• How to Optimize Enterprise Risk Management Strategy in Health Care

    By Elizabeth Barker Mar 22, 2018

    Engaging staff, assessing risk, and employing rapid-response plans, healthcare organizations are cross-functionally implementing enterprise risk management strategies to enhance the value of their services.

    Thinking holistically and working across departments to determine areas of vulnerability, healthcare organizations have taken an integrated approach to risk. With the transition to value-based care calling for providers and health plans to demonstrate increased efficiency and control costs, enterprise risk management (ERM) offers the opportunity to consolidate resources and avoid repetition

    When composing a risk management strategy, “You can’t do it in a siloed fashion anymore,” says Claudia Douglass, managing director for Advisory Life Sciences and Health Care with Deloitte. “It has to be an enterprise view informed by the strategy, with operations making it real.”

    According to the American Society for Healthcare Risk Management (ASHRM), key components of an ERM strategy include identification and management of uncertainty, assessment, employing data to prioritize risk, creating a culture of accountability and readiness, and incorporating risk appetite in the organization’s overall strategy. 

    ERM demands ongoing cultivation, with domains involving operations, finance, strategy and reputation, human resources, legal and regulatory, IT, and hazards—as well as a clinical domain for healthcare organizations.

    Key Players and Plan Components

    When compiling risk plans, organizations utilize dashboards to assess, identify, and monitor risk, and they develop response plans. Providers and health plans should engage leadership and content experts to offer regular feedback on risk appetite and strategy.

    Who should be involved. Organizations with sufficient resources can build teams that are dedicated to ERM. For instance, multiple industries have seen an increase in the position of chief risk officer since the early 1990s, according to Deloitte. Those with more limited resources may build ERM responsibilities into current staff positions.

    “The biggest thing is having an engaged board and leadership team and making sure you engage staff people who are dealing with customers, including patients and consumers, on a regular basis and who know where your day-to-day risks are,” Douglass says.

    Serving 230,000 members throughout 58 Wisconsin counties as a not-for-profit HMO, Security Health Plan began developing its ERM strategy in 2014 while fulfilling compliance requirements. It has not hired full-time staff to manage this strategy but has established an ERM committee. The committee organizes quarterly meetings to gather feedback from staff who represent various departments and are in positions to identify key risks. The committee regularly communicates information back to leadership.

    Enterprise Risk Management_Krista Hoglund“We try to make sure there are enough members of leadership that are involved up front so that nothing is coming as a surprise to them. In case one of these risk events happens, everyone has been sufficiently briefed on it,” says Krista Hoglund (pictured at right), director of actuarial and risk adjustment services at Security Health Plan. The organization also expects every employee to assume some level of ERM responsibility; for instance, employees should notify the appropriate contact when observing a possible risk event such as a safety hazard or potentially fraudulent claim.

    Based in Danville, Ind., Hendricks Regional Health has been building its ERM strategy over the past five years. Composed of two hospitals that are licensed for 166 beds, the county-owned organization engages leadership to champion a continuous, coordinated approach.

    Enterprise Risk Management_David Petrous“If I don’t have support from leadership, implementation of an ERM program would be close to impossible because there’s not going to be the authority or support behind it,” says David Petrous (pictured at right), risk manager/safety officer at Hendricks Regional Health.

    Though the organization does not have a full ERM program, Hendricks Regional Health’s leadership, risk manager, and staff across departments utilize ERM methodology for decision making based on organizational goals and other drivers to ensure a high quality of care and protect the health system.

    Selecting staff to own and respond to risk helps organizations address events more effectively. “With a rapid-response team concept, you go through scenario planning so that if you have a situation come up, you have options, and you’re not making up a response on the fly,” Douglass says.

    Similar to the way rapid-response teams address a clinical emergency in a hospital, ERM rapid-response teams strengthen organizations’ ability to identify, monitor, and respond to risk. Some team members’ positions are dedicated to risk full-time; other staff, in positions ranging from clinical to financial to marketing, are taking on these roles in addition to other responsibilities. The success of these teams depends on having expertise in various risk domains, ongoing communication, and a dynamic ERM strategy.

    ERM plan procedures and elements. “You need to clearly define what scenarios you’re concerned about,” Hoglund says. Using a heat map and regular communications, such as through quarterly committee meetings, Security Health Plan monitors 21 key risks that fall under 10 risk categories. 

    At least one executive is assigned to a risk category, and each key risk includes an explanation, risk assessment, monitoring process, and mitigation strategy that consists of a trigger, response, and follow-up after the event. For example, the organization has designated a financial-risk category that covers risks related to pricing and liquidity, with the controller and chief actuary as responsible parties. The ERM committee regularly discusses possible scenarios ranging from cybersecurity to financial to legislative changes, and how the organization would respond.

    Central components of Hendricks Regional Health’s ERM strategy include an identified owner of a particular risk scenario, projected scenarios and data on likelihood, key performance indicators to be monitored, plans of action to respond to each scenario, and follow-up after risk events. Using tools such as heat maps (click on the exhibit below) or other matrices to identify risk, Hendricks also draws from quality improvement data, financial reports, and risk events themselves to evaluate risk categories regularly.

