ERM: Evolving From Risk Assessment to Strategic Risk Management
Source: http://www.hfma.org/Content.aspx?id=60137

Changes in the healthcare system are bringing new risks, which hospitals and health systems need to manage effectively to remain competitive.
The U.S. healthcare ecosystem represents a $5 trillion market and is projected to grow to a $5.5 trillion market by 2025. The exponential growth comes from several thematic drivers, including the shift from volume to value and the rise of the consumer, both of which are turning the industry on its head as new payment models and greater expansion of consumer options are being introduced to the marketplace. Other drivers include evolving mobile strategies, new entrants, an aging population, and continued uncertainty in political and regulatory environments. With medical device cybersecurity vulnerabilities being reported at record levels, it is evident that new risks are constantly threatening the quality of patient care and providers’ long-term prosperity.

As the healthcare market expands and evolves, the inherent risks also are increasing, as shown in the sidebar.
Moving Beyond Risk Identification

Traditionally, the healthcare industry has excelled in risk identification and assessment. The industry has been less proficient at prioritizing and managing risk, however, and it has a vital need to tackle these areas. To do so, healthcare providers must invest more in building enterprise risk management (ERM) capabilities.

As a defensive strategy, a focus on avoiding risk may seem to hold promise, but no hospital or health system can avoid risk entirely. By giving an organization insight into how to take the right risks at the right time, an effective ERM program can help the organization more successfully execute its strategic imperatives.
Getting Beyond Basic Effectiveness

Despite the growing importance of ERM programs today, and the raised awareness of their importance, many healthcare providers have been slow to adopt a more sophisticated approach. As shown in the exhibit below, the current state for most providers falls between “basic” and “evolving” maturities for ERM programs.

[Exhibit: Levels of ERM Maturity (sources: footnotes a and b)]
Organizations classified as basic recognize the implications of risk to achieving the organization’s objectives and are just beginning to have important discussions on the topics of risk. Often defined as hazards and considered only in the context of their adverse consequences, risks managed at a basic maturity level are identified on an annual basis; risk mitigation and controls are seldom factored in, and reporting is infrequent, at best biannual. Organizations at basic maturity also may have disparate risk management processes that aren’t managed in a coordinated method (e.g., compliance, IT/cyber security, operations, and legal/insurance) and that exist outside normal management processes or cadences. Moreover, the internal ERM risk assessment is siloed from other risk assessments conducted in the organization.

Components for the risk assessment tend to be seen as requirements imposed upon the organization rather than as opportunities for proactive investment in the organization. As a result, the risk assessment often lacks substantive data and analysis, misses measurable monitoring, and does not align with the organization’s strategic vision and operational goals. It therefore is not surprising that ERM programs at the basic-maturity level often suffer from a lack of value creation in helping the enterprise manage risk to drive performance, and that they are rarely seen as anything other than “check-the-box” programs.
Organizations whose ERM programs are classified as “evolving” are on the way to having more enabled programs; they are able to conduct annual risk assessments within their health systems, but they do so with limited coordination or alignment back to strategy. Evolving ERM programs typically seek to help their organizations assess the broader risk universe, and they tend to drive toward a manageable list of 10 to 15 top, “enterprise” risks.

Risk owners within the organization are responsible for the mitigation of risks and development of risk action plans to do so, but many of them receive little oversight from an ERM program. Alignment between the risk management process and the business management process starts to form but is limited (usually involving strategy, planning, or finance). Risk-appetite statements may exist, but such statements tend to be formulated at a high aggregate level and may not always be relevant to management in helping mitigate individual risks. Risks often have an informal linkage back to strategic initiatives and performance expectations.
Establishing an Effective ERM Program: Key Components

An effective ERM program will help to drive greater relevance across the organization, to bring focus to promote a greater level of operational and strategic performance, and to build lasting value to the health system. Where a company focuses its resources and efforts is, of course, determined by its existing position and long-term strategy. If there is no process in place, organizations should begin working toward the basic level, focusing on building the foundational elements of a risk management framework. Those that have already established some risk protocols should aim for evolving maturity and concentrate on broadening organizational support and embedding and sustaining risk management throughout the enterprise. For example, effective ERM programs help an organization understand what must go right if the organization is to achieve its long-term objectives, what the risks are to achieving those objectives, how well the organization currently mitigates risks and where the gaps in those mitigation efforts lie, and how it then can develop oversight and reporting processes to monitor risk management activities.

Regardless of the initial maturity level, an important starting point for developing the ERM program is to clearly define or review the program’s purpose and value proposition for key stakeholders. This exercise will help determine whether the current program is properly serving the organization and is well-positioned to drive the level of change needed while managing risk in a dynamic and complex environment. For example, ERM programs can help drive standardization in risk assessment processes, help to bring balance around risks related to business unit performance expectations as well as strategic objectives, and start raising the level of risk acumen in the organization.
To promote this new mindset, the organization must create a risk culture and governance in alignment with its strategic planning process and build out risk processes with the support of governance, risk, and compliance (GRC) technologies.

These activities, which are fundamental to establishing an effective ERM program, should have the following five key areas of focus.
Building a risk culture. When a strong risk culture exists within a hospital or health system, an ongoing awareness of risk is naturally embedded in the organization’s culture, from performance measurements to a company’s code of conduct, as well as training programs. Identifying, understanding, and managing risk is a priority and responsibility of all members of the management team.

