Enterprise Risk Management

Building an ERM Framework for Value-Focused Health Care

March 30, 2018 9:40 am

Appropriately identifying and reconciling risks and opportunities tied to performance-based payment is essential for success and survival under value-based care models.

Healthcare organizations have long employed various approaches to risk management to prepare for risks that are unique to healthcare delivery settings, such as adverse events that pose harm to patients, visitors, and employees. However, with the advent of the Affordable Care Act (ACA), which pushed providers toward value-based payment models that tie clinical and financial performance together, traditional risk management approaches have become inadequate.

With this change, it has become imperative for a healthcare leader to think in terms of the entire system, performing an ongoing in-depth analysis of risk and taking proactive steps to build a safer, more cost-efficient healthcare environment. Recently, enterprise risk management (ERM) has emerged as a preferred risk management approach for businesses across many industry sectors, including aviation, construction, public health, international development, energy, finance, and insurance. Healthcare organizations, too, have begun adopting ERM as a means for adapting to the uncertainties of the changing healthcare landscape.

However, building and implementing an ERM framework for value-focused health care is not without considerable challenges. This effort requires a top-down approach involving key stakeholders to create a risk-focused architecture within the hospital or health system that aligns with the organization’s strategies and initiatives.

Before addressing questions of how to build an ERM framework for value-based care, it is helpful first to review traditional healthcare risk management approaches under the volume-based payment model and then consider the ways in which the shift in focus from volume to value requires a new approach.

Sidebar: Federal and Other Initiatives That Are Transforming Provider Risk

Traditional Healthcare Risk Management

Risk management has always been especially important in health care because human lives are on the line. Traditionally, the role or purpose of risk management has been regarded as “protection from loss” in narrow insurable categories, such as medical malpractice, general liability, property loss, and directors’ and officers’ risk. Thus, the ideas of risk and insurance have tended to be directly linked.

As part of their evolution, many risk management programs began to include early patient safety efforts, relying on voluntarily reported events and incidents to identify risk. As such, these programs' activities tended to be reactive and retrospective. Risk management program success was measured by insurance premiums, reserves, losses, and reported incidents, and the assessments did not consider lost opportunities, sacrificed value, or nonclinical risk.[a]

The tethering of clinical and financial performance, discussed in greater detail below, is one of the key elements that differentiates the new ERM framework from traditional and other evolving risk management approaches.

Understanding the Forces Reshaping ERM

Regulations established under the ACA, emerging malpractice reforms, changes to prospective payment systems (PPSs), and the shift to value-based payments all have dramatically transformed the care delivery and risk management profile for most healthcare providers. Even as many entities remain focused simply on limiting underwriting risks as part of risk management strategies, some have started down the path to implementing ERM to prepare for these new payment risks.

As clinical and financial performance are increasingly tied to one another in value-based healthcare delivery and payment models, the key to managing and avoiding risk moving forward will be to thoroughly understand the emerging new payment methodologies that are designed to change provider behavior and the ways these changes impact patients’ entry into and movement through the healthcare delivery system. 

Risk Management Across a Spectrum

As the healthcare industry continues its movement from the volume-based, fee-for-service (FFS) payment model to the value-based payment model, hospitals and health systems face major challenges and opportunities in transforming their clinical, financial, and operational models to align with new value-based payment policies while still operating in a volume-based environment. Important among the risks that must be managed across the various types of value-based arrangements are the financial impacts of the transition itself: better management of chronically ill and high-risk populations reduces emergency department (ED) visits, hospital admissions, inpatient length of stay, and admissions to skilled nursing facilities, each of which is a source of revenue under FFS.

Spectrum of Risk in Value-Based Arrangements

In one-sided risk arrangements, such as certain alternative payment models (APMs) and shared savings models, providers and healthcare delivery organizations assume the up-front costs to acquire and deploy resources for their participation without accepting downside financial consequences. 

By contrast, in two-sided risk arrangements—such as bundled payments, partial capitation, and full capitation—providers and healthcare delivery organizations share both savings and losses with insurers. Optimizing payment in two-sided arrangements requires a significant focus on care coordination, care management, and high-risk case management. If successfully implemented, two-sided risk models are a means to align interests across payers and providers, improve population health management, and empower and encourage providers to deliver high-value care.

