Cost Effectiveness of Health

5 ways the ERM playbook for health systems is due for a rewrite

March 29, 2022 2:21 pm

David Burik

Dennis Butts, Jr.

As the healthcare industry moves from stability to volatility, enterprise risk management (ERM) strategies are evolving from check-the-box compliance exercises to key areas of focus for health system leaders.

Already in the spring of 2021, it was clear that the characteristics that define business risk in healthcare were beginning to look markedly different.a Threats such as the move toward digital care delivery, well-capitalized disruption, lack of agility among legacy organizations and increased demands for price transparency all required a more urgent and complete approach to identifying and responding to business risk.  

Today, the level of volatility in the healthcare industry is bigger than anyone anticipated.

Distressed organizations are on the rise, half of health system leaders are unsure they will meet budget in 2021, and more than 40 million patient records have been compromised due to cybersecurity incidents. Meanwhile, although findings of a recent survey suggest organizations across industries are dedicating greater funding to ERM, just one in four respondents said they believe they manage risk “well” or “very well” across the enterprise.

ERM is a leadership challenge. It is virtually impossible to predict all material variables accurately and with precision at the pace required by a rapidly shifting market. In 2022, it is important that leaders make investments that help them more effectively anticipate, mitigate and manage business risk. Five areas of focus should be top of mind.

1 Labor shortages

This topic is being discussed in virtually every C-suite: Staff are stressed, overworked and in high demand, and health systems are struggling to find creative solutions to lessen the load. Nurse turnover rates alone average 17.2%, while 43% of physicians are considering early retirement. Moreover, when new graduates enter the workforce, they are unprepared to deliver the level of care the pandemic has required of providers.

But there’s another workforce shortage that is vexing hospitals: the shortage of nonclinical frontline staff and lower-wage clinical workers who can get paid more at Target, Walmart or Whole Foods — and experience less grief than at a hospital. Experts predict healthcare organizations could face a shortage of more than 3 million lower-wage clinical workers by 2026.

All of this is happening at a pace unimagined just eight months ago — potentially putting patient safety and retention at risk. While some organizations, such as Summa Health, have explored creative strategies to combat workforce shortages — such as reducing inpatient hospital beds by more than 20% to give short-staffed teams a reprieve — the surge of COVID-19 cases ultimately made this impossible.

“It was an aspiration at the time, but right now, it’s hard to even answer the question [around volume] day to day,” Cliff Deveny, MD, CEO, Summa Health, told the Akron Beacon Journal.b

This phenomenon flips traditional thinking about workforce management on its head. Typically, we look to healthcare workers to create scale and broaden growth. These levers enable growth and strengthen performance under value-based contracts. Now, with fewer resources in place, leaders must create the means to reduce healthcare consumption.

6 prerequisites for health systems in addressing healthcare’s labor shortage

How can leaders implement ERM strategies related to labor? And how can they balance these strategies with the mission to meet community health needs, even in the presence of economic headwinds? Here are six emerging prerequisites:

  • Reshape the workforce to adapt to near-term demand. 
  • Look for opportunities to reduce consumption of services — clinically and operationally — through improved efficiency, throughput and capacity management.
  • Double down on strategies that navigate patients to the right care setting.
  • Get creative in recruiting talent. 
  • Investigate the number of healthcare training slots in your community, the percentage of slots that are filled and whether there are enough to fill routine needs.
  • Automate workflows to improve the employee and customer experience.  



2 Capital planning

Most capital plans were created in more stable times. Those funded with bonds include a risk section that reflected a stable operating environment.

Now, healthcare leaders must examine not just whether they have the right capital plan for an evolving environment, but also whether the financial covenants in their bond documents, combined with their operating performance, might put their organizations at risk of default. (For example, they could violate a debt covenant by failing to meet the minimum required debt service coverage ratio or liquidity requirements, such as days cash on hand.)

In instances where health systems are spending less on capital even with massive influxes in cash flow, there is also the business risk associated with lack of investment in innovation amid a period of disruption in healthcare.

One example is the move toward remote patient monitoring, a market projected to reach $4.1 billion by 2028. This phenomenon, which stems from increased demand for home care capabilities during the pandemic, forces leaders to consider whether they are overleveraging physical facility assets and how they might best right-size in-person care to match current demand.

Further, a hospital or health system’s future financial position could be adversely affected by legislation, regulatory actions, economic conditions, increased competition from other providers, changes in demand for healthcare services and demographic changes. Any of these business risks could have a material adverse effect on the organization’s financial health, which could affect its ability to make payments under loan agreements.

ERM likely will impact health systems” capital finance agendas, especially if they are tax-exempt. The imperative for leaders: Balance financial risk with your organization’s mission imperative to invest in care delivery and resources.

Doing so demands a more strategic, integrated approach to cost containment — one that prioritizes the goals that matter most, operationalizes improvement and automates measurement.

3 Energy consumption and social determinants of health (SDoH)

More and more, consumers view a health system’s efforts to reduce energy consumption as a sign of its commitment to its mission to improve community health.

Today, air quality and water quality are considered SDoH, given their effects on gastrointestinal, neurological, respiratory and even reproductive health. Among nonprofit healthcare organizations, which must conduct community health needs assessments (CHNAs) every three years to maintain tax-exempt status, the call for CHNAs to reflect their organizations’ work around eliminating SDoH is gaining steam. It’s not hard to imagine a time when an organization’s work toward reducing its carbon emissions will become a focal point in CHNA review.

