Whitepaper: Healthcare Risk Management Takes a Broader Perspective
Using a comprehensive incident management system increases
efficiency and insight, reducing risk in the healthcare industry.
The heart of the matter:
Healthcare needs an enterprise perspective on risk
From fraud and theft to the challenge of meeting government regulations, businesses are exposed to numerous factors that can have a negative financial and reputational impact. Keeping up with corporate governance, risk management and legal compliance mandates promises to become relentlessly more complex in 2009 as turbulent economic conditions continue to affect the business world. Employee misconduct is one compel-
Strikingly, nearly 75 percent of healthcare industry employees reported having witnessed misconduct at work in the past 12 months, according to the KPMG Integrity Survey 2008-2009. More alarmingly, 57 percent indicated that the observed misconduct was serious enough to cause a significant loss of public trust if discovered. This is just one of a myriad of risks that are increasing in both complexity and severity. What can be done to more effectively detect, manage and prevent these issues?
Currently, many healthcare organizations attempt to manage risks on a reactive basis, with each department or business area trying to resolve issues in its own way. In reality, however, risk presents an overarching challenge that an organization is best equipped to face by taking a comprehensive, proactive approach.
Taking a broader perspective on risk management yields numerous, critical efficiencies. Specifically, using a centralized incident management system – one that multiple departments can use to compile information and collaborate among themselves – can help improve communication and insight, reduce and contain risk, cut costs and add process consistency. Then, the availability of company-wide trending and analysis keeps organizations a step ahead of the issues they face. The healthcare organizations that take a broader perspective on risk management will be the best equipped to navigate these turbulent economic conditions.
In the wake of the global economic crisis, risk in the healthcare industry is changing at an accelerated pace. The most important financial and reputational risks in the healthcare industry in 2009 include compliance with government mandates – including the Stark laws, the anti-kickback statute, the Health Insurance Portability and Accountability Act (HIPAA), the federal False Claims Act and Medicare/Medicaid regulation – along with data privacy and employee misconduct or fraud.
Each of these factors has grown in significance and will become more severe in the coming years. Legal compliance is especially complex in the heavily regulated healthcare industry. With government and the public demanding ever-higher corporate ethics standards, Forrester Research predicts that “looming regulatory mandates and oversight will mean greater strain on businesses already hurting from a weak economy,” according to Trends 2009: Governance, Risk and Compliance Hit the Big Time (Forrester, 2008). Compliance with regulations is a costly endeavor, as are the penalties for failing to comply, but other risks can be just as
On average, companies lost seven percent of revenue to fraud in 2008, according to the Association of Certified Fraud Examiners (ACFE) 2008 Report to the Nation on Occupational Fraud and Abuse. In healthcare, the median fraud loss was among the highest of any industry at $150,000 per incident – and most experts expect the risk of fraud to rise in 2009 due to the pressures of a down economy.
Another major challenge for healthcare organizations is the responsibility to protect the personally identifiable information of patients and employees. HIPAA requirements were designed to protect patient privacy, and severe penalties can be imposed if the rules are violated. That risk is on the rise: the number of data breaches in 2008 climbed almost 50 percent over 2007, according to the Identity Theft Resource Center (ITRC)’s Security Breaches 2008 report.
The Ponemon Institute found that the average data breach in 2008 cost organizations $6.65 million; however, financial damage is only part of the equation. The annual study, Cost of a Data Breach: Understanding Financial Impact, Customer Turnover, and Preventative Solutions, found that the healthcare industry experiences the highest customer loss rate after suffering a data breach (Ponemon, 2009).
Together, these risks threaten a loss of revenue and public trust that extends beyond the challenges posed by the turbulent economy. Alone, each department and business area is ill equipped to manage the risks that affect the organization as a whole. The traditional response to risk is too narrow to be effective anymore.
The Traditional Response
The healthcare community is well aware of these risks, and of many others not discussed here. Every organization has some set of policies and processes to address them. Historically, each area of risk was addressed where the most impact was felt, so when Sarbanes-Oxley became a factor, accounting took responsibility for complying with the rules; Stark laws were addressed by internal audit and security protected against data
It made sense for most risk management processes to begin in individual departments, such as legal, finance, security, ethics and compliance, internal audit, human resources and any other department involved in risk management. But over time the lack of a centralized starting point has led to disparate, duplicative effort and unnecessary spending. Now, in some cases the same issue may be investigated by two departments using different terminology and processes. Relevant trends and patterns can be easily overlooked because it never occurred to one department to share certain information with another, making it difficult to study overall
While no issue is the direct responsibility of every part of the business, issues are rarely limited to one, or even two, departments, especially when they involve financial and reputational risk to the company. Yet current strategies keep information isolated among business areas.
All departments share a common starting point: most issues are discovered by employees, either through policies, procedures and controls that are already in place, or when someone observes a potential problem and reports it. Whether the issue is reported directly to a manager through an open-door policy or submitted anonymously via the phone or web, the ability to report incidents is an invaluable source of information. In fact, nearly half of detected frauds are discovered through employee tips, which “…continue to be the most effective means of detecting fraud” (ACFE, 2008).