Building an ERM Framework for Value-Focused Health Care

As a strategic discipline, ERM supports the identification, assessment, and management of risks, uncertainties, and opportunities that may affect an organization’s strategy, economic position, or operating performance. A comprehensive and sustainable ERM framework addresses all the major categories of risk exposure, including environmental, competitive, strategic, financial, regulatory, and operational risk, as well as the risk associated with technology and an organization’s reputation.

Various ERM approaches are available, some of which are more specifically structured to accommodate the risk management needs of selected industries or stakeholders. A mature ERM program supports the entire organization in the evaluation and treatment of risk.

Developing the ERM framework provides the essential foundation for any ERM strategy and risk management plan, particularly in a value-based payment environment. Such a framework generally encompasses a series of qualitative and quantitative tools and methods for identifying, examining, and prioritizing risks and for making informed decisions on how to handle them.

A practical approach to creating an ERM framework begins with the following fundamental steps:

  • Assess, analyze, and understand what risk prevention policies and processes are already in place.
  • Develop a roadmap of how much risk the organization is willing to take on outside of its original risk parameters and what is needed to assume this added risk.
  • Involve senior leadership, including the CEO, chief nursing officer, chief medical officer, CFO, and other key cross-functional leaders, such as risk managers, to steer the development of the framework.

An organization also should address both when it intends to implement its framework, keeping in mind that most ERM frameworks require 18 or more months for full implementation, and why it is doing so—for example, to manage downside versus upside risk or a change in organizational culture, or as a response to market, financial, or regulatory pressures.

An ERM framework can be developed, articulated, and set for implementation by the healthcare organization's board and senior management. The organization's risk appetite and risk tolerance are closely linked with its strategic plan and provide the foundation for the ERM program. Every organization takes on different levels, amounts, and types of risk to achieve specific results; these usually are expressed in qualitative and quantitative measures and can be altered to reflect ongoing changes in strategy.

Key Risk Indicators and Measures of Five Medicare Quality-Improvement and Performance-Reporting Programs

The leadership structure of the healthcare organization also will be influenced by factors such as the organization's mission, size, complexity, and governing body. Assuming that key leaders will review and approve the ERM plan and offer guidance when needed, other committees will further refine roles and responsibilities. These groups may include the board of directors, department leadership teams, specially convened ERM committees, steering committees, oversight committees or workgroups, and/or those responsible for strategic planning, internal audit, compliance, risk management, capital budgets, mergers and acquisitions, and development. Responsibilities can be assigned to specific leaders, including the chief risk officer, CFO, CIO, and CEO.

The Evolution of Risk Frameworks in Health Care

Most traditional healthcare risk frameworks consist of segmented structures that organize specific types of risks into disparate risk domains (e.g., "Regulatory," "Finance," "Operations"). Changes in payment structure are assumed to constitute financial risks in traditional risk management frameworks. However, because payment amounts are not tied to measures of quality or other measures of clinical performance in traditional FFS models, the risk management frameworks for these models have not been designed to fully reconcile the relationship between clinical and financial risks across risk domains.

For example, the American Society for Healthcare Risk Management (ASHRM) ERM Framework identifies medication errors and hospital-acquired conditions (HACs) as risks allocated only to a Clinical/Patient Safety Risk Domain; it does not recognize HACs as examples of clinical or financial risks as part of its other risk domains.[b]

As defined by ASHRM in its framework, the Financial Risk Domain comprises financial risks tied to decisions that affect areas such as the financial sustainability of the organization, access to capital, external financial ratings through business relationships, and the timing and recognition of revenue and expenses.

Under value-based payment, however, HACs have implications for both clinical and financial risk, given that HACs are the subject of measurement in the Hospital-Acquired Condition Reduction Program (HACRP) administered by the Centers for Medicare & Medicaid Services (CMS), which reduces Medicare payments by 1 percent for hospitals that rank in the worst-performing quartile. Given their financial implications in this case, HACs presumably should be accounted for as examples of financial risks in the ASHRM ERM Framework's Financial Domain.

The ASHRM ERM Framework also includes a Human Capital Domain, which refers to the organization's workforce and includes risks associated with recruitment, employee selection, retention, turnover, staffing, absenteeism, on-the-job work-related injuries (workers' compensation), work schedules and fatigue, productivity, compensation, and termination of members of the medical and allied health staff. HACs are not identified as examples of human capital risks in the Human Capital Risk Domain.

