Enterprise Risk Management & the EMHS Experience
April 27, 2017
George F. Eaton, Esq., Deputy General Counsel & Senior Governance Advisor


Page 1: Enterprise Risk Management EMHS Experience. Enterprise Risk Management (“ERM”) is a discipline focused on identifying and managing the operational and financial impact and volatility

Enterprise Risk Management & the EMHS Experience

April 27, 2017
George F. Eaton, Esq.
Deputy General Counsel & Senior Governance Advisor

Page 2

Together We’re Stronger

Agenda

• EMHS History of ERM
• ERM Defined
• ERM Principles
• ERM Risk Domains
• ERM Process
• ERM Benefits
• Tools
• Risk Appetite
• Implementation Advice & Challenges
• Wisdom

Page 3

Early EMHS ERM Projects

• Migrate and expand online contract management through the MediRegs contract relationship manager system
• Reduce risk by restructuring the current professional and general liability process

Page 4

History of ERM

• “Pure risks”: loss or no loss; hazard risks; insurance
• 1970s: emergence of financial risk concepts (primarily banking)
• Exponential increase in the complexity of the enterprise: regulation, technology, global economy, competition, etc.
• Accelerating pace of change
• Multiplicity of uninsurable risks that can cause irreparable damage
• ERM in response to the need to identify the most important risks and properly manage them

Page 5

Definition

Enterprise Risk Management (“ERM”) is a discipline focused on identifying and managing the operational and financial impact and volatility of the myriad of material risks, regardless of source and nature, across an entire enterprise, in order to align risk-taking with strategic priorities, perpetuate enterprise-wide sustainability, and maintain competitive advantage.

Page 6

Definitions of ERM

• ASHRM*:
– Enterprise risk management in healthcare promotes a comprehensive framework for making risk management decisions that maximize value protection and creation, by managing risk and uncertainty and their connections to total value.
– Comprehensive framework: organization-wide; broad perspective; covering many domains; emphasizes the importance of the whole and the interdependence of its parts; synergistic effect; discipline; practice; process

* American Society for Healthcare Risk Management

Page 7

Definitions of ERM (cont.)

• COSO*:
– A process effected by an entity’s board of directors, management and other personnel, applied in a strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

* Committee of Sponsoring Organizations of the Treadway Commission, “Enterprise Risk Management – Integrated Framework – Executive Summary”, 2004

Page 8

Definitions of ERM (cont.)

• RIMS*:
– Enterprise Risk Management (“ERM”) is a strategic business discipline that supports the achievement of an organization’s objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio.
– ERM represents a significant evolution beyond previous approaches to risk management in that it:
    – Encompasses all areas of organizational exposure to risk (financial, operational, reporting, compliance, governance, strategic, reputational, etc.);

* Risk & Insurance Management Society

Page 9

Definitions of ERM (cont.)

    – Prioritizes and manages those exposures as an interrelated risk portfolio rather than as individual “silos”;
    – Evaluates the risk portfolio in the context of all significant internal and external environments, systems, circumstances, and stakeholders;
    – Recognizes that individual risks across the organization are interrelated and can create a combined exposure that differs from the sum of the individual risks;

Page 10

Definitions of ERM (cont.)

    – Provides a structured process for the management of all risks, whether those risks are primarily quantitative or qualitative in nature;
    – Views the effective management of risk as a competitive advantage; and
    – Seeks to embed risk management as a component in all critical decisions throughout the organization

http://www.rims.org/resources/ERM/Pages/WhatisERM.aspx

Page 11

Definitions of ERM (cont.)

• AHLA*:
– ERM recognizes the synergistic effect of risks across the continuum of care, and has as its goals: to assist the organization to reduce uncertainty and process variability; promote patient safety; and maximize the return on investment (ROI) through asset preservation and the recognition of actionable risk opportunities

* Enterprise Risk Management Handbook for Healthcare Entities, Second Edition, Editor-in-Chief Roberta Carroll, American Health Lawyers Association, 2013

Page 12

ERM Principles:

• Enterprise-Wide View
• Supported by Board and Executive Management
• Across Risk Domains
• Risk Appetite
• Ongoing Assessments
• Multidisciplinary Approach

Page 13

Risk Domains

Page 14

Risk Domains:

• Operational
– risks related to the business operations of a healthcare organization
– risks that result from inadequate or failed internal processes, people, or systems
– patient-related
– examples: adverse patient events, chain of command issues, quality initiatives, supply chain issues, business relationships, fraud & abuse

Page 15

Risk Domains:

• Financial
– risks that affect the financial position of an organization
– not just the balance sheet / income statement: financial projections, capital planning
– examples: billing and collections, bond ratings, changes in reimbursement

Page 16

Risk Domains:

