The Critical Need For Improved ERM For Complexity and Costs of Healthcare Risks

Updated on August 19, 2025

The 2024 cyberattack on Change Healthcare devastated the U.S. healthcare ecosystem. It showed that while the sector’s enterprise risk management (ERM) practices have come a long way, they are not necessarily adequate for a fast-changing and increasingly complex risk environment.

The data breach, which cost UnitedHealth Group, Change’s parent, over $3 billion, exposed flaws in healthcare cybersecurity practices and underscored the need for more rigor in vendor controls and response planning. Moreover, it pointed to the need for better integration of cybersecurity specifically, and ERM generally, throughout organizations’ systems.

Enterprise risk management is intended as a holistic approach to identifying and managing risks, based on the interconnectedness of risks and their impacts across the organization.

Some 98% of large healthcare organizations are believed to practice ERM in some form, but among businesses overall, only 33% have complete ERM practices in place. In fact, a recent survey by HUB International found that only a fraction of the companies surveyed assess critical risks; just 22%, for example, include political risk in their ERM programs.

An increasingly unpredictable world of risks makes an ERM strategy critical for healthcare organizations, especially because their greatest vulnerabilities lie in patient safety, staff welfare and retention, and organizational resiliency.

Here’s what’s important to know.

Build the team, be data driven and break down silos

Done right – with an eye toward full integration across every department – a thoughtful and robust ERM program will effectively embed risk awareness and accountability into the organization’s culture.

It takes a top-down commitment, with hospital leaders – board members and senior executives – and department heads all walking the talk. The shared goal is to move beyond a reactive approach to risk identification and management to a proactive one that emphasizes continuous improvement and learning through open and shared communication.

The ERM framework can be developed utilizing an organization’s own data and internal systems, which effectively helps break down silos and create a unified understanding of potential threats. This full-spectrum perspective enables a quick and decisive response by teams in the face of disruptions. An insurance advisor knowledgeable in healthcare can provide invaluable guidance.

A comprehensive ERM program also enhances an organization’s insurability. In positioning organizations more favorably with underwriters, it can lead to broader coverage, more competitive terms and a lower total cost of risk. It can also open the door to alternative risk financing options, such as captives, for organizations looking to self-insure.

What’s needed for an effective ERM strategy

That top-down commitment is the essential starting point for an agile, organization-wide risk framework. Here’s how the team should proceed from there:

  1. Define your ERM objectives and identify key stakeholders. It’s essential to ensure that diverse perspectives are represented and incorporated into the strategy. That requires the active contributions of leaders from every business function, from patient care and diagnostic services to human resources and information technology.
  2. Leverage existing tools and resources. Many companies are sitting on valuable data and existing risk protocols; they just need help organizing, analyzing and deploying that information. A streamlined methodology helps balance strategy with execution.
  3. Plan for consequences beyond specific events. How will your people respond to a disruption? What happens to your supply chain? Which critical systems need to stay online? Running through such scenarios in advance equips the organization with the “muscle memory” to enable a quick and effective response to disruptions.
  4. Conduct ongoing enterprise-level assessments. Your broker will be invaluable in continuously evaluating all business risks. This ensures potential exposures are identified before they become a problem.
  5. Partner with specialists who understand dynamic and evolving risks. Specialists with deep knowledge of healthcare and its risks should be enlisted to contribute to the ERM program. Whether they are financial and legal/compliance specialists or IT and cybersecurity resources, such guides are essential for their deep knowledge of specific threats and of which tailored solutions fit the organization’s unique risk profile.

Done right, an ERM program should be embedded in daily operations and supported with proactive risk strategies and continuity planning. That’s how to move from reactive to resilient in an increasingly complex risk environment.

Pete Reilly
Practice Leader and Chief Sales Officer at Hub International

Pete Reilly is the practice leader and Chief Sales Officer of global insurance brokerage Hub International’s North American healthcare practice. In this role, he directs and coordinates HUB’s healthcare planning, growth and strategic initiatives. He also works with other leaders and experts within HUB to develop and introduce proprietary products that will help healthcare organizations and providers across the care delivery spectrum.

Pete has been a featured speaker at numerous professional conferences, including ASHRM and the Bermuda Captive Conference. He has been a guest lecturer on insurance and risk management topics at The Wharton School, a Metzger-Conway Fellow at his alma mater, Dickinson College, and a two-time recipient of Med Pro Group’s Buffett Award. Additionally, Pete has served on numerous insurance carrier Agency Advisory Councils and various ASHRM National Advisory Committees.

He holds a Bachelor’s degree in Political Science from Dickinson College, a Master of Science in Organizational Dynamics from the University of Pennsylvania, and the Associate in Claims and Associate in Risk Management designations from The Insurance Institute of America.