Enterprise Risk management: What’s It All About? · PDF fileCash flow programs Retro dividend ... enabling them to call upon outside experts when necessary. ... Enterprise Risk Management:

Enterprise Risk Management: What’s It All About?

Roberta Carroll, RN, Arm, MBA, CPCU, CPHRM, CPHQ, HEM, DFASHRM, LHRM

Senior Vice President

Aon Healthcare

2Enterprise Risk Management: What’s It All About

Setting the Stage

The focus of risk management has changed, expanding to identify and assess risks proactively in tandem with other risks, involving the highest levels of the organization (Board and C‐Suite) requiring the collaborative effort of all employees. No longer can healthcare risk management simply react to clinical risks and hope that patient safety is achieved; efforts must focus on risks that affect the entire organization and not just one aspect of operations.


What has Changed?

Sarbanes Oxley Act

COSO

Rating Agencies


ERM as a decision Making Process

The risk management process includes the following steps:

1) risk identification and analysis of an organization’s

exposures to loss,

2) examining alternate risk techniques,

3) selecting the best technique,

4) implementing the technique chosen and

5) monitor and makes changes as necessary.


ERM Defined

“Enterprise risk management can best be described as an on‐going business decision‐making process instituted and supported by the healthcare organization’s board of directors, executive administration and medical staff leadership. ERM recognizes the synergistic effect of risks across the continuum of care, and has as its goals to assist theorganization reduce uncertainty and process variability, promote patient safety and maximize the return on investment (ROI) through asset preservation, and the recognition of actionable risk opportunities”


Domains/Centers of Risk

Operational

Financial

Human capital

Strategic

Legal / regulatory

Technology

Hazard


Risks related to the business operation that results from inadequate or failed internal processes, people or systems (medical professional liability)

Information SystemsQuality Initiatives– P4P

– Variability Documentation Adverse event management Chain of commandCredentialing and staffing DisclosureMedication errors Patient SafetyTransparency

Operational Risks


Risks that affect the profitability, cash position, access to capital or external financial ratings through business relationships or the timing and recognition of revenue and expenses

Access to capital Billing and collection

Credit and interest rate fluctuations Capitation contracts

Foreign exchange Days of cash on hand

Growth in programs and facilities, Accounts receivable

Capital equipment MMSEA/MSP

Corporate compliance (fraud & abuse) HACs, RACs, & Never Events

Financial Risk


Environmental

– Wrongful termination

– Sexual harassment

– Discrimination– Morale– Diversity– Fatigue– Appropriate staffing

– Safety / Ergonomics

Hiring practices– Competency

– Literacy

– Criminal background checks

– Substance abuse

– Employee handbook– Orientation & continuing education

Breach of contract

Human Capital Risk

An explosive area of exposure in today’s tight labor market including employee selection, retention and turnover, absenteeism, and compensation


Strategic Risks

Managed care relationships

Antitrust

Conflict of interest

Marketing and sales

Advertising

Insurance coverage

Media relations

Business ventures

M&A&DContract administration

Brand and reputational risks and risks associated with business strategy, failure to adopt to changing health care environment, changing customer priorities and competition


Legal & Regulatory Risk

Statutes, standards & regulations

– EMTALA – NPDB– HIPAATJC & LicensureCMS / DHHS /OIG

Hazardous waste disposal

Integrity programs

3rd party reports

External reviews

Stark I & II safe harbors

Private inurement

Incorporates risks arising out of licensure, accreditation, product liability, management liability, as well as issuesrelated to intellectual property.


Technology in Healthcare

CPOE / Bar CodingEMR / EHRRFIDRoboticsSimulationTelehealth– PACS– TeleradiologyeICU

RFID surgical sponge

Remote robotic surgery

Those risks associated with the use of machines, hardware, equipment, devices and tools, but can also include techniques, systems and methods of organization. Health care has seen an explosion in the use of technology.


Risks attributable to physical loss of assets or a reduction in their value. Traditionally insurable risk related to natural hazards and business interruption

Facility management Valuables

Plant age Earthquakes

Parking (lighting, location, security) Windstorms

Valuables Tornadoes

Construction/Renovation

Natural/Hazard Risks

12.26.04 Indonesia Tsunami

ERM Framework

1. IdentifyRisk

II. Analyze Risk

III. Prioritize Risk

V. Continuous Improvement

Quantify impact

Opportunities

Risk finance

Cost benefit

“low-hanging” efforts

Resource conservation

FormalInformalExternalInternal

Monitor-Risk-Environment-Organization

Change

IV. Solutions & Strategies

Initiatives

Work groups

Reporting

Carroll R - 2007


Frameworks, Tools and Solutions

FrameworksEnterprise Risk Management Process

ToolsRisk Scoring, Risk Mapping, Interviews, Claims Analysis

SolutionsSafe Practices, PSET, NPSG, CPOE, RFID

Frameworks are analytical methods that can be used to define and evaluate complex business

problems.

Tools are techniques, both quantitative and qualitative, to analyze data to

develop risk strategies and

solutions.

Solutions are techniques that

mitigate identified risk exposure to promote patient

safety.


Risks Relationships

There are generally considered to be twotypes of risk:

– Speculative risk ~ which offers both the potential for loss as well as gain. The best example is the stock market or gambling.

– Pure risk ~ which creates only the potential for loss. Not all pure risks will necessarily result in a loss but, there will never be the opportunity for gain. Pure risk maintains the status quo at best and in the worst case scenario, creates a loss.