A health system can be a leader in building a risk culture by embedding discussions on risk topics into day-to-day operations, including quarterly performance reporting, existing committee meetings, and executive team discussions.

Developing an organization’s risk culture also requires a companywide effort. Organizational risks should be defined more broadly than simply as events that result in challenges and issues that must be avoided. It is important that all stakeholders within the hospital or health system understand both the risks and opportunities presented, and the uncertainties that need to be balanced to make an informed decision on whether to pursue the opportunity. For example, a hospital may be considering a new form of care delivery that may create a significant revenue stream and leverage the greater suite of care facilities across the system but that heightens the organization’s level of risk. By understanding what needs to go right to operationalize the new form of care delivery, what could prevent the organization from achieving that objective, and what level of current and future risk mitigation capabilities are needed, an organization can make a more well-informed decision on whether to pursue the opportunity.
Formalizing risk governance. Risk governance is well-defined when the board, senior management, and functional management have specific roles within the risk-management process and recognize their active roles within the risk-governance process. The organization also should provide these key stakeholders with the tools to fulfill those roles, ensuring proper knowledge and staffing of resources, including the GRC technology required to facilitate information sharing and coordination of risk management activities. All these individuals also should be accountable for their participation in the process, and guides and protocols should be created to clearly define when and how issues of risk are to be escalated.

For example, accountability in risk governance is a fundamental aspect of risk management for one national healthcare provider operating in more than 20 states. Risk owners are responsible for developing and monitoring risk response plans and for updating, identifying, and analyzing new and emerging risks. The information gathered through this process then is used to update the risk profile periodically.
Aligning ERM with strategic planning. Alignment of ERM to the strategic planning process is critical for establishing an effective ERM program. One Midwestern healthcare system, for example, links key risks to strategic initiatives when evaluating cost and ROI to determine whether the initiative falls within the organization’s risk tolerance.

To achieve greater alignment to the organization’s strategic planning process, organizational leaders should leverage the results of the risk assessment to promote a discussion around the implications of the risk profile. These conversations ultimately could lead to integration of the ERM processes within key functions such as planning, mergers and acquisitions, and program management for strategic initiatives. Another leading healthcare provider has found it effective to incorporate the process of linking all its top risks to the stated company strategy and underlying objectives, while also tying them back to risks identified in the company’s Form 10-K filed with the U.S. Securities and Exchange Commission.
Standardizing the risk management process. Efforts in this area include those focused on maintaining accountability in risk management processes. For example, the ERM program at one leading provider organization meets quarterly with risk owners one on one, with the goal of capturing changes in risk activity and discussing the effectiveness of risk action plans.

Data analysis is critical to standard risk management processes. Analytics define the qualitative and quantitative impact of risk on an organization’s ability to accomplish its strategic initiatives and execute its day-to-day business decisions. Organizational leaders should review all risk scenarios to understand the implications of changing business models, industry events and trends, and the interrelatedness and combined impact of risk. Using this information, as well as risk appetite, risk management professionals can accommodate changes in risk tolerance over time and drive further resource allocation discussions.
Leveraging GRC technology to capture and coordinate risk management activities. As the risk environment evolves, enhanced and more sophisticated tools help to support an advancing risk management process and improve coordination of core risk management activities. These tools provide greater access to shared data and information across the organization and improve resiliency.

To optimize the use of GRC technologies, hospitals and health systems should identify existing tools by risk functions and obtain a clear understanding of how these tools are being used currently. Obtaining feedback from users on existing tools also can help in determining their effectiveness. Armed with this research, leaders can determine which tools will support an integrated risk management program and use that information to develop a GRC technology roadmap. This roadmap also should include a common framework, structure, and taxonomy to ensure the GRC technology solution implemented will support the integration of risk functions to align compliance, risk management, and operational initiatives.
The Upside of Risk

As the risk hospitals and health systems face in today’s healthcare environment increases and diversifies, these organizations have both an opportunity and a great need to advance along the continuum from basic risk management to a well-established ERM program. Having such an established program is essential to being able to add greater value. An effective ERM program encourages continuous improvement, aligns with strategic priorities, and enables organizational leaders to understand and take on the risks their organizations must assume to succeed, and then to effectively manage those risks. Such skills are more vital than ever in our evolving, yet risk-filled healthcare environment.

Terry Puchley is a risk assurance national health services leader at PwC, Chicago.
Chris Toppi is a director in PwC’s risk assurance - health services practice, Chicago.
Footnotes

a. PwC, Surviving Seismic Change: Winning a Piece of the $5 Trillion U.S. Health Ecosystem, September 2016 (https://www.pwc.com/us/en/health-industries/health-research-institute/publications/pdf/pwc-hri-health-industry-changes.pdf); Johnson, C.Y., “Why America’s Healthcare Spending Is Projected to Soar Over the Next Decade,” Wonkblog, The Washington Post, Feb. 15, 2017.
b. PwC, Top Health Industry Issues of 2018: A Year for Resilience Amid Uncertainty, 2017 (https://www.pwc.com/us/en/health-industries/assets/pwc-health-research-institute-top-health-industry-issues-of-2018-report.pdf).

Publication Date: Sunday, April 01, 2018

Copyright of hfm (Healthcare Financial Management) is the property of Healthcare Financial Management Association and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use.