The power of ERM


With enterprise risk management now a key initiative for many US hospitals, Michelle Foster Earle, president of OmniSure Consulting Group, explores how it can enhance strategic decisions.

The advancement of enterprise risk management (ERM) has been a key initiative for many hospitals, medical facilities, senior care organizations, and health systems in the past few years. This may be because it was part of the American Society for Healthcare Risk Management’s (ASHRM) Strategic Plan in 2014-2015, but it is clearly evidenced by the growing number of calls and requests for expertise seen by OmniSure and other risk management service partners.

ERM is a process of setting a strategy across an entire enterprise that identifies perils, events, or potential events that could affect the organization, and then manages the risk according to the company’s risk appetite and overall objectives. Risks in healthcare organizations can be clinical, regulatory, legal, financial, operational, and reputational.

ERM recognizes the synergistic effect of risk across the organization and continuum of care. The goal is to promote patient safety, promote employee safety, improve compliance, protect assets, reduce uncertainty, and maximize the return on investment in risk management through the most effective and efficient use of resources.


ERM requires a culture of safety. The culture of safety within healthcare is an essential component of preventing or reducing errors and improving overall healthcare quality. Healthcare is inherently complex, yet hospitals and other healthcare organizations are expected to function like high reliability organizations, which consistently perform according to a set of expectations and standards while minimizing adverse events.

To achieve this there must be a commitment to safety at all levels, from frontline caregivers and providers to departmental managers and executives. This requires an acknowledgment of the high-risk nature of the facility’s services and a focus on improving systems over punishing people. In fact, high reliability healthcare organizations almost always have a blame-free environment where individuals are able to report errors or near misses without fear of punishment.


In order to build a successful healthcare ERM program, it’s important to start with a foundational framework and a structure that is both flexible and sustainable. ASHRM has published a whitepaper and a tool with a sample structure that can be used and modified by any risk-management professional as the developmental foundation of an organization-wide ERM program.

There are a number of excellent resources published by other organizations as well, including the American Health Lawyers Association, and the Health Care Compliance Association. In most cases, the organization will want to start with guiding principles, participation from all levels of the organization, and oversight by a governing body.


The process for implementing ERM starts with a strategic plan that includes specific, measurable, achievable, realistic, and timed objectives. Most often, the process includes four steps: risk identification, risk assessment, risk response, and a system to review, evaluate, or monitor the risk and response.

Tools used for risk identification can include consultant surveys, regulatory reports, quality outcomes, satisfaction surveys, committee reports, event and near miss event reporting, financial reports, internal and external data, lists, performance expectations or checklists for various domains of risk (such as operations, clinical services, finance, regulations, and technology). It’s also important to look at emerging risks, and opportunities.

Risk assessments can be prioritized based on those identified risks or domains with the most exposure, likelihood of occurrence, and potential impact. There are a number of resources to help ERM professionals measure and rank the likelihood and impact of events in each domain in order to map out a plan. OmniSure uses a “heat map” matrix approach to help clients place a value on the urgency of recommendations in each risk area/domain: green is good to go (low risk), yellow is caution (moderate risk), orange requires action (significant impact/very likely), and red requires immediate action (critical).

Responses to the risks identified usually fall into two categories: risk control and risk financing. Because the organization is looking at risk organization-wide, and not in silos, there are many ways to enhance the value of specific techniques. A fall prevention program, for example, can reduce adverse patient events, improve quality outcomes, result in fewer employee and visitor injuries, and reduce costs related to patient care, human resources, and insurance premiums, thereby affecting multiple risk domains at once.

Across the organization, an ERM program will manage risks by avoiding, preventing, reducing, or segregating some, and transferring others either contractually or through risk financing. The key is that the risk response is strategic, based on an analysis of the organization as a whole, so that decisions are made and resources used in the most efficient, rewarding manner.

Finally, the ERM process requires continuous review, evaluation, and monitoring. Are all significant risks to the healthcare organization identified and addressed? Are the techniques previously implemented still working, or can there be additional and continuous improvement? Are there unanticipated issues, changes to the organizational structure, or trends that need to be evaluated? Are there new regulations or other external factors to consider?

Because healthcare organizations differ depending on their setting, method of delivery, and services, no two ERM programs will look exactly alike. However, one thing that all ERM programs can do is take advantage of the services and support provided by their insurance partners. Professional liability carriers may provide access to clinical risk management and patient safety specialists. A workers’ compensation partner may have employee safety experts. A cyber liability and/or regulatory liability partner may be able to help with compliance and data security. An employment practices and directors and officers liability partner may have a helpline or resource center.

About the author

Michelle Foster Earle is the president of OmniSure Consulting Group, a risk management firm working with some of the nation’s leading medical professional liability insurance companies, medical practices, hospitals, healthcare facilities and providers of healthcare and social services nationwide to help reduce risk, improve performance and avoid lawsuits. She has earned designations in healthcare management, is a licensed general lines property and casualty agent in Texas, and is an Associate in Risk Management. She is a frequent speaker and author for industry associations and publications.