Begin 2023 with Enterprise Risk Management Goals

Proactivity and Transformative Risk Strategies in Healthcare

The evolution of healthcare is driving a reassessment of how healthcare providers view and manage risk while providing quality care and a safe working environment. Direct care professional shortages, increased regulatory scrutiny and the changing needs of patients and families, especially in senior living, create new and different risks and opportunities for enterprise risk management and for transformational, sustained change.

What can healthcare providers do proactively to meet the challenges ahead?

Organizations can focus on Health Care Enterprise Risk Management (ERM) and embrace the concept that a long-term view of risk provides a complete perspective of all interrelated risks to the organization, rather than attempting to manage risk in silos. Ownership of risk must be shared across the enterprise. ERM allows for greater organizational capacity to manage uncertainty. It is also important to appreciate that underwriters look favorably on organizations that have a risk management professional to guide internal preventive and risk mitigation strategies.

What is ERM?

ERM is a top-down and bottom-up, holistic portfolio view of the most significant risks to achieving a health care organization’s strategic objectives. An enterprise-wide view would consider human capital risks stemming from inadequate training about privacy that, if not identified and treated properly, could lead to privacy breaches impacting legal and regulatory compliance. Inadequate training on the EHR could lead to delays in providing patient care and incomplete documentation of care. This may in turn create strategic risk through inaccurate data capture, impacting reporting of key quality metrics and ultimately the reimbursement for care that depends on those metrics. When the holistic view is used to identify risk and treat it proactively, value can result in part through efficiency in patient care from a more satisfied workforce, improved cybersecurity that minimizes the risk of data breach, and accurate data collection and reporting of quality metrics.

  • Operational

The business of healthcare is the delivery of care that is safe, timely, effective, efficient, and patient-centered within diverse populations. Operational risks are those resulting from inadequate or failed internal processes or systems that affect business operations. Examples include risks related to: adverse event management, credentialing and staffing, documentation, chain of command, lack of internal controls, supply chain, and identification of existing opportunities within management oversight.

  • Clinical/Patient Safety

Risks associated with the delivery of care to patients, residents and other healthcare customers. Clinical risks include: failure to follow evidence-based practice, medication errors, hospital-acquired conditions (HAC), serious safety events (SSE), healthcare equity, opportunities to improve safety within the care environments, and others.

  • Strategic

Risks associated with the focus and direction of the organization. Because the rapid pace of change can create unpredictability, risks included within the strategic domain are associated with brand, reputation, competition or failure to adapt to changing times (ranging from health reform to shifting customer priorities). Managed care relationships/partnerships, conflict of interest, marketing and sales, media relations, mergers, acquisitions, divestitures, joint ventures, affiliations and other business arrangements, contract administration, and advertising are other areas generally considered as potential strategic risks.

  • Financial

Decisions that affect the financial sustainability of the organization, access to capital or external financial ratings through business relationships, or the timing and recognition of revenue and expenses make up this domain. Risks might include: capital structure, credit and interest rate fluctuations, foreign exchange, growth in programs and facilities, capital equipment, regulatory fines and penalties, budgetary performance, accounts receivable, days of cash on hand, capitation contracts, reimbursement rates, managed care contracts, and revenue cycle/billing and collection.

  • Human Capital

This domain refers to the organization’s workforce. Included are risks associated with employee selection, retention, turnover, staffing, absenteeism, on-the-job work-related injuries (workers’ compensation), work schedules and fatigue, productivity, compensation, succession planning and labor unionization activity. Human capital associated risks may cover recruitment, diversity, retention, and termination of members of the medical and allied health staff.

  • Legal/Regulatory

Risk within this domain incorporates the failure to identify, manage and monitor legal, regulatory, and statutory mandates on a local, state and federal level. Such risks are generally associated with fraud and abuse, licensure, accreditation, product liability, management liability, Centers for Medicare and Medicaid Services (CMS) Conditions of Participation (CoPs) and Conditions for Coverage (CfC), as well as issues related to intellectual property.

