Enterprise risk management (ERM) in healthcare

Enterprise risk management (ERM) is critical for any modern organization. It is the first line of defense against a myriad of risks, including hacks, breaches, bad actors and more. In healthcare, an industry that holds large quantities of highly sensitive data, ERM takes on a new meaning. Since 2023, ransomware attacks on U.S. healthcare organizations have caused nearly 19 days of downtime, translating to over $14 billion in monetary losses, according to Statista.
ERM in healthcare is a protective force for both healthcare organizations and their patients. Without it, sensitive and private data, from payment details to health information, could easily fall into the wrong hands, and even patient safety could be at risk. This article will help healthcare organizations get it right by explaining:
- What ERM means in healthcare and why it matters
- Eight risk areas healthcare organizations need to know
- How to manage risk in healthcare
- Common challenges in healthcare ERM implementation
- ERM maturity in healthcare organizations
- How AI-powered technology transforms healthcare ERM
What does ERM mean in healthcare?
According to the American Society for Healthcare Risk Management (ASHRM), “ERM in healthcare promotes a comprehensive framework for making risk management decisions.”
That framework connects risk to total value, meaning that healthcare ERM requires a focus on developing responses to risk that maximize either value creation or value protection.
ASHRM breaks healthcare ERM into four different steps:
- Identification: Monitor the risk landscape to keep tabs on existing risks and detect emerging ones. Communicate those risks to relevant stakeholders.
- Assessment: Consider the threat each risk poses, including its likelihood, how it may be mitigated, and the value it offers.
- Evaluation: Analyze your risk assessment to determine how to proceed. Options range from continuing to monitor the risk to acting to mitigate it, or even turning the risk into an opportunity.
- Response: Take action on the risks you’ve identified according to your ERM strategy.
Why is ERM important for healthcare organizations?
On an episode of the Corporate Director Podcast, healthcare leader Dr. Bill Winkenwerder said, “Adversaries are knocking on the door every day.”
This is an observation from his time on the board of numerous healthcare organizations. But it’s also backed up by industry data. As of 2024, 67 percent of healthcare organizations worldwide experienced ransomware attacks in the past year — nearly double the 34 percent reported in 2021, according to a Statista study.
ERM benefits healthcare organizations because it's a strategic and comprehensive approach to ensuring those attacks remain unsuccessful.
“It’s to set in place an infrastructure, so you have multiple layers of protection, and people are getting educated about how to minimize risk,” Dr. Winkenwerder added.
Healthcare organizations with a mature ERM framework:
- Reduce the risk of costly breaches
- Build and maintain a trustworthy reputation
- Create value for patients, providers and shareholders
- Spark cross-functional collaboration
- Align risk strategy with organizational objectives
- Foster a culture of compliance
The 8 ERM healthcare risk domains
Many healthcare organizations face risks on all sides. The ASHRM categorizes those risks into eight different areas (or domains) most likely to impact healthcare organizations. Understanding these domains enables healthcare leaders to structure risk oversight appropriately and ensure no critical areas escape attention.
The eight risk domains are:
1. Operations domain
The people, processes and systems running the business fall into this category. Operational risks arise when these elements fail, whether through accidental data exposure, process breakdowns or safety hazards at community events.
Risk management focuses on maintaining reliable, efficient healthcare delivery while protecting patients, staff and organizational assets.
2. Clinical and patient safety domain
Healthcare delivery itself introduces risks. This domain encompasses all risks related to patient care, including incorrectly filled prescriptions, hospital-acquired infections, diagnostic errors and treatment complications.
3. Strategic domain
The rapidly changing healthcare environment challenges organizational direction. Strategic risks emerge when healthcare organizations struggle to adapt to new care delivery models, fail to follow marketing regulations, lose key partnerships or miss market opportunities.
4. Financial domain
Anything that could threaten an organization’s bottom line is considered a financial risk. This includes everything from medical malpractice claims and insurance costs to rising inflation and equipment costs.
5. Human capital domain
Healthcare organizations depend on people serving people. This is essential, but it also comes with risk. Human-related risks include recruitment and retention challenges, workplace injuries, workforce development gaps and termination issues. The current healthcare staffing shortage intensifies human capital risks across the industry.
6. Legal and regulatory domain
Healthcare is a highly regulated industry and, as such, carries ample risk for organizations that fail to comply with regulations. The Health Insurance Portability and Accountability Act (HIPAA) is the most well-known and carries unique penalties, but regulatory risk also includes accreditation standards, licensure requirements, state-specific regulations and evolving privacy laws.
