Risk management and risk response have long been routine enterprise-wide processes for some industries such as manufacturing. Healthcare has been a bit slower to the table, having taken a more siloed approach and initially focussing risk management efforts on clinical risks around patient safety, and response to medical liabilities. Nowadays however, there are many moving parts in healthcare that are presenting multifaceted risks such as the increasing role of healthcare technologies; cyber threats; non-privacy information technology (IT) risks; value-based care; patient satisfaction, patient complaints, and performance scores; and revenue cycle management. As healthcare strives to balance the demands of patients, providers, payers, and the government, healthcare stakeholders are moving from clinical risk management and embracing a more holistic organization-wide view through enterprise risk management (ERM).
What is Healthcare Enterprise Risk Management and Why is it Important?
According to an article in the New England Journal of Medicine (NEJM) Catalyst, healthcare ERM is made up of “the systems and processes employed to uncover, mitigate, and prevent risks in healthcare institutions.” It takes into consideration all the components that contribute to the proper functioning of the healthcare organization – all departments, staff, IT resources, infrastructure, business associates, etc. – moving them out of the silos and into an integrated system. The Project Management Institute (PMI) in a publication refers to risk management as “the systematic process of identifying, analyzing, prioritizing, and responding to risk,” which is critical for any healthcare organization in the current climate.
Enterprise risk management in healthcare is not just about compliance, it is also important for helping organizations to predict their next steps in remaining competitive and financially viable. The NEJM Catalyst article further states that “by employing risk management, healthcare organizations proactively and systematically safeguard patient safety as well as the organization’s assets, market share, accreditation, reimbursement levels, brand value, and community standing.” A well-structured and robust healthcare ERM provides a comprehensive framework for making risk management decisions that will result in maximum value protection.
Risk Management Framework for Healthcare
To be successful at healthcare ERM, a proper framework is essential to ensure that all players are on the same page as to how to identify, manage, and mitigate risks. One such risk management framework is depicted below in Figure 1 and involves three (3) steps:
- Baseline – conduct a risk assessment to identify risks and determine the status of the organization in relation to potential vulnerabilities
- Remediate – manage and/or implement steps to mitigate the risks identified, including creating a remediation plan
- Monitoring – continually monitor for potential risks and vulnerabilities, removing and adding processes as required.
Risk identification is the first step in any risk management process. It is essential that risks be accurately identified for effective functioning of a healthcare ERM plan. The risk identification process must be proactive, include multiple employees, and must create value for and protect the organization. A healthcare ERM plan should clearly identify specific risk events, details of the risk scenarios, and descriptions of how each risk could impact the organization should the risk occur.
Implement Enterprise Risk Management Plan
Implementing enterprise risk management plan can be challenging if not handled properly. For some organizations this will represent a culture change and a total shift in the way things are done and thus must be approached delicately. To facilitate a smooth implementation process, here are a few best practices to follow:
- Ensure the ERM plan has the full support of the C-suite so that it gets integrated into the strategic plan of the organization
- Do not over-complicate the plan, a simple plan has a much better chance of success than a complicated one that is difficult to grasp
- Select a cross-functional team from across the organization to develop the ERM plan
- Develop a thorough and comprehensive list of all potential risks and vulnerabilities in the risk assessment/identification step of the process
- Use the risk assessment results to rank risks according to how critical they are, the likelihood of occurrence, and the impact should they occur
- Select risks that are most critical, likely to occur, and highest impact to be dealt with first and create risk mitigation plans for each
- Get buy-in from all staff and stakeholders in the organization
- Educate and train staff and relevant stakeholders
- Employ technology as a major player in the ERM process
- Continuously assess, monitor, and control risks
Enterprise risk management in healthcare is gaining traction in the industry. Healthcare stakeholders are realizing the need to identify, analyze, manage/mitigate, and monitor risks for compliance as well as for maintaining a competitive edge and remaining financially viable. Healthcare ERM is a process that requires proper planning and a robust framework for it to function efficiently and realize its full potential.