ERM: Evolving From Risk Assessment to Strategic Risk Management
Changes in the healthcare system are bringing new risks, which hospitals and health systems need to manage effectively to remain competitive.
The U.S. healthcare ecosystem represents a $5 trillion market and is projected to grow to a $5.5 trillion market by 2025. a This growth comes from several thematic drivers, including the shift from volume to value and the rise of the consumer, both of which are turning the industry on its head as new payment models and a greater range of consumer options are introduced to the marketplace. Other drivers include evolving mobile strategies, new entrants, an aging population, and continued uncertainty in the political and regulatory environments. With medical device cybersecurity vulnerabilities being reported at record levels, it is evident that new risks are constantly threatening the quality of patient care and providers’ long-term prosperity. b
As the healthcare market expands and evolves, the inherent risks also are increasing, as shown in the sidebar.
Moving Beyond Risk Identification
Traditionally, the healthcare industry has excelled in risk identification and assessment. It has been less proficient at prioritizing and managing risk, however, and it has a vital need to tackle these areas. To do so, healthcare providers must invest more in building enterprise risk management (ERM) capabilities.
As a defensive strategy, a focus on avoiding risk may seem to hold promise, but no hospital or health system can avoid risk entirely. By giving an organization insight into how to take the right risks at the right time, an effective ERM program can help the organization more successfully execute its strategic imperatives.
Getting Beyond Basic Effectiveness
Despite the growing importance of ERM programs today, and the raised awareness of that importance, many healthcare providers have been slow to adopt a more sophisticated approach. As shown in the exhibit below, the current state for most providers falls between “basic” and “evolving” levels of ERM program maturity.
Levels of ERM Maturity
Organizations classified as basic recognize the implications of risk for achieving the organization’s objectives and are just beginning to have important discussions on the topic of risk. Risks managed at the basic maturity level are often defined as hazards and considered only in the context of their adverse consequences; they are identified on an annual basis, risk mitigation and controls are seldom factored in, and reporting is infrequent, biannual at best.
Organizations at basic maturity also may have disparate risk management processes (e.g., compliance, IT/cyber security, operations, and legal/insurance) that are not managed in a coordinated manner and that exist outside normal management processes or cadences. Moreover, the internal ERM risk assessment is siloed from other risk assessments conducted in the organization.
Components for the risk assessment tend to be seen as requirements imposed upon the organization rather than as opportunities for proactive investment in the organization. As a result, the risk assessment often lacks substantive data and analysis, misses measurable monitoring, and does not align with the organization’s strategic vision and operational goals. It therefore is not surprising that ERM programs at the basic-maturity level often suffer from a lack of value creation in helping the enterprise manage risk to drive performance, and that they are rarely seen as anything other than “check-the-box” programs.
Organizations whose ERM programs are classified as “evolving” are on the way to having more enabled programs; they are able to conduct annual risk assessments within their health systems, but they do so with limited coordination or alignment back to strategy. Evolving ERM programs typically seek to help their organizations assess the broader risk universe, and they tend to drive toward a manageable list of 10 to 15 top, “enterprise” risks.
Risk owners within the organization are responsible for the mitigation of risks and development of risk action plans to do so, but many of them receive little oversight from an ERM program. Alignment between the risk management process and the business management process starts to form but is limited (usually involving strategy, planning, or finance). Risk-appetite statements may exist, but such statements tend to be formulated at a high aggregate level and may not always be relevant to management in helping mitigate individual risks. Risks often have an informal linkage back to strategic initiatives and performance expectations.
Establishing an Effective ERM Program: Key Components
An effective ERM program will help to drive greater relevance across the organization, to bring focus that promotes a greater level of operational and strategic performance, and to build lasting value for the health system. Where an organization focuses its resources and efforts is, of course, determined by its existing position and long-term strategy. If there is no process in place, organizations should begin working toward the basic level, focusing on building the foundational elements of a risk management framework. Those that have already established some risk protocols should aim for evolving maturity and concentrate on broadening organizational support and embedding and sustaining risk management throughout the enterprise. For example, effective ERM programs help an organization understand what must go right if the organization is to achieve its long-term objectives, what the risks are to achieving those objectives, how well the organization currently mitigates those risks and where the gaps are that it must close to keep improving its mitigation efforts, and how it then can develop oversight and reporting processes to monitor risk management activities.
Regardless of the initial maturity level, an important starting point for developing the ERM program is to clearly define or review the program’s purpose and value proposition for key stakeholders. This exercise will help determine whether the current program is properly serving the organization and is well-positioned to drive the level of change needed while managing risk in a dynamic and complex environment. For example, ERM programs can help drive standardization in risk assessment processes, help to bring balance around risks related to business unit performance expectations as well as strategic objectives, and start raising the level of risk acumen in the organization.
To promote this new mindset, the organization must create a risk culture and governance in alignment with its strategic planning process and build out risk processes with the support of governance, risk, and compliance (GRC) technologies.
These activities, which are fundamental to establishing an effective ERM program, fall into the following five key areas of focus.