7. Technology domain
Healthcare is increasingly digital, and even more so with the adoption of telehealth appointments and AI-powered diagnostics. That technology is valuable but also risky, whether it is used for training, diagnosis or managing electronic health records (EHR).
8. Hazard domain
This domain encompasses risks that could impact physical locations. Think building age and condition, valuable equipment and supplies, and natural disaster exposure like earthquakes or hurricanes. Healthcare organizations must maintain facility safety and operational continuity even during physical disruptions.
How to manage risk in healthcare
The sheer number of risks healthcare organizations face can make ERM feel like a daunting task. While it may be tempting to launch full steam ahead, consider the maturity of your ERM program. You can start small and scale up your program to incorporate more components as your risk teams become more effective.
But no matter where your ERM maturity is now, ensure that your risk teams are doing the following:
1. Understanding organizational objectives
Most organizations have objectives, but risk teams don’t always know them. Yet, risk teams can use those objectives to filter through risks. Which are most likely to impact the bottom line, and which aren’t? That’s the question your ERM strategy should seek to answer.
2. Identifying risks
Use those objectives to identify risks. These should include risks the organization currently faces (a hospital will always have to worry about patients contracting infections while in its care), as well as those that may arise (using artificial intelligence to help with diagnoses will bring new risks).
Effective risk identification also requires input from frontline staff, department leaders and executive stakeholders across the enterprise.
3. Assessing risk using standardized methodology
How an organization assesses risk depends on its risk tolerance. Some will be more willing to let risks unfold, while others want to mitigate them as quickly as possible. Categorize your risks according to whatever your tolerance is. Which risks will you avoid, which will you tolerate, and which will you use as an opportunity to create more value?
"Keep it practical. Keep the ERM program practically designed and not overly complex, through the entire lifecycle of the ERM process," says Maurice L. Crescenzi, Jr., Industry Practice Leader at Moody's. "High, medium, low are good enough."
4. Prioritizing risks based on organizational capacity
Now, decide which risks you’ll respond to first. This will likely be a mix of risks that pose the greatest threat and those that offer valuable opportunities. For risks you can’t avoid, start developing a mitigation plan to reduce the likelihood or limit the potential impact.
5. Building your ERM framework
How you mitigate those risks involves your unique ERM framework. You can choose an industry-standard framework like COSO ERM or customize approaches that suit your specific strategy, organizational structure and risk profile. This will help structure the roles, responsibilities, and processes you use to review, measure, and report on risk.
6. Establishing clear governance and accountability
Define which roles own specific risk categories and who has the authority to make risk-related decisions. Healthcare ERM requires participation from clinical leadership, operational management, information technology, finance and legal teams. Board-level oversight typically occurs through dedicated risk committees that receive regular reports on enterprise risk posture.
7. Creating feedback loops and continuous improvement
ERM programs should evolve as organizations learn from near-misses, incidents and changing risk landscapes. Establish regular reviews of risk management effectiveness, capture lessons learned from risk events and adjust frameworks based on new threats or changed circumstances.
8. Monitoring and reporting
Your work isn’t done once you launch an ERM healthcare program. Instead, the work of monitoring and reporting kicks off. Monitoring is twofold: ensuring that you never miss a risk, and measuring ERM performance. Reporting then gives leadership the insight it needs to make strategic, risk-aware decisions for the organization.
9. Fostering a risk-aware culture
Technology and processes enable risk management, but culture determines whether ERM succeeds. You should embed risk awareness into daily operations through regular communication, training programs, recognition of risk management contributions and leadership modeling of risk-aware decision-making. When staff at all levels understand their role in risk management, the organization becomes more resilient.
Common challenges in healthcare ERM implementation
Healthcare organizations face predictable challenges when building ERM programs. Anticipating these obstacles enables more successful implementations:
- Resource constraints: Healthcare organizations operate on tight margins, making dedicated ERM resources difficult to justify. Successful implementations demonstrate value quickly through risk reduction and efficiency gains.
- Competing priorities: Patient care demands immediate attention while ERM provides longer-term benefits. Leadership commitment ensures ERM receives appropriate priority alongside operational demands.
- Siloed information: Clinical, operational, financial and technology systems often operate independently, fragmenting risk data. Effective ERM requires integration across these silos to provide comprehensive risk visibility.
- Resistance to change: Healthcare professionals focus on patient care, sometimes viewing risk management as an administrative burden. Engaging frontline staff in risk identification and demonstrating how ERM improves patient outcomes reduces resistance.
- Complexity management: Eight risk domains, multiple facilities, diverse stakeholder groups and complex regulatory requirements create substantial implementation complexity. Starting with focused pilot programs and expanding systematically manages this complexity.
