defined as:
Strategic Risks: Do all stakeholders in an organization — from the top of the organization to the bottom — have a clear understanding of the organization’s vision, mission, goals and objectives?
For example, why are you in business in the first place? Where is the organization today? Where is the organization headed? What does the organization aspire to be in the future? How is the organization going to get there?
Hazard Risks: Risks that are traditionally attributed to a physical loss or a reduction in the value of an asset or real property. Hazard risks can be mitigated and managed through various loss-control techniques and/or through risk transfer, e.g., the purchase of insurance.
Examples of managing hazard risk through the purchase of insurance include medical professional liability insurance to protect a physician’s reputation and property insurance to protect an office/building and its contents. A non-insurance, loss-control approach to mitigating hazard risk would be to install cameras and a security system to better protect the safety of patients, employees and the physical office.
Operational Risks: The ERM process evaluates the efficiency and effectiveness of an organization’s administrative and operational processes, looking for inadequate or failed internal processes, people or systems that could prevent the organization from achieving its goals.
The advent of EMR systems is a prime example of mitigating operational risk. There are many benefits to the effective implementation and utilization of an EMR system: medical records are more secure, are maintained in a consistent format, are easy to access and share with the appropriate parties, and promote improved medical documentation in the treatment of patients.
Human Resources Risks: An organization needs to evaluate its ability to attract, develop and retain key individuals. Do we have the right number of people? Are those people in the right roles to leverage our strengths and mitigate our weaknesses?
The overall emphasis should be on having the appropriate mix of human capital in terms of staff size and the appropriate skill sets for an organization to achieve its vision and mission, e.g., to ensure the utmost in patient safety and care.
Financial Risks: How can an organization succeed and thrive in an ultra-competitive global economy? An organization needs to take measures to leverage all of its resources (financial capital, human capital and competitive advantages) to attain sustainable profitability and to create balance sheet strength in order to generate positive cash flow during favorable and unfavorable economic cycles.
Examples of mitigating financial risks include implementing expense management and cost containment programs; changing policies and procedures to improve the collection of accounts receivable; and leveraging payment terms and discounts with vendors and suppliers.
Legal/Regulatory/Compliance Risks: With healthcare being a highly regulated industry, organizations must address risks from licensure, accreditation, legislative policy, regulations, case and common law as well as taxes.
Healthcare organizations need to have policies and procedures in place to demonstrate that they are in compliance with current legislation and regulations, e.g., HIPAA and Protected Health Information guidelines. They also need to be agile in reallocating human capital and financial resources to address legislative and regulatory changes that are known but have yet to be fully implemented.
Ultimately, implementing and benefiting from an ERM strategy does not need to be complicated or expensive. Many of the methods to manage and mitigate the various risk domains described here have been available for years. An ERM strategy can be “right-sized” to benefit any size organization.
The direction, implementation and commitment to an ERM strategy must start at the top of the organization and needs to be communicated clearly and frequently to all levels and areas of the organization, e.g., corporate finance, human resources, operations, marketing and sales, legal, etc.
An organization must realize that all of the identified risks cannot be addressed at one time. Reductions in the frequency and severity of an organization’s risk exposures over time will result in incremental gains in both economic and noneconomic value.
As an organization successfully manages, mitigates and/or eliminates current risks, other risk factors will develop from internal and external events that were not previously identified or were unknown. ERM is a continual and evolutionary process that helps organizations manage more than their insurance risks.