TRANSCRIPT
Enterprise Risk Management & the EMHS Experience
April 27, 2017
George F. Eaton, Esq.
Deputy General Counsel & Senior Governance Advisor
Together We’re Stronger
Agenda
• EMHS History of ERM
• ERM Defined
• ERM Principles
• ERM Risk Domains
• ERM Process
• ERM Benefits
• Tools
• Risk Appetite
• Implementation Advice & Challenges
• Wisdom
Early EMHS ERM Projects
• Migrate and expand online contract management through the MediRegs' contract relationship manager system
• Reduce risk by restructuring current professional and general liability process
History of ERM
• “Pure risks” - loss or no loss - hazard risks - insurance
• 1970’s – Emergence of financial risk concepts (primarily banking)
• Exponential increase in complexity of enterprise: regulation, technology, global economy, competition, etc.
• Accelerating pace of change
• Multiplicity of uninsurable risks that can cause irreparable damage
• ERM in response to need to identify the most important risks and properly manage them
Definition
Enterprise Risk Management (“ERM”) is a discipline focused on identifying and managing the operational and financial impact and volatility of the myriad of material risks, regardless of source and nature, across an entire enterprise, in order to align risk-taking with strategic priorities, perpetuate enterprise-wide sustainability, and maintain competitive advantage.
Definitions of ERM
• ASHRM*:
– Enterprise risk management in healthcare promotes a comprehensive framework for making risk management decisions that maximize value protection and creation, by managing risk and uncertainty and their connections to total value.
– Comprehensive framework – organization-wide; broad perspective; covering many domains; emphasizes the importance of the whole and the interdependence of its parts; synergistic effect; discipline; practice; process
* American Society for Healthcare Risk Management
Definitions of ERM (cont.)
• COSO*:
– A process effected by an entity’s board of directors, management and other personnel, applied in a strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
* Committee of Sponsoring Organizations of the Treadway Commission, “Enterprise Risk Management – Integrated Framework – Executive Summary”, 2004
Definitions of ERM (cont.)
• RIMS*:
– Enterprise Risk Management (“ERM”) is a strategic business discipline that supports the achievement of an organization’s objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio.
– ERM represents a significant evolution beyond previous approaches to risk management in that it:
– Encompasses all areas of organizational exposure to risk (financial, operational, reporting, compliance, governance, strategic, reputational, etc.);
* Risk & Insurance Management Society
Definitions of ERM (cont.)
– Prioritizes and manages those exposures as an interrelated risk portfolio rather than as individual “silos”;
– Evaluates the risk portfolio in the context of all significant internal and external environments, systems, circumstances, and stakeholders;
– Recognizes that individual risks across the organization are interrelated and can create a combined exposure that differs from the sum of the individual risks;
Definitions of ERM (cont.)
– Provides a structured process for the management of all risks, whether those risks are primarily quantitative or qualitative in nature;
– Views the effective management of risk as a competitive advantage; and
– Seeks to embed risk management as a component in all critical decisions throughout the organization
http://www.rims.org/resources/ERM/Pages/WhatisERM.aspx
Definitions of ERM (cont.)
• AHLA*:
– ERM recognizes the synergistic effect of risks across the continuum of care, and has as its goals: to assist the organization to reduce uncertainty and process variability; promote patient safety; and maximize the return on investment (ROI) through asset preservation and the recognition of actionable risk opportunities
* Enterprise Risk Management Handbook for Healthcare Entities – Second Edition, Editor-In-Chief Roberta Carroll, American Health Lawyers Association, 2013
ERM Principles:
• Enterprise-Wide View
• Supported by Board and Executive Management
• Across Risk Domains
• Risk Appetite
• Ongoing Assessments
• Multidisciplinary Approach
Risk Domains
Risk Domains:
• Operational
– risks related to the business operations of a healthcare organization
– risks that result from inadequate or failed internal processes, people, or systems
– patient-related
– examples: adverse patient events, chain of command issues, quality initiatives, supply chain issues, business relationships, fraud & abuse
Risk Domains:
• Financial
– risks that affect the financial position of an organization
– not just the balance sheet / income statement; also financial projections, capital planning
– examples: billing and collections, bond ratings, changes in reimbursement
Risk Domains:
• Human Capital
– risks relating to the healthcare organization’s workforce
– includes employed and non-employed professionals
– examples: unionization, disruptive behavior, discrimination, morale, staffing, compensation, absenteeism and turnover
Risk Domains:
• Strategic
– risks associated with business strategy
– risks that affect brand and reputation
– examples: managed care relationships, changing legislation, media and publicity, business ventures
Risk Domains:
• Legal/Regulatory
– risks arising out of laws and regulations that impact healthcare organizations
– risks associated with licensure and accreditation, conditions of participation, and intellectual property
– examples: HIPAA (privacy), EMTALA (emergency medical treatment), CMS (Medicare / Medicaid), TJC (The Joint Commission), OIG (Office of Inspector General), Stark (physician referrals), IRS, State & Local Laws / Regulations
Risk Domains:
• Technology
– risks associated with the use of machines, equipment, devices and other tools
– ensuring safety and security of the technology
– examples: EMRs, CPOE, robotics, simulation, telemedicine, information security
Risk Domains:
• Hazard
– risks attributable to physical loss of assets or reduction in use or value
– natural disasters and business interruption
– examples: hurricanes, flood, ice storms, fire, facility management, construction
ERM Process
• identify the organization’s exposure to specific risks / losses
• prioritize the importance of addressing identified risks
• evaluate alternate risk mitigation techniques
• select optimal techniques to implement
• implement the selected risk techniques
• monitor the techniques, making changes as necessary
ERM Benefits
• methodology for assessing future risks
• comprehension of cost to enterprise
• strategic approach for managing risks
• using risk as competitive edge
• enhancement of compliance initiatives
• development of risk identification / classification (“taxonomy”) used across the organization
• identification of risk interdependencies / clusters
• Financial markets, lenders, regulators
Some ERM Management Tools
• Risk Identification
– brainstorming
– focus groups
– questionnaires
– surveys
– interviews
– organization-wide: bottom up / top down; quantitative / qualitative; controllable / non-controllable; low likelihood / high impact (crisis); micro / macro
Some ERM Management Tools
• Risk Inventory*
* American Health Lawyers Association Webinar; see references on last slide
Some ERM Management Tools (cont.)
• Risk Assessment Scales
– Risk Assessment Map (example: Confidentiality / data security*)
* American Health Lawyers Association Webinar; see references on last slide
Some ERM Management Tools (cont.)
– Risk Prioritization*
* American Health Lawyers Association Webinar; see references on last slide
Enterprise Risk Appetite
Defining Risk Appetite
• Risk appetite: more than a policy statement.
• Ongoing process
• Helps the board and management:
– understand and manage exposures and
– make appropriate risk-based strategic decisions.
• Creates a consistent message for stakeholders
Working Definition of Risk Appetite
The amount of risk an organization is willing to accept in pursuit of strategic objectives.
Risk Appetite: Profile, Capacity, Tolerance, Attitudes
Source: COSO, Understanding and Communicating Risk Appetite, Rittenberg & Martens, January 2012
Appetite, Capacity, Tolerance
Source: Deloitte, Risk Appetite Frameworks - 2014
[Chart: the risk profile is plotted against five thresholds, from bottom to top: lower limit, lower trigger, upper trigger, upper limit, and risk capacity. The range between the two triggers is the desired range (appetite); the range between the two limits is the acceptable range for the risk profile. Panel labels: Objective under threat; Desired range; Escalation; Objective under threat; unviable. The five panels read:]
– Risk profile is less than the lower limit. Corrective action must be taken.
– Risk profile exceeds the lower limit (but is below the lower trigger). Corrective action must be taken.
– Risk profile is between the upper and lower triggers.
– Risk profile is between the upper trigger and limit. Escalation to consider corrective action.
– Risk profile exceeds risk capacity. EMHS must enact its Recovery & Resolution Plan.
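The band on the chart above is the kind of rule a risk dashboard can evaluate automatically. The following is an added example and is not code from the EMHS deck or from Deloitte: the indicator names, thresholds and readings are constructed for illustration, and treating a reading above the upper limit (but still within capacity) the same as a breach of the lower limit is an assumption, since the slide only spells out the zone above capacity.

```python
"""Risk appetite band monitor (added example; not from the EMHS deck).

Each indicator has a lower limit, lower trigger, upper trigger, upper limit
and a risk capacity, as on the slide.  A reading is placed in a zone and
the zone determines the action the board expects.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum


class Zone(IntEnum):
    """Zones from the slide, ordered by severity so a dashboard can roll up."""
    DESIRED = 0    # between lower and upper trigger: within appetite
    ESCALATE = 1   # between upper trigger and upper limit
    CORRECT = 2    # outside a limit: corrective action must be taken
    RECOVERY = 3   # exceeds risk capacity: Recovery & Resolution Plan


def thresholds_ordered(points: tuple[float, ...]) -> bool:
    """A band is only meaningful if every threshold is strictly above the previous one."""
    return all(a < b for a, b in zip(points, points[1:]))


@dataclass(frozen=True)
class AppetiteBand:
    """Thresholds for one indicator; a higher reading means more risk taken."""
    name: str
    lower_limit: float
    lower_trigger: float
    upper_trigger: float
    upper_limit: float
    capacity: float

    def __post_init__(self) -> None:
        points = (self.lower_limit, self.lower_trigger,
                  self.upper_trigger, self.upper_limit, self.capacity)
        if not thresholds_ordered(points):
            raise ValueError(f"{self.name}: thresholds must be strictly increasing")

    def classify(self, profile: float) -> tuple[Zone, str]:
        """Map a reading to its zone and the action the slide prescribes."""
        if profile > self.capacity:
            return Zone.RECOVERY, "exceeds risk capacity: enact Recovery & Resolution Plan"
        if profile > self.upper_limit:
            # Assumption: above the upper limit is treated like a lower-limit breach.
            return Zone.CORRECT, "above upper limit: objective under threat, corrective action required"
        if profile > self.upper_trigger:
            return Zone.ESCALATE, "between upper trigger and upper limit: escalate to consider corrective action"
        if profile >= self.lower_trigger:
            return Zone.DESIRED, "between triggers: within appetite"
        if profile >= self.lower_limit:
            return Zone.CORRECT, "between lower limit and lower trigger: corrective action required"
        # Too little risk is also a breach: the objective is under threat.
        return Zone.CORRECT, "below lower limit: too little risk taken, corrective action required"


def dashboard(bands: list[AppetiteBand], readings: dict[str, float]):
    """Classify every indicator; return the rows and the worst zone for board reporting."""
    rows = []
    for band in bands:
        if band.name not in readings:
            raise ValueError(f"no reading for indicator {band.name!r}")
        zone, action = band.classify(readings[band.name])
        rows.append((band.name, readings[band.name], zone, action))
    overall = max((zone for _, _, zone, _ in rows), default=Zone.DESIRED)
    return rows, overall


# Constructed indicators and readings (illustrative only).
SAMPLE_BANDS = [
    AppetiteBand("unpatched_critical_systems_pct", 0, 1, 5, 10, 25),
    AppetiteBand("phi_privacy_incidents_per_quarter", 0, 1, 3, 6, 12),
    # Low leverage means too little risk taken toward growth objectives.
    AppetiteBand("debt_to_capitalization_pct", 10, 20, 40, 50, 60),
]
SAMPLE_READINGS = {
    "unpatched_critical_systems_pct": 7.0,
    "phi_privacy_incidents_per_quarter": 13.0,
    "debt_to_capitalization_pct": 8.0,
}


def sample_dashboard():
    """Run the constructed readings through the bands."""
    return dashboard(SAMPLE_BANDS, SAMPLE_READINGS)


if __name__ == "__main__":
    rows, overall = sample_dashboard()
    for name, value, zone, action in rows:
        print(f"{name:36} {value:6.1f}  {zone.name:9} {action}")
    print("overall:", overall.name)
```

The worst zone across indicators drives the roll-up, so one indicator above capacity puts the whole dashboard in the recovery state regardless of how comfortably the others sit within appetite; the ordering check in `__post_init__` catches a band whose triggers were entered inside out before it silently classifies everything as desired.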
Together We’re Stronger
Risk Appetite Framework
Source: Deloitte, Risk Appetite Frameworks - 2014
[Chart: a numbered cycle with “Communicate” as a standing activity; only two of its steps survive in the transcript:]
1. Set strategic plan & objectives, risk strategy, risk mitigation strategy and risk capacity
4. Control and Correct
Together We’re Stronger
Risk Appetite Process
• Explicit enough to drive behavior and strategic decision-making.
• Developed in general terms at a high level and followed by more definition for specific strategy objectives or business activities.
• Tolerance levels are generally defined for specific risks and can vary based on the importance of the strategic objectives and the relative cost/benefit of achieving the objective.
Role of Board in Overseeing Risk Appetite
• Regular substantive discussion about risk appetite and strategic objectives.
• Monitor implementation of risk appetite process.
• Be informed when tolerance limits are either exceeded (meaning too much risk is being taken) or not attained (meaning too little risk may be taken).
• Understand the changes in strategic objectives and risk profile brought about by new strategies and changes in the business environment.
Example: Healthcare Organization
The Organization operates within a low overall risk range. The Organization’s lowest risk appetite relates to safety and compliance objectives, including employee health and safety, with a marginally higher risk appetite towards its strategic, reporting, and operations objectives. This means that reducing to reasonably practicable levels the risks originating from various medical systems, products, equipment, and our work environment, and meeting our legal obligations will take priority over other business objectives.
Oxford University Hospitals – NHS Trust
General Risk Appetite Statement
‘The Trust recognises that its long term sustainability depends upon the delivery of its strategic objectives and its relationships with its patients, the public and strategic partners. As such, the Trust will not accept risks that materially impact on patient safety. However the Trust has a greater appetite to take considered risks in terms of their impact on organisational issues. The Trust has greatest appetite to pursue innovation and challenge current working practices and reputational risk in terms of its willingness to take opportunities where positive gains can be anticipated, within the constraints of the regulatory environment. This statement is depicted in the chart below’
What is our risk appetite relative to certain strategic objectives?
• Integrated delivery system
• Financial resources
• Physician enterprise
• Population health strategies
• Brand
• Growth
• Quality and Patient Safety
• Patient/Customer Experience
Treasury Risk Dilemma
Keeping Capital Sources and Uses in Balance
• How much cash?
• How much debt?
• How much capital expenditure?
• How much profitability?
• How can we determine the appropriate credit risk context?
• How should these tradeoffs be optimized?
Risk Governance
• High-Performing Enterprise Risk Management Program:
– incorporates the enterprise strategic plan
– has a risk appetite statement
– performs regular stress testing of all risks and has a risk dashboard that is reviewed by the Board of Directors
– board level and CEO commitment to ERM as critical for successful decision-making and driving value
– dedicated risk executive who drives and facilitates the ERM process
– ERM culture that encourages full engagement and accountability at all levels
– engagement of all stakeholders
– transparency of risk communication
– integration of financial and operational risk information into decision-making
– use of sophisticated quantification methods to understand risk and demonstrate value through risk management
– identification of new and emerging risks
– leveraging risk and risk management options to extract value
Implementation Advice
• start small: education, quantifiable projects
• include the entire enterprise - avoid hospital-centricity
• report to senior management and governing board
• make ERM a part of all management/leadership training and orientation
• get ERM into management goals and objectives, position descriptions, strategic planning
• integrate ERM with your risk financing strategy
• inventory where you already are doing ERM
Typical ERM Implementation Challenges:
• Perception as unneeded bureaucratic process
• Unclear ownership of responsibility
• Management attention focused elsewhere
• Involvement at high executive level
Creating Value from Risk: Owen Ryan, CEO, Deloitte Risk Advisory Services
Originally published November 10, 2014, 12:01 AM ET (WSJ)
The core idea behind strategic risk is protecting the unique value of the organization—with a focus on the drivers of economic value of the enterprise–and at the same time, looking for new opportunities to create value. In a nutshell: strategic risks threaten the assumptions at the core of a company’s strategy…potentially making its products or services obsolete.
What is critical today is the ability to understand the marketplace and gather intelligence on important trends so that an organization can anticipate changes and evolve with the market. So strategic risk management starts with understanding the core strategy, and then working with the board and management to create protocols that can help the company advance—or adapt—its strategy while minimizing the risks.
Where [traditional] ERM was more about protection and defensive monitoring, strategic risk is about being open to opportunities to create value from risk. ERM in practice became driven by dashboards, with a series of measures and metrics that just didn’t have the impact that is needed for board members or C-suite executives.
The other challenge to avoid is the highly siloed nature of traditional risk management, where CEOs, risk officers and other leaders on the front lines are disconnected.
ERM – References & Resources:
• Healthcare Risk Management: Back to Basics, Lisa Havens & Lynn Sessions, American Health Lawyers Association Webinar, 2014
• Enterprise Risk Management in Health Care Organizations, Part II: ERM Tools & Techniques, Hagg-Rickert, Sheila; Carroll, Roberta; American Health Lawyers Association, 2014
• Board Perspectives On Risk, Protiviti Risk & Business Consulting, January 2014
• Enterprise Risk Management in Healthcare Organizations: The Micro, the Macro, and the Confusion, Hagg-Rickert, Sheila, AHLA Connections, May 2013
• Managing Enterprise Risk to Achieve Sustained Success in the New Healthcare Environment, A Governance Institute Whitepaper, Spring 2011