Once these reports come in, they are traditionally filed in a local database and tracked in a spreadsheet. As a result, the wrong people may be involved in the investigation and resolution process. More importantly, the organization misses the opportunity to see overarching trends and to minimize risk before issues become
Time for a New Approach
How can an organization begin to cut excess costs and increase the effectiveness of its overall risk management program? An ideal approach to ethics and compliance would include not only a phone and web-based reporting feature and an efficient incident management system, but also a commitment to encouraging a business culture of good conduct, along with analysis tools, policies, procedures and protocols for responding to incidents when they happen.
Such a comprehensive ethics and compliance commitment may not be feasible for every organization, but there are benefits to taking first steps. According to a study by Saugatuck Technology, SaaS vs. On-Premise Solutions: The ROI of Proactive Case Management, “coordinating risk management across legal, HR, finance, IT, and business operations requires a centralized and systematic approach - with defined roles and responsibilities by organizational unit and in cooperation with a centralized risk management function.” (Saugatuck,
In practice, a centralized incident management system is one part of a comprehensive plan, and it can keep the entire organization involved in how relevant issues are handled. However, this does not require excessive additional meetings and planning, because relevant departments can rapidly communicate through the system, determine case assignments and goals, and report results consistently to senior management. Taking the first step toward coordinating risk management across the organization will lead to measurable results.
> Cut Excess Spending
As the situation now stands, resources and attention tend to be divided between separate risk management strategies in various functional business units. The effect is duplicated effort and inefficiency when departments purchase separate systems despite having related goals and overlapping objectives.
To cut those unnecessary costs and boost productivity, the Ethics Resource Center’s 2007 National Business Ethics Survey advises that businesses “streamline escalating compliance and risk management costs and gain insight for better strategic decision-making.” (ERC, 2007).
These escalating costs and inadequate insight derive from an overall lack of coordination in risk management programs. Embracing collaboration eliminates spending excesses and can dramatically increase efficiency. Organizations can experience time savings of between 25 and 75 percent due to increased productivity (Saugatuck, 2009). Overall, streamlining these processes helps multiple departments communicate and collaborate among themselves more efficiently.
> Communicate and collaborate
Enterprise-wide communication about risk issues is currently limited. However, every risk matters to the organization as a whole, even if individual issues do not seem relevant to certain business functions. Cooperation can be supported by a centralized, comprehensive incident management system that brings consistency and communication to relevant issues. The resulting “tone from the top” can have a significant
“Ethics risk is significantly minimized when a concerted enterprise-wide commitment to the highest ethical
standards and culture is in place.” (ERC, 2007). The result is a 75 percent reduction in misconduct, which
has direct financial implications.
A centralized incident management system facilitates automated communication and case routing. When any incident is reported, a notification can be sent, based on the nature of the report, to the appropriate department leaders, who then use the system to communicate and determine the appropriate next steps. This results in increased transparency and oversight, as well as consistent incident resolution across the business.
> Reduce and Contain Risk
Successfully implemented, a comprehensive strategy can lead to clear benefits through cost avoidance, cost containment and time savings. While some analysts’ estimates of over 1300% return on investment (ROI) may seem exaggerated, it is clear that preventing one data breach and detecting one fraud would more than pay for the investment in a comprehensive risk management system – on the basis of cost avoidance and preservation of public confidence alone.
If a data breach does occur, a coordinated response plan is the most measurably effective way to reduce its negative effects (Ponemon, 2008). The Ponemon Institute concludes that organizations should “take a holistic approach to data protection.” Post-breach response processes and procedures can be established within the incident management system, keeping the organization prepared for quick, coordinated action. When a data breach is recorded, communicated and managed effectively, companies can save 75 percent per event.
In addition to cost avoidance and containment savings, a comprehensive system can help avoid or contain shrinkage, theft, discrimination lawsuits, product liability and other class actions, and physical damage to property and equipment through negligence or sabotage. Although risk reduction and containment are financial boons for healthcare organizations, efficiencies can also be gained in how the organization’s risk management functions can begin operating on a proactive basis.
What can be done to more effectively detect, manage and prevent risk issues? The traditional, reactive approach is obsolete. Today’s increasingly challenging risk environment demands collaboration – standardized policies, procedures, processes and terminology. Supported by a comprehensive incident management system, this will help healthcare organizations take a proactive approach to the issues they face.
Trends and patterns begin to appear when company-wide metrics are tracked with consistency and collaboration. In particular, if the company is analyzed by functional unit and location, there is a deeper level of insight that can keep the organization a step ahead of regulatory requirements. Then, when incidents do occur, each step is tracked and recorded in the secure, centralized database of the incident management system, demonstrating investigative due diligence if necessary. That record only serves as evidence if access to it is restricted to those with a need to know and the audit trail cannot be altered after the fact, so the system itself must be protected as carefully as the patient and employee data it references.
A shared incident management system is a strong first step toward a comprehensive risk strategy. It takes a broader perspective for healthcare organizations to streamline disparate spending, facilitate collaboration and consistency, and become proactive in the face of a challenging regulatory environment – but in return, those organizations with a proactive approach will be best equipped to manage risk in the midst of economic