  • Technology

This domain covers machines, hardware, equipment, devices, wearable technologies and tools, but can also include techniques, systems and methods of organization. Health care has seen an escalation in the use of technology for clinical diagnosis and treatment, training and education, information storage and retrieval, and asset preservation. Examples also include Electronic Health Records (EHR) and Meaningful Use, financial and billing systems, social media and cybersecurity; cyber risks can be significant.

  • Hazard

This ERM domain covers assets and their value. Traditionally, insurable hazard risk has related to natural exposure and business interruption. Specific risks can also include risk related to: logistics/supply chain, facility management, plant age, parking (lighting, location, and security), valuables, construction/renovation, earthquakes, windstorms, tornadoes, floods, fires and pandemics.

ERM Guiding Principles

The following guiding principles have been developed as basic building blocks supporting the framework for ERM in healthcare:

  • Advance safe and trusted health care
  • Empower health care risk managers to mitigate risk and maximize value
  • Promote ethical and transparent decision making
  • Improve patient safety through execution of ERM principles
  • Improve strategic decision making

ERM Practices

  • Are continuous
  • Require a paradigm shift in how an organization identifies and manages risks and opportunities
  • Are “not a stop on the road, but a journey”

How is ERM Implemented?

It is not uncommon for senior living health care providers to be overwhelmed by the idea of transitioning from a traditional insurance-led, asset-protection risk management program to a fully matured ERM model and process. Our firm has developed tools and resources to determine the organization’s readiness for ERM. A gap analysis can be used to determine the breadth of the current state and actions required to achieve the desired state for your risk management program.

The Four Major ERM Implementation Steps, which form the basis of our firm’s collaboration with clients, are:


  • Know the organization’s mission, vision, objectives, and current strategic plan
  • Understand current practice regarding risk identification, analysis and reporting
  • Summarize the effectiveness and sustainability of previous root cause analyses and action plans. Learn how the organization identifies opportunities to create value
  • Identify organizational objectives for establishing ERM. (Why now? Is there a sentinel, triggering event such as a rating agency’s questions during a visit?)
  • Evaluate organizational readiness for ERM specifically as it relates to culture
  • Describe resources necessary for ERM implementation and identify whether those resources are external or internal to the organization and are available


  • Draft clearly articulated goals and objectives. Include key risk indicators or other metrics where appropriate
  • Develop and deliver ERM education to board, senior leadership and medical staff leaders
  • Engage/deploy necessary resources
  • Develop risk appetite and tolerance statements for significant risks
  • Develop a framework for ERM decision making, including organizational guiding principles
  • Develop committee structure (ERM steering committee and ERM work group), identify membership as appropriate, and draft committee charters
  • Draft the ERM plan and timeline
  • Identify success metrics to mirror articulated goals and objectives


  • Integrate ERM practices into the strategic planning process, business practices and business units
  • Support and implement the steps to effectively and efficiently identify, assess, and respond to organizational exposure to loss including the techniques for: avoidance, retention, transfer, mitigation and value creation
  • Adopt risk champions for specific projects and as program supporters from among the board, senior leadership and medical staff leadership
  • Integrate the process throughout the organization by educating all employees on their role and responsibility related to ERM
  • Develop a communication plan to facilitate organization-wide integration

Monitoring/Evaluation – Proactively build criteria into each implemented risk strategy to identify how success will be measured, what metrics will be used, how often to report, in what format and to whom to report, and the identification of the assigned responsible party/ies.

Prepare an annual ERM report for the board that includes:

  • Identified risks
  • Risk prioritization
  • Status of risk strategies implemented
  • Value creation opportunities
  • Goals for the next period
  • Challenges encountered
  • Recommended new projects and strategies

Periodic (monthly, quarterly, yearly) reviews of key performance indicators (KPIs) and key risk indicators (KRIs) should also be conducted to evaluate all identified risks and the effectiveness of the chosen risk strategies.

Adelman Advantage Recommendations: As healthcare professional liability defense attorneys and risk managers, our firm has engaged with a variety of healthcare risk and litigation management models. ERM encompasses the widest array of strategies for proactive organizational risk mitigation, improving quality of care and resident safety while controlling financial and risk outcomes. We welcome connecting with you on how your senior living community is managing risk and litigation, and on how ERM can be implemented with your teams.
