Cleveland Clinic rolled out a process that is helping the respected health system continuously protect its brand and mission from major strategic and operational risks.

Cleveland Clinic leaders had discussed the need to do something about enterprise risk management (ERM) for years, said Charles Kolodkin, JD, executive director of enterprise risk and insurance for the health system. But the physician-driven organization did not amass the momentum necessary to launch a formal ERM process until the Great Recession hit.

Seeing this as a wake-up call, Cleveland Clinic’s CFO and chair of the board’s audit committee pushed their fellow executives to adopt a more formal process for identifying and managing strategic, operational, and other types of enterprise risks and opportunities. “Without high-level support, there would not have been as much ‘oomph’ behind this,” said Kolodkin at ANI: HFMA’s Annual National Institute in June.

Launched in 2010, Cleveland Clinic's ERM process is helping the health system successfully navigate the changing healthcare environment. The organization completed a full risk management cycle in 2012 and is now working to ensure a continuous and sustainable ERM approach (see the exhibit below).

Exhibit 1 Cleveland Clinic ERM Article

“ERM has been very successful,” said Kolodkin. “Now that we are anticipating risks, we are no longer constantly defending our brand against unexpected risks. We are doing a better job―for example, before we sign contracts with vendors―at thinking through the ramifications of business opportunities.” 


A Six-Step Approach

A common concern about ERM is that it can become a worthless exercise (i.e., complete a risk assessment and file the documents away). Another concern is that ERM programs tend to melt away after the initial momentum is lost. To ensure that its ERM process provides value and is sustainable, Cleveland Clinic developed a six-step approach.

Establish the ERM structure and provide training. A steering committee was established with representatives from operations, accounting, risk management, legal, internal audit, and continuous improvement, as well as two physician leaders.

Exhibit 2 Cleveland Clinic ERM Article

The steering committee then created work teams of four to eight employees to “do the heavy lifting,” or conduct detailed assessments on specific risks, said Kolodkin. “We tried to create cross-discipline teams with someone from finance, operations, and maybe legal, as well as others who could provide insights into the specific risk being assessed. This way we made sure there was someone on the team with analytical skills, as well as other needed skills.”

Each of the work teams has two executive sponsors (one physician leader and one non-physician leader) who serve as a sounding board for the team.

Comprehensive training on ERM concepts and techniques was provided to members of the steering committee and all the work teams. “Many of these people, including the physicians involved, were not familiar with ERM. So we spent a lot of time on what we are trying to accomplish, how we define ERM, etc.”

Identify risk categories and top risks. The steering committee spent time upfront determining how it wanted to categorize different types of risks to the organization, finally settling on six categories:

  • Strategic
  • External
  • Financial
  • Operational
  • People
  • Compliance 

“One of things we’ve struggled with is the high value that we place on our brand and our reputation,” said Kolodkin. “We weren’t sure if ‘reputational risk’ should be a separate category of risk. In the end, we decided that reputational risk should transcend everything we do in ERM, versus just being one category of risk. Our reputation touches operations, strategy, etc. We want people to be constantly cognizant of protecting our brand.” 

Another major step in the ERM process was identifying Cleveland Clinic’s top risks under each of the six risk categories. The health system's consultant started this process by interviewing high-level leaders across the health system about potential threats to the organization’s reputation and livelihood.

From these interviews, the consultant came up with a list of more than 100 potential risk areas. The steering committee then narrowed this list down to seven high-priority risks for which to deploy work teams:

  • Ability of the business model to respond
  • Mergers and acquisitions consistent with strategy and culture
  • Impact of healthcare reform
  • Maintenance of a high level of clinical quality and safety
  • Maintenance of environmental and operational safety
  • Prioritization of initiatives and ability to address opportunities and challenges
  • Training and succession planning 

Conduct detailed risk analyses. A work team was assigned to each of the seven risks. The teams conducted “deep dive” analyses of each risk. First, sub-risks were identified for each risk. For example, for the risk “mergers and acquisitions consistent with strategy and culture,” the work team identified three sub-risks: 

  • Merger or acquisition is inconsistent with business model
  • Due diligence is inadequate 
  • Completed deals result in unanticipated operational, financial, or reputational risk 

The work teams then conducted detailed risk assessments of each sub-risk, breaking each sub-risk into logical components, gathering needed data and information, and making assessments or judgments. 

Determine how to mitigate and respond to risks. Kolodkin and two other leaders served as mentors to the teams, helping them sort through the risks and challenging them to consider questions such as the following:

  • What is the impact of that risk component to the health system? 
  • What are we doing now to mitigate this? How do you know we’re doing a good job or not? 
  • What would lead you to believe that we are mitigating this risk or that we are very vulnerable and things aren’t happening? 
  • What metrics or indicators can we use to track this risk?

The teams then developed a report to share with senior leaders about each sub-risk, using a template that is integrated with data from Excel files (see the exhibit below). These reports spell out the impact of the risk, planned mitigation activities, and metrics for monitoring each sub-risk. The reports also include a heat map that visually classifies each sub-risk by potential impact and likelihood.

Exhibit 3 Cleveland Clinic ERM Article

In some cases, the mitigation plans simply involved documenting what was already being done. “One of our top risks is clinical quality and safety. But we already had all types of risk indicators and processes in place to track and ensure quality. So for that work team, they mostly just had to document what we were already doing.”

Continually monitor and report. The ERM steering committee makes regular reports (typically twice a year) to Cleveland Clinic’s leadership team and the audit committee about all the ERM activities.

“Our reports to the board are high-level summaries of our top-risk areas and what we are doing about them,” said Kolodkin.

Embed risk management in business. The health system plans to repeat this detailed risk assessment process every few years. “We don’t need to do the 50 interviews with high-level leaders again,” said Kolodkin. “We don’t want to reinvent the wheel. To guide our ERM initiative, we will use some of the work that our internal audit department does as well as the information we gather during various strategic assessments.”

In addition, the health system is working to make risk assessment part of every leader’s job. One step is asking all service line and physician group leaders to identify major risks as a part of their quarterly business reviews, said Kolodkin. “We are now trying to challenge them to be prepared to talk about the major risks that are facing their groups and how they are measuring those risks.”

A Continuous Process

Finding the resources to carry out ERM is a key challenge, said Kolodkin. “We did not create a new department, said Kolodkin. Instead of adding FTEs, Kolodkin borrowed some FTEs (e.g., financial analysts) as needed.

While this helped Cleveland Clinic manage costs, it has been a continuous struggle. “It’s a huge thing to manage your personnel. You are asking existing people to do more. So it’s a balancing act. To be successful, you cannot stretch your people too much or they will feel stretched and then they’ll just go through the motions and you won’t get a valuable product.”

Another challenge is dealing with constant change. “When our work team was in the middle of assessing our business model, our business model changed. So we have to be continually responsive to changes and conduct new risk assessments when a risk is altered.”


Maggie Van Dyke is HFMA’s managing editor, Leadership, newsletters, and Forums. 

Quoted in this article:

Charles Kolodkin, JD, executive director, enterprise risk and insurance, Cleveland Clinic, Cleveland. 

Publication Date: Thursday, September 26, 2013