What board members should be asking about risk management performance

The current state of risk management in health care can vary greatly within each organization; however, the focus on managing risk should be an integral part of the board of directors’ ongoing discussions.

Some organizations are progressive and have risk management hardwired into the culture. These organizations will typically appoint a chief risk officer reporting directly to the hospital CEO. According to the 2017 Report on the Current State of Enterprise Risk Management, only 42% of organizations have designated a chief risk officer or equivalent.1 Other health care organizations may view risk management as a non-revenue producing “department” and not include risk leadership in strategic risk discussions.


The board is ultimately responsible for providing a “framework whose purpose is to integrate the process for managing risk into the organization’s overall governance, strategy and planning, management reporting process, policies, values and culture.”2 Boards of directors and executives face a tremendous challenge in identifying, assessing and managing risks that may affect, both positively and negatively, the organization’s strategic success.3 What should board members ask about risk management performance? A number of pointed questions can provide them with actionable data. The following are examples:

1. What are the most critical risks that need to be prioritized and addressed?

The ransomware attacks on the Presbyterian Medical Center, Titus Regional Medical Center, and Ottawa Hospital underscore malicious software or cyber extortion as a critical risk exposure. In health care in particular, regulatory risk and compliance have become an increasing concern requiring board attention. Each organization’s risks are different; it’s important for boards to understand what those top risk areas are, so they can respond in a targeted, focused and proactive manner.4
The goal of an effective enterprise risk management process is to identify, assess, prioritize and develop performance improvement plans for the most critical risks that could threaten the achievement of strategic and business objectives and the sustainability of the organization.

2. How is risk management involved in risk identification, assessment, analysis, mitigation, monitoring and communication of risk?

Just as risk management roles differ greatly among organizations, so does the sophistication of their enterprise risk management programs. Only 28% of respondents believe their organization has complete ERM processes in place.5 This percentage was derived from 432 completed surveys from senior executives, mostly in financial roles, across a variety of industries involved in the North Carolina State University ERM Initiative.

Having the necessary resources to develop a robust enterprise risk management program will improve the identification of risk, opportunities and threats and increase the likelihood that the organization will achieve its strategic objectives. When a board has actionable risk information, it can provide better strategic counsel and support.6

One way a board can receive actionable risk data is through the analysis of leading risk indicators. These performance metrics should be an analysis of key performance indicators (KPIs) and key risk indicators (KRIs). KPIs concentrate on the organization’s performance history. These metrics can assist with the identification of underperforming facets of the enterprise or areas that may require additional resources.

KRIs provide more of a real-time indication of emerging risks. A summary of these performance metrics can provide a board member with the information necessary for more focused, proactive and effective management of risk.

According to the Report on the Current State of Enterprise Risk Oversight, only 32% of organizations surveyed admitted to being “not at all satisfied” or “minimally satisfied” with the nature and extent of the reporting of key risk indicators.7 This is certainly an opportunity for improvement for many organizations. Without a full representation of the performance metrics, an organization is significantly limiting its ability to make effective decisions and to respond to risks in a timely manner.

3. Have risk management and the board defined a clear risk appetite statement to identify which risks are acceptable and which are undesirable?

Health care organizations are among the most complex to understand and manage. With all of the significant changes occurring in health care, these organizations need to not only understand their risks, but take acceptable or strategic risks to grow and thrive in the future.

Many health care organizations avoid risks because they fear the unknown. Others who keenly understand the importance of taking risks in a calculated manner invest the time and effort to analyze, measure and test whether a certain risk fits within the organization’s risk appetite.8

The risk appetite statement is the foundation of a successful risk management structure for aligning decision making and risk. Clearly defining the risk appetite statement is one of the most important processes for the board and the organization to understand their past risk-taking qualities and then to align their risk appetite/tolerance with their strategic vision and mission.

4. What is the state of the culture of risk awareness within the organization?

Every organization needs a clear understanding of the internal philosophy of the management of risk, and this philosophy must be distinctly and openly communicated within the appropriate levels of the organization. Everyone across the enterprise needs to be responsible for risk; it starts with the board and management exemplifying good risk practices. Boards should encourage management to provide training to all employees on the organization’s risk philosophy and best practices.9

5. How are the organizations with the more mature enterprise risk management programs successful in managing their risks?

A well-designed, mature enterprise risk management program can identify strategic opportunities, help the organization comprehend if objectives are being met, increase decision support, and minimize uncertainty by allowing for adjustments in strategy in response to changing environmental conditions. A robust ERM program evaluates risk on a real-time basis, communicates risk in a standardized nomenclature across the organization and is “continuously mapping risks to regulations, controls, processes and strategic outcomes.”

Successful organizations understand the risks they face and, as such, can maximize their performance by proactively managing their risk; they will frequently achieve a competitive advantage for their efforts.

Conclusion

When engaged board members ask a few critical questions about the management of risk within their organization, they will have a clearer understanding of the critical risks, the state of the enterprise risk management process, the risk appetite of the organization, the cultural awareness of risk and the performance metrics to judge success.

Board members who focus on getting answers to the above questions should then feel confident that they have met their fiduciary responsibility to the organization’s management of risk and its increasing success.

Sources
1 Mark Beasley, Bruce Branson, Bonnie Hancock, 2017 The State of Risk Oversight: An Overview of Enterprise Risk Management Practices, 8th Edition, March 2017, pg. 17
2 Risk Management Principles and Guidelines, ISO 31000:2009(E), pg. v.
3 Mark Beasley, Bruce Branson, Bonnie Hancock, 2015 Report on the Current State of Enterprise Risk Oversight, pg.
4 Agenda, Money-Media Inc., July 27, 2015, pg. 1.
5 Mark Beasley, Bruce Branson, Bonnie Hancock, 2017 The State of Risk Oversight: An Overview of Enterprise Risk Management Practices, 8th Edition, March 2017, pg. 9
6 Agenda, Money-Media Inc., July 27, 2015, pg. 1.
7 Mark Beasley, Bruce Branson, Bonnie Hancock, 2017 The State of Risk Oversight: An Overview of Enterprise Risk Management Practices, 8th Edition, March 2017, pg. 29
8 Ibid., pg. 1
9 Ibid., pg. 2
10 Ibid., pg. 2

The observations, comments and suggestions we have made in this report are advisory and are not intended nor should they be taken as medical/legal advice. Please contact your own medical/legal adviser for an analysis of your specific facts and circumstances.

Copyright © 2024 Becker's Healthcare. All Rights Reserved.