Table of Contents
Part One: Defining Integrated ERM and Tracking its Growth
Part Two: Integrated ERM in Practice
Part Three: Riskonnect and Integrated ERM in Healthcare
The uncertain healthcare environment makes it difficult for healthcare organizations to predict the next steps they must take to be competitive and financially viable.
However, the speed of business today can’t wait for tomorrow’s regulations, legislation or other forces to determine how to proceed. That’s why more healthcare organizations are adopting Enterprise Risk Management (ERM)— an important step in proactively addressing risk across an organization.
Whereas traditional risk management in healthcare was borne out of protecting hospitals and doctors from the surge of malpractice and professional liability suits of the 1970s and 1980s, ERM shys away from addressing one hot button issue at a time.
It’s a broader approach to risk management, incorporating both strategic and operational risks—from mergers and acquisitions, and cybersecurity risks, to patient and employee safety risks.
Still, as transformative as ERM programs can be for healthcare organizations, uptake has been limited thus far because of conflicting priorities or mandates from regulatory bodies that don’t require ERM, and because of concerns regarding ERM implementation challenges.
However, greater adoption of ERM within other industries, and the resulting success, has led to invaluable lessons learned that healthcare organizations can capitalize on. Because of what are now tried and true frameworks that can be adopted, even for a unique industry like healthcare, implementation is: less time consuming, less mistake laden, and less expensive.
In addition, advances in cutting edge risk management technology have made transitioning to ERM much more attainable and seamless than in years past. Advanced technology also protects against managing risks in silos and losing out on opportunities to proactively manage, mitigate or even exploit business risks—a flaw of many ERM programs without the right tools to manage their more comprehensive view of risk.
With the evolution of technology, ERM has evolved into what is now being called Integrated ERM. While many healthcare professionals are aware of the term “integrated risk management” in the context of managing hazard-based risk beyond the inpatient care settings within their health systems, Integrated ERM is different.
Integrated ERM brings all risks from across the enterprise together to determine how they interrelate — uncovering insights that have previously been unobtainable so you can improve safety and quality; reduce costs; and improve the operational and financial health of your organization.
This article highlights how Integrated ERM differs from traditional risk management and its benefits; the lessons healthcare organizations can learn from other industries that have already implemented ERM and are evolving to Integrated ERM; and how technology can make your transition to ERM—as well as Integrated ERM — faster and easier.
Part One: Defining Integrated ERM and Tracking its Growth
Enterprise Risk Management (ERM), is considered comprehensive in scope and proactive in nature — looking across departments at operational, financial and strategic risks, in addition to anticipating one-off, unexpected risks.
Integrated ERM goes even further: It doesn’t just look across the organization for risks, it’s actually embedded in every part of the organization, including an organization’s decision-making process. Integrated ERM does not replace ERM, though. Nor does it necessitate retracting any progress healthcare organizations have made in developing their ERM programs. Instead, Integrated ERM will undoubtedly enhance any ERM program.
Traditional risk management, on the other hand, lives almost exclusively in the risk management department and focuses on reducing risk to an organization through securing insurance. It’s more reactive in nature and less likely to consider whether a risk is worth taking for the purpose of meeting larger strategic objectives.
Clearly, differences between traditional risk management, ERM and Integrated ERM exist, but how do those differences manifest themselves in the healthcare industry?
Traditional risk management in healthcare was spurred by a high volume of medical malpractice and professional liability claims in the 1970s and 1980s. Risk managers were laser focused on clinical issues and minimizing damages from such claims.
That laser focus resulted in a siloed approach to managing risks — meaning healthcare organizations were managing one risk at a time within isolated departments, rather than collaborating across the enterprise to determine how risks were connected, and how they could be solved as such.
And while isolated and unconnected risk management practices might have allowed healthcare organizations to survive the medical malpractice and professional liability storm 30 and 40 years ago, such practices are not sustainable in today’s tumultuous healthcare environment where risks are more diverse and complex than ever before.
Now, in addition to medical malpractice and professional liability risks, healthcare organizations also face challenges like the rapid advancement of technology, financial risk, evolving patient safety regulations, consolidation, aging facilities and infrastructures, and workforce shortages — just to name a few.
