How ERM Can Protect Healthcare Organizations Against Complexity of Risks


By Pete Reilly


Managing risk in the increasingly complex healthcare environment has become like a game of whack-a-mole. For every risk that’s brought under control, another exposure (and probably more) pops up in its place. 

The coronavirus only dialed up the pressure, blowing processes and controls out of the water even as it gave rise to new risks that had never been remotely anticipated: A lack of personal protective equipment (PPE), unstable supply chains for equipment, an inability to isolate outbreaks amid staffing challenges.

Even before the pandemic, healthcare risk management tended to lack the capacity, in terms of talent, flexibility of the organization and technology, and the time to stay ahead of the growing scope of risks. One 2019 study asked healthcare chief financial officers and risk leaders to rank what they expected to be their biggest concerns in three years. The biggest was technology and digital business transformation (79%), followed by consumer engagement (69%) and cybersecurity (64%). 

The disruption of a sustained global pandemic wasn’t a survey choice, but its impact made the point. Especially with the insurance business under pressure, traditional coverage by itself may not be sufficient for mounting claims. Enterprise risk management (ERM) has never been more important to healthcare organizations, and the time to start working on a strategy is now.

Understanding ERM

Adopting an ERM mindset and strategy takes time, resources and a committed leadership. It requires adopting a holistic perspective (versus the more typical siloed risk management approach) of organizational risk and how different risks are interconnected. It’s not just operational risks that must be anticipated and managed, but strategic ones, too. 

An ERM strategy entails a journey that many in healthcare struggle to complete. The process – structured, consistent, continuous and, yes, enterprise-wide – aims to identify, assess, respond to, report on and manage risks that could arise to threaten the organization. This integrated understanding of risk, acquired through data gathering and analysis, has such benefits as: 

  • Improved predictability of the costs of risk.
  • Greater investment in expanded healthcare services.
  • A greater focus on mitigation practices, lessening financial losses.
  • A better risk story for insurers, leading to more competitive premiums.

Atlantic Health System (AHS), headquartered in Morristown, N.J., began an ERM program in 2016, an initiative encompassing its 400+ sites of care, from hospitals to ambulatory sites to skilled nursing facilities, serving half the state of New Jersey. 

Its ERM framework was built around 17 risk categories (like clinical, technology and medical staff), which were aligned with AHS’ principles and goals. A risk algorithm was created to then evaluate and prioritize the risk impact, likelihood and control measures for each category. Team leaders developed and executed mitigation plans for the highest priority risks, and the program undergoes regular review and refinement. It’s a work in progress. Early reviews found that despite strong engagement from the top down combined with effective risk ownership, steps needed to be taken (and were) to better balance the organization’s operational and strategic risk focus.

The effectiveness of ERM was displayed during the pandemic, listed as a “top ten” risk long before COVID-19. The program led to a response that exemplified ERM in action. Risks and mitigation tactics were documented in real time and ultimately formalized. They spanned 17 categories, from equipment/PPE shortages to mental health issues. This effort informed the creation of 30 playbooks by clinical and operations teams, ensuring AHS’ readiness for the second surge – or any mass outbreaks that might occur in the future.

A framework for ERM programs

An effective ERM strategy needs buy-in from the organization’s leadership and clear and consistent communication across the organization. Healthcare organizations should consider these four activities key to building an ERM framework:

  • Conduct a business impact analysis. This involves gathering data on critical business operations along with the associated resources needed to manage risks and ensure operational resilience. This leads to the projected costs of disruptions, including service delivery, recovery time objectives and recovery point objectives. 
  • Develop a business continuity plan. The ability to manage unplanned disruptions is absolutely critical to healthcare organizations. Preparation requires a business continuity plan that outlines procedures and guidelines for operating in the face of unexpected disruption. The plan should covers every aspect of the business, from business processes and assets to human resources and business partners. 
  • Test the plan. Management and employees need an opportunity to practice the procedures outlined in the business continuity plan so they understand their roles and to see if the plan is effective. Many organizations do tabletop exercises and other drills to learn what works and refine the plan.
  • Take a team approach. It’s critical to develop a team of dedicated risk management experts to focus on risk, stay on top of emerging trends and educate employees. Brokers can help healthcare organizations develop risk management teams.

Healthcare organizations are increasingly complex, and so are the multitude of risks they must manage during uncertain times. The multidisciplinary, holistic approach of Enterprise Risk Management will ensure organizational readiness for the challenges ahead, but it takes a rigorous approach and a sustained focus to fully realize the benefits.

About the author:

Pete Reilly is the practice leader and Chief Sales Officer of global insurance brokerage Hub International’s North American healthcare practice.  In this role, he directs and coordinates HUB’s healthcare planning, growth and strategic initiatives. He also works with other leaders and experts within HUB to develop and introduce proprietary products that will help healthcare organizations and providers across the care delivery spectrum. 

Healthcare Business Today is a leading online publication that covers the business of healthcare. Our stories are written from those who are entrenched in this field and helping to shape the future of this industry. Healthcare Business Today offers readers access to fresh developments in health, medicine, science, and technology as well as the latest in patient news, with an emphasis on how these developments affect our lives.