Transcription of Part One: Defining the concept, recognizing its value
1 1 JANUARY 2006 AMERICAN SOCIETY FOR HEALTHCARE RISK MANAGEMENTINTRODUCTIONT oday s health care organizations are complex entities facing newchallenges and emerging risks that pose threats to their financialand operational well being. enterprise risk management (ERM) istaking root spurred by globalization of business and financialmarkets, increased integration of capital markets and the insuranceindustry, development of sophisticated tools for risk modeling,increased regulatory controls, and greater interest in corporate governance. ERM provides a new approach to identifying and treating risksand to gaining advantage in the health care delivery marketplacethrough management of risks found across the organization. Theserisks go beyond the traditional focus of medical liability or safetyissues. Indeed, these risks are as diverse and fundamental as thebusiness operations of the health care organization itself.
2 They areevery bit as hazardous as unmanaged clinical , when risks are successfully recognized, managed andmitigated through a well-orchestrated ERM approach, they becomekey elements in a strategic plan and offer forward-thinking organi-zations a tool for achieving business success. WHAT IS enterprise RISK management ?ERM, as defined in the Risk management Handbook for HealthCare Organizations(4th ed.), is a structured analytical processthat focuses on identifying and eliminating the financial impact andvolatility of a portfolio of risks rather than on risk avoidance to this approach is an understanding that risk can be managedto gain competitive utilizes a process or framework for assessing, evaluatingand measuring all of an organization s risks . In essence, it is integratedrisk management . ERM quantifies risks to determine significance,groups them into components or domains looking for either inter-relatedness or inter-dependency and devises strategies to manage key principlesThe first essential principle of ERM is that it recognizes a broad rangeof risks confronted by the organization and acknowledges that thoserisks represent either sources of capital or potential for recognized as capital, risks can be viewed as havingeither a negative (that is, having only potential to adversely effect theorganization) or a positive (or upside) potential.
3 This recognition iscentral to the ERM premise because it stresses management of riskto exploit the upside possibilities of second essential principle is that a comprehensive, or holistic, approach is critical to managing diverse risks . An enterprise -wide view recognizes all of the potential threats to the organization sbusiness and strategic objectives. As explained in a Dec. 1-6, 2002,ECRI Risk management Reporterarticle titled enterprise RiskManagement takes hold in health care, this view requires awarenessthat risks are not isolated. While entities tend to organize themselvesoperationally into silos, their associated risks do not exist in example, the Emergency Department and the Legal or FinanceDepartment share easily crossed barriers. The risk of one is inter-related to, and possibly inter-dependent on, other areas as well as tothe organization s overall strategic inter-relatedness of these risk exposures is easily seen in theemergency department (ED).
4 Emergency Departments face significantregulatory and legal issues such as EMTALA on a daily basis and alsoENTERPRISE RISK MANAGEMENTPart One: Defining the concept , recognizing its valuecontinued on next pageFOREWORDThis three-part monograph series enterprise Risk management is available as three PDF documents on the Web site of the AmericanSociety for Healthcare Risk management ( , Resources).2 enterprise RISK management represent the single largest source of admissions to most ED can put a health care organization at risk for fines andpenalties for failing to meet the requirements of applicable laws andregulations. When operations in the ED do not run efficiently, waitingtimes can become extended and increase the risk that urgent careis not delivered promptly or worse, not at all. Patients who leavewithout treatment cause potential professional liability exposure aswell as loss of revenue significant financial impact in both short-and long-term views.
5 Organizational philosophyUnderstanding a health care organization s current view of risk is agood orientation for ERM s broader perspective. The organization soverall approaches to risk management and risk tolerance are keyfactors. Determining whether an organization views risk as somethingto be tackled proactively or responded to or reacted to gives a goodindication of its core philosophy toward risk tolerance is another indicator of how organizations viewrisk. Healthy, profitable organizations may be willing to toleratemore volatility than a less profitable organization. This can often be expressed in levels of self-insurance and retentions. Health careorganizations with a low tolerance for risk , risk averse areapt to limit their exposure by limiting the degree of risk retention or being aggressively proactive about mitigating domainsThe variety of risks facing a health care organization today can be appreciated by looking at the domains (detailed in the RiskManagement Handbook for Health Care Organizations) that ERM recognizes: Operational: Derived from the organization s core business,including its systems and practices.
