Enterprise Risk Management—ERM 101

I had such a great time on the ASHRM (American Society for Health Care Risk Management) Podcast this month. Stay tuned for the publication. Produced by ASHRM, the ASHRM Podcast provides an inside look at the issues and solutions faced by healthcare risk management professionals as they promote safe and trusted healthcare at their hospitals, practices and health centers. Bill Klaproth and I discussed “Proactivity and Transformative Risk Strategies in Healthcare.” The evolution of healthcare is driving a reassessment of how healthcare providers view and manage risk while providing quality care and a safe working environment. Direct care professional shortages, increased regulatory scrutiny and the changing needs of patients and families, especially in senior living, create new and different risks and opportunities for enterprise risk management and transformational, sustained change. Our topics included COVID response and recovery, risk management and litigation, navigating the staffing crisis and regulatory compliance. What can healthcare providers do proactively to meet the challenges ahead?

One of the most compelling exchanges between Bill and me focused on Health Care Enterprise Risk Management (ERM) and embracing the concept that a long-term view of risk provides a complete perspective of all interrelated risks to the organization, rather than attempting to manage risk in silos. ERM gives the organization greater capacity to manage uncertainty.

What is ERM?

ERM is a top-down and bottom-up, holistic portfolio view of the most significant risks to achieving a health care organization’s strategic objectives. An enterprise-wide view would consider human capital risks stemming from inadequate training about privacy that, if not identified and treated properly, could lead to privacy breaches impacting legal and regulatory compliance. Inadequate training on the EHR could lead to delays in providing patient care and incomplete documentation of care. This may in turn create strategic risk related to inaccurate data capture, impacting reporting of key quality metrics and ultimately reimbursement for care tied to the success of those metrics. When the holistic view is used to identify risk and treat it proactively, value can result in part through efficiency in patient care from a more satisfied workforce, improved cybersecurity that minimizes the risk of a data breach, and accurate data collection and reporting of quality metrics.

Take a look at the ASHRM ERM Resources and you’ll note the following ERM Domains:

  • Operational

The business of health care is the delivery of care that is safe, timely, effective, efficient, and patient-centered within diverse populations. Operational risks relate to those risks resulting from inadequate or failed internal processes, or systems that affect business operations. Examples include risks related to: adverse event management, credentialing and staffing, documentation, chain of command, lack of internal controls, supply chain and identification of existing opportunities within management oversight.

  • Clinical/Patient Safety

Risks associated with the delivery of care to patients, residents and other health care customers. Clinical risks include: failure to follow evidence based practice, medication errors, hospital acquired conditions (HAC), serious safety events (SSE), health care equity, opportunities to improve safety within the care environments, and others.

  • Strategic

Risks associated with the focus and direction of the organization. Because the rapid pace of change can create unpredictability, risks included within the strategic domain are associated with brand, reputation, competition or failure to adapt to changing times (such as health reform or shifting customer priorities). Managed care relationships/partnerships, conflict of interest, marketing and sales, media relations, mergers, acquisitions, divestitures, joint ventures, affiliations and other business arrangements, contract administration, and advertising are other areas generally considered as potential strategic risks.

  • Financial

Decisions that affect the financial sustainability of the organization, access to capital or external financial ratings through business relationships or the timing and recognition of revenue and expenses make up this domain. Risks might include: capital structure, credit and interest rate fluctuations, foreign exchange, growth in programs and facilities, capital equipment, regulatory fines and penalties, budgetary performance, accounts receivable, days of cash on hand, capitation contracts, reimbursement rates, managed care contracts, revenue cycle/billing and collection.

  • Human Capital

This domain refers to the organization’s workforce. Included are risks associated with employee selection, retention, turnover, staffing, absenteeism, on-the-job work-related injuries (workers’ compensation), work schedules and fatigue, productivity, compensation, succession planning and labor unionization activity. Human capital associated risks may cover recruitment, diversity, retention, and termination of members of the medical and allied health staff.

  • Legal/Regulatory

Risk within this domain incorporates the failure to identify, manage and monitor legal, regulatory, and statutory mandates on a local, state and federal level. Such risks are generally associated with fraud and abuse, licensure, accreditation, product liability, management liability, Centers for Medicare and Medicaid Services (CMS) Conditions of Participation (CoPs) and Conditions for Coverage (CfC), as well as issues related to intellectual property.

