Enterprise Risk Management

Engaging in risk management to safeguard strategic priorities

October 29, 2020 9:29 pm

The middle of a pandemic seems like an apt time to discuss risk management. One of the key lessons from the past year is how quickly an unexpected event can fundamentally disrupt day-to-day activities, upend financial margins and derail strategic plans. Although healthcare organizations can’t turn back time to change their initial level of COVID-19 preparedness, they can commit to anticipating, planning for and mitigating risks going forward, whether those relate to the virus’s continuing evolution or other large-scale events.

By embracing an enterprise risk management (ERM) strategy, an organization can establish a framework for identifying potential risks, assessing their likelihood, forecasting the magnitude of their impact and determining response tactics that take into consideration the full complement of the organization’s departments. Hospitals and health systems that commit to developing and executing this type of strategy can better prepare for surprises and reduce the chances that crises will derail short- and long-term organizational objectives.

A carefully considered approach is a key success factor

An ERM initiative is a multifaceted endeavor that should follow an efficient, yet methodical road map designed to foster robust leadership participation and garner critical insights across the enterprise. Following are a few essential steps involved in the process. 

Assign ownership. To start, organizations should create an executive leadership committee (ELC) that owns the ERM process and provides overarching insight and direction. “A key task for the ELC is to tap a facilitator team, which is often made up of members of the internal auditing department,” says Angie Fearon, senior manager, risk and accounting advisory services for Plante Moran. “The facilitator team’s function is to design, implement, expedite and maintain the ERM. In many ways, the success of the initiative rests with this group. It is up to them to keep things moving efficiently, making sure the exercise stays on course and does not take too much senior leader time while still garnering detailed information.”

Select senior leaders to participate. Next, the ELC and facilitator team must decide who in the organization should be interviewed about enterprise risks and the threats they pose. Speaking with a range of leaders can generate the broadest perspective and ensure that key viewpoints are not overlooked. Some good candidates for interviews include members of the C-suite as well as hospital, physician enterprise and post-acute leaders that deal with finance, technology, clinical care, pharmacy, revenue cycle, supply chain and facility operations.

Set the stage for an effective discussion. Once participants are determined, the ERM facilitator team sends out information in advance of the interviews to help participants think through possible risks. “Called a ‘risk universe,’ this information delineates the general risk purview, prompting and reminding leaders of risk areas to consider,” says Fearon. “For example, a pharmacy operations leader may receive a risk universe that encourages thought around inventory management, billing, reporting, 340B, drug diversion, supply chain, revenue cycle, charge description master (CDM) and potential system downtime.”

Conduct in-person interviews. Facilitators meet individually with leaders and talk through each area in the risk universe. “These meetings are meant to be efficient, taking about 30 minutes at most,” says Fearon. “The conversation delves into the leader’s strategy for their area and any risks to achieving their goals. The facilitator uses ‘what if’ scenarios to pull threads on possible risks and uncover themes. The conversation also explores the department’s relationship to other organizational areas and its perspective on the broader risk universe.” During the interview, the leader and facilitator score identified risks by gauging impact, likelihood and velocity — the speed with which a risk would impact a given event or multiple events.

Discuss results. Once all the interviews are complete, the facilitator team hosts a group session with the ELC to go over information gleaned from the meetings. “During this time, the facilitator team may use a heat map to illustrate the identified risks by impact, likelihood and velocity,” says Fearon. “A heat map is a two-dimensional representation of data, in which values are denoted by different colors. For example, if an event is highly probable and could be highly impactful, it would be assigned the color red on the heat map. An event that is low probability and low impact would be assigned blue or green. When all the color-coded events are included on one matrix, the ELC can see patterns and identify where the organization needs to allocate time and resources for prevention and planning.”

Assign responsibility for risk mitigation. As the process unfolds, the ELC establishes governance committees that own the identified risks and work collaboratively to develop action plans and monitoring strategies. These groups meet regularly throughout the year to review progress, address roadblocks and keep work moving forward.