• Human Capital
– risks relating to the healthcare organization’s workforce
– includes employed and non-employed professionals
– examples: unionization, disruptive behavior, discrimination, morale, staffing, compensation, absenteeism and turnover

Page 17

Risk Domains:

• Strategic
– risks associated with business strategy
– risks that affect brand and reputation
– examples: managed care relationships, changing legislation, media and publicity, business ventures

Page 18

Risk Domains:

• Legal/Regulatory
– risks arising out of laws and regulations that impact healthcare organizations
– risks associated with licensure and accreditation, conditions of participation, and intellectual property
– examples: HIPAA (privacy), EMTALA (emergency medical treatment), CMS (Medicare / Medicaid), TJC (The Joint Commission), OIG (Office of Inspector General), Stark (physician referrals), IRS, state & local laws / regulations

Page 19

Risk Domains:

• Technology
– risks associated with the use of machines, equipment, devices and other tools
– ensuring safety and security of the technology
– examples: EMRs, CPOE, robotics, simulation, telemedicine, information security

Page 20

Risk Domains:

• Hazard
– risks attributable to physical loss of assets or reduction in use or value
– natural disasters and business interruption
– examples: hurricanes, flood, ice storms, fire, facility management, construction

Page 21

ERM Process

• identify the organization’s exposure to specific risks / losses
• prioritize the importance of addressing identified risks
• evaluate alternate risk mitigation techniques
• select optimal techniques to implement
• implement the selected risk techniques
• monitor the techniques, making changes as necessary

Page 22

ERM Benefits

• methodology for assessing future risks
• comprehension of cost to enterprise
• strategic approach for managing risks
• using risk as competitive edge
• enhancement of compliance initiatives
• development of risk identification / classification (“taxonomy”) used across the organization
• identification of risk interdependencies / clusters
• financial markets, lenders, regulators

Page 23

Some ERM Management Tools

• Risk Identification
– brainstorming
– focus groups
– questionnaires
– surveys
– interviews
– organization wide: bottom up / top down; quantitative / qualitative; controllable / non-controllable; low likelihood / high impact (crisis); micro / macro

Page 24

Some ERM Management Tools

• Risk Inventory*

* American Health Lawyers Association Webinar; see references on last slide

Page 25

Some ERM Management Tools (cont.)

• Risk Assessment Scales
– Risk Assessment Map

Example: Confidentiality / data security*

* American Health Lawyers Association Webinar; see references on last slide

Page 26

Some ERM Management Tools (cont.)

– Risk Prioritization*

* American Health Lawyers Association Webinar; see references on last slide

Page 27

Enterprise Risk Appetite

Page 28

Defining Risk Appetite

• Risk appetite: more than a policy statement.
• Ongoing process
• Helps the board and management:
– understand and manage exposures and
– make appropriate risk-based strategic decisions.
• Creates a consistent message for stakeholders

Page 29

Working Definition of Risk Appetite

The amount of risk an organization is willing to accept in pursuit of strategic objectives.

Page 30

Risk Appetite: Profile, Capacity, Tolerance, Attitudes

Source: COSO, Understanding and Communicating Risk Appetite, Rittenberg & Martens, January 2012

Page 31

Appetite, Capacity, Tolerance

Source: Deloitte, Risk Appetite Frameworks - 2014

(Chart: five risk profiles plotted against the same appetite and capacity scale. Scale markers: lower limit, lower trigger, upper trigger, upper limit, capacity. Zone labels: acceptable range for risk profile, desired range, escalation, objective under threat, unviable.)

The five cases shown:
• Risk profile is less than the lower limit. Corrective action must be taken.
• Risk profile exceeds the lower limit. Corrective action must be taken.
• Risk profile is between the upper and lower triggers.
• Risk profile is between the upper trigger and limit. Escalation to consider corrective action.
• Risk profile exceeds risk capacity. EMHS must enact its Recovery & Resolution Plan.

Page 32

Risk Appetite Framework

Source: Deloitte, Risk Appetite Frameworks - 2014

(Cycle diagram; captured labels:)
1. Set strategic plan & objectives, risk strategy, risk mitigation strategy and risk capacity
4. Control and Correct
Communicate

Page 33

Risk Appetite Process

• Explicit enough to drive behavior and strategic decision-making.
• Developed in general terms at a high level and followed by more definition for specific strategy objectives or business activities.
• Tolerance levels are generally defined for specific risks and can vary based on the importance of the strategic objectives and the relative cost/benefit of achieving the objective.

Page 34

Role of Board in Overseeing Risk Appetite

• Regular substantive discussion about risk appetite and strategic objectives.
• Monitor implementation of the risk appetite process.
• Be informed when tolerance limits are either exceeded (meaning too much risk is being taken) or not obtained (meaning too little risk may be taken).
• Understand the changes in strategic objectives and risk profile brought about by new strategies and changes in the business environment.

