Leading the field

What makes an enterprise risk management program truly effective? Steven Minsky, CEO of LogicManager and author of the RIMS Risk Maturity Model, outlines the top five characteristics of leading healthcare ERM programs.

The basic purpose of enterprise risk management (ERM) is to prevent surprises. Organizations use ERM programs to identify and prioritize risks, design mitigation activities, and monitor risk indices over time. By granting senior leadership an accurate, panoramic view of difficulties and opportunities, such programs preserve resources and encourage innovation.

The existence of a risk management effort, however, is not enough. In order to be effective, it needs to be integrated across the enterprise. Successful integration is composed of two elements: one, all departments are involved in the process, from the front lines up to senior management. Two, each department uses the same scales, criteria, and language, enabling communication and eliminating unnecessary redundancy.

ERM is about far more than software—it’s an organizational mindset enabled by a tool. Companies with ERM programs develop risk-aware cultures, meaning all employees (not just risk managers, auditors and compliance officers) incorporate risk into their daily job descriptions. That knowledge is used to inform both everyday and strategic decisions.

Healthcare sector needs ERM

Healthcare organizations face unique challenges when implementing risk management programs. They face many of the same risks shared by organizations across a range of industries, but they contend with many other risks as well. For one, healthcare companies are the caretakers of millions of confidential records. This makes them a prime target for cyber attacks. Personally identifiable information (PII)—which includes social security numbers, health conditions, financial records, credit card numbers, and more—is low-hanging fruit for hackers, particularly when densely concentrated in one system.

“Centralizing incident management lowers labor costs, improves incident resolution, and prevents repeat incidents by identifying root causes.”

Unfortunately, history has shown that many healthcare organizations have not been able to bolster their defenses in proportion to their vulnerability. The simple truth is that employees in hospitals and other care centers tend not to prioritize ERM best practices, which can seem unfamiliar and tedious. Other risks unique to healthcare include the possibility of treatment errors, on-site infection transmissions, and defective (or even infected) equipment acquired from vendors.

In one such case, hundreds of patients were infected with a lethal member of the Enterobacteriaceae family, which was living on defective hospital endoscopes. The hospitals that used the devices, although not directly responsible, should have detected the defect and appropriately cleaned the equipment. Instead, their third-party risk management and internal policy oversight protocols were ineffective. A risk-based vendor screening process, for example, can be pushed to all relevant parties, ensuring the objective evaluation of third-party equipment or services. A standardized cleaning procedure (with testing) is a second line of defense; together, the two processes make it easier to identify the root cause and prevent an incident.

Insurance is not a replacement for effective risk management

Insurance, despite being a necessity, is not a fail-safe. When an organization experiences an incident, an insurance policy acts like a safety net catching a falling climber; it may prevent death (complete business failure), but it may also leave the climber with entirely avoidable conditions such as broken bones and a long recovery period (disrupted operations, regulatory penalties, and a damaged reputation). Worse still is the very real possibility that the organization will find itself ineligible to collect a claim.

Consider the case of Cottage Health System, a non-profit that runs multiple hospitals in California. In 2013, Cottage Health system suffered a data breach that compromised more than 30,000 confidential medical records. The insurer, a CNA Financial Corp unit, alleged it was not responsible for the $4.1 million claim filed by Cottage Health, on the grounds that the company and its vendor(s) did not practice appropriate data governance. This financial loss, and the breach itself, would have been avoided with a forward-looking approach, ie, ERM. ERM would have identified the governance issue and monitored the implementation of correction measures. It therefore could have ensured Cottage Health the insurance coverage it was actually expecting.

This being said, what actually defines a successful ERM approach? How can healthcare organizations integrate those characteristics into their own processes?

• Five signs of effective risk management
• Truly effective ERM has five core attributes:
• Centralized risk governance structure;
• Effective risk identification and prioritization methods;
• Actionable risk tolerance guidelines;
• Centralized mitigation and monitoring activities; and
• Forward-looking, dynamic reports.

Centralized risk governance structure

A centralized governance structure is the foundation for the other four; without a centralized hub, a risk management effort cannot be standardized and adopted effectively. An ERM platform extends from senior management down to the front lines, cascading objectives and aggregating risks.