6 Examples include clinical servicesand outpatient care. Financial: risks related to the organization s ability to earn,raise or access capital as well as costs associated with its transfer of risk. Examples include bonds and insurance premiums. Human: Relates to the risk related to recruiting, retaining andmanaging its workforce. Examples include worker s compensation,employee turnover and absenteeism, unionization and discrimination. Strategic: risks related to the ability of the organization togrow and expand. Examples include joint ventures, mergers, prof-itability, customer satisfaction and financial performance. Legal/Regulatory: risks related to health care statutory andregulatory compliance, licensure and accreditation. Examplesinclude HIPAA compliance, OSHA regulations, Medicare-deemedstatus and JCAHO accreditation. Technological: Risk associated with biomedical and informa-tion technologies, equipment, devices and telemedicine.
7 Examplesinclude clinical information systems such as computerized physicianorder entry and radiology picture archiving and communicationsystems and off-site monitoring of critical care VS. TRADITIONAL RISK MANAGEMENTT raditional health care risk management takes a clinically focusedapproach and examines risks individually. This model defines risksin terms of the probability that adverse events will occur and resultin financial losses. The risk manager s responsibility under such amodel is focused on protecting the assets of the management activities center on ways to mitigate the impactof adverse events on operations and finances. The risk manager worksto implement techniques to avoid, control, reduce or contractuallytransfer financial losses. Through the use of risk financing techniques,financial losses resulting from adverse events are retained or trans-ferred.
8 This theory, outlined in the Risk management Handbook forHealth Care Organizations,maintains that risks are best managedwithin the functional silos of finance, insurance, human resourcesand safety, and holds that shareholder value is maximized throughpartial or full risk transfer. However, this approach fails to appreciate relationships amongrisks and lacks the optimization of collective risk evaluation andmanagement through an enterprise approach. It also lacks a commondefinition of risk and universal measurements to gauge the effectivenessof risk management efforts. Instead of handling risk in functionalsilos where measurements of success are variable, ERM strives to usecommon metrics across risk domains to determine the effectivenessof risk management approaches. With an integrated, enterprise -wide view of risk, the risk managerhas a much more strategic position, focusing on opportunities aswell as risks .
9 The growth of ERM has resulted in the emergence ofthe chief risk officer (CRO, as detailed in Part 3 of this monograph)as the executive responsible for leading the team of senior managersfrom operations, finance, human resource and other key areas inaligning risk management strategies with the organization s businessstrategies aimed at maximizing shareholder value . Under ERM,managers as well as front line staff understand and promote a commonorganizational risk management strategy as the way of doing is incorporated into the culture of the organization as a sharedset of beliefs necessary to achieve its mission. The following example contrasts one aspect of risk management risk identification using a traditional with an integrated approachunder ERM. It exemplifies the advantages of the latter using newtechnology in the shift from a silo-centric, reactive focus to an inte-grated, proactive identification under ERME vent reporting and trending has been a keystone element of riskmanagement in the identification of events and incidents that exposethe organization to the risk of loss, especially liability , event reporting systems have been used to notify therisk manager of adverse and potentially compensable events and tocatalog reported the continuing development of electronic event reportingsystems comes the ability to generate aggregate reports of events for23 JANUARY 2006 AMERICAN SOCIETY FOR HEALTHCARE RISK management trending purposes.
10 While aggregate data report support monitoringof the frequency of events, pertinent event-specific information ortrends may or may not be available in a timely manner to those inthe best position to analyze and act on the information. This resultsin a time lag between the event s occurrence and the interventionsnecessary for mitigation of future adverse effects. In addition, thebenefit of multiple perspectives on implications of adverse eventsand trends across the organization is not realized. New technologies such as real-time, electronic risk managementidentification systems (RMIS) can be employed in an integrated, enterprise -wide risk management program allowing information tobe shared across functional disciplines. With multiple perspectivesfrom diverse individuals and support for collaboration betweengroups, more effective management of risks across the organizationcan be example, the patient complaint handling process presents akey opportunity for risk management across the enterprise throughservice recovery and prevention of similar complaints in the use of an integrated RMIS to report, communicate and act on apatient complaint involving a delay in notification of diagnostic testresults can alert involved clinicians and departments as well as keyindividuals to a problem.