Kezia Farnham

Senior Manager

Enterprise risk management (ERM) in healthcare

Enterprise risk management (ERM) is critical for any modern organization. It’s the first line of defense against myriad risks, including hacks, breaches, bad actors and more. In healthcare — an industry with large quantities of highly sensitive data — ERM takes on a new meaning.

ERM in healthcare is a protective force for both healthcare organizations and their patients. Without it, sensitive and private data ranging from payment details to health information could easily fall into the wrong hands, and even patient safety could be at risk. This article will help healthcare organizations get it right by explaining:

• What ERM means in healthcare and why it matters
• Eight risk areas healthcare organizations need to know
• Steps to implement ERM healthcare now
• Best practices to more effectively manage healthcare risk

What does ERM mean in healthcare?

According to the American Society for Healthcare Risk Management (ASHRM), “ERM in healthcare promotes a comprehensive framework for making risk management decisions.”

That framework connects risk to total value, meaning that healthcare ERM requires a focus on developing responses to risk that maximize either value creation or value protection. ASHRM breaks healthcare ERM into four different steps:

1. Identification: Monitor the risk landscape to keep tabs on existing risks and detect emerging ones. Communicate those risks to relevant stakeholders.
2. Assessment: Consider the threat each risk presents, including how likely it is to happen, how it may be mitigated, and the value it offers.
3. Evaluation: Analyze your risk assessment to determine how to proceed. This can range from continuing to monitor the risk, acting to mitigate it, or even turning the risk into an opportunity.
4. Response: Take action on the risks you’ve identified according to your ERM strategy.
   

Why is ERM important for healthcare organizations?

On a recent episode of the Corporate Director Podcast, healthcare leader Dr. Bill Winkenwerder said, “Adversaries are knocking on the door every day.”

This is an observation from his time on the board of numerous healthcare organizations. But it’s also backed up by industry data. Healthcare organizations worldwide faced 1,463 cyberattacks per week in 2022 — a startling 74% increase from 2021. The threat is even more pervasive in the U.S., where the average healthcare organization suffered 344 breaches that year.

ERM benefits healthcare organizations because it's a strategic and comprehensive approach to ensuring those attacks remain unsuccessful.

Dr. Winkenwerder said, “It’s to set in place an infrastructure, so you have multiple layers of protection, and people are getting educated about how to minimize risk.”

Healthcare organizations with a mature ERM framework:

• Reduce the risk of costly breaches
• Build and maintain a trustworthy reputation
• Create value for patients, providers and shareholders
• Spark cross-functional collaboration
• Align risk strategy with organizational objectives
• Foster a culture of compliance

The 8 ERM healthcare risk domains

Many healthcare organizations face risks on all sides. The ASHRM categorizes those risks into eight different areas (or domains) most likely to impact healthcare organizations. An effective healthcare ERM strategy will consider how to approach risk in each domain.

The eight risk domains are:

1. Operations: The people, processes and systems that run the business fall into this category. Risks arise when those operations fail, whether that’s accidentally exposing private data or hosting a community event with dangers present.
2. Clinical Safety: Delivery of care can also introduce risks. This domain encompasses all those risks and can include incorrectly filled prescriptions or patients acquiring an infection while at the hospital.
3. Strategy: The healthcare landscape changes rapidly, challenging the company’s direction. When healthcare organizations struggle to adapt, don’t follow new marketing or media relations regulations or fail to maintain partnerships, risks can arise.
4. Finances: Anything that could threaten an organization’s bottom line is considered a financial threat. This could include anything from medical malpractice to insurance to rising inflation and equipment costs.
5. Human capital: At their core, healthcare organizations are people serving people. This is essential, but it also comes with risk. Human-related risks include employee recruitment and retention, workplace injuries and termination.
6. Regulations: Healthcare is a highly regulated industry and, as such, carries ample risk for organizations that fail to comply with regulations. The Health Insurance Portability and Accountability Act (HIPAA) is the most well-known and carries unique penalties, but regulatory risk also includes accreditation, licensure and more.
7. Technology: Healthcare is increasingly digital and even more so with the adoption of virtual appointments. It’s valuable but also risky, whether that’s technology for training, diagnosis, or managing Electronic Health Records (EHR).
8. Hazards: This domain encompasses risks that could impact physical locations. Think building age, any valuables on-site, and natural disasters like earthquakes or hurricanes.

How to manage risk in healthcare

The sheer number of risks healthcare organizations face can make ERM feel like a daunting task. While it may be tempting to launch full steam ahead, consider the maturity of your ERM program. You can start small and scale up your program to incorporate more components as your risk teams become more effective.

But no matter where your ERM maturity is now, ensure that your risk teams are:

1. Understanding organizational objectives: Most organizations have objectives, but risk teams don’t always know them. Yet, risk teams can use those objectives to filter through risks. Which are most likely to impact the bottom line, and which aren’t? That’s the question your ERM strategy should seek to answer.
2. Identifying risks: Use those objectives to identify risks. These should be risks the organization currently faces (a hospital will always have to worry about patients contracting infections while in their care) as well as those that may arise (using artificial intelligence to help with diagnoses will bring new risks).
3. Assessing risk: How an organization assesses risk depends on its risk tolerance. Some will be more willing to let risks unfold, while others want to mitigate them as quickly as possible. Categorize your risks according to whatever your tolerance is. Which risks will you avoid, which will you tolerate, and which will you use as an opportunity to create more value?
4. Prioritizing risks: Now, decide which risks you’ll respond to first. This will likely be a mix of risks that pose the greatest threat and those that offer valuable opportunities. For risks you can’t avoid, start developing a mitigation plan.
5. Building your ERM framework: How you mitigate those risks involves your unique ERM framework. You can choose an industry-standard framework or pull pieces from multiple frameworks to create an approach that suits your strategy. This will help structure the roles, responsibilities, and processes you use to review, measure, and report on risk.
6. Monitoring and reporting: Your work isn’t done once you launch an ERM healthcare program. Instead, the work of monitoring and reporting will kick off. Monitoring is two-fold, ensuring both that you never miss a risk and that you’re measuring ERM performance. Reporting then gives leadership the insight they need to make strategic, risk-aware decisions for the organization.

Stop healthcare risk in its tracks

Modern healthcare organizations cannot stop hackers and bad actors from knocking on the door. They can, however, put safeguards in place to ensure those doors don’t open.

Just like that risk won’t disappear, the call for ERM healthcare will never stop, either. A people-driven ERM program is the first step to a safer organization, but software is what will help you cross the finish line.

Modern ERM software monitors risk across the organization and pulls those insights into a single, customizable dashboard. That means more risks detected, more risks mitigated, and better visibility to help leadership protect their patients, providers, and profits. Learn more about Enterprise Risk Management, part of the Diligent One Platform.