A crystal ball revealing which risks will turn into reality would prove helpful to any business. Although varied in nature, all organizations constantly face a multitude of risks that could derail their goals if unmanaged.
This content is sponsored by Willis Towers Watson.
In fact, 60 percent of nonprofit business leaders reported being affected by an operational surprise "extensively" or "mostly" within the last five years, according to the results of a survey released in March 2018 by the Raleigh-based North Carolina State University ERM Initiative and the American Institute of Certified Public Accountants. Additionally, 55 percent of nonprofit respondents noted risk complexity and volume had changed "mostly" or "extensively" in that same timeframe.
Unfortunately, no such risk-revealing crystal ball exists, and organizations are left to their own devices to manage potential dangers. However, 39 percent of the survey respondents said their organizations have minimal or no formal assessment of emerging strategic, market or industry risks, leaving a lot of room for unmanaged risk.
One strategy to address changing and complex risks that is gaining traction in many industries is enterprise risk management (ERM), which is a systematic approach designed to identify, manage and communicate risk throughout an organization.
At the Becker's Hospital Review 9th Annual Meeting in Chicago, April 11, Todd Williams, director of strategic risk consulting at Willis Towers Watson, asked 25 healthcare executives if their organizations have had ERM programs in existence for more than five years.
He said it would be a surprise if organizations had longstanding ERM programs in place, noting the lack of raised hands among the group of hospital CEOs, CFOs, quality directors and other healthcare leaders gathered for an executive roundtable discussion about ERM.
Elizabeth Osgood, consultant of strategic risk consulting at Willis Towers Watson, and Ken Felton, senior vice president of national healthcare practice at Willis Towers Watson, joined Mr. Williams in delivering a presentation on how to implement a performance improvement plan for effectively managing the top risks faced by healthcare organizations.
Top 10 healthcare enterprise risks
Just like other businesses, healthcare organizations face many and multifaceted risks. In healthcare, these risks are continuously changing as the industry strives to meet new demands from patients, providers, payers and the government.
Willis Towers Watson compiled the following top 10 risks for healthcare organizations based on the company's engagements in the last 18 to 24 months.
- Physician alignment, integration and relationships
- Loss or departure of key individuals; unable to attract and retain employees
- Patient satisfaction, patient complaints and performance scores
- Cyber risks
- Non-privacy IT risks
- Payment reform and revenue cycle management
- Competitor strategic actions
- Catastrophic events
- Access to capital and funding
- Failure to effectively develop or execute strategy
State and federal regulatory and legislative changes also fall in the top risks faced by healthcare organizations.
How to implement an enterprise risk assessment
Healthcare organizations may find managing these critical risks a challenge because they don't have a consistently implemented approach to risk management. This is where ERM comes into play.
Mr. Williams emphasized ERM doesn't need to be a complicated process to be effective. "In fact, the simpler you make it for your stakeholders, the more buy-in you'll get," he said.
A successful ERM requires C-suite support, first and foremost, so that the process is embedded into the hospital's strategic planning. The director of risk management at a two-hospital integrated health system in the Midwest agreed with this point, sharing that CEO buy-in was the greatest challenge for ERM implementation at her organization.
"[The CEO] couldn't differentiate between strategic planning and enterprise risk. It took a lot of training and education with the senior team," she said. "Since then, our current CEO and CFO are on board, and we have an active enterprise risk management subcommittee that is comprised of key leaders."
A hospital's leadership should only focus time and capital on the 10 to 15 risks that prove most critical, and deploy a combined qualitative assessment with quantitative measurement.
Organizations can choose among three approaches to assess enterprise risks: surveys, interviews and workshops. Ms. Osgood said Willis Towers Watson uses the workshop method, as it "gives the best results in terms of surfacing that underlying risk information, building consensus and identifying those emerging risks."
Here is how Willis Towers Watson deploys an enterprise risk assessment at an organization:
- Defines the scope of assessment with a timeline of at least two years.