    Heat Map for Assessing Risk at Hendricks Regional Health

    Enterprise Risk Management_Exhibit 1

    “We go through this exercise of coming up with a risk score to let us know what’s likely going to happen, and that’s what we focus our education and training on,” Petrous says. “We then practice having risk events such as code blues and disaster exercises to know how to respond.”

    Risk Management Scenarios

    Regularly examining risk scenarios and fine-tuning risk plans as needed empower organizations to understand vulnerability and take a proactive stance when facing risk.

    Security Health Plan has applied its risk strategy to scenarios such as risk adjustment for Affordable Care Act (ACA) filings. Historically, the filing deadlines for ACA health plans to the Wisconsin Office of the Commissioner of Insurance and the Centers for Medicare & Medicaid Services have fallen on dates prior to the release of final risk adjustment information for the completed calendar year. For instance, the 2018 premium was set in mid-2017 before the organization confirmed its final financial performance for 2016.

    In the past, because of the condensed timeline between the release of final risk adjustment information and the deadline to make changes to the submitted ACA filing, the organization would make decisions without being able to perform in-depth analysis on the risk adjustment results. If it set a premium too low going into a year, Security Health Plan was unable to increase the premium until the following year, presenting potential financial risk.

    To better respond to filing requirements, Security Health Plan developed a timeline with key dates on when information is released and when different components of the filing are due (click on the exhibit below). “Because we planned ahead of time, giving our consultants a heads-up, we were able to turn everything around much quicker than by waiting for the day the information was released,” Hoglund notes.

    Rate-Filing Timeline for Security Health Plan

    Enterprise Risk Management_Exhibit 2

    For its ACA filing, Security Health Plan has determined risk adjustment thresholds and the corresponding pricing responses. For instance, if risk adjustment is a certain percent less than assumed in pricing, it would produce a particular response, such as an adjusted premium. The organization then schedules meetings to correspond with the release of the risk adjustment information and designates key decision makers, including the chief marketing officer and chief actuary, allowing for a shorter turnaround time.

    “If you plan ahead about how you’re going to react, or you know who the team is that needs to respond, it empowers people to be able to quickly make decisions and move on to the next item,” Hoglund says.

    In February, as part of an Endoscopy/Wound Therapy service line expansion project, Hendricks Regional Health oversaw a medical gas shutdown that impacted the ICU, Pediatrics, Childbirth Center, Radiology, Endoscopy, PT/OT, and Cardiopulmonary. The response required participation from a range of team members including administration, nursing leadership, affected departments, contractors who performed the work, and infection control.

    “We discussed the timeline of what’s going to happen,” Petrous says. “We wanted to make sure everyone knew when we would flip the switch and about the backup system being used during this time frame.”

    In addition to a safe handling of the shutdown, the response team—including the house supervisor, the director of respiratory therapy, nursing directors, an infection preventionist, contractors, engineering staff, the chief nursing officer, and the executive director of professional services—focused on developing alternative plans in the event that the project encountered problems or could not be completed. The risk plan accounted for ways to deliver care during the shutdown, including via portable suction machines, and to reroute patient care processes.

    Although the project was completed as anticipated and Hendricks Regional Health had response plans in place for events that arose, there remains an understanding that the unexpected may occur. “When you’re developing a plan, you have to have flexibility, agility, and resilience,” Petrous says. “Those common themes play across any type of policy, procedure, or protocol because you can’t imagine things that haven’t happened yet.” 

    Practice is crucial for Hendricks Regional Health, which regularly implements exercises to ensure staff are prepared for actual risk events. For instance, the organization sends out test emails to mimic messages with viruses and examines staff responses. Noting the number of staff who click on suspicious links, Hendricks continues to test and has seen the numbers decrease.

    The Outlook for ERM in Health Care

    Implementing an ERM strategy helps healthcare organizations not only to prepare for events that could be harmful but also to improve the consumer experience through more effective communication and coordination of services.

    “Any time we can reduce the means and resources that are needed to provide a higher level of care, the patients ultimately benefit in the areas of cost and quality,” Petrous says.

    Working across departments to proactively mitigate risk reflects industry efforts to increase the value of care. “With value-based care, the key is you’re working as a coordinated system,” Douglass says, noting a recent increase in provider and health plan requests to learn about creating leadership roles for ERM strategy.

    While healthcare organizations have demonstrated efforts to build ERM plans, ASHRM notes opportunities for growth. As providers and health plans continue to develop strategies, they will be able to incorporate those into organization-wide initiatives to enhance the value of care and reduce variation.

    “If you have a rapid-response team that has a plan and knows the steps to be taken in a certain scenario, you are more efficient and less likely to have a mistake that’s costly to the organization,” Hoglund says. “It should result in fewer wasted resources, which provides better care at a lower cost.”


    Elizabeth Barker is a digital communications professional and freelance writer in Chicago.

    Interviewed for this article: Claudia Douglass, managing director, Advisory Life Sciences and Health Care, Deloitte; Krista Hoglund, director of actuarial & risk adjustment services, Security Health Plan, Marshfield, Wis.; David Petrous, risk manager/safety officer, Hendricks Regional Health, Danville, Ind.

ADVERTISEMENTS