Of late, healthcare organizations have also experienced the challenges associated with expanding the variety of provider types or care settings they offer in order to generate additional revenue — a strategy that was once used in the past but fell by the wayside when it proved too expensive and challenging to be lucrative. This time around, healthcare organizations have been relying on “integrated risk management” — managing hazard-based risk beyond the inpatient care settings within their health systems — to ward off the challenges that previously set them back. But it’s not enough.
Healthcare organizations should be looking toward ERM and Integrated ERM to weather the healthcare industry’s changing landscape.
Taking into account the risk domains established by the American Society for Healthcare Risk Management is a good start. The risk domains include operational, human capital, technology, hazard, strategic, clinical/patient safety, legal/regulatory and financial risks.
But from there, healthcare organizations then need to integrate all these risks in order to protect against solving for them individually.
By integrating their risks, they can instead solve for any underlying issues causing multiple risks, as well as factor in the potential upsides of risks that could actually create value–like expanding provider types or care settings to generate revenue.
The idea of managing uncertainty, while also creating and protecting value at the strategic and business level, has obvious appeal to risk managers and top leaders at healthcare organizations. As such, becoming increasingly familiar with Integrated ERM is critical to understanding its benefits in a healthcare setting.
The often cited benefits of adopting Integrated ERM at healthcare institutions include: higher quality patient care; increased compliance; resilience to change; better decision making around investments and capital allocations; and improved processes. These benefits can come to fruition in a multitude of ways.
For instance, many healthcare organizations are switching from fee-for-service or volume-based payment models to value-based payment models, whereby healthcare providers are incentivized based on the level of quality care they provide patients.
Such a shift isn’t as simple as merely adjusting payment or invoicing practices, though. It involves tweaking, and even overhauling a variety of processes and practices that stretch across all eight ERM risk domains. After all, it’s not just a new method for payment. It’s really a new method for care.
That’s why taking the Integrated ERM view of the shift to valuebased care — or any other critical healthcare issue — is so important. Managing risk in a vacuum can cause organizations to overlook other critical risks that could be costly, or refrain from taking risks that have a tremendous upside, which could be even more costly.
Healthcare organizations that lack the data, tools, processes and frankly, the mission to take an Integrated ERM approach could face even greater failure in the form of business disruption or financial losses.
1. High-quality patient care In addition to effectively highlighting patient safety issues that can then be resolved, Integrated ERM also enables healthcare organizations to more easily adopt increasingly popular patientcentered value-based care models.
2. Compliance While Integrated ERM is not about managing risk to compliance, compliance is often a benefit of taking risks out of silos, obtaining a comprehensive view of those risks, and uncovering a plan of action that goes well beyond compliance standards.
3. Resilience Because Integrated ERM accounts for both the upsides and downsides of risk, it can help organizations to better withstand hazards, as well as thrive in the wake of a changing marketplace when value-enhancing risks are taken.
4. Proper Investment Integrated ERM hinges on well-founded data that can rank your risks and offer insight on where to invest. Whether you invest in risk mitigation activities or value-incented risktaking activities, you can feel confident about your spend.
5. Improved Processes Integrated ERM can eliminate redundancies that often transpire due to operating in silos. The resulting transparency and collaboration means less likelihood of creating additional problems in one area after solving for a problem in another area.
While the benefits of ERM are getting attention in the healthcare industry — at least anecdotally, according to healthcare experts — adoption is slow. Further, adoption of mature ERM programs — or Integrated ERM — is even slower.
While most healthcare providers today have completed an ERM assessment — a step in the right direction, but a far cry from implementing a robust program that aligns risk with strategic planning — many providers are still struggling with next steps.
The slow adoption could be attributed, in part, to the lack of a single regulatory body mandating healthcare organizations institute ERM practices — as was the case for other highly regulated industries like financial institutions and even higher education that were under great pressure to join the ERM movement and did so as a result.
While competing requirements within HIPAA, CMS rules and EEOC guidelines are the perfect reason to adopt Integrated ERM — reducing risk for non-compliance and generating valueadd programs that go beyond aligning with regulations — they tend to be a distraction from Integrated ERM instead.
That’s why healthcare organizations have to decide from within that ERM is a priority — a decision that’s much easier to make once the business case for Integrated ERM becomes clear.
Part Two: Integrated ERM in Practice
While the healthcare industry faces a multitude of unique risks and challenges that don’t apply to any other industry, it can still benefit from the lessons learned by other industries that adopted ERM in its more fledgling state, years ago.