Such an omission is problematic, given that CMS uses patient safety indicators (PSIs) established by the Agency for Healthcare Research and Quality (AHRQ) in its HACRP scoring methodology, and that AHRQ defines the PSIs as a set of measures designed to screen for adverse events that patients experience as a result of exposure to the healthcare system and that could be prevented by changes at the system or provider level. Many of those changes are workforce changes (staffing, fatigue, training), which is precisely what the Human Capital Domain is meant to capture.

A value-based healthcare ERM framework addresses these issues by placing financial performance at the center of the framework, enabling organizations to more effectively identify and reconcile the impact and magnitude of losses or opportunities that could occur as a result of clinical performance under emerging value-based payment and delivery models. Value-based ERM frameworks assume that performance risks exist across risk and opportunity domains, that such risks are predictable, and that any particular risk may have a measurable impact on the economic position and/or financial sustainability of the organization.

This important structural difference between traditional risk management frameworks and value-based ERM frameworks is illustrated in the exhibit below.

Comparison of Traditional and Value-Based Healthcare Enterprise Risk Management (ERM) Frameworks

Value-based ERM frameworks are structured to identify the variable sources of clinical and financial performance risks as key risk indicators (KRIs), so that the anticipated financial consequences of such variability can be measured and reconciled across risk and opportunity domains. KRIs can be derived from key performance indicators (KPIs), benchmarks, and implications on payment determination associated with measures used in various quality improvement and performance reporting programs, and from measures used as part of risk-sharing contracts and arrangements across the provider or healthcare delivery organization’s payer mix.

How to Identify, Qualify, and Prioritize Risks Using a Value-Based ERM Framework

An ERM framework that is well designed for managing risk under value-based payment is imperative, and creating such a framework requires understanding how it differs from traditional healthcare risk management. A recent report by RSM US LLP provides a helpful perspective on the components of an ERM framework, noting that, in addition to determining the organization's capacity for accepting risk (i.e., its "risk appetite"), it should include the following:

  • Risk governance
  • Enterprisewide risk management processes (e.g., identifying risks, assessing and measuring risk, monitoring risks and acting to address those risks, managing risk through controls and risk responses, and reporting risk)
  • Integration with business decision making
  • Establishment of a strong risk culture[c]

As previously stated, under value-based payment, HACs have implications for both clinical and financial risk. CMS recently released the final FY18 adjustments for the HACRP, which ties payments to performance on patient safety issues such as infections, bed sores, and post-operative blood clots. Under the program, Medicare payments were cut by 1 percent in FY18 for 751 hospitals that had the highest rates of HACs.[d] This point underscores the importance of implementing an ERM program that not only manages the risk for the organization but also protects financial performance by avoiding penalties.

A Process Tailored to Circumstances

Value-based ERM approaches and associated frameworks effectively account for elevated financial risks and opportunities linked to quality and other clinical performance measures across the continuum of care. Moving forward, the key to preventing and managing risk will be to understand the relationship between clinical and financial performance. Because there is no one-size-fits-all approach to value-based payment, value-based ERM frameworks can be adjusted to account for a provider's organizational classification (e.g., hospital or health system), the risks and incentives associated with its participation in specific value-based arrangements, its risk appetite, its organizational capabilities and culture, and the market and policy forces it faces.

In today's healthcare environment of increased uncertainty, complexity, and continuous change, traditional risk management approaches can be ineffective. The transition in focus from volume to value has necessitated a shift in how hospitals and health systems identify, evaluate, refine, and mitigate risks. The optimal approach is to adopt a comprehensive system that considers all aspects of risk across the entire organization and to monitor and address emerging risks before they become significant events. By employing ERM practices that account for the implications of value-based payments, healthcare provider organizations can better anticipate, recognize, and address the myriad risks and opportunities to deliver safer, higher-quality care.

Paul Tuten is a senior vice president, Quantros, Milpitas, Calif.


a. American Society for Healthcare Risk Management, Enterprise Risk Management for Boards and Trustees: Leveraging the Value, accessed March 8, 2018.

b. American Society for Healthcare Risk Management, Enterprise Risk Management (ERM) Resources, www.ashrm.org/resources/ERM-Resources.dhtml.

c. RSM US LLP, Enterprise Risk Management in Health Care, April 27, 2017.

d. Rau, J., "Medicare Penalizes Group of 751 Hospitals for Patient Injuries," Kaiser Health News, Dec. 21, 2017.
