Thomas Heim

The search for business risk will take you on an enlightening journey throughout your organization.

An audit of a teaching hospital notes that not all funds from a research grant were used for the project; these funds were subject to unrelated business income tax, but the tax was not paid.

A national competitor hires away the hospital's most highly regarded and profitable surgery team.

A health system receives a request from a congressional task force for all records that might indicate excessive Medicare charges.

Unexplained deaths occur over a period of years in different facilities; the only common denominator is the nurse on duty.

These examples are just a few of a seemingly endless list of possible business risks healthcare organizations face. Each scenario can produce a ripple effect resulting in both immediate and long-term exposures. Many of these risks go well beyond traditional insurable risk, such as the potential for malpractice when providing patient care. Given the breadth and complexity of potential risks, hospitals need a logical framework for identifying the true scope of potential risks, measuring risk exposure, and responding to risks. Such an approach benefits both the hospital and all its stakeholders, including patients, staff (and their families), vendors, and the community served. This holistic approach is often called "enterprise risk management."

Enterprise Risk Management Defined

Enterprise risk management (ERM) is the process by which organizations develop a formal, organization-wide plan to identify, analyze, evaluate, manage or mitigate, and monitor risk. ERM is a detailed, tailored process that involves developing strategic goals and objectives and identifying both the independent and interdependent risks of the organization that could affect its mission.

One objective of ERM is to understand the organization's risks on a holistic basis. This view of risk goes beyond avoiding actions, such as overbilling or private inurement, that create obvious legal liability for the organization. The view of risk should also embrace the relationship between risk and opportunity, such as the risks and opportunities an organization encounters when it establishes a new service line or makes a significant investment in a new technology.

Similarly, the benefits of effective ERM are not limited to avoiding financial or legal repercussions (such as reducing potential fraud). Rather, the benefits include increased management effectiveness, increased stakeholder value, greater stability, reputation safeguard, and board confidence.

Establishing Goals

Establishing goals for ERM is like planning a cross-country trip. You need a map to determine your route, and you need mileposts on the way to measure progress. Questions that need to be answered on the ERM "trip" include:

  • What is our destination?
  • Why are we going there?
  • What vehicle will we use to get there?
  • What route or routes are we going to take?
  • What are we going to do once we get there?
  • Who do we want coming along with us (staff, patients, suppliers, community)?
  • Who is responsible for bringing needed supplies?
  • Who is going to drive and lead the exercise?
  • Who has overall authority?
  • How many miles will we go each day; what are our measurable objectives?
  • How long will the trip take, and when do we need to get to our destination?

Too often, hospitals' business risk assessment is limited to a particular unit, department, division, or subsidiary. Yet risk tends to transcend these boundaries and include not only the entire organization, but also "external" constituencies such as vendors and the community. ERM attempts to pull all constituencies together.

Getting input across divisional and departmental boundaries helps create an atmosphere of improved communication with the goal of avoiding crisis management in the event that a risk is triggered.

Hospitals can employ two broad methods to identify risk:

  • Internal: through facilitated brainstorming, internal interviews, and employee surveys
  • External: through research using peer groups, industry benchmarks, and association statistics

Once potential risks are identified, they need to be organized in a way to understand their basic nature. For example, risks could be categorized as:

  • Financial (e.g., credit rating, bad debt, market risk)
  • Operational (e.g., risks associated with medication administration and information management)
  • Strategic (e.g., risks associated with a joint venture or competition)
  • Involving hazards (i.e., risks such as patient injury, worker injury, and product malfunction that have a specific financial risk to the organization and are typically covered under liability insurance)

Specific risks within those categories might be subdivided as internally driven (such as risks associated with gaps in accounting controls or inadequate supply chain management), or they could be externally driven (such as changes in Medicare payment or competitive pressure to adopt a new care procedure like drug-eluting stents). The specific method of categorizing risks will vary in each hospital.

Assessing Risks

Once risks are identified and grouped into some basic categories, an assessment is necessary to set priorities for action. An assessment requires both qualitative and quantitative information.

Qualitative information. Qualitative information helps describe the risk and what it entails. Qualitative information can include location, category, effect, trigger, and consequence. In this exercise, risk can refer to events that occur in the past, present, or future.

Quantitative information. Quantitative information supports comparative assessment across risks. The quantitative information you need includes a "score" of risk probability and severity. The scores can be on a one-to-five scale. For example, risk probability might be scored as follows:

  1. Rare: event may only occur in exceptional circumstances
  2. Unlikely: event could occur at some time
  3. Possible: event will occur at some time
  4. Likely: event will probably occur in most circumstances
  5. Almost certain: event is expected to occur in most circumstances

Risk severity might be ranked as follows:

  1. Insignificant
  2. Minor
  3. Moderate
  4. Major
  5. Catastrophic

(This example assumes a risk is a threat. Risks that accompany opportunities would, of course, be assessed differently.)

With the risk probability and severity determined, multiplying the probability by the severity will yield a risk score. That risk score indicates the level of effect the risk holds for the organization, which in turn suggests the level of action the organization should bring to bear on the risk.

The score of each risk can also be represented graphically in what is commonly called a risk map: a grid on which previously identified risks are plotted by their likelihood of occurrence and the impact they would have on the entity, so that they can be prioritized.
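The scoring and mapping steps above, worked through in code as an added example that is not part of the original article. The register entries are constructed from the scenarios that open the article, and the probability and severity scores assigned to them are illustrative assumptions, not the author's.

```python
# Added example (not from the article): score a constructed risk register on the
# article's 1-5 probability and severity scales and place each risk on a 5x5 risk map.
from collections import namedtuple

Risk = namedtuple("Risk", "name category probability severity")

PROBABILITY = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost certain"}
SEVERITY = {1: "Insignificant", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Catastrophic"}

# Constructed register: the article's opening scenarios with assumed, illustrative scores.
REGISTER = [
    Risk("Unpaid unrelated business income tax on grant funds", "Financial", 3, 3),
    Risk("Competitor hires away the top surgery team", "Strategic", 2, 4),
    Risk("Congressional request for Medicare charge records", "Financial", 4, 4),
    Risk("Unexplained patient deaths linked to one nurse", "Hazard", 1, 5),
]

def risk_score(risk):
    """Probability times severity, each on the 1-5 scale; rejects out-of-range scores."""
    if risk.probability not in PROBABILITY or risk.severity not in SEVERITY:
        raise ValueError(f"scores must be 1-5: {risk}")
    return risk.probability * risk.severity

def rank_register(register):
    """(score, risk) pairs, highest score first, so the highest-impact risks get attention first."""
    return sorted(((risk_score(r), r) for r in register), key=lambda pair: -pair[0])

def risk_map(register):
    """5x5 grid: grid[severity-1][probability-1] lists the names of the risks in that cell."""
    grid = [[[] for _ in range(5)] for _ in range(5)]
    for r in register:
        risk_score(r)  # validates the scores before placing the risk
        grid[r.severity - 1][r.probability - 1].append(r.name)
    return grid

def render_map(grid):
    """Text rendering with Catastrophic on the top row and Almost certain at the right."""
    lines = []
    for sev in range(5, 0, -1):
        counts = "  ".join(str(len(grid[sev - 1][p])) for p in range(5))
        lines.append(f"{SEVERITY[sev]:>14} | {counts}")
    lines.append(" " * 15 + "+ " + "  ".join(PROBABILITY[p][0] for p in range(1, 6)))
    return "\n".join(lines)

if __name__ == "__main__":
    for score, r in rank_register(REGISTER):
        print(f"{score:2d}  {r.category:<9} {r.name}")
    print(render_map(risk_map(REGISTER)))
```

The count in each cell of the rendered map shows where risks cluster; the ranked list above it is the order in which the article suggests action should be brought to bear.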

Mitigating the Risks

After the risks have been identified, analyzed, and ranked, you need to determine the most effective way to deal with them. Risks can be treated or mitigated either prospectively or retrospectively. Techniques of dealing with risks can be categorized as risk retention or risk transfer.

Although a thorough discussion of these categories is beyond the scope of this article, a brief explanation will help distinguish the approaches.

Risk retention. Risk retention is the process of using the organization's working capital to pay for losses. Retained losses can be considered either unfunded or funded. According to Christopher L. Culp's book The ART of Risk Management (Wiley, 2002), "Unfunded retention is the retained risk of a firm for which any losses are financed as they are incurred, whereas funded retention involves the allocation of specific funds to carrying particular losses."

Risk transfer. Risk transfer involves an unaffiliated third party assuming responsibility for payment of the risk, usually in exchange for a premium. This transfer can occur contractually via an indemnification clause, or through the use of an insurance company.

Healthcare organizations typically use several types of risk-retention models, including self-insured retention, self-insured trusts, and single-parent captives.

In health care, the most popular type of funded retention program is the single-parent captive. A captive is a special-purpose company formed by its parent company to provide coverage to its subsidiaries, its employees, or others, as opposed to obtaining insurance directly from the traditional insurance market.

Premiums are paid to the captive rather than to a traditional insurer. The captive then invests the premiums and uses the money to pay out claims as and when they occur. The various structures used for a single-parent captive include a reinsurance company, an insurance company, and a self-insured funding mechanism.

Since the 1970s, single-parent captives have been the preferred method of funding the medical malpractice risks of many of the largest national health systems (both not-for-profit and for-profit) and many of the largest regional integrated healthcare systems. Over the past 30 years, the number of regional and rural systems creating these facilities has made the single-parent captive the formalized funding mechanism of choice. As many of the older facilities continue to "mature," many of these systems have begun to recognize that their captive can also serve as a formalized funding mechanism for other risks.

One of the major benefits afforded by the captive is that its owners have the ability to look at the individually identified risks of the organization in a concise fashion using premiums paid into the facility as an estimated representation of the value associated with the risk. By assigning a dollar amount to the identified risk, the owner can then apply traditional capital and cash-flow management techniques to more effectively deal with the financial implications associated with each risk.

Monitoring, Reviewing, Optimizing

Only through established lines of communication and documented policies and procedures can the organization fully monitor, review, and optimize risk.

The organization's internal and external stakeholders need to have access to different information to fulfill their roles in managing risk. Internal stakeholders include the board of directors, senior executives, department directors, and staff. Risk communication standards that articulate risk-related duties and responsibilities need to be developed and implemented for each set of stakeholders.

The Association of Insurance and Risk Managers, in its Risk Management Standard, places ultimate responsibility for establishing a process for monitoring, reviewing, and optimizing risk with the board of directors.

The Journey and the Destination

The destination of ERM is undeniably important: identifying and mitigating risk throughout the organization. Yet the journey toward that destination is equally important.

Along the way, you will discover innumerable opportunities to better understand and manage your organization's processes, yielding not just reduced risk, but also improved efficiency and outcomes, including patient and staff satisfaction. Another reason the journey is important is that risks emerge and transform constantly. Consider the list at the beginning of this article: clinical research, competition, billing practices, patient safety. When you put down this article and turn to your e-mail box, you may well find a new proposed regulation, initiative, press report, or financial finding that constitutes a potential business risk for your hospital. The journey to identify and mitigate risk never ends.

Thomas Heim is senior vice president, Palmer & Cay, Charlotte, N.C.

Questions and comments about this article may be sent to the author at

What Is Enterprise Risk Management?

"The underlying premise of enterprise risk management is that every entity, whether for profit, not-for-profit, or a governmental body, exists to provide value for its stakeholders. All entities face uncertainty, and the challenge for management is to determine how much uncertainty the entity is prepared to accept as it strives to grow stakeholder value. Uncertainty presents both risk and opportunity, with the potential to erode or enhance value. Enterprise risk management provides a framework for management to effectively deal with uncertainty and associated risk and opportunity and thereby enhance its capacity to build value…. [ERM is] a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."

-Committee of Sponsoring Organizations (COSO), Enterprise Risk Management Framework (draft), 2003. COSO is an independent nongovernmental body of public companies, independent accounting firms, Securities and Exchange Commission officials, and others whose mission is improving internal controls and corporate governance within the United States.

When to Use a Single-Parent Captive

Single-parent captives may be suitable for risks associated with:

  • Contract physicians
  • Managed care
  • Clinical trials
  • Products and services
  • Contractual liability
  • Workers' compensation
  • Brand, image, reputation, press relations
  • Federal and statutory regulations
  • Management liabilities
  • Employment practices
  • Environmental issues
  • Internet/cyber-liability

Publication Date: Thursday, April 01, 2004