Developing a robust plan for energy efficiency and sustainability also makes good business sense, given that energy use constitutes 51% of facility expenses. At Robert Wood Johnson University Hospital Somerset, a $5.7 million investment in energy efficiency improvements is projected to save more than $600,000 annually.

However, as trailblazers in this area can attest, this work is not easy. It takes long-term investment and a shift in culture to reduce energy consumption. For 2022, health systems should consider the following steps:

  • Perform an analysis to take stock of the organization’s environmental activities, pressures and impacts.
  • Use the data from this analysis to develop a game plan for energy efficiency.
  • Once a course of action has been determined, work to secure organizational buy-in and the necessary funding.
  • Develop a targeted communication plan to keep the momentum going.
  • Ensure the processes and tools are in place to capture and report on the organization’s efforts.

4 Cyber risk

Data is the new oil, but access to that data via more consumer-centric channels heightens cyber risk.

Healthcare organizations now have more IT assets per employee than any other industry in the world, with 10 to 20 devices per employee. This situation creates the largest attack surface of any industry, with the least dollars spent per device on cybersecurity, making it the easiest target to attack.

The currency of consumer data contained in patients’ health records — from social security numbers to financial and demographic data — also makes healthcare a prime target for cyberattack. In 2021 alone, 82% of health systems were the victim of cyberattack.

In 2022, healthcare leaders must become more strategic about developing a cyber defense. Here are a few ways to start.

Remember that cybersecurity is not just a technology issue. Security must be built into everything an organization does, not bolted on. As new processes are rolled out, the organization should hire new personnel and implement new technology. Cybersecurity should be incorporated into each element of its daily thinking.

Strengthen security of connected resources. Interconnected resources increase efficiency, but they also expose an organization to higher levels of business risk. Before plugging in a new interconnected asset, it is vital to understand how the asset will help the organization meet its mission, the ways in which that asset can be secured, where it can be placed within the organization’s security architecture and the risks that the asset presents.  

Conduct an annual assessment of your cyber posture. A cyber-maturity assessment should be performed annually to provide deep insight into the organization’s cybersecurity gaps and to generate a road map for measuring and improving cybersecurity maturity. Such a practice is vital to managing enterprise risk.   

5 Increased pricing transparency

When the price transparency regulations took effect in January 2021, many in the industry thought they could just pay the fine and it would pass. As a result, one month after the regulations took effect, 30% of hospitals were not in full compliance with either aspect of the price transparency rule.

Meanwhile, the focus on price transparency has not dissipated. Instead it has expanded beyond a matter of compliance to an area of operational concern under the “No Surprises Act,” which became effective on Jan.1. Organizations that lack controls to support compliance with this act leave themselves vulnerable to enforcement action.

The stakes regarding consumer trust and loyalty and the organization’s market position are too high for leaders not to put their organization’s best foot forward. To make a good faith effort to achieve compliance, leaders should ask the following questions:

  • Scheduling: How well do we validate in-network versus out-of-network coverage for non-employed providers? Do we perform provider enrollment checks?
  • Billing: How effective are our processes for adjusting or reviewing patient liabilities that fall outside the good faith threshold?
  • Insurance verification/eligibility: Do we maintain strong processes around certification of benefits and eligibility? Are we comfortable with our price estimate process?
  • Case pricing: Does our negotiating team have the appropriate support to navigate the independent dispute resolution process?
  • Contract negotiations: Where does our organization stand relative to the market median for our geographic location?

A new enterprise risk playbook for 2022

It will take strong ERM muscle to mitigate these threats this year and beyond. Executive support is crucial. In fact, findings from Guidehouse’s previously cited 2021 survey corroborate that executive support for ERM presents the most impactful improvement that organizations can make to anticipate and respond to volatility.

The challenge that now lies before healthcare organizations is to effectively transform ERM from a check-the-box compliance exercise to a fundamental component of doing business in a rapidly evolving environment. This effort requires three big steps:

  1. Integrating ERM into management processes
  2. Developing well-established mechanisms for risk identification and response
  3. Creating a culture that accepts enterprise risk as part of everyday business.


a. Burik, D., and Butts, D.K., “Rising risk due to COVID-19 requires a nimble response from health systems,” hfm, April 2021.

b.  Lin-Fisher, B., “’They’re stressed. They’re overwhelmed’: Akron area hospitals try to ease staff shortages” Akron Beacon Journal, Dec. 6, 2021.



googletag.cmd.push( function () { googletag.display( 'hfma-gpt-text1' ); } );
googletag.cmd.push( function () { googletag.display( 'hfma-gpt-text2' ); } );
googletag.cmd.push( function () { googletag.display( 'hfma-gpt-text3' ); } );
googletag.cmd.push( function () { googletag.display( 'hfma-gpt-text4' ); } );
googletag.cmd.push( function () { googletag.display( 'hfma-gpt-text5' ); } );
googletag.cmd.push( function () { googletag.display( 'hfma-gpt-text6' ); } );
googletag.cmd.push( function () { googletag.display( 'hfma-gpt-text7' ); } );
googletag.cmd.push( function () { googletag.display( 'hfma-gpt-leaderboard' ); } );