South Florida Hospital News
Sunday May 26, 2019

March 2014 - Volume 10 - Issue 9
Effective Enterprise Risk Management for Healthcare Institutions

In September 2004, the Committee of Sponsoring Organizations of the Treadway Commission (“COSO”) published an Executive Summary entitled “Enterprise Risk Management – Integrated Framework.” The Executive Summary defines ERM as a process aimed at (1) making an organization more profitable by creating a single view of all risks, internal and external, and (2) creating an executive-level management strategy to deal with those risks (COSO 2004). The key to ERM is analyzing multiple risks “across the enterprise” rather than in silos, while elevating risk management to a strategic partner in achieving institutional goals.
Since the COSO report was published, many healthcare institutions have established ERM programs. Some organizations may have found success with their ERM program, while others may be struggling to implement it. For those that have ERM, is it an effective program? Does it incorporate the strategic plan and goals for the hospital or health care system? Is it supported and promoted by the Board and senior management, so that ERM is part of the institutional culture? Are the identified risks monitored and reported consistently, with action plans instituted for emerging risks? Or, alternatively, does the institution have an ERM program that is merely pulled off the shelf every quarter so that key risk metric boxes are checked off as a matter of routine? The latter, of course, is not an effective ERM program.
Under the traditional risk management approach, leadership is consumed with “putting out fires” and is typically reactive, rather than being proactive and growing the business. If your organization has not yet incorporated ERM and is managing under traditional risk management principles, then your focus is probably only on hazard or after-the-fact risks, without consideration of other threats, such as environmental or reputational risks. These non-traditional threats, when under-valued, can impede the success or growth of the organization.
An effective ERM program starts at the top with the Board and senior management and becomes part of the organization’s culture. ERM provides enterprise-wide solutions across the various departments within the institution, thereby doing away with the silos or “camps” that characterize traditional approaches to risk management. Consider a healthcare institution’s various departments, such as Clinical Quality & Patient Safety, Human Resources, Information Technology, Legal/Compliance, Finance, and Leadership/Governance. In the traditional risk management world, each department plans and manages its own risk without consideration of, or appreciation for, other departmental risks and their impact on the organization as a whole. Under an ERM model, departmental and subject matter expertise is maintained, while risk identification, planning, and mitigation are cross-functional across the organization.
In today’s healthcare market, ERM provides an organization with the infrastructure necessary to survive emerging changes and challenges. Effective ERM programs include the following key principles:
• Identify. Identify significant risks to the organization in a timely manner.
• Monitor and Plan. Develop risk indicators to monitor the identified risks, and have action plans ready to implement should a risk materialize.
• Incorporate. Incorporate risk management into strategic planning.
• Communicate. All pertinent risk information is shared with organizational leaders and the Board.
Failures in ERM programs often come about due to a lack of one or more of the four guiding principles. The key to success is to develop the ERM infrastructure so that risks can be managed effectively and proactively, with collaboration among the “risk” subject matter experts, senior leadership, the Board, and the institution as a whole.
Linda A. Epstein, former Vice President of Risk, Chief Litigation Counsel, Health Management Associates, Inc. can be reached at (239) 595-6317 or
“Enterprise Risk Management – Integrated Framework.” Committee of Sponsoring Organizations of the Treadway Commission (COSO), Executive Summary and Complete Report, September 2004.