  • Technology

This domain covers machines, hardware, equipment, devices, wearable technologies and tools, but can also include techniques, systems and methods of organization. Health care has seen an escalation in the use of technology for clinical diagnosis and treatment, training and education, information storage and retrieval, and asset preservation. Examples also include Electronic Health Records (EHR) and Meaningful Use, financial and billing systems, social media and cyber security; cyber risks can be significant.

  • Hazard

This ERM domain covers assets and their value. Traditionally, insurable hazard risk has related to natural exposure and business interruption. Specific risks can also include risk related to: logistics/supply chain, facility management, plant age, parking (lighting, location, and security), valuables, construction/renovation, earthquakes, windstorms, tornadoes, floods, fires and pandemics.

ERM Guiding Principles

The following guiding principles, based on the framework adopted by the Council of Sponsoring Organizations of the Treadway Commission (COSO, 2017) in concert with ASHRM’s mission and vision, have been developed as basic building blocks supporting the framework for ERM in health care:

  • Advance safe and trusted health care

  • Empower health care risk managers to mitigate risk and maximize value

  • Promote ethical and transparent decision-making

  • Improve patient safety through execution of ERM principles

  • Improve strategic decision making

Bill and I discussed how ERM practices:

  • Are continuous

  • Require a paradigm shift in how an organization identifies and manages risks and opportunities

  • Are “not a stop on the road, but a journey”

How is ERM Implemented?

Bill and I shared that it is not uncommon for senior living health care providers to be overwhelmed by the idea of transitioning from a traditional insurance-led, asset-protection risk management program to a fully matured ERM model and process. Our firm has developed tools and resources to determine the organization’s readiness for ERM. A gap analysis can be used to determine the breadth of the current state and actions required to achieve the desired state for your risk management program.

The Four Major ERM Implementation Steps as described by ASHRM are:

Planning

  • Know the organization’s mission, vision, objectives, and current strategic plan

  • Understand current practice regarding risk identification, analysis and reporting

  • Summarize the effectiveness and sustainability of previous root cause analyses and action plans. Learn how the organization identifies opportunities to create value

  • Identify organizational objectives for establishing ERM. (Why now? Is there a sentinel, triggering event such as a rating agency’s questions during a visit?)

  • Evaluate organizational readiness for ERM specifically as it relates to culture

  • Describe resources necessary for ERM implementation and identify whether those resources are external or internal to the organization and are available

Development

  • Draft clearly articulated goals and objectives. Include key risk indicators or other metrics where appropriate

  • Develop and deliver ERM education to board, senior leadership and medical staff leaders

  • Engage/deploy necessary resources

  • Develop risk appetite and tolerance statements for significant risks

  • Develop a framework for ERM decision-making including organizational guiding principles

  • Develop committee structure (ERM steering committee and ERM work group), identify membership as appropriate and draft committee charters

  • Draft the ERM plan and timeline

  • Identify success metrics to mirror articulated goals and objectives

Integration

  • Integrate ERM practices into the strategic planning process, business practices and business units

  • Support and implement the steps to effectively and efficiently identify, assess, and respond to organizational exposure to loss including the techniques for: avoidance, retention, transfer, mitigation and value creation

  • Adopt risk champions for specific projects and as program supporters from among the board, senior leadership and medical staff leadership

  • Integrate the process throughout the organization by educating all employees on their role and responsibility related to ERM

  • Develop a communication plan to facilitate organization-wide integration

Monitoring/Evaluation

Proactively build criteria into each implemented risk strategy to identify how success will be measured, what metrics will be used, how often to report, in what format and to whom to report, and who the assigned responsible party (or parties) will be.

Prepare an annual ERM report for the board that includes:

  • Identified risks

  • Risk prioritization

  • Status of risk strategies implemented

  • Value creation opportunities

  • Goals for the next period

  • Challenges encountered

  • Recommended new projects and strategies

Periodic (monthly, quarterly, yearly) reviews of key performance indicators (KPIs) and key risk indicators (KRIs) should also be conducted to evaluate all identified risks and the effectiveness of the chosen risk strategies.

This month’s article provides an overview of ERM, the guiding principles and risk domains as well as steps to implementation.

Adelman Advantage Recommendations: As health care professional liability defense attorneys and risk managers, our firm has engaged with a variety of health care risk and litigation management models. ERM encompasses the widest array of strategies for proactive organizational risk mitigation, improving quality of care and resident safety while controlling financial and risk outcomes. We welcome connecting with you on how your senior living community is managing risk and litigation, and on how ERM can be implemented with your teams.