ERM: evolving from risk assessment to strategic risk management: Changes in the healthcare system are bringing new risks, which hospitals and health systems need to manage effectively to remain competitive
The U.S. healthcare ecosystem represents a $5 trillion market and is projected to grow to a $5.5 trillion market by 2025. The exponential growth comes from several thematic drivers, including the shift from volume to value and the rise of the consumer, both of which are turning the industry on its head as new payment models and greater expansion of consumer options are being introduced to the marketplace. Other drivers include evolving mobile strategies, new entrants, an aging population, and continued uncertainty in political and regulatory environments. With medical device cybersecurity vulnerabilities being reported at record levels, it is evident that new risks are constantly threatening the quality of patient care and providers' long-term prosperity.
As the healthcare market expands and evolves, the inherent risks also are increasing, as shown in the sidebar on page 45.
Moving Beyond Risk Identification
Traditionally, the healthcare industry has excelled in risk identification and assessment. The industry has been less proficient at prioritizing and managing risk, however, and it has a vital need to tackle these areas. To do so, healthcare providers must invest more in building enterprise risk management (ERM) capabilities.
As a defensive strategy, a focus on avoiding risk may seem to hold promise, but no hospital or health system can avoid risk entirely. By giving an organization insight into how to take the right risks at the right time, an effective ERM program can help the organization more successfully execute its strategic imperatives.
Getting Beyond Basic Effectiveness
Despite the growing importance of ERM programs today, and the raised awareness of that importance, many healthcare providers have been slow to adopt a more sophisticated approach. As shown in the exhibit on page 46, the current state for most providers falls between "basic" and "evolving" maturities for ERM programs.
Organizations classified as basic recognize the implications of risk for achieving the organization's objectives and are just beginning to have important discussions on the topics of risk. At a basic maturity level, risks are often defined as hazards and considered only in the context of their adverse consequences; they are identified on an annual basis, risk mitigation and controls are seldom factored in, and reporting is infrequent, most often biannual at best.
Organizations at basic maturity also may have disparate risk management processes that aren't managed in a coordinated way (e.g., compliance, IT/cyber security, operations, and legal/insurance) and that exist outside normal management processes or cadences. Moreover, the internal ERM risk assessment is siloed from other risk assessments conducted in the organization.
Components of the risk assessment tend to be seen as requirements imposed upon the organization rather than as opportunities for proactive investment in the organization. As a result, the risk assessment often lacks substantive data and analysis, lacks measurable monitoring, and does not align with the organization's strategic vision and operational goals. It therefore is not surprising that ERM programs at the basic-maturity level often suffer from a lack of value creation in helping the enterprise manage risk to drive performance, and that...