Reprint of Healthcare Financial Management Association article discussing the importance of implementing enterprise risk management in a healthcare setting. 14 years later ERM in healthcare may now be critical to organizational survival.
HFMA Searching for Risk, April 2004
The search for business risk will take you on an enlightening journey throughout your organization.

Thomas Heim

Healthcare Financial Management Association, www.hfma.org

An audit of a teaching hospital notes that not all funds from a research grant were used for the project; these funds were subject to unrelated business income tax, but the tax was not paid.

A national competitor hires away the hospital’s most highly regarded and profitable surgery team.

A health system receives a request from a congressional task force for all records that might indicate excessive Medicare charges.

Unexplained deaths occur over a period of years in different facilities; the only common denominator is the nurse on duty.

These examples are just a few of a seemingly endless list of possible business risks healthcare organizations face. Each scenario can produce a ripple effect resulting in both immediate and long-term exposures.

Many of these risks go well beyond traditional insurable risk, such as the potential for malpractice when providing patient care. Given the breadth and complexity of potential risks, hospitals need a logical framework for identifying the true scope of potential risks, measuring risk exposure, and responding to risks. Such an approach benefits both the hospital and all its stakeholders, including patients, staff (and their families), vendors, and the community served. This holistic approach is often called “enterprise risk management.”

Enterprise Risk Management Defined

Enterprise risk management (ERM) is the process by which organizations develop a formal organizationwide plan to identify, analyze, evaluate, manage or mitigate, and monitor risk. ERM is a detailed, tailored process that involves developing strategic goals and objectives, and identifying both the independent and interdependent risks of the organization that could affect its mission.

One objective of ERM is to understand the organization’s risks on a holistic basis. This view of risk goes beyond avoiding actions—such as overbilling or private inurement—that create obvious legal liability for the organization. The view of risk should also embrace the relationship between risk and opportunity, such as the risks and opportunities an organization encounters when it establishes a new service line or makes a significant investment in a new technology.

Similarly, the benefits of effective ERM are not limited to avoiding financial or legal repercussions (such as reducing potential fraud). Rather, the benefits include increased management effectiveness, increased stakeholder value, greater stability, reputation safeguard, and board confidence.
Establishing Goals
Establishing goals for ERM is like planning a cross-country trip. You need a map to determine your route, and you need mileposts on the way to measure progress. Questions that need to be answered on the ERM “trip” include:
> What is our destination?
> Why are we going there?
> What vehicle will we use to get there?
> What route or routes are we going to take?
> What are we going to do once we get there?
> Who do we want coming along with us (staff, patients, suppliers, community)?
> Who is responsible for bringing needed supplies?
> Who is going to drive and lead the exercise?
> Who has overall authority?
> How many miles will we go each day; what are our measurable objectives?
> How long will the trip take, and when do we need to get to our destination?
Too often, hospitals’ business risk assessment is limited to a particular unit, department, division, or subsidiary. Yet risk tends to transcend these boundaries and include not only the entire organization, but also “external” constituencies such as vendors and the community. ERM attempts to pull all constituencies together.

Getting input across divisional and departmental boundaries helps create an atmosphere of improved communication with the goal of avoiding crisis management in the event that a risk is triggered.

Hospitals can employ two broad methods to identify risk:
> Internal—through facilitated brainstorming, internal interviews, and employee surveys
> External—through research using peer groups, industry benchmarks, and association statistics

Once potential risks are identified, they need to be organized in a way to understand their basic nature. For example, risks could be categorized as:
> Financial (e.g., credit rating, bad debt, market risk)
> Operational (e.g., risks associated with medication administration and information management)
> Strategic (e.g., risks associated with a joint venture or competition)
> Involving hazards (i.e., risks such as patient injury, worker injury, and product malfunction that have a specific financial risk to the organization and are typically covered under liability insurance)
WHAT IS ENTERPRISE RISK MANAGEMENT?

