Enterprise Risk Management - mnshrm.org

Post on 23-May-2020


A professional membership group of

Enterprise Risk Management

An ASHRM Presentation

OBJECTIVES

Definition, Terms, Guiding Principles, Framework

Traditional Risk Management to ERM

Diagnostic Tools

Steps to implement an ERM Program

ASHRM’s ERM Definition

ERM in healthcare promotes a comprehensive framework for making risk management decisions which maximize value protection and creation by managing risk and uncertainty and their connections to total value.

Key terms: comprehensive framework, value protection, value creation, uncertainty

Driving Need for Change

TRADITIONAL

• Silo Approach
• Risk Transfer
• Claims Management
• Loss Control
• Fails to ID complex risk

EMERGING

• Healthcare Reform
• Transparency
• Uncertainty in reimbursement

NEW APPROACH

• Comprehensive
• Strategic Planning
• Risk Financing
• Value Creation
• Value Protection

Breaking Down the Silos: Moving to ERM

Chart axes: ERM PROGRAM MATURITY, EFFICIENCY IN RESOURCE CONSUMPTION

BASIC

• Compartmentalized risk program
• Asset preservation
• Value protection
• Risk identification is reactive
• Inconsistencies in risk management practices
• Traditional Risk Management (TRM) Program
• Focused on “Pure Risk”
• Insurance purchased
• Risk Averse
• Risks seen in silos

INTERMEDIATE

• Starting to compile and use data for decision-making
• Developing an understanding of ERM
• ERM strategies and tools utilized for key risks on a unit, departmental basis
• Correlation of risk is better understood
• Moving to value creation
• Risk opportunities identified
• “Micro” ERM application

ADVANCED

• Fully integrated program
• “Everyone is a Risk Manager”
• Developed risk appetite and tolerance statement
• Use of risk-based decision analysis for decision-making
• Developed ERM framework and supportive governance
• Risk Takers
• ERM is a top-down, bottom-up process
• Risk identification is proactive
• “Macro” ERM application
• Value is recognized


ERM | Essential Elements

GUIDING PRINCIPLES

GOVERNANCE

TERMS

Value Creation, Value Protection, Managing Uncertainty

Terms & Complementary Descriptions

Comprehensive Framework

• Organization-wide
• Holistic
• Broad perspective
• Synergistic effect
• Comprehensive
• Strategic
• Thorough
• Robust
• Structured

Value Protection

• Reduce uncertainty
• Reduce variability
• Duplication
• Separation
• Shield assets
• Efficient use of resources
• Quality outcomes
• Safe practices

Value Creation

• Increased market share
• Competitive edge
• Financial strength
• Improved ROI
• Increased margins
• Enhanced reputation
• Improved satisfaction scores
• Quality outcomes
• Credible
• Respected

Managing Uncertainty

• Reduce risks
• Eliminate loss
• Promote standardization
• Use evidence-based practice
• Decrease variability
• View the impact of risk holistically not in silos (eliminate silo mentality)
• Understand chaos theory
• Eliminate/minimize lost opportunities
• Captures the positive or upside

Source: ERM—A Framework for Success, 2014

GUIDING PRINCIPLES

Advance safe and trusted healthcare

Manage uncertainty

Maximize value protection and creation

Encourage multidisciplinary accountability

Optimize organizational readiness

Promote positive organizational culture

Advance ERM Practices – continuous/comprehensive

Utilize data/metrics to prioritize risks

Align risk appetite and strategy

Risk Domains

Operational, Clinical, Financial, Human Capital, Strategic, Legal & Regulatory, Technology, Hazard

Evaluate synergistic effect of risks

Domain | Description / Example
Operational | Risks resulting from inadequate or failed internal processes, people, or systems that affect business operations.
Clinical / Patient Safety | Risks associated with the delivery of care to residents, patients and other healthcare customers.
Strategic | Risks associated with the focus and direction of the organization—brand, reputation, competition, failure to adapt to changing times, health reform or customer priorities
Financial | Decisions that affect the financial sustainability of the organization, access to capital or external financial ratings through business relationships or the timing and recognition of revenue and expenses make up this domain
Human Capital | This domain refers to the organization’s workforce. This is an important issue in today’s tight labor and economic markets
Legal / Regulatory | Risks are generally associated with fraud and abuse, licensure, accreditation, product liability, management liability, Centers for Medicare and Medicaid Services (CMS) Conditions of Participation (CoPs) and Conditions for Coverage (CfC), as well as issues related to intellectual property.
Technology | This domain covers machines, hardware, equipment, devices and tools, but can also include techniques, systems and methods of organization.
Hazard | This ERM domain covers assets and their value. Traditionally, insurable hazard risk has related to natural exposure and business interruption. Specific risks can also include risk related to: facility management, plant age, parking (lighting, location, and security), valuables, construction/renovation, earthquakes, windstorms, tornadoes, floods, fires.

Risk Tolerance & Risk Appetite

Risk Tolerance: An articulated quantified measure of the maximum amount of risk an organization can stand to assume in order to avoid failing to meet its objectives.

Risk Appetite: An articulated quantified measure of the amount of risk an organization seeks to assume in order to maximize fulfillment of its objectives.

RISK AVERSE to RISK TAKER: Guaranteed Cost, Cash Flow Programs, Retro Dividend Programs, Self Insurance, Captives

A Risk-Aware Culture Understands…

For every project, initiative, and strategic direction there is a…

Range of possible inputs: Costs, Time, Other resources

Range of possible outputs: Returns, Revenues, Fulfillment of mission

There are identifiable factors that drive each final outcome:

Some are internal to the organization, others are external.

Some are random, others are not.

Some are controllable & others are beyond the organization’s ability to control.

ERM as a Decision Making Process

1. IDENTIFY & ANALYZE: Identifying and analyzing an organization’s exposure to loss
2. EVALUATE ALTERNATIVES: Examining/evaluating alternate risk techniques
3. SELECT BEST TECHNIQUE: Selecting the best techniques to implement
4. IMPLEMENT CHOSEN TECHNIQUE: Implementing the selected risk techniques
5. MONITOR, CHANGE, LEARN: Monitoring the techniques making changes as necessary

Approach and Tools

Macro / Micro

Risk list, Risk ranking, Risk inventory, Risk register, Risk strategy, Risk mitigation, Risk evaluation

Risk List Template--Macro

RISK # | RISK NAME | RISK DOMAIN
F1 | Payer Mix/Reimbursement | Financial
T1 | IT Infrastructure & Security | Technology
T2 | Cyber-Liability | Technology
LR1 | Research Compliance | Legal/Regulatory
LR2 | Regulatory Changes | Legal/Regulatory
H1 | Environmental/Disposal of toxic chemo-therapeutic waste | Hazard
HC1 | Succession Planning | Human Capital
S1 | Recruitment & Retention – Physicians | Strategic

Potential Risk Associated with Acquisition of a Multi-Specialty Physician Medical Practice

Domains: OPERATIONAL, CLINICAL/PATIENT SAFETY, FINANCIAL, STRATEGY, LEGAL/REGULATORY, HUMAN CAPITAL, HAZARD, TECHNOLOGY

Access to care

Infection control

Hand washing

Culture/ environment

Inadequate policies and procedures

Failure to follow EBM

Adverse event reporting

Informed Consent

Failure to diagnose

Failure to refer

Misdiagnosis

Clinical continuity

Medication admin. & safety

Critical test results

Payer mix

Reimbursement

Access to capital

Contracts management

Supply management

Collection/AR

M, A, & D

Competition

Conflicts of interest

Diminished market-share

Reputation

HIPAA

ACO

Employment practices liability

Mandatory reporting

Data breach

Physician turnover

Competency

Retention & recruitment

Competitive benefit program

Aging workforce

Drug diversion

Disruptive behavior

OSHA

Crisis management

Fire safety

UST

Environment of care

Emergency preparedness

Critical care

Hybrid EHR

Meaningful Use

Social networking

Multiple and competing vendors

Data security

Encryption

Micro-Physician Practice Acquisition Risk List

Risk Ranking Process

RISK RANKING OVERVIEW

Risk ranking provides an initial means of prioritizing assessed risks based upon assessments of IMPACT and LIKELIHOOD.

– Risks were assessed assuming the effectiveness of existing risk management activities.

Risk rankings are used to identify a risk’s position on a Risk Map.

RISK RANKING CALCULATION STEPS

Multiply the IMPACT assessment and the LIKELIHOOD assessment for each risk.

Reference the product against a range of values.

Assign one of four risk rankings (Very High, High, Medium or Low) based upon referenced range.

RISK RANKING MATRIX

Risk Map: LIKELIHOOD axis (Unlikely, Potential, Likely) against IMPACT axis (Insignificant, Moderate, Critical)

RISK RANKING | RANK RANGE
VERY HIGH | Greater than 17.0
HIGH | Greater than 10.0, but less than 17.0
MEDIUM | Greater than 5, but less than 10.0
LOW | Less than 5.0

Risk Assessment Scales: LIKELIHOOD

Adapted from original work by Aon Corporation in collaboration with client. Permission granted to use for educational purposes.

RATING | LIKELIHOOD DESCRIPTION | CHARACTERISTICS
5 | Almost Certain/Already Occurring | In System/Process: Knowledge Based Decisions by Trained Person; Controls: Not Working/May Not Exist; Expected to Occur: Daily/Weekly
4 | Likely | In System/Process: Rule-Based Decisions by Trained Person; Expected to Occur: Annually
3 | Potential | In System/Process: Automated or Controlled by Trained Person; Controls: Preventative not Detective; Expected to Occur: Every 2 – 5 Years
2 | Unlikely | In System/Process: Highly Automated with Validation and Monitoring; Expected to Occur: Every 5 – 20 Years
1 | Rare | Controls: Preventative and Detective; Not Expected to Occur

Risk Assessment Scales: IMPACT

Impact categories: FINANCIAL, PATIENT SAFETY, OPERATIONS/PROCESS, REPUTATIONAL, LEGAL/REGULATORY

RATING 5: Critical

• Cash: Results in <20 days cash on hand
• Property damage: >$250,000
• Key contract loss
• Loss of business
• Death/permanent disability
• Event: Suicide/Rape/Child Abduction
• Significant labor relations event
• Workplace safety: multiple lost time injuries/recordable incidents
• PHI/PI Breach: >100
• Significant brand impairment; loss of significant market share
• Sustained, negative media coverage
• Customer satisfaction: <85%
• Loss of license
• State/Federal investigation

RATING 4: Major

• Cash/expense: $150,000
• Property damage: $100,000 - 250,000
• Additional unexpected capital required
• Substantiated boundary or code of conduct incident
• Major or critical health incident
• Non-compliance with Standard of Care
• Loss/significant turnover of key personnel
• IT systems disruption
• Workplace safety: Lost time and recordable incidents
• PHI/PI Breach: <100
• Temporary but significant negative media coverage
• Customer satisfaction: 85-88%
• State/Federal inquiry (not investigation)

RATING 3: Moderate

• Cash/expense: $50,000
• Property damage: $10,000–100,000
• Upward trend in minor health incidents
• No clinical continuity
• Loss of or increased turnover in key positions
• Operational disruption or increased costs due to regulatory change
• Negative media mention (state)
• Customer satisfaction: 88-90%
• Corporate non-compliance with financial impact
• Insurance access implications

RATING 2: Minor

• Cash/expense: $10,000
• Property damage: <$10,000
• Minor health incidents; Patient not knowledgeable of failure
• Distraction in employee base
• Customer satisfaction: 90–94%
• Minor violations (e.g., auto)

RATING 1: Insignificant

• Insignificant property damage or impact to cash
• No impact on the delivery of care
• Customer satisfaction: >95%

Adapted from original work by Aon Corporation in collaboration with client. Permission granted to use for educational purposes.

Sample Formulas

Formula 1

Probability X Severity = Risk Score

1 to 5 X 1 to 5 = Risk Score

1 X 1 = 1 (lowest score)

5 X 5 = 25 (max. score)

Formula 2

(Probability + Time to Impact) X Severity = Risk Score

(1 to 5 + 1 to 3) X 1 to 5 = Risk Score

(1 + 1) X 1 = 2 (lowest score)

(5 + 3) X 5 = 40 (highest score)

Risk Inventory

RANK | RISK NAME | RISK CATEGORY | LIKELIHOOD (1.00 TO 5.00) | IMPACT (1.00-5.00) | RISK RANKING
1 | Payer Mix / Reimbursements | Financial | 4.33 | 4.42 | 19.14 (Very High)
2 | Billing Accuracy | Financial | 4.33 | 4.25 | 18.42 (Very High)
3 | IT Infrastructure | Technology | 4.50 | 3.92 | 17.63 (Very High)
4 | Confidentiality / Data Security | Technology | 4.08 | 4.08 | 16.67 (High)
5 | Recruitment & Retention (Physician) | Human Capital | 4.33 | 3.67 | 15.89 (High)
6 | Health Reform | Strategic / External | 3.42 | 4.25 | 14.52 (High)
7 | Adequate Protocols, Controls & Policies | Operational | 3.42 | 3.92 | 13.38 (High)
8 | Cost Management | Financial | 3.08 | 4.08 | 12.59 (High)
9 | Recruiting & Retention (Non-Physician) | Human Capital | 3.50 | 3.50 | 12.25 (High)
10 | Safety & Security | Operational | 3.58 | 3.33 | 11.94 (High)
11 | Business Model / Service Units | Strategic / External | 3.17 | 3.75 | 11.88 (High)
12 | Facility & Equipment Management | Hazard | 3.83 | 2.92 | 11.18 (High)
13 | Employee Engagement | Human Capital | 3.17 | 3.50 | 11.08 (High)
14 | Competition | Strategic / External | 2.92 | 3.75 | 10.94 (High)
15 | Quality Outcomes | Clinical | 3.17 | 3.42 | 10.82 (High)
16 | Skills & Competencies | Human Capital | 3.17 | 3.17 | 10.03 (High)
17 | Conflict of Interest | Operational (Non-Clinical) | 3.42 | 2.92 | 9.97 (Medium)
18 | Patient Needs | Strategic / External | 3.17 | 3.08 | 9.76 (Medium)
19 | Support Staff / Staffing Levels | Human Capital | 2.91 | 3.08 | 8.97 (Medium)
20 | Capacity & Availability of Space | Strategic / External | 2.92 | 3.00 | 8.75 (Medium)
21 | Adequate Policies & Procedures | Operational (Non-Clinical) | 3.08 | 2.75 | 8.48 (Medium)
22 | Compliance | Operational (Non-Clinical) | 2.50 | 2.83 | 7.08 (Medium)

Adapted from original work by Aon Corporation in collaboration with client. Permission granted to use for educational purposes.
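Added example (not part of the original presentation): the three risk ranking calculation steps in Python, run over rows copied from the Risk Inventory above plus one constructed row, with a check for rankings that depend on how the averaged assessments were rounded. The boundary rule (a score of exactly 17.0, 10.0 or 5.0 takes the higher ranking), the rounding tolerance and all function names are assumptions of this example, since the printed rank ranges leave those boundary values unassigned.

```python
"""Added example: ranking and sanity-checking risk inventory rows."""
from dataclasses import dataclass

# Rank ranges from the Risk Ranking Process slide. The printed ranges leave
# scores of exactly 17.0, 10.0 and 5.0 unassigned; ASSUMPTION of this example:
# a score exactly on a boundary takes the higher ranking.
BANDS = ((17.0, "Very High"), (10.0, "High"), (5.0, "Medium"))

# A value printed to two decimals is only known to +/- 0.005.
HALF_STEP = 0.005


def rank(score):
    """Map an IMPACT x LIKELIHOOD product to one of the four rankings."""
    for floor, label in BANDS:
        if score >= floor:
            return label
    return "Low"


def check_scale(value, name):
    """Reject assessments outside the 1.00-5.00 scale used by the inventory."""
    if not 1.0 <= value <= 5.0:
        raise ValueError(f"{name} must be between 1.00 and 5.00, got {value}")


@dataclass
class Finding:
    name: str
    ranking: str            # ranking derived from the printed score
    score_consistent: bool  # printed score fits likelihood x impact
    label_consistent: bool  # printed ranking matches the derived ranking
    rank_stable: bool       # ranking survives rounding of the inputs


def review_row(name, likelihood, impact, printed_score, printed_rank):
    """Re-derive one inventory row and record what does not line up."""
    check_scale(likelihood, "likelihood")
    check_scale(impact, "impact")
    # Smallest and largest products compatible with the rounded inputs.
    low = (likelihood - HALF_STEP) * (impact - HALF_STEP)
    high = (likelihood + HALF_STEP) * (impact + HALF_STEP)
    derived = rank(printed_score)
    return Finding(
        name=name,
        ranking=derived,
        score_consistent=low - HALF_STEP <= printed_score <= high + HALF_STEP,
        label_consistent=derived == printed_rank,
        rank_stable=rank(low) == rank(high),
    )


def review(rows):
    return [review_row(*row) for row in rows]


def needs_review(findings):
    """Names of rows that should be looked at again before the Risk Map is drawn."""
    return [f.name for f in findings
            if not (f.score_consistent and f.label_consistent and f.rank_stable)]


# Rows 1, 3, 4, 16, 17 and 22 copied from the Risk Inventory above, followed
# by one CONSTRUCTED row whose printed score does not match its inputs.
INVENTORY = [
    ("Payer Mix / Reimbursements", 4.33, 4.42, 19.14, "Very High"),
    ("IT Infrastructure", 4.50, 3.92, 17.63, "Very High"),
    ("Confidentiality / Data Security", 4.08, 4.08, 16.67, "High"),
    ("Skills & Competencies", 3.17, 3.17, 10.03, "High"),
    ("Conflict of Interest", 3.42, 2.92, 9.97, "Medium"),
    ("Compliance", 2.50, 2.83, 7.08, "Medium"),
    ("Constructed mismatch", 3.00, 3.00, 12.50, "High"),
]

if __name__ == "__main__":
    for finding in review(INVENTORY):
        print(finding)
    print("Review again:", needs_review(review(INVENTORY)))
```

Conflict of Interest is flagged because its rounded inputs are compatible with products on both sides of the 10.0 boundary, so its Medium ranking depends on rounding rather than on the assessment itself.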


Risk-Aware Culture Objectives

Risk Inventory to Risk Register

Opportunity to Create/Protect Value

Risk Response and Solutions

Top 3–5 Risks

Definition of Risk

Risk Score and Risk Drivers

Risk Register

Risk Inventory to Risk Register

Risk Register columns:

• Category/Domain
• Risk Defined
• Likelihood (L), frequency, numbers #, probability
• Impact (I), financial severity $, harm index
• Risk Score (RS): L x I = RS
• Risk Drivers (internal & external)
• Risk Response (in place & needed)
• Opportunity to create, enhance value or protect


Risk Register


Strategies and Solutions

Once risks have been identified, defined, rated and ranked, and discussed to determine risk drivers and current risk management activities, the next step is to determine what further strategies and solutions are needed to minimize the potential for loss and how value can be created.

Tracking Strategies & Solutions

Risk | Likelihood | Impact | Strategies & Solutions | Type
1. Payer mix | Very High | Very High | Monitor all contracts and payer mix | Prevention/Reduction (Proactive/Reactive)
2. Billing accuracy | Very High | Very High | Record review to ensure accurate entry & reporting of time | Prevention (Proactive)
3. Data breach | High | High | Develop P&P for employee use of social media; monitor compliance | Prevention (Proactive)
4. Engagement | High | High | Repositioning employees to new or better fitting positions; monitor turnover rates | Prevention (Proactive)
5. Medication error | High | Very High | Double check all weight-based medication dosages for obese & pediatric pts | Prevention/Duplication (Proactive)
6. Cyclical nature of insurance market | Moderate | Moderate | Diversify insurance portfolio among several insurers and SIR | Separation (Proactive)

Risk Mitigation

Potential Risk Mitigation Strategy | Impact on Inherent Risk Score
Implementation of policies & procedures | -3 -2 -1 0
Monitoring (telemetry, hand-washing) | -3 -2 -1 0
Use of risk control programs (fall prevention) | -3 -2 -1 0
Educational initiatives to relevant parties | -3 -2 -1 0
Use of evidence-based practice (best practices, algorithms) | -3 -2 -1 0
Use of specific technology (CPOE, RFID) | -3 -2 -1 0
Use of clinical decision support systems | -3 -2 -1 0
Enhanced communication (informed consent, disclosure & apology) | -3 -2 -1 0
Implementation of TeamSTEPPS | -3 -2 -1 0

Legend: Impact on the Inherent Risk Score with the Implementation of Mitigation Strategies: Highly Effective = -3 / Effective = -2 / Adequate but needs work = -1 / No strategies in place = 0

Results of Mitigation on Inherent Risk Scores

Risk | Domain | Risk Score (Inherent) | Mitigation Strategy and Solutions | Efficacy | Risk Score (Residual)
Payer Mix | Finance | 22 (Very High) | Develop procedures to review all contracts 120 days before renewal | -3 | 19 (Very High)
Succession Planning | Human Capital | 17 (Very High) | Design & maintain formal plans for recruitment & placement of senior leadership | 0 | 17 (Very High)
Clinical Care | Clinical/Patient Safety | 16 (High) | Double check all high-risk medication calculations | -2 | 14 (High)
Conflict of Interest | Operations | 9 (Medium) | Board approved conflict of interest policy, education & monitoring | -1 | 8 (Medium)
Terrorism | Hazard | 8 (Medium) | Purchase insurance; emergency preparedness | -2 | 6 (Low)

KPI & KRI

Key Performance Indicators (KPIs)

Track achievement of specific organizational goals:

• FINANCIAL: Days cash on hand
• OPERATIONAL: 30-day readmission rate
• HUMAN RESOURCES: Turnover rate

Key Risk Indicators (KRIs)

Factors that drive risks related to specific initiatives:

• CONSTRUCTION: Weather delays, material cost over-runs
• ACO DEVELOPMENT: Lack of physician alignment, competition from other ACOs
• SERVICE LINE EXPANSION: Labor shortages


Getting Started


Preparing for ERM

Review strategic plan for organization

Evaluate organizational readiness

Identify and engage an executive level champion

Initiate/facilitate ERM program committees: development team, ERM Steering Committee /Oversight Committee, ERM Work Group

Review and identify risk tools

Compile and share resource lists, reference materials, subject matter experts

Develop a timeline



Developing an Infrastructure

The “Worker Bees”

you + other day-to-day staff

Helpful if Interdepartmental

ERM Working Group

Internal Audit

Corporate Compliance

Key Committees

Linkages with Other Key Functions

Written ERM Plan

Governing Board Reporting

Step to Implementation

1 Obtain Board and senior leadership support

Offer education on uncertainty/risk

Develop a well articulated vision and plan

Maintain a positive culture and environment

Implement cross-functional teams

Develop and implement a communication plan

Integrate risk awareness with strategic planning

Determine availability of internal resources


Implementation Steps | PLANNING

KNOW the organization’s mission, vision, objectives, and current strategic plan.

UNDERSTAND current practice regarding risk identification, analysis and reporting.

LEARN how the organization identifies opportunities to create value.

IDENTIFY organizational objectives for establishing an ERM program. (Why now? Is there a sentinel, triggering event such as a rating agency’s questions during a visit?)

EVALUATE organizational readiness for ERM, specifically with respect to culture

DESCRIBE resources necessary for ERM program development and implementation, and identify whether those resources are external or internal to the organization and whether they are available


Implementation Steps | DEVELOPMENT

DRAFT clearly articulated goals and objectives.

DEVELOP and deliver ERM education to board, senior leadership and medical staff leaders.

ENGAGE and deploy necessary resources.

DEVELOP risk appetite and tolerance statements for significant risks, organization wide and/or by domain.

DEVELOP a framework including organizational Guiding Principles.

DRAFT the ERM plan and timeline

DEVELOP committee structure (ERM steering committee and ERM work group); identify membership as appropriate and draft committee charters

IDENTIFY success metrics to mirror articulated goals and objectives


Implementation Steps | INTEGRATION

INTEGRATE ERM practices into the strategic planning process, business-practices and business unit

SUPPORT and implement the steps to effectively and efficiently identify, assess, and respond to organizational exposure to loss including the techniques for: avoidance, retention, transfer, mitigation and value creation

ADOPT risk champions for specific projects and as program supporters from among the board, senior leadership and medical staff leadership

INTEGRATE the process throughout the organization by educating all employees on their role and responsibility in the ERM program

DEVELOP a communication plan to facilitate organization-wide integration

Implementation Steps | MONITOR / EVALUATION

Build criteria into each implemented risk strategy to identify:

• How success will be measured
• What metrics will be used
• How often to report, in what format, and to whom to report
• The assigned responsible party(s).

Periodic (monthly, quarterly, yearly) reviews of KPIs and KRIs to evaluate all risk identified and the effectiveness of chosen risk strategies

Prepare an annual ERM Program report for the Board that includes:

• Identified risks
• Risk prioritization
• Status of risk strategies implemented
• Value creation opportunities
• Goals for the next period
• Challenges encountered
• Recommended new projects and strategies

Hallmarks of Sustainable ERM

1 Board-level commitment

2 A dedicated risk executive

3 An ERM culture that encourages full engagement and accountability

4 Engagement of stakeholders

5 Transparency

6 Integration of financial and operational risk information

7 Use of sophisticated quantification methods

8 Identification of new and emerging risks

9 A move from focusing on risk avoidance and mitigation


Risk Managers Should Take the Lead

Remember… ERM is a relatively new concept in the field.

Many organizations are just beginning to adopt ERM principles.

Risk Manager to take the lead in keeping ERM alive.

The Risk Manager needs to continually explain the benefits of an ERM approach.

Risk Managers must be aware of the strategic plans.

Be armed with a battery of tools & techniques so ERM can come alive.

Gather anecdotal information & real-world examples of how ERM was beneficial.

The Risk Manager must remain a committed advocate.

Consider the development of an annual report.

Identify a champion for ERM throughout the enterprise.


In Summary

The next 10 years in healthcare will be one of dramatic change highlighted by:

Change in the delivery model for how patients receive care across the healthcare continuum

Formation of new relationships and partnerships

Change in how care will be financed and providers reimbursed

Patients will have responsibility and a voice not previously heard

The emphasis on quality outcomes and minimization of process variability will continue to challenge us all

The development, implementation and support of an ERM Program will meet the challenge of addressing organizational risks proactively, meeting these new challenges directly

Questions?

Contact

Denise Shope RN, MHSA, ARM, CPHRM, FASHRM

Risk Management Consultant

RCM&D