- Chooses the ideal cross-functional team of workshop participants from across the organization.
- Gathers an organization's previous assessment information and calls on industry experts to provide information about emerging trends.
- Develops a pre-workshop survey based on the collected data, asking participants to articulate how serious they think each of the 100 listed risks are, on a scale of one (negligible) to five (catastrophic). Each risk possesses four components:
- Trigger: The future event that may occur, such as a natural disaster.
- Underlying vulnerabilities: Events happening currently within the environment, making an organization vulnerable to the risk, such as a hospital located in a disaster-prone area.
- Consequences: Bad events that will occur if the trigger happens, such as patient harm.
- Current controls: What an organization is doing currently to mitigate the risk.
- Hosts a full-day workshop, identifying and assessing the top 15 to 20 risks
- Hosts a half-day workshop the following day, creating risk mitigation plans for the top 10 risks.
The Willis Towers Watson risk assessment will create an executable risk improvement plan with assigned accountability, and leverage tools to communicate those risks across the organization.
"We think of [the ERM process] as a funnel, starting at the top with a survey of 100 risks, quickly filtering that down to your most critical risks," Ms. Osgood said. "At the end of the workshops, you should have risk mitigation plans developed for your most critical risks."
With the process in mind, the 25 executives worked through a hypothetical risk articulation and improvement planning process during the roundtable. They emphasized "human capital" as a problem area and focused the risk assessment accordingly.
The group identified the inability to fill positions as the trigger, with loss of key employees in high-impact positions, lack of succession plans and market competitiveness as underlying vulnerabilities. If the trigger occurs, the executives saw loss of clinical service, reputation damage and process deterioration as potential consequences. They pinpointed current controls as relationships with recruiters, leadership development programs and employee satisfaction surveys.
The executives then brainstormed possible actions to mitigate the risk. The CEO of a nonprofit critical access hospital in the Midwest said the hypothetical company should "create a formalized succession plan program." The CFO of a VA healthcare system on the West Coast said the company should "implement a long-term incentive plan."
As they worked through the risk assessment, some executives expressed curiosity regarding the effectiveness of ERM at mitigating risk. Although difficult to quantify, an ERM program will mature and allow organizations to "identify specific quantifiable metrics that you can track over time associated with your key risks," said Ms. Osgood.
The previously mentioned director of risk management from the Midwest agreed: "[Risk] is a moving target. Years ago, when we first started, cyber was down on the list. When we reevaluated two years later, it bumped up to the top five."
If executed effectively, ERM can realize the following eight benefits:
- Reduction of financial result variability and operational surprises
- Identification, management and communication of greatest risks
- Efficient allocation of resources and management time
- Better capitalization on risk opportunities
- Improved or preserved market reputation
- Aligned with governance, regulatory and credit rating requirements
- Increased organizational value
- Managed regulatory and legislative changes
How to keep ERM on target
While ERM offers a variety of benefits, some hospitals fall prey to common pitfalls.
The Willis Towers Watson team recommended against presenting 100-plus risks to the board of directors every quarter, noting the board should only ever see 10 to 15 well-defined risks at a time. Hospitals will fail to use ERM effectively if they assign the task to one person instead of a team or focus on just checking the box instead of reducing volatility.
Above all, hospitals should ensure they follow through with risk mitigation after completing a risk assessment. The market CFO of an acute care hospital within a three-hospital system in the Southwest knows all too well about this pitfall. Her facility is in a joint venture, and she said the C-suites at all of the facilities complete risk surveys annually to send to corporate, but they never hear any response. She thinks her organization is missing the opportunity to report the results back to its campuses, ambulatory surgery centers and physician practices to drive change.
Mr. Williams responded, "So, it's a negative ERM ROI." He said if the organization took that same process they have in place at the enterprise level and funneled it down to the location level, facilities would see positive results in risk management. "That's where the rubber meets the road; that's where the value comes in."