The route to successful ERM


The route to successful ERM

How can you make the most of enterprise risk management? Ken Felton, National Health Care Practice, Willis Towers Watson and Elizabeth Osgood, Strategic Risk Consulting, Willis Towers Watson, outline the keys to an effective ERM approach for your hospital/health system.

As Republicans prepare to take over the White House, healthcare organizations are preparing for more shifts and potential volatility in the regulatory landscape. This environment requires an increasingly proactive enterprise risk management (ERM) approach to address unforeseen and emerging risks.

Hospitals in particular bear an extraordinary burden of government regulation, insurance requirements and constant uncertainty about federal compensation. At the same time they are under tremendous pressure to improve quality and safety of care, and control cost. The complexity of these risks has only increased with the current economic challenges.

Identifying the risks

Every year, the American College of Healthcare Executives (ACHE) completes its annual survey of hospital CEOs to identify the top issues confronting hospitals. In each of the past 13 years, financial challenges ranked number one (Table 1).

While CEO focus is often understandably dominated by financial challenges, effective risk management requires a more holistic view across an enterprise. To capture a broader picture, Willis Towers Watson employs a dynamic enterprise risk assessment process, utilizing our proprietary RAPIDSM tool (Risk Assessment Probability and Impact Diagnostic). The process identifies risks to strategic or other organizational objectives across an entire organization.

“Key risk indicators should be identified and monitored to reduce the likelihood of surprises, and so that management and the board can take proactive steps to control risk.”

Table 2 shows a sample set based on an aggregate analysis of results we obtained through the RAPID process. While some of the risks identified are similar to the ACHE list above, there are significant differences. For instance, the data also uncover additional types of risk, such as cyber breaches.

Using this ERM approach, we break down risk into four component parts: triggers, underlying vulnerabilities, consequences and current controls. This promotes deeper understanding, more thorough assessment and prioritization, and development of targeted risk mitigation strategies.

The ultimate goal of an effective enterprise risk assessment is to identify, assess, prioritize and develop performance improvement plans for those risks that could potentially threaten the achievement of organizational strategic or business objectives.


Connecting the dots

The steps for dealing with emerging risks can and should fit seamlessly within an organization’s existing risk management framework. This means setting time aside to have an open and analytical conversation about emerging risks at the highest level—especially important when setting business objectives or making major changes in the organization. Embracing a systematic approach to identifying, assessing and responding to relevant emerging risks will dramatically reduce the chances of being caught unaware.

ERM and robust strategic planning are essential to the achievement of a hospital’s strategic objectives. To that end, management and the board of directors should analyze the links between various options and the risks they entail when entering into a strategic planning process.

To understand game-changing events, the organization must be highly aware of evolving conditions. It must also assess each risk’s impact, and appreciate its connection with other risks and its impact on achieving the enterprise’s strategy and objectives. This understanding is essential to organizational endurance and the identification of future opportunities.

Effective ERM also requires an organization to be proactive rather than reactive. Key risk indicators (KRIs) should be identified and monitored to reduce the likelihood of surprises, and so that management and the board can take proactive steps to control risk. Reacting to risk is more spontaneous and typically more disorganized. Simply reacting to risk as it occurs will guarantee greater volatility than had the risk been foreseen and controlled proactively.

Key risk indicators

To develop an effective set of KRIs, you need to identify relevant metrics that provide useful insights about potential risks that could have an impact on achieving the organization’s objectives (Figure 1).

The selection and design of effective KRIs start with a firm grasp of those objectives and risk-related events that might affect their achievement.

When designed properly, reported timely and measured reasonably, KRIs provide a predictive warning of potential issues that may adversely affect the business. KRIs can be applied to any process that the business may determine has sufficient risk of failing or causing another process to fail, resulting in financial losses, non-monetary damages or both. Businesses can use KRIs in all their operational processes to assist in predicting potential risk events.

KRIs also support the identification of underachieving aspects of the enterprise and those areas of the organization that may require additional resources.

Effective KRIs:

  • Are based on established standards;
  • Are quantifiable (number, dollars or percentages);
  • Are easily applied and understood by the end users; and
  • Validate or invalidate management decisions and actions.

Mapping key risks to core strategic initiatives helps identify the most critical metrics that can serve as leading KRIs to assist management in the execution of those initiatives. And linking top risks to core strategies helps pinpoint the most relevant information that might serve as an effective leading indicator of an emerging risk.

Utilizing an ERM process to identify, assess, fully articulate, prioritize, mitigate and communicate risk is the key to organizational endurance and ability to capitalize on strategic opportunities. Mapping relevant risks to strategic initiatives and selecting effective KRIs are essential to the achievement of overall organizational objectives.


Who doesn’t need a competitive advantage in today’s volatile, uncertain healthcare environment?

The most effective way to achieve a competitive advantage is to develop practical performance improvement plans for the major risks identified in the articulation and prioritization process. Improvement planning captures the actions, deliverables, timelines and accountabilities, and the measure of success necessary to reduce the likelihood and impact of each risk.

The improvement process provides a clear understanding of the strategies for improving the most relevant risks across the entire organization. This arms the organization with a formalized plan to improve strategic decision making, optimize resource allocation, maximize performance and achieve the overall organizational objectives.

Hospitals are challenged now more than ever before with significant internal and external changes that require an increasingly proactive ERM approach to address unforeseen and emerging risks. Now is the time to consider implementing a more dynamic ERM approach to ensure the greatest opportunity for success.


National Health Care Practice, US, Willis Towers Watson, Elizabeth Osgood, Strategic Risk Consulting, Healthcare, Risk, Crisis management, Insurance, ERM