The benefits of Enterprise Risk Management (ERM) are getting a lot of attention in the healthcare industry these days, but adoption still appears to be slow. Further, adoption of mature ERM programs — or Integrated ERM — is even slower.
The slow adoption could be attributed, in part, to the lack of a single regulatory body mandating healthcare organizations institute ERM practices — as was the case for other highly regulated industries like financial institutions and even higher education that were under great pressure to join the ERM movement and did so as a result.
Even though competing requirements within HIPAA, CMS rules and EEOC guidelines are the perfect reason to adopt Integrated ERM — reducing risk for non-compliance and generating value-add programs that go beyond aligning with regulations — they tend to be a distraction from Integrated ERM instead.
That’s why healthcare organizations have to decide from within that ERM is a priority — a decision that’s much easier to make once the business case for Integrated ERM becomes clear.
Lessons learned from other adopters of Integrated ERM
While the healthcare industry faces a multitude of unique risks and challenges that don’t apply to any other industry, it can still benefit from the lessons learned by other industries that adopted ERM in its more fledgling state, years ago.
In fact, healthcare organizations that are just now adopting the ERM process may have a considerable advantage: They might be able to avoid the growing pains early adopters experienced and implement industry-neutral ERM best practices “off the shelf,” rather than invent or reinvent the wheel.
Further, healthcare organizations might be able to advance to a more mature Integrated healthcare ERM program sooner — meaning they could see bigger benefits faster. Four lessons that healthcare organizations can take away from those industries that have already adopted ERM include:
- ERM goes beyond compliance: Compliance should be a benefit of ERM — not its sole driver. That’s why it’s listed as only one of eight healthcare ERM domains: On it’s own, compliance solely takes into account the hazards of risk, not the potential upsides that could add value to the business or create a competitive advantage. Look across all eight risk domains to formulate a robust program that will deliver on minimizing uncertainty and maximizing value.
- Risk cultures start at the top: ERM is not a one-time process. It’s an ongoing program that can only be sustained if it’s ingrained in an organization’s culture and is supported at the top. If leadership isn’t pushing you to implement ERM, you will need to push them. Relaying the benefits of ERM, alone, probably won’t be enough. Cater your pro-ERM message to the interests and roles of the leaders from whom you need support. Solid communication, morale-building and negotiation skills will be needed to influence leadership.
- Risk governance should be formalized: Leadership needs to be more than just engaged and supportive of ERM. They need to be accountable. Executives, board members, and leaders from departments that represent each of the eight risk domains should be assigned roles and responsibilities related to ERM, and expected to execute within whichever ERM framework your organization elects to implement. Risk management activities should be coordinated, and they should adhere to the processes and workflows that have been agreed upon.
- Risk management processes should be standardized: While every industry — and even every healthcare organization — is unique, there are standardized frameworks and tools you can select from as a starting point for establishing a customized ERM program. Selecting from frameworks that have already been proven, and then modifying accordingly, will save time and energy when launching a program. Further, supplemental tools like risk registries, risk inventories and risk heat maps don’t discriminate against industries.
Who can help build your ERM and Integrated ERM programs?
ERM and Integrated ERM are obviously enterprise-wide initiatives and therefore should involve stakeholders from across the enterprise. When developing such programs, risk managers should seek support internally from the top-down, as well as across business units, departments and health systems if their healthcare organization is made up of multiple types (i.e. hospitals, ambulatory care centers and doctor’s offices).
Still, oftentimes it takes outside resources to establish ERM and Integrated ERM programs at a healthcare organization. Perspective from outside service providers can help to create programs that aren’t built off internal biases or politics, but instead based on outside vendors’ diverse knowledge, as well as the best practices and successes they’ve witnessed from their other similar clients. Common external vendors that can help healthcare organizations develop their ERM and Integrated ERM programs include consultants and software vendors.
Brokers and consulting firms with ERM practices—especially those firms that use ERM models from the American Society for Healthcare Risk Management or the RIMS—can be helpful when it comes to analyzing the full spectrum of risks facing healthcare organizations; evaluating the risk management practices they already have in place; and developing risk roadmaps and sustainable ERM processes going forward. This benefits large and small organizations alike — large organizations because of their complexity and small organizations because of their lean resources. Healthcare organizations can even engage
Software vendors, particularly integrated risk management technology vendors, can take your ERM process to the next level by capturing and automating that process — as well as generating analytics to further inform and evolve your ERM program — all within in a single system.
Vendors that are familiar with ERM processes — and not just bells and whistles technology — can help ensure the system models your ERM framework for consistency and effectiveness during implementation. They can also make sure you are in fact getting the benefits of always up-to-date and innovative technology. Just make sure you’re considering vendors that are focused on security, scalability, performance and integrating all your data.