Lessons from the field

Earlier this year, ChristianaCare — a nonprofit academic health system serving Delaware, Maryland, Pennsylvania and New Jersey — participated in an ERM exercise. “We wanted to be sure we had a solid understanding of what could go wrong as we worked toward our strategic goals,” says Rob McMurray, CFO for ChristianaCare. “Having a clear picture of possible threats and how we should respond to them will help us weather the unexpected while continuing to execute on our strategic plan.”

ChristianaCare found it beneficial to look at risks from an enterprise-wide perspective and not just at the department or function level. “We all participate in our own risk management in everyday activities,” says McMurray. “But these efforts do not always keep others in mind. When you implement an enterprise risk management strategy, you collectively talk about things that could derail the ability to execute on organizational aims. This is so important in healthcare because our business is changing rapidly and from many directions. If we maintained a siloed approach to risk management, a department could develop mitigation activities that would work within its purview but may have a detrimental effect on other areas without realizing it. Also, enterprise risk management does a good job at identifying the low-probability, high-impact events that could disrupt our forward progress the most.”

Since embracing an ERM approach, ChristianaCare has seen several benefits. “Our ERM strategy is always evolving, and it’s definitely a work in progress,” says McMurray. “That said, we already have greater confidence that the plans we have in place can effectively lessen the effects of potential risks. More importantly, the initiative has enhanced the dialogue between members of our organization, breaking down silos and enabling a stronger ability to plan. While many of the risks we address could be considered highly unlikely, the exercise has heightened our awareness and helped us understand what the next steps could be. Now if something were to happen, we would know who to involve in the response and what to do.”

As ChristianaCare has worked through its ERM initiative, they have discovered some valuable lessons along the way. “It’s human nature to ignore low-probability, high-impact events,” says McMurray. “And while our fundamental nature may explain this lack of foresight, it doesn’t excuse it. Organizations need to commit to pursuing this kind of strategy to ensure long-term viability. The good news is that the required investment is relatively low, especially when you consider the financial ramifications of an unforeseen crisis. My advice to other organizations is that you can’t eliminate all risks, but you can prepare for and aim to control them. By understanding the cost-benefit of preparing for identified risks, you can take action on those where a little prevention could save considerable time and resources should the emergency come to pass.” 

Angie Fearon is senior manager, risk and accounting advisory services for Plante Moran. Rob McMurray is CFO for ChristianaCare. This article is based on an August 2020 presentation to HFMA’s Strategic CFO Council. For more information about the council, contact Chuck Alsdurf, HFMA director of finance policy, operational initiatives, at [email protected] and learn about upcoming programs.

About Plante Moran

Plante Moran’s is the 16th largest audit, tax and business advisory firm in the country. Our integrated healthcare practice brings the collective experience of more than 225 specialists to over 2,100 healthcare clients across the continuum. We serve hospital and health systems, senior care and living organizations, and physician practices across the nation with high-touch client service and strategic partnerships that provide long-lasting value and long-term success. In addition to financial and accounting services, Plante Moran professionals deliver strategic planning, reimbursement, operations improvement consulting, revenue cycle, IT consulting, M&A support, and real estate strategy services.


googletag.cmd.push( function () { googletag.display( 'hfma-gpt-text1' ); } );
googletag.cmd.push( function () { googletag.display( 'hfma-gpt-text2' ); } );
googletag.cmd.push( function () { googletag.display( 'hfma-gpt-text3' ); } );
googletag.cmd.push( function () { googletag.display( 'hfma-gpt-text4' ); } );
googletag.cmd.push( function () { googletag.display( 'hfma-gpt-text5' ); } );
googletag.cmd.push( function () { googletag.display( 'hfma-gpt-text6' ); } );
googletag.cmd.push( function () { googletag.display( 'hfma-gpt-text7' ); } );
googletag.cmd.push( function () { googletag.display( 'hfma-gpt-leaderboard' ); } );