“The underlying premise of enterprise risk management is that every entity, whether for profit, not-for-profit, or a governmental body, exists to provide value for its stakeholders. All entities face uncertainty, and the challenge for management is to determine how much uncertainty the entity is prepared to accept as it strives to grow stakeholder value. Uncertainty presents both risk and opportunity, with the potential to erode or enhance value. Enterprise risk management provides a framework for management to effectively deal with uncertainty and associated risk and opportunity and thereby enhance its capacity to build value…. [ERM is] a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

—Committee of Sponsoring Organizations (COSO), Enterprise Risk Management Framework (draft), 2003. COSO is an independent nongovernmental body of public companies, independent accounting firms, Securities and Exchange Commission officials, and others whose mission is improving internal controls and corporate governance within the United States.
Specific risks within those categories might be subdivided as internally driven (such as risks associated with gaps in accounting controls or inadequate supply chain management), or they could be externally driven (such as changes in Medicare payment or competitive pressure to adopt a new care procedure like drug-eluting stents). The specific method of categorizing risks will vary in each hospital.
Assessing Risks
Once risks are identified and grouped into some basic categories, an assessment is necessary to set priorities for action. An assessment requires both qualitative and quantitative information.

Qualitative information. Qualitative information helps describe the risk and what it entails. Qualitative information can include location, category, effect, trigger, and consequence. In this exercise, risk can refer to events that occur in the past, present, or future.
Quantitative information. Quantitative information helps provide specific information for comparative assessment. The quantitative information you need includes a “score” of risk probability and severity. The scores can be on a one-to-five scale. For example, risk probability might be scored as follows:
1. Rare—event may only occur in exceptional circumstances
2. Unlikely—event could occur at some time
3. Possible—event will occur at some time
4. Likely—event will probably occur in most circumstances
5. Almost certain—event is expected to occur in most circumstances

Risk severity might be ranked as follows:
1. Insignificant
2. Minor
3. Moderate
4. Major
5. Catastrophic

(This example assumes a risk is a threat. Risks that accompany opportunities would, of course, be assessed differently.)

With the risk probability and severity determined, multiplying the probability by the severity will yield a risk score. That risk score indicates the level of effect the risk holds for the organization, which in turn suggests the level of action the organization should bring to bear on the risk.

The total score of each risk can also be represented graphically in what is commonly called a risk map. A risk map is the process in which previously identified risks are prioritized based on their likelihood of occurrence and the impact they would have on the entity.

RISK LEVELS

| Likelihood \ Consequences | 1. Insignificant | 2. Minor | 3. Moderate | 4. Major | 5. Catastrophic |
|---|---|---|---|---|---|
| 1. Rare | Low - 1 | Low - 2 | Low - 3 | Moderate - 4 | High - 5 |
| 2. Unlikely | Low - 2 | Low - 4 | Moderate - 6 | High - 8 | Extreme - 10 |
| 3. Possible | Low - 3 | Moderate - 6 | High - 9 | Extreme - 12 | Extreme - 15 |
| 4. Likely | Moderate - 4 | High - 8 | Extreme - 12 | Extreme - 16 | Extreme - 20 |
| 5. Almost certain | High - 5 | Extreme - 10 | Extreme - 15 | Extreme - 20 | Extreme - 25 |

RISK RANKS

In this model, each risk is assigned a score from 1 to 5 to indicate likelihood and another score from 1 to 5 to indicate severity or impact. Multiplying the two scores yields a total, which suggests priority.

RISK MAP

[Figure: risk map. Axes: Consequences (Low 1 to High 5) and Likelihood (Low 1 to High 5).]

The organization’s risks can be consolidated in a risk map, with the identified risks plotted to illustrate priority. This tool is especially useful for giving boards and senior management an at-a-glance view of organizationwide risk.

The color code shows a way of ranking action based on the score.

| Risk level | Risk description | Responsible group | Time frame for action |
|---|---|---|---|
| Red | Extreme | Board | 2 days |
| Yellow | High | Senior management | 5 days |
| Blue | Moderate | Division management | 90 days |
| Green | Low | Department/unit management | 180 days |
Mitigating the Risks
After the risks have been identified, analyzed, and ranked, you need to determine the most effective way to deal with them. Risks can be treated or mitigated either prospectively or retrospectively. Techniques of dealing with risks can be categorized as risk retention or risk transfer.

Although a thorough discussion of these categories is beyond the scope of this article, a brief explanation will help distinguish the approaches.

Risk retention. Risk retention is the process of using the organization’s working capital to pay for losses. Retained losses can be considered either unfunded or funded. According to Christopher L. Culp’s book The ART of Risk Management (Wiley, 2002), “Unfunded retention is the retained risk of a firm for which any losses are financed as they are incurred, whereas funded retention involves the allocation of specific funds to carrying particular losses.”

Risk transfer. Risk transfer involves an unaffiliated third party assuming the responsibility for payment of the risk, usually in exchange for a premium. This transfer can occur contractually via indemnification clause, or through the use of an insurance company.
Healthcare organizations typically use several types of risk-retention models, including self-insured retention, self-insured trusts, and single-parent captives.