Building a risk culture. When a strong risk culture exists within a hospital or health system, an ongoing awareness of risk is naturally embedded in the organization’s culture, from performance measurements to a company’s code of conduct, as well as training programs. Identifying, understanding, and managing risk is a priority and responsibility of all members of the management team.
A health system can be a leader in building a risk culture by embedding discussions on risk topics into day-to-day operations, including quarterly performance reporting, existing committee meetings, and executive team discussions.
Developing an organization’s risk culture also requires a companywide effort. Organizational risks should be defined more broadly than simply as events that result in challenges and issues that must be avoided. It is important that all stakeholders within the hospital or health system understand both the risks and the opportunities presented, and the uncertainties that need to be balanced to make an informed decision on whether to pursue the opportunity. For example, a hospital may be considering a new form of care delivery that could create a significant revenue stream and leverage the broader suite of care facilities across the system but that also heightens the organization’s level of risk. By understanding what needs to go right to operationalize the new form of care delivery, what could prevent the organization from achieving that objective, and what level of current and future risk mitigation capability is needed, an organization can make a better-informed decision on whether to pursue the opportunity.
Formalizing risk governance. Risk governance is well-defined when the board, senior management, and functional management have specific roles within the risk-management process and recognize their active roles within the risk-governance process. The organization also should provide these key stakeholders with the tools to fulfill those roles, ensuring proper knowledge and staffing of resources, including the GRC technology required to facilitate information sharing and coordination of risk management activities. All these individuals also should be accountable for their participation in the process, and guides and protocols should be created to clearly define when and how issues of risk are to be escalated.
For example, accountability in risk governance is a fundamental aspect of risk management for one national healthcare provider operating in more than 20 states. Risk owners are responsible for developing and monitoring risk response plans and for updating, identifying, and analyzing new and emerging risks. The information gathered through this process then is used to update the risk profile periodically.
Aligning ERM with strategic planning. Alignment of ERM to the strategic planning process is critical for establishing an effective ERM program. One Midwestern healthcare system, for example, links key risks to strategic initiatives when evaluating cost and ROI to determine whether the initiative falls within the organization’s risk tolerance.
To achieve greater alignment to the organization’s strategic planning process, organizational leaders should leverage the results of the risk assessment to promote a discussion around the implications of the risk profile. These conversations ultimately could lead to integration of the ERM processes within key functions such as planning, mergers and acquisitions, and program management for strategic initiatives. Another leading healthcare provider has found it effective to incorporate the process of linking all its top risks to the stated company strategy and underlying objectives, while also tying them back to risks identified in the company’s Form 10-K filed with the U.S. Securities and Exchange Commission.
Standardizing the risk management process. Efforts in this area include those focused on maintaining accountability in risk management processes. For example, the ERM program at one leading provider organization meets quarterly with risk owners one on one, with the goal of capturing changes in risk activity and discussing the effectiveness of risk action plans.
Data analysis is critical to a standardized risk management process. Analytics define the qualitative and quantitative impact of risk on an organization’s ability to accomplish its strategic initiatives and execute its day-to-day business decisions. Organizational leaders should review all risk scenarios to understand the implications of changing business models, industry events and trends, and the interrelatedness and combined impact of risks. Using this information, together with the organization’s stated risk appetite, risk management professionals can track how risk tolerance changes over time and drive further resource allocation discussions.
Leveraging GRC technology to capture and coordinate risk management activities. As the risk environment evolves, enhanced and more sophisticated tools help to support an advancing risk management process and improve coordination of core risk management activities. These tools provide greater access to shared data and information across the organization and improve resiliency.
To optimize the use of GRC technologies, hospitals and health systems should identify existing tools by risk functions and obtain a clear understanding of how these tools are being used currently. Obtaining feedback from users on existing tools also can help in determining their effectiveness. Armed with this research, leaders can determine which tools will support an integrated risk management program and use that information to develop a GRC technology roadmap. This roadmap also should include a common framework, structure, and taxonomy to ensure the GRC technology solution implemented will support the integration of risk functions to align compliance, risk management, and operational initiatives.
The Upside of Risk
As the risks hospitals and health systems face in today’s healthcare environment increase and diversify, these organizations have both an opportunity and a great need to advance along the continuum from basic risk management to a well-established ERM program. Having such a program is essential to being able to add greater value. An effective ERM program encourages continuous improvement, aligns with strategic priorities, and enables organizational leaders to understand and take on the risks their organizations must assume to succeed, and then to manage those risks effectively. Such skills are more vital than ever in our evolving, yet risk-filled healthcare environment.
Terry Puchley is a risk assurance national health services leader at PwC, Chicago.
Chris Toppi is a director in PwC’s risk assurance - health services practice, Chicago.
a. PwC, Surviving Seismic Change: Winning a Piece of the $5 Trillion U.S. Health Ecosystem, September 2016; Johnson, C.Y., “Why America’s Healthcare Spending Is Projected to Soar Over the Next Decade,” Wonkblog, The Washington Post, Feb. 15, 2017.