Building ERM maturity in healthcare organizations
Healthcare organizations exist at different ERM maturity levels, from basic reactive risk management to sophisticated predictive risk intelligence. Understanding your current maturity level helps set realistic implementation goals and demonstrate progress over time.
- Reactive: Organizations respond to risks after incidents occur, with limited systematic risk identification or assessment.
- Compliant: Organizations meet regulatory requirements but lack comprehensive risk visibility across all domains.
- Integrated: Risk management processes coordinate across departments with consistent frameworks and reporting.
- Strategic: Risk intelligence directly informs strategic decisions, with board-level oversight of enterprise risk posture.
- Optimized: Continuous risk monitoring, predictive analytics and automated risk intelligence enable proactive risk management that creates competitive advantages.
Most healthcare organizations operate between compliant and integrated maturity levels. Moving toward strategic and optimized maturity requires investment in both processes and technology that enable more sophisticated risk management capabilities.
How AI-powered technology transforms healthcare ERM
Healthcare organizations managing enterprise risk across multiple facilities, eight risk domains and complex regulatory requirements need technology infrastructure that provides visibility while reducing administrative burden.
Manual spreadsheet-based risk tracking cannot scale to meet healthcare's complexity or provide the real-time intelligence boards and executives require for effective oversight.
For healthcare organizations starting their ERM journey or operating with resource constraints, Diligent’s AI Risk Essentials provides rapid program deployment.
The platform enables organizations to launch ERM programs in under seven days through AI-powered peer benchmarking that identifies relevant risks from 180,000+ real-world risks disclosed in public company SEC filings.

This eliminates the need for expensive consultants while ensuring healthcare organizations address industry-specific threats from cyberattacks to clinical safety and regulatory compliance.
Healthcare organizations with more sophisticated requirements can implement Diligent ERM for comprehensive risk management across business units, facilities and subsidiaries.
The platform centralizes risk identification, assessment and monitoring while providing real-time dashboards that surface critical risks before they escalate.

AI-powered analytics correlate risks across departments, enabling healthcare leaders to understand interconnected threats like the relationship between staffing shortages, clinical safety and patient satisfaction.
This technology infrastructure enables healthcare organizations to shift from reactive, time-intensive risk compilation to proactive risk intelligence.
The result: Earlier threat detection, better-informed board oversight and risk teams focused on strategic mitigation rather than spreadsheet management.
FAQs about enterprise risk management in healthcare
What is the difference between ERM and traditional risk management in healthcare?
Traditional risk management in healthcare typically focuses on specific risk categories in isolation, such as clinical safety or regulatory compliance. On the other hand, enterprise risk management takes a comprehensive, organization-wide approach that examines how risks interact across all domains.
This holistic perspective enables healthcare organizations to identify interconnected risks that siloed approaches miss, such as how cybersecurity threats affect clinical safety by compromising medical devices.
How do healthcare boards oversee enterprise risk management?
Healthcare boards typically oversee ERM through dedicated risk committees that receive regular reports on enterprise risk posture. Effective board oversight requires clear reporting that highlights material risk changes, emerging threats and risk mitigation progress.
The board's role centers on strategic oversight rather than operational risk management, asking challenging questions about whether management has identified the right risks and is responding appropriately.
What are the biggest cybersecurity risks facing healthcare organizations?
Ransomware attacks represent the most immediate cybersecurity threat to healthcare organizations, with attackers increasingly targeting hospital systems to disrupt patient care and extract payment.
Additionally, phishing attacks compromise employee credentials, while medical device vulnerabilities create entry points for attackers to access hospital networks.
How long does it take to implement an ERM program in healthcare?
ERM implementation timelines vary based on organizational size, complexity and current risk management maturity. Organizations starting with basic risk tracking can launch initial ERM frameworks in under a month using AI-powered platforms that accelerate risk identification and assessment.
Building more comprehensive programs typically requires 3-6 months to establish frameworks, assign responsibilities, implement technology and train stakeholders. Healthcare organizations should view ERM as a continuous improvement journey rather than a one-time implementation project, with capabilities evolving as the organization gains experience and sophistication.
What role does the chief risk officer play in healthcare ERM?
The chief risk officer (CRO) oversees enterprise-wide risk strategy, frameworks and governance in healthcare organizations. The CRO aligns risk management with organizational objectives and board oversight while ensuring compliance with regulatory requirements.
This role coordinates risk activities across departments, translates complex risk data into actionable intelligence for leadership, and champions a risk-aware culture throughout the organization.