In health care, the most popular type of funded retention program is the single-parent captive. A captive is a special-purpose company formed by its parent company to provide coverage to its subsidiaries, its employees, or others, as opposed to obtaining insurance directly from the traditional insurance market. Premiums are paid to the captive rather than to a traditional insurer. The captive then invests the premiums and uses the money to pay out claims as and when they occur. The various structures used for a single-parent captive include a reinsurance company, an insurance company, and a self-insured funding mechanism.

Since the 1970s, single-parent captives have been the preferred method to fund the medical malpractice risks of many of the largest national health systems (both not-for-profit and for-profit) and many of the largest regional integrated healthcare systems. Over the past 30 years, the number of regional and rural systems creating these facilities has made the single-parent captive the formalized funding mechanism of choice. As many of the older facilities continue to “mature,” many of these systems have begun to realize the functionality of their captive in helping them establish a formalized funding mechanism for other risks.
One of the major benefits afforded by the captive is that its owners have the ability to look at the individually identified risks of the organization in a concise fashion using premiums paid into the facility as an estimated representation of the value associated with the risk. By assigning a dollar amount to the identified risk, the owner can then apply traditional capital and cash-flow management techniques to more effectively deal with the financial implications associated with each risk.
Monitoring, Reviewing, Optimizing
Only through established lines of communication and documented policies and procedures can the organization fully monitor, review, and optimize risk.

The organization’s internal and external stakeholders need to have access to different information to fulfill their roles in managing risk. Internal stakeholders include the board of directors, senior executives, department directors, and staff. Risk communication standards that articulate risk-related duties and responsibilities need to be developed and implemented for each set of stakeholders.

The Association of Insurance and Risk Managers, in its Risk Management Standard, places ultimate responsibility for establishing a process for monitoring, reviewing, and optimizing risk with the board of directors.

WHEN TO USE A SINGLE-PARENT CAPTIVE

Single-parent captives may be suitable for risks associated with:
• Contract physicians
• Managed care
• Clinical trials
• Products and services
• Contractual liability
• Workers’ compensation
• Brand, image, reputation, press relations
• Federal and statutory regulations
• Management liabilities
• Employment practices
• Environmental issues
• Internet/cyber liability

RISK-RETENTION MODELS

Mechanism:
• Self-Insured Retention
• Self-Insured Trust
• Single-Parent Captive

Advantages:
• Does not impair working capital
• No start-up expenses
• Typically no requirement for adequate or appropriate funding
• Usually no collateral requirement
• Not deemed insurance
• Ability to unbundle services
• Minimal start-up expenses
• Timely implementation
• Does not impair working capital
• Usually no collateral requirements
• Formalized funding mechanism
• Not deemed insurance
• Vendor selection
• Formalized funding mechanism
• May be deemed insurance
• Direct access to reinsurance
• Premium smoothing
• Underwriting surplus and investment income build-up
• Unaffiliated or profit business
• Risk management elevation
• Retention flexibility
• Less reliance on commercial insurance
• Greater coverage flexibility
• Vendor selection and management

Disadvantages:
• Must qualify for certain coverage lines
• No direct access to reinsurance
• Set-aside funds could be depleted for other uses.
• Only to be used for certain coverage lines
• Usually first-party coverages only
• Often irrevocable
• May require appropriate funding
• Potential dividend and investment issues
• Capital and surplus requirements
• Cost of capital
• Minimum actuarial funding levels
• Regulatory restrictions
• Long-term strategy
• Management time and oversight
• Limited spread of risk
• May not be deemed insurance
The Journey and the Destination
The destination of ERM is undeniably important: identifying and mitigating risk throughout the organization. Yet the journey toward that destination is equally important.

Along the way, you will discover innumerable opportunities to better understand and manage your organization’s processes, yielding not just reduced risk, but also improved efficiency and outcomes—including patient and staff satisfaction. Another reason the journey is important is that risks emerge and transform constantly. Consider the list at the beginning of this article—clinical research, competition, billing practices, patient safety. When you put down this article and turn to your e-mail box, you may well find a new proposed regulation, initiative, press report, or financial finding that constitutes a potential business risk for your hospital. The journey to identify and mitigate risk never ends.
Reprinted from the April issue of Healthcare Financial Management.
Copyright 2004 by Healthcare Financial Management Association, Two Westbrook Corporate Center, Suite 700, Westchester, IL 60154.
For reprint information, call 1-800-252-HFMA.
About the author
Thomas Heim