In fact, healthcare organizations that are just now adopting the ERM process may have a considerable advantage: They might be able to avoid the growing pains early adopters experienced and implement industry-neutral ERM best practices “off the shelf,” rather than invent or reinvent the wheel. Further, healthcare organizations might be able to advance to a more mature Integrated ERM program sooner — meaning they could see bigger benefits faster.
The lessons that healthcare organizations can take away from those industries that have already adopted ERM include:
Risk in the supply chain
End users (in this case, hospitals) need to be asking their vendors where they get the key components of the products they are selling. The end users then need to compare this list with the similar lists provided by other vendors, spot a common source, and set in place a plan to get alternative supplies. The supply chain is not just the tier 1 vendors (those who send the bill) but often flows down to multiple layers to sometimes just one or two vendors on whom the industry has come to rely for reasons of pricing and capabilities. Ignore these and the supply chain will one day be broken. The resulting reputation damage and other losses could be overwhelming, if not for the business, then for the executives who made the purchasing decisions.
With technology today it has become practical to ask down the supply chain who provides what key components, and then determine the relationships between all these vendors to identify potential hot spots that may require a plan or process to maintain adequate supplies — and might even create opportunities to provide goods or services when your competitors are hampered.
ERM goes beyond compliance
Compliance should be a benefit of ERM — not its sole driver. That’s why it’s listed as only one of eight healthcare ERM domains: On it’s own, compliance management solely takes into account the hazards of risk, not the potential upsides that could add value to the business or create a competitive advantage. Look across all eight risk domains to formulate a robust program that will deliver on minimizing uncertainty and maximizing value.
Risk cultures start at the top
ERM is not a one-time process. It’s an ongoing program that can only be sustained if it’s ingrained in an organization’s culture and is supported at the top. If leadership isn’t pushing you to implement ERM, you will need to push them. Relaying the benefits of ERM, alone, probably won’t be enough. Cater your pro-ERM message to the interests and roles of the leaders from whom you need support. Solid communication, morale-building and negotiation skills will be needed to influence leadership.
Risk governance should be formalized
Leadership needs to be more than just engaged and supportive of ERM. They need to be accountable. Executives, board members, and leaders from departments that represent each of the eight risk domains should be assigned roles and responsibilities related to ERM, and expected to execute within whichever ERM framework your organization elects to implement. Risk management activities should be coordinated, and they should adhere to the processes and workflows that have been agreed upon.
Risk Management processes should be standardized
While every industry — and even every healthcare organization — is unique, there are standardized frameworks and tools you can select from as a starting point for establishing a customized ERM program. Selecting from frameworks that have already been proven, and then modifying accordingly, will save time and energy when launching a program. Further, supplemental tools like risk registries, risk inventories and risk heat maps don’t discriminate against industries
ERM and Integrated ERM are obviously enterprise-wide initiatives and therefore should involve stakeholders from across the enterprise. When developing such programs, risk managers should seek support internally from the top-down, as well as across business units, departments and health systems if their healthcare organization is made up of multiple types (i.e. hospitals, ambulatory care centers and doctor’s offices)
Still, oftentimes it takes outside resources to establish ERM and Integrated ERM programs at a healthcare organization. Perspective from outside service providers can help to create programs that aren’t built off internal biases or politics, but instead based on outside vendors’ diverse knowledge, as well as the best practices and successes they’ve witnessed from their other similar clients.
Common external vendors that can help healthcare organizations develop their ERM and Integrated ERM programs include consultants and software vendors.
Consulting firms with ERM services can be especially helpful when it comes to analyzing the full spectrum of risks facing healthcare organizations; evaluating the risk management practices they already have in place; and developing risk roadmaps and sustainable ERM processes going forward. This benefits large and small organizations alike — large organizations because of their complexity and small organizations because of their lean resources.
Integrated risk management technology vendors can take your ERM process to the next level by capturing and automating that process — as well as generating analytics to further inform and evolve your ERM program — all within in a single system. Vendors that are familiar with ERM processes — and not just bells and whistles technology — can help ensure the system models your ERM framework for consistency and effectiveness during implementation. They can also make sure you are in fact getting the benefits of always up-to-date and innovative technology.