Page 35

Example: Healthcare Organization

The Organization operates within a low overall risk range. The Organization’s lowest risk appetite relates to safety and compliance objectives, including employee health and safety, with a marginally higher risk appetite towards its strategic, reporting, and operations objectives. This means that reducing to reasonably practicable levels the risks originating from various medical systems, products, equipment, and our work environment, and meeting our legal obligations will take priority over other business objectives.

Page 36

Oxford University Hospitals – NHS Trust
General Risk Appetite Statement

“The Trust recognises that its long term sustainability depends upon the delivery of its strategic objectives and its relationships with its patients, the public and strategic partners. As such, the Trust will not accept risks that materially impact on patient safety. However, the Trust has a greater appetite to take considered risks in terms of their impact on organisational issues. The Trust has greatest appetite to pursue innovation and challenge current working practices and reputational risk in terms of its willingness to take opportunities where positive gains can be anticipated, within the constraints of the regulatory environment. This statement is depicted in the chart below”

Page 37

What is our risk appetite relative to certain strategic objectives?

• Integrated delivery system
• Financial resources
• Physician enterprise
• Population health strategies
• Brand
• Growth
• Quality and Patient Safety
• Patient/Customer Experience

Page 38

Treasury Risk Dilemma

How should these tradeoffs be optimized?

(Figure: Keeping Capital Sources and Uses in Balance)
• How much cash?
• How much debt?
• How much capital expenditure?
• How much profitability?
• How can we determine the appropriate credit risk context?

Page 39

Risk Governance

• High-Performing Enterprise Risk Management Program:
– incorporates the enterprise strategic plan
– has a risk appetite statement
– performs regular stress testing of all risks and has a risk dashboard that is reviewed by the Board of Directors
– board level and CEO commitment to ERM as critical for successful decision-making and driving value

Page 40

Risk Governance

– dedicated risk executive who drives and facilitates the ERM process
– ERM culture that encourages full engagement and accountability at all levels
– engagement of all stakeholders
– transparency of risk communication

Page 41

Risk Governance

– integration of financial and operational risk information into decision-making
– use of sophisticated quantification methods to understand risk and demonstrate value through risk management
– identification of new and emerging risks
– leveraging risk and risk management options to extract value

Page 42

Implementation Advice

• start small: education, quantifiable projects
• include the entire enterprise; avoid hospital centricity
• report to senior management and governing board
• make ERM a part of all management/leadership training and orientation
• get ERM into management goals and objectives, position descriptions, strategic planning
• integrate ERM with your risk financing strategy
• inventory where you already are doing ERM

Page 43

Typical ERM Implementation Challenges:

• Perception as unneeded bureaucratic process
• Unclear ownership of responsibility
• Management attention focused elsewhere
• Involvement at high executive level

Page 44

Creating Value from Risk: Owen Ryan, CEO, Deloitte Risk Advisory Services
Originally published November 10, 2014, 12:01 AM ET (WSJ)

The core idea behind strategic risk is protecting the unique value of the organization—with a focus on the drivers of economic value of the enterprise—and at the same time, looking for new opportunities to create value. In a nutshell: strategic risks threaten the assumptions at the core of a company’s strategy…potentially making its products or services obsolete.

Page 45

What is critical today is the ability to understand the marketplace and gather intelligence on important trends so that an organization can anticipate changes and evolve with the market. So strategic risk management starts with understanding the core strategy, and then working with the board and management to create protocols that can help the company advance—or adapt—its strategy while minimizing the risks.

Where [traditional] ERM was more about protection and defensive monitoring, strategic risk is about being open to opportunities to create value from risk. ERM in practice became driven by dashboards, with a series of measures and metrics that just didn’t have the impact that is needed for board members or C-suite executives.

The other challenge to avoid is the highly siloed nature of traditional risk management, where CEOs, risk officers and other leaders on the front lines are disconnected.

Page 46

ERM – References & Resources:

• Healthcare Risk Management: Back to Basics, Lisa Havens & Lynn Sessions, American Health Lawyers Association Webinar, 2014
• Enterprise Risk Management in Health Care Organizations, Part II: ERM Tools & Techniques, Hagg-Rickert, Sheila; Carroll, Roberta; American Health Lawyers Association, 2014
• Board Perspectives on Risk, Protiviti Risk & Business Consulting, January 2014
• Enterprise Risk Management in Healthcare Organizations: The Micro, the Macro, and the Confusion, Hagg-Rickert, Sheila, AHLA Connections, May 2013
• Managing Enterprise Risk to Achieve Sustained Success in the New Healthcare Environment, A Governance Institute Whitepaper, Spring 2011