Enterprise Risk Management: What Is It and Why Should Health Care Organizations Be Thinking About It?

Updated on January 4, 2023

Establishing a robust enterprise risk management (ERM) method is essential to managing risk within any organization and should be an integral component of any health care provider’s standard business procedures. Because financial, operational and strategic risks, among others, continue to increase for the health care industry, it is now more critical than ever to ensure that there is an effective risk management method in place for the year ahead, which could result in substantial cost savings for providers.

What is ERM?

ERM is a framework that assists organizations in strategically managing risk by first taking a holistic and top-down approach to identifying risk, assessing it in terms of likelihood and magnitude of impact, determining a response strategy, and then establishing a monitoring process. In order to be comprehensive, an effective ERM considers all risks, including financial, compliance and strategic. 

Integrated ERM calls for multiple perspectives from key stakeholders throughout the organization and should be representative of the full continuum of care, says Ryan Haggerty, RSM US’s national leader for the health care internal audit, regulatory compliance and enterprise risk practice.

“Integrated ERM in health care is more complex than other industries due to the fact that the top risks frequently cross over each of the clinical, operational, strategic, regulatory and technology risk domains,” he said. “This requires shared responsibility across the organization not only to identify and prioritize risks, but also to understand how the risks interrelate, honestly assess the organization’s vulnerabilities associated with each risk and to determine which data should be monitored as key risk indicators.”

Components of ERM

The Committee of Sponsoring Organizations (COSO) of the Treadway Commission published the ERM framework in 2004 (Enterprise Risk Management Integrating with Strategy and Performance Executive Summary, © [2017] Committee of Sponsoring Organizations of the Treadway Commission (COSO). All rights reserved. Used with permission.). The purpose was to assist entities in protecting and enhancing stakeholder value. The framework is used worldwide and is a tool that management and boards, in exercising their oversight responsibilities, can use to develop their ERM practices. The framework is organized into five interrelated components:

  • Governance and culture
  • Strategy and objective-setting
  • Performance
  • Review and revision
  • Information, communication and reporting

The five interrelated components are supported by a set of principles, as defined in the ERM framework, that describe practices that can be applied in different ways for different organizations, regardless of size, type and sector. These principles provide organizations a guide to manage risks associated with their strategy and business objectives.

Once an organization identifies its risks, there are several options for dealing with these challenges, which range from acceptance to avoidance. How an organization, including health care systems and providers, decides to respond to any given risk will depend on a variety of factors, some of which include an organization’s risk tolerance, the strength of the risk mitigation strategies and the likelihood of an adverse outcome.

The benefits of ERM in health care

One benefit of an effective ERM framework for health care providers is that it creates an awareness throughout the organization of the risks at hand, which allows for a more effective response to threats. This ultimately will help prevent damage and loss, which is vital to any business enterprise. An ERM framework also provides additional benefits, including:

Increases the range of opportunities: By considering positive and negative aspects of risk, management organizations can identify new opportunities and unique challenges associated with current opportunities. For instance, a health care organization expanding its telehealth capabilities could assess and mitigate the risks of this expansion via ERM.

Reduces performance variability: ERM allows organizations to anticipate the risks that would affect performance and enables them to put in place the actions needed to minimize disruption and maximize opportunity. For instance, as organizations assess the risks associated with cybersecurity threats, ensuring sufficient insurance coverage and educating the workforce are two mitigation strategies. ERM helps manage and assess these strategies for an organization, including health care providers, especially as it relates to protecting sensitive patient information.

Improves resource deployment: A possible implication associated with every risk is that it will require additional resources. Appropriate risk assessment allows management to anticipate required resource needs, prioritize resource deployment and enhance resource allocation, which is critical, especially during this time of labor force scarcity. An organization can use ERM to assess and mitigate risks and prioritize deploying precious resources to areas of the organization where they are most needed. For example, ERM can help organizations improve decision making and anticipate resource shifts and staffing needs, something especially applicable for health care with its ongoing challenges around nursing shortages and other resource management concerns.

Enhances enterprise resilience: As the environment becomes more complex, an organization’s ability to anticipate and respond to change will be critical to its survival. ERM is a tool that helps equip management with what they need to manage change into 2023 and beyond. 

Key takeaway

Health care organizations will continue to face a future full of volatility, complexity and ambiguity. A key component of managing and prospering during challenging times as an organization is establishing an effective ERM framework with ongoing monitoring and evaluation of it by key stakeholders and decision-makers. The benefits derived from ERM could far outweigh the costs, and ERM, if managed effectively, will help provide organizations with the ability to handle future risks.

Lori Kalic is a health care senior analyst with RSM US LLP.