From the board’s perspective, the motivation for this type of infrastructure is simple: since 2010, when the SEC’s Proxy Disclosure Enhancement was enacted, boards have been responsible for their organizations’ ERM effectiveness. Inadequate risk management, if not disclosed, is considered either fraud or negligence. Both carry the same penalty.

Risk-based infrastructure enables everyone to incorporate risk into their daily job responsibilities and boosts an organization’s three “lines of defense”. This starts with process owners (nurses, doctors, technicians, etc), who execute daily procedures. This infrastructure allows them to support existing responsibilities, identify risks, document control procedures, and “link” those procedures to strategic objectives. It also makes it easy to notify a manager if and when an incident occurs. Centralizing incident management lowers labor costs, improves incident resolution, and prevents repeat incidents by identifying root causes.

The second line of defense is the risk management function. Risk managers, unlike medical and administrative staff, hold cross-functional roles. Supported by software, they ensure that mitigations (such as vendor screening) and risk analysis occur. They maintain the effectiveness of the risk process and acquire an understanding of enterprise risk from nurses, doctors, and other process owners. The risk team makes it easy for the third line of defense—internal audit and senior management—to determine the most critical areas.

Effective risk identification and prioritization methods

Risk identification and prioritization is the first tangible component of ERM. Identification and prioritization are best achieved with formalized risk assessments, which should cascade from senior leadership down to front-line managers, who collect and aggregate feedback, as discussed above. In this way, assessments focus on corporate-level objectives (what risks are associated with expanding a facility or offering new types of treatment?). The organization also gains an accurate risk picture by capitalizing on process owners’ hands-on expertise.

The most effective risk assessments home in on root causes, or “drivers” of risk. In other words, they identify risk sources, not symptoms. The five basic root-cause categories are: “external” (outside people and entities), “people” (members of the organization), “process” (execution of business operations), “relationships” (connections to third parties), and “systems” (medical equipment, physical and IT security).

Actionable risk tolerance guidelines

According to ISO 31000, a risk appetite is “the amount and type of risk that an organization is prepared to pursue, retain or take”. All organizations have a risk appetite, but not all organizations make it actionable, and this distinction is the third of ERM’s five main attributes. Risk appetite is a high-level statement, such as “the hospital does not support the acquisition of medical equipment that, if found defective, would significantly interrupt daily operations”.

Although this considers a broad level of acceptable risk, it doesn’t set an easily measurable level of performance variation. That is provided by a risk tolerance, such as “the hospital does not acquire equipment from suppliers that have not undergone company vetting policies or that, if defective, would cost more than $15,000 to replace”.

Centralized mitigation and monitoring activities

Once root causes are identified and prioritized, the organization needs to determine the effectiveness of related mitigations and controls. Key risks and processes not covered by existing mitigation activities should drive the design of new controls. Again, targeting controls at root causes enables positive downstream effects throughout the organization.

Just as important is monitoring the effectiveness of controls by regularizing risk assessments. Is a risk’s “index,” or multiplication of impact and likelihood, decreasing over time? If it is level or increasing, the associated control may be ineffective or obsolete.

Forward-looking, dynamic reports

The last characteristic of ERM, demonstrability, helps build support for the program. A risk program can’t be maintained unless risk managers demonstrate performance to senior management, the board, and regulators. On a general level, the board has a fiduciary duty to understand how risks might roll up and impact objectives.

Three types of dashboards can help communicate this info to the board:

• The risk heat map, which displays all risks across functions and levels, ranked by impact and likelihood.
• The enterprise view, which is similar to the heat map but allows risks to be organized by strategic objective.
• The ERM progress dashboard, which measures efficiency (percentage of risks identified vs. risks assessed) and transparency (all risks above a certain threshold, plus associated controls).

In combination, these five characteristics distinguish effective, maintainable, and unobtrusive ERM.

In the healthcare industry, where organizations must preserve patient and staff safety, comply with strict regulations, protect extremely sensitive data, and maintain facilities, it is vital to manage these elements by boiling them down to their common denominator: risk.

---

To read about a specific case study of a healthcare customer successfully leveraging ERM, download LogicManager’s free report, Integrating Risk and Incident Management.