When selecting a software vendor to help with your healthcare organization’s Integrated ERM needs, take into account the following considerations to ensure you’re partnering with the best service and software provider.
Healthcare data is sensitive. Make sure you’re engaging with vendors that offer end-to-end security in the form of password policies, security roles, encryption and audit logs. Vendors with a cloud-based platform should be able to offer insight into how the data centers they employ are secured, redundant and guarded. They should also be auditing their data centers on a regular basis. Learn about the seven standards of cloud computing service delivery in our white paper.
Look for a system that is fast and reliable. You need technology that provides information on demand — with essentially no wait times for returns on queries, searches, maneuvering in claims, reporting, etc. Further, emerging risks don’t wait on system downtime. Make sure you invest in a system that has minimal system downtime, and that your vendor will offer up-to-the-minute information on planned maintenance.
Because healthcare is always changing and risks are always evolving, consider giving priority to a system that can grow with your needs — one that can be fine-tuned continuously, just like you’re continuously fine-tuning your ERM program. The right vendor will offer a system that is scalable and easy to evolve, without major overhauls that are costly and time consuming.
Look for a system that goes beyond checking boxes and only offers a multitude of disparate point solutions — from patient safety, to incident management, to return to work. You of course want those solutions, but you want them to be integrated and capable of talking to each other. This will result in more powerful analytics and improved decision-making.
What you need to know about Healthcare Data Security
For organizations involved in U.S. healthcare, HIPAA adds one excruciating migraine to the growing cluster of headaches already posed by cybersecurity threats.
These companies want and need to protect their payment card, employee, IP, and other data like any other business venture. But regulations governing protected patient data under the Federal Health Insurance Portability and Accountability Act of 1996 add layers of rules — and risk — that are unique to this industry, why it is vital to know how to provide good healthcare data security. This isn’t new, as the HIPAA privacy rule was implemented more than 13 years ago. Most if not all of the policies, procedures and compliance training around it, however, have focused on internal risks.
Can your current and prospective IT vendors help you? And what should you be asking them to divine whether or not they can?
- Are they data-security certified? Keep in mind that there is no federal standard for HIPAA certification of vendors, but established standards for data security, including HIPAA, do exist. Look for partners who are SSAE-16 (Type 1 and Type 2) certified, as well as SOC-2, and HIPAA AT-101. Go ahead, ask your IT lead to decipher these for you. I did. Or check out www.aicpa.org
- In the unfortunate environment where cyber attacks are “when” more than “if” events, do your vendors have cyber security response teams? Do your partners have their own cybersecurity insurance coverage? What are your vendors doing to be prepared for new threats? It’s great to be certified, but continuous quality improvement is not only for patient care.
You should also be asking your internal IT leadership these same difficult questions. Ironically, after satisfying the vendor data privacy and security requirements for our clients, we’ve occasionally found that these clients don’t meet those same requirements in important data processes. Learn more about the need to keep patient data safe in our white paper.
Part Three: Riskonnect and Integrated ERM in Healthcare
Riskonnect is the trusted, preferred source of Integrated ERM technology. We offer a growing suite of solutions on a world-class cloud computing model that enable healthcare clients to elevate their risk management programs by addressing risks across the entire enterprise.
Riskonnect’s highly configurable technology is ideal for forward-thinking healthcare organizations facing increased scrutiny and accountability for corporate governance, strategy and strategic risk. Our solutions facilitate the ability to plan for and respond intelligently to all risks that could potentially harm an organization and its competitive position, damage corporate reputation and restrict srategic growth.
We help our healthcare clients to holistically understand, manage and control risks. We deliver on our mission by offering SaaS technology that automates processes, simplifies analysis and streamlines collaboration — facilitating true Integrated ERM within healthcare organizations in the most efficient and cost effective way possible.
- It pulls a wide range of patient safety, insurance and risk management data into a centralized and interactive system
- Data input automatically triggers real-time analysis of a wide range of patient safety-, insurance- and risk-related information.
- Data input automatically triggers a wide range of patient safety-, insurance- and risk-related workflows and activities.
- It acts as both a repository for patient safety- and risk-related data, and a launching pad for Integrated ERM activities.
- It standardizes data from varied sources into common formats that can “talk to each other” — spurring risk management activity or analysis.
- Mobile capabilities allow front lines of healthcare organizations to enter pertinent data with speed and ease.