Beyond risk identification


In today’s environment, enterprise risk management programs need to evolve to deliver value. Terry Puchley, PwC risk assurance health industries leader, Stephen Zawoyski, PwC risk assurance enterprise risk management leader and Chris Toppi, PwC risk assurance director explore how this can be achieved.

New forms of competition, changing regulatory requirements, technology advances, rapidly evolving patient expectation, and the move from volume to value-based healthcare are all conspiring to drive immense change in the healthcare landscape and introducing new risks to long-term prosperity.

Recognizing the risks associated with managing change, healthcare providers continue to make investments in enterprise risk management (ERM). However, in today’s environment, ERM programs must continuously evolve and seek new ways to bring relevant information and drive value to their key stakeholders.

In 2015, through a series of in-depth interviews with a select group of leading US healthcare providers focused on governance, risk management process, culture, and infrastructure, PwC found that while many provider programs are comparable to their peers, there are additional opportunities to further enhance the risk management investments providers have made. If providers are going to effectively manage risks and meet their stakeholders’ increasing expectations for risk management, it is important to consider how ERM programs can evolve to keep pace.


The need to move beyond risk identification

To remain competitive in this evolving landscape, many healthcare providers recognize the need to move beyond traditional risk management, historically focused on risk identification and avoidance. Looking ahead, these providers see value in taking a more proactive approach to risk management, one that supports the business in achieving its strategic objectives.

In recent years, providers have invested in risk management, progressing toward building and formalizing their ERM programs to identify and assess risk. In some instances compliance program structures and focus areas are also being evaluated to align with changing regulatory requirements and the expectations of regulatory agencies. In PwC’s experience, we’ve found that effective ERM programs go beyond addressing compliance-related risk, and incorporate strategic, operational, technological, financial, and emerging risks.

“ERM programs can help to manage the risks associated with a provider’s growth strategies instead of avoiding them.”

Taking a siloed view of risk can create inertia across the organization and lead to a negative perception of risk. At the same time, an aggregated, summary view of risk tends to make organizations cautious about their strategies, such as getting into new markets or care delivery. ERM programs can help to manage the risks associated with a provider’s growth strategies instead of avoiding them. Understanding the correlation and interdependencies of risks will help drive providers toward better strategic decision-making.

Where healthcare providers are today

Despite the growing importance of effective risk management, our interviews confirmed that many healthcare providers are slow to adopt an ERM approach that is well integrated within the business and management processes. The current state of providers’ risk management capabilities can be categorized as basic, evolving, or established, as described in Figure 1.

Figure 1: Healthcare providers’ ERM capabilities


PwC’s assessment of the ERM attributes identified in our interviews places healthcare providers primarily in the basic or evolving maturity level. For example, in many healthcare organizations, a governance, risk, and compliance (GRC) structure to coordinate and simplify the various risk functions and processes does not exist.

10 key findings from our interviews with leading healthcare providers:

  1. In approximately 70% of participant organizations, responsibility for ERM-related activities fell under Internal Audit.
  2. The ERM process is not consistently integrated into existing management processes and information does not typically flow back to help manage the business. 
  3. Opportunities exist to use GRC technologies to support ERM or integrate risk management processes.
  4. When a GRC technology is used, it is typically not used as an integrated risk management capability.
  5. For almost all study participants, the ERM function performs an annual risk assessment which stands alone, outside of the normal management process. 
  6. The scope of the risk assessment is typically limited to the identification and assessment of top risks from a risk-avoidance perspective. A robust methodology, and the data necessary to accurately calculate risk measures, are often lacking.
  7. Management capabilities, risk intersections, risk consequences, as well as risk appetite and tolerances are not considered in the assessment, evaluation, or management plans. 
  8. Monitoring of risks was often limited, with only a small group citing that risk owners provide annual updates to the board on the progress of risk mitigation plans.
  9. Risk monitoring primarily focuses on the development of remediation plans and high level tracking of progress. 
  10. None of our study participants reported incorporating the testing of management’s risk action or mitigation plan progress into their ERM program capabilities.

With this assessment as context, there is progress occurring in advancing ERM within the healthcare provider sector. ERM teams are starting to educate management on the purpose of ERM, which is to help them build an understanding of the organization’s risks, how those risks are to be managed, and how they will be tracked, so that resources can be properly allocated to support business objectives.

Evolving ERM to help achieve growth

Given the state of ERM represented by our research, healthcare providers have the opportunity to evolve their ERM programs to drive greater relevance, performance, and value for management. From PwC’s experience, the programs that have a continuous improvement process to help uncover new opportunities to enhance their program and drive value to the organization tend to be the most resilient.

An important starting point in evolving an ERM program is to clearly communicate the program’s purpose and value proposition to key stakeholders. Overall, ERM should be positioned to drive the level of change needed for organizations to reach their goals while managing risk in a dynamic and complex environment. To do so, it must see its role as more than performing an enterprise risk assessment and tracking its status. Key components and behaviors needed to establish an effective ERM program include:

  • Build a risk culture: when a strong risk culture exists, a focus on risk has been embedded in the culture through the code of conduct and performance measurements. There are ongoing awareness and training programs designed to explain and reinforce employee roles and responsibilities. Identifying, understanding and managing risk is a priority and responsibility of all members of the management team.
  • Formalize risk governance: when risk governance is well-defined the board and senior management have specific roles and the three lines of defense are established, with ERM coordinating and driving consistency across the various risk assessment, monitoring and testing activities that occur across the three lines. 
  • Align to strategic planning: alignment of ERM to the strategic planning process empowers risk management to become a strategic enabler. Across strategic initiatives, ERM can enable better business decision making by providing a broader understanding of risks, identifying the challenges and opportunities they present, and facilitating deeper analysis and management discussion. 
  • Standardize risk management processes: as ERM matures, consistent definition and application of risk rating criteria (impact, likelihood, management effectiveness, velocity) as well as a standard approach and format for monitoring and reporting risk management activities used across risk functions facilitate a coordinated process. This also presents an opportunity to embed risk management activities into the regular management process and cadence of the organization.
  • Leverage GRC technology to better capture and coordinate risk management activities: as the risk environment evolves, enhanced and more sophisticated tools help support and sustain an advancing risk management process. GRC technologies improve coordination of core risk management activities such as risk assessment, testing and reporting across risk functions that include compliance, internal audit, billing, quality, policy management, privacy, business continuity management and ERM. In addition, they provide greater access to shared data and information across the organization and improved resiliency.

Capitalizing on the upside of risk

Healthcare providers have an opportunity to evolve their ERM programs so that they add greater value to their organizations. The evolution journey is rooted in continuous improvement and enhancement.

As healthcare providers progress along this journey, they can shift ERM from a focus on avoiding risk to one of successfully managing risk. They can link risk management with the strategic objectives of the organization to enable them to take the right risks to succeed and manage them effectively. And, they can demonstrate greater relevance and create value for management as they operate in an increasingly complex and risk-filled environment.

Terry Puchley is PwC Risk Assurance Health Industries Leader. She can be contacted at:
Stephen Zawoyski is PwC Risk Assurance Enterprise Risk Management Leader. He can be contacted at:
Chris Toppi is PwC Risk Assurance Director. He can be contacted at:
