June 19—The 2008 recession was part of the impetus for launching a formal enterprise risk management (ERM) process at Cleveland Clinic. But the real catalyst came in the form of a high-level sponsor: the chair of the board’s audit committee. Cleveland Clinic’s CFO was also very engaged. “Without high-level support, there would not have been as much oomph behind this,” said Clinic’s Charles Kolodkin, JD, executive director, enterprise risk and insurance at a Tuesday ANI session.
From the beginning, Cleveland Clinic wanted to ensure that its ERM approach would be sustainable. “When you speak about ERM, many people worry about the value you get out of it, said Angela Hoon, principal, KPMG, who co-presented with Kolodkin. “How do you keep it sustainable so that it’s not just, ‘Do a risk assessment, check the box, and we’re done’?”
To create a long-term, ongoing approach to risk management, Kolodkin and his colleagues went through six steps.
Establish a structure. A governance committee was established with representatives from operations, accounting, risk management, legal, internal audit, and continuous improvement, as well as two physicians. The governance committee then created work teams to “do the heavy lifting,” or conduct detailed assessments on specific risks, said Kolodkin. Each of these work teams had an executive sponsor who served as a sounding board for the team.
“We did not create a new department, Kolodkin said. “Instead, we tried to use our existing resources.” Instead of adding FTEs, Kolodkin borrowed some FTEs (e.g., financial analysts) as needed.
Identify top risks. After interviewing high-level leaders across Cleveland Clinic about potential threats to the organization’s reputation and livelihood, a consultant came up with a list of 300 plausible risks. The governance committee then narrowed this list down to seven high-priority risks:
- Ability of the business model to respond
- Mergers and acquisitions consistent with strategy and culture
- Impact of healthcare reform
- Maintenance of a high level of clinical quality and safety
- Maintenance of environmental and operational safety
- Prioritization of initiatives and ability to address opportunities and challenges
- Training and succession planning
Conduct detailed risk analyses. A work team was assigned to each of the seven high-priority risks. The teams conducted a “deep dive” analysis of each risk, which involved identifying sub-risks, conducting various types of analyses on these sub-risks, and predicting the impact and likelihood of each sub-risk.
Determine how to mitigate and respond to risks. The work teams also outlined ways to mitigate each of the sub-risks. In some cases, this simply involved documenting what was already being done.
Continually monitor and report. Regular reports to Cleveland Clinic’s leadership team and board audit committee helped ensure the teams followed through on plans to address the various risks.
Embed risk management in business. The initial detailed risk assessment process was completed in 2012. Cleveland Clinic plans to repeat this detailed process (minus the executive interviews) every few years.
In addition, the health system is working to make risk assessment part of every leader’s job. One step is asking all service line and physician group leaders to identify major risks as a part of their quarterly business reviews, Kolodkin said.
Publication Date: Wednesday, June 19, 2013