Risks Correlations

Risks can be positively correlated ‐ as the probability of one risk increases so does that of an associated risk

Risks can be negatively correlated ‐ the probability or impact of increasing one risk, decreases that of an associated risk.


Responsibility for ERM

The Board of Directors is ultimately responsible for the Enterprise Risk Management Program

– Role in on‐going, continuous

Commitment from senior leadership and medical staff is critical


Organizational Risk Appetite

Risk Adversity

Risk Taker

GuaranteedCost

SelfInsurance Captives

Cash flow programsRetro dividend programs


Risk Identification and Analysis

The identification and analysis of risk is management’s attempt to determine what risks can impact strategy and the achievement of organizational goals.

Both formal and informal methods are used to identify organizational risk.

Risk can be internal within an organization or external to it.

Risks can be identified retrospectively, concurrently, pre‐interventional and prospectively.


Risk Assessment & Evaluation

Once all organizational risks have been identified, and analyzed, the next step is to:

Understand and attempt to quantify the potential magnitude

or materiality of each identified risk

Considers the positive and negative consequences of events

underlying identified risks across an organization

Incorporate at least two dimensions of risk: likelihood and

severity

Recognize that there may be a range of possible results

associated with an event


Risk Scoring

Once an exhaustive list of risks is assembled, evaluate the importance of one risk vs. another. Develop a score/rank for each risk.

Scores are used to place risks in priority order.

The results might then be arrayed graphically for easy viewing. This process is known as risk mapping.

Sample Formula Calculating a Risk Score

(Probability + Time to Impact) x Severity = Risk Score


Risk Map Im

pact

Likelihood

O1

S1S2 O2

L1

L2

O3

O5O4

S3

O6

S4

H1

T1

O7

S5

L3

O8S6H2

F1 H3

O9

H4

H5

S7H6

T2 L4

L5 L6

L7S8

F2H7

O10

S9

F3T3

T4

S10S11

H8

O11

Legend

= Critical risk

= Moderate risk

= Relatively low risk

O12


Heat Map

5 2.10 2.2

4 2.9, 3.4,4.5, 4.6,

6.4

1.5, 2.7,2.8, 5.3

1.4, 2.5,2.6, 5.2

1.1, 1.2, 1.3,2.3, 2.4, 3.1,3.2, 4.1, 4.2,

5.1, 6.1

2.1

3 3.7, 6.6 1.6, 2.9,3.3, 3.5,4.5, 4.7,

6.3

4.3, 4.4,6.2

2 4.8 2.11, 3.6,6.5

1 5.6 5.5 2.12, 5.4

2 3 4 5 6 7 8Frequency +Time

Seve

rity


Strategy Setting and Solutions

Low‐Hanging Fruit

Resource allocation and availability

– Human capital

– Financial/cost

– Time to complete

– Expertise needed – internal/external

– Frequency and severity of risk


Barriers to Implementation

Territorial turf

Cultural incompatibility

Inability to team and effectively communicate

Limited use and availability of technology

Inadequate senior‐level support

No commonly accepted risk metrics

Length of time to implement

Limited understanding of ERM principles


Barriers to Implementation cont…

Difficult to quantify results or return on investment (ROI)

No follow through

Inflexible process

Establishing solution before defining root cause of problem

Not including users in development


Benefits of Enterprise Risk Management

ERM allows the Organization to step back from the minutia of risks and take a global or strategic perspective. This new top‐down view should result in:

– A strategic, organizational framework for managing risk

– Understanding relationships (correlations) between risks

– Efficient and effective treatment of risk

– Risk prioritization

– Ability to understand and assess future risks

– A common risk taxonomy


Benefits of Enterprise Risk Management cont…

– Promotes transparency

– Supports board educational initiatives and framework for

meeting financial disclosure requirements

– Encourages better decision‐making

– Allows for allocation of limited resources

– Enhances success of regulatory and compliance initiatives

– Creates formal linkages


Success Factors

The following are considered success factors when implementing an ERM program:

– Leadership support and a positive culture

– Broad‐based employee involvement

– Consistencyin assessment

in scoring measurement

– Quantify and benchmark results

– Decreased variability through evidence‐based practice (EBP)

– Monitoring and evaluationInternal

External


Future of the Risk Management Professional

The evolution of enterprise risk management is redefining the “scope of practice” for the professional charged with risk management responsibilities. Risk management professionals need to be facilitators of change, action seekers and well‐networked within their own organizations and externally, enabling them to call upon outside experts when necessary. Changing risk management into organizational‐wide strategies to address ERM is not for the “weak at heart”. Increased responsibilities require enhanced skills.


In Summary

Enterprise risk management is charged with the protection and preservation of organizational assets [people, property, money, etc.]. The best way to accomplish this task in healthcare is to deliver quality patient care in an environment that is safe, equitable and efficient for all [visitors, patient, staff, employees, volunteer, etc.] with minimal practice variation. As healthcare advances so do the risks associated with those changes. The development, implementation and support of an enterprise risk management program will meet the challenge of addressing organizational risk proactively.


Questions

Questions


For More Information

Roberta Carroll, RN, ARM, MBA, CPCU, CPHQ, CPHRM, HEM, LHRM

Senior Vice President

Aon Healthcare

Tampa, Fl. 33556

Phone: (813) 926‐8069

Fax: (813) 926‐8084

E‐Mail: ([email protected])

Documents

Enterprise Risk management: What’s It All About? · PDF fileCash flow programs Retro dividend ... enabling them to call upon outside experts when necessary. ... Enterprise Risk Management: