There are ways to boost risk management effectiveness to meet the demands of today’s fast-changing healthcare market. Terry Puchley, risk assurance health industries leader at PwC, reports.
Change is roiling today’s healthcare industry. Empowered by greater access to information, consumers are taking control of their health decisions and demanding more sophisticated, transparent, convenient, affordable, and personalized care. Agile companies, both inside and outside of the traditional healthcare model, are meeting this demand by launching retail walk-in clinics and other non-traditional care-delivery channels.
Additionally, technology, retail, consumer products, and telecommunications companies are among those expanding the industry by developing products and mobile technologies to support remote patient care and monitoring. Traditional healthcare providers, seeking to articulate their value and boost their brand in this evolving and increasingly competitive new health economy, are diversifying their core business portfolios and turning to affiliations, joint ventures, and partnerships with best-in-class health systems.
And all of this—from the disruptive changes themselves to healthcare providers’ countervailing strategies—brings heightened organizational risk. While healthcare providers have generally invested in risk management solutions at a level commensurate with other industries, many may not be evolving their programs in ways that will be necessary to meet the challenges of today’s environment, and tomorrow’s.
"Companies should examine their total risk exposures and measure them against their corporate risk appetite and risk tolerance levels."
As part of our 2016 Risk in Review study, we examined survey responses from healthcare providers to determine how the sector performs on two parallel competencies that companies need for sustained success: risk agility, the ability to quickly adapt risk management infrastructure to changing market conditions; and risk resiliency, the ability to leverage solid risk management processes, controls, and tools/techniques to withstand business disruption. Healthcare providers scored low on both these measures, with their overall risk-agility score among the lowest of all sectors we surveyed.
Our study yielded five key findings related specifically to healthcare providers, and suggests ways of boosting risk management effectiveness to meet the demands of today’s fast-changing healthcare market.
1. Many healthcare providers lack confidence in their risk management capabilities
For healthcare providers, industry change is generating both enormous opportunities and unprecedented risks. Healthcare providers in our study expressed notable confidence in their ability to identify those opportunities ahead of competitors (beating respondents from other industries 53 percent to 45 percent); however, these same respondents lagged other sectors 56 percent to 71 percent in expressing confidence in their ability to manage risks well.
For today’s challenges, providers should have confidence that their risk management practices are resilient enough to act as a foundation for sustainable growth. They should integrate culture and strategy considerations into their risk management practices to enhance their ability to avoid or recover from crisis and capitalize on change. Providers should recognize risk management’s value as a core enabler for acting on emerging opportunities, and elevate risk awareness across the organization to move from a defensive to a proactive position.
2. Providers need an agility boost to meet new business challenges
In our study, only 25 percent of healthcare providers reported that they have the agility quickly to change their business processes and organizational structures to meet new market needs—a score that places providers near the bottom among industry sectors we surveyed.
Healthcare providers need to do better, because risk agility is more than just being aware of changing or emerging risks. In today’s world, it’s being able to quickly alter or adapt their operations and risk management functions to address evolving markets, patient population needs, healthcare delivery models, and government regulations, all while promoting continuity of patient care and protecting patient privacy.
3. Advanced risk management tools can help providers take control of change
Our study results suggest that healthcare companies are less likely than companies in many other sectors to employ data analytics, scenario planning, risk aggregation, and similar advanced risk management tools and techniques. These types of tools and techniques can help healthcare organizations identify emerging risks, determine the impact on the organization in the context of corporate strategy and risk appetite, and quickly deliver the appropriate response, all while improving the organization’s overall efficiency and effectiveness.
Data analytics, for example, can improve an organization’s efficiency in managing its work flows and establishing reliable audit trails that monitor system activity and evaluate improvement initiatives. Moving from periodic manual controls testing to continuous, data-driven, full-population testing can help mitigate revenue leakage, charging errors, workflow inefficiencies, interoperability challenges, medical device connectivity issues, compliance issues, and more.
4. Cybersecurity challenges demand an enhanced focus on IT security protocols
As healthcare companies move toward ever-greater use of electronic health record (EHR) systems and internet-connected medical devices, associated security and privacy risks are raising the stakes for development of robust cybersecurity measures. Yet according to our study, only
28 percent of healthcare providers currently employ well-defined IT security protocols.
Effective security protocols must ensure the protection and encryption of patient data in EHR systems, databases, connected medical devices, and other touchpoints in organizations’ data ecosystems. Since EHRs contain a trove of personal data that can facilitate identity theft and fraud, hackers have healthcare organizations in their sights, and failure to adopt robust security protocols vastly increases the risk of data breaches.
Meanwhile, issues around connected medical devices, home-care devices, and mobile apps reach beyond data security to actual physical security. A compromised medical device could, for example, deliver an incorrect dosage of medication or allow hackers to gain access to hospital networks, endangering patient safety on a wider scale.
When making decisions around deploying IT security protocols to address data exposure risks and prevent potentially damaging breaches, companies should examine their total risk exposures and measure them against their corporate risk appetite and risk tolerance levels.
5. Boosting organizational alignment can help drive performance
With providers challenged every day to manage their patient caseloads, it’s understandable that many see risk management as a secondary priority. But today’s challenges require more.
In our Risk in Review study, only 26 percent of provider respondents report tight alignment between risk management, business strategy, and business continuity management. Further, only 44% of providers report alignment between their risk management and business units, and only 48 percent report alignment between their risk management and strategic planning functions.
As the healthcare industry strives for greater cost containment and more consolidation, active alignment across an organization can be a significant driver of long-term success, helping providers build organizational efficiency, agility, and resiliency, while setting them up for successful joint ventures, collaborations, and affiliations.
To boost alignment, healthcare organizations should begin by appointing and empowering a C-level executive to oversee risk across the organizations and support clear linkages between risk and strategy. This critical role can reinforce first-line-of-defense ownership of risk by the business, build an effective second-line-of-defense model for risk management, apply proactive risk management techniques, and foster enterprise-wide risk awareness.
Empowering the organization through proactive risk management
In a business environment characterized by rapid and profound change, healthcare providers should embrace leading risk management practices, tools, and techniques to help them build agility and resilience, mitigate emerging risk, anticipate their patients’ needs, position themselves to capitalize on opportunities, and drive efficiencies throughout the organization.
Here are a few areas to get you thinking about how risk management can empower your organization:
- The aggressive rollout of EHR systems presents significant opportunities for providers to incorporate patient data into provider- and patient-friendly platforms for managing and anticipating health risks. Providers can emphasize patient engagement to enhance gains.
- Healthcare consumers have more incentives and more opportunities to shop for the best service and value. Adopting customer-centric strategies can help providers maintain or enhance quality while evolving to meet emerging business needs and opportunities.
- Changing patient expectations will require institutions to partner with new players, invest in key technologies, and get ahead of cultural shifts in data ownership and customer service.
- To remain relevant to new and evolving risks, opportunities, and regulations, leading providers are regularly reassessing and adapting their risk management frameworks.
- With healthcare moving rapidly to a digital ecosystem, it is imperative that organizations’ long-term risk management strategies include robust solutions for the security and privacy concerns associated with EHR, Internet-connected medical and care devices, and developments in genomics and personalized medicine.
Terry Puchley is a partner and risk assurance health industries leader at PwC. She can be contacted at: email@example.com
PwC, US, Terry Puchley, Healthcare, Insurance, Risk management, Technology, IT, Data analytics, Cyber risk, Crisis management