This document outlines a presentation on enterprise risk management (ERM) given to Massachusetts Continuing Legal Education, Inc. It discusses how ERM began with the Committee of Sponsoring Organizations of the Treadway Commission to help organizations assess internal controls. It describes how ERM was initially implemented in the financial sector but is now used more widely across industries. The presentation explains the traditional silo structure of risk management in healthcare and payers and how ERM provides a more holistic and strategic approach to managing enterprise-wide risks.
Presentation Makes the Case for Enterprise Risk Management
1. David McMillan, Pershing Yoakley & Associates, P.C.
dmcmillan@pyapc.com
(865) 673-0844
Larry Vernaglia, Foley & Lardner LLP
lvernaglia@foley.com
(617) 342-4000
Enterprise Risk Management
A Presentation For: Massachusetts Continuing Legal Education, Inc.
May 16, 2014
2. Page 1
Enterprise Risk Management: The Beginning
• ERM began with the Committee of Sponsoring Organizations of the Treadway Commission (COSO), which issued “Internal Control – Integrated Framework” to assist businesses and other entities in assessing and enhancing their internal control systems.
• Over the past two decades, this framework has been incorporated into policy, rule, and regulation, and is used by thousands of enterprises to better control their activities in moving toward achievement of their established objectives.
• COSO’s framework for ERM helps organizations achieve their objectives:
o Strategic
o Operations
o Reporting
o Compliance
3. Page 2
Enterprise Risk Management Across Industries
• ERM was first implemented in the financial sector (banks, investment companies, insurers, etc.).
• Now widely utilized and well-developed across the business sector and slowly being adopted by the healthcare industry.
• Well-known accounting compliance and corporate governance scandals (e.g., Enron and WorldCom) were largely the impetus for the passage of the Sarbanes-Oxley Act of 2002 (SOX), resulting in many organizations implementing ERM programs.
• Primarily publicly traded, for-profit organizations (including healthcare).
• Increased awareness of boards of directors’ responsibility for identifying and managing organizational risk.
4. Page 3
How Have Payers Traditionally Managed Risk?
• Historically, insurance companies have been designed in a silo structure (i.e., each operational activity is undertaken independently, as are the associated risks) – Ex: there can be virtually no interaction between the underwriting and claims departments of an insurance company. As a result of this structure, information generated from these activities is rarely ever shared or synthesized.
• In previous, less volatile years, the silo structure was workable. Given the dramatic regulatory and technological changes in recent years, the silo structure is giving way to newer, more strategy-focused structures, such as ERM.
• In many circumstances, the management of these risks can be more efficient if conducted at the enterprise level.
5. Page 4
Healthcare Risk Management
Healthcare has been slow to introduce ERM programs but, as it has become increasingly evident that no organization or business sector is immune from catastrophic loss, the industry’s interest in ERM is greatly increasing.
The shift away from regional operations to the state, multi-state, and/or national level has played a significant role in igniting interest in ERM across the healthcare industry.
Traditional Setting: Acute Care Hospital
Contemporary Setting: Expanding Beyond Hospital Walls and State Lines
6. Page 5
Drivers of Change
Figure: drivers arranged around the Healthcare Industry:
• Changing patient demographics
• Advances in medicine
• Competition
• Patient-centered focus of care
• Changing reimbursement
• The ACA
• Increasing regulation
• Shift to EMR and Meaningful Use
• Necessity of outcomes data
• Rapidly changing technology
7. Page 6
Five Indications of the Industry
The Five Fundamentals Driving Healthcare Transformation:
Read more at http://www.pyapc.com/resources/collateral/white-papers/2014-Healthcare-Whitepaper-PYA.pdf
8. Page 7
Making the Case for Enterprise Risk Management
Healthcare reform is causing many health systems to quickly react/respond/implement (i.e., bundled payments, ACO regulations, value-based purchasing, etc.)
Too often, health systems are failing to plan proactively for their response to health reform, often leaving the system at risk
Hastened decisions are often made in silos and without considering the impact/risk to all entities
Enterprise Risk Management
9. Page 8
Risk Management in Face of Rapidly Changing Environment
Today’s Challenge: Defining the parameters “along the way”
Yesterday:
• Financial derivatives in capital and debt structures
Today:
• Rapidly changing reimbursement structures
• Physician-Hospital integration (horizontal & vertical)
Tomorrow:
• Bearing insurance risk
10. Page 9
What do YOU see?
11. Page 10
Traditional Risk Management Program Structure
Manage Risks of “Separate and Distinct” Departments/Silos: Operations, Finance, Human Capital, Strategic, Legal/Regulatory, Technology, Hazard
12. Page 11
Shifting Toward a Contemporary Model of Risk Management
Traditional Model
• Reactive
• Incident-based
• Clinically focused
• Risk analyzed according to silo or department (e.g., market risks handled by marketing department, patient safety risks handled by the quality/patient safety department).
• Fails to account for the fact that risks do not exist in isolation (i.e., cross organizational structures, departments, etc.)
Contemporary Model (ERM)
• Proactive, which better equips healthcare organizations to focus on all risks throughout the organization while maintaining patient safety, ensuring compliance and improving the organization’s bottom line.
• Holistic
• Multidisciplinary
• Risk analyzed across the entire enterprise, not solely at silo/department level.
• Accounts for synergistic relationship among and between risks.
13. Page 12
ERM means different things to different people…
Discipline / Process / Practice
14. Page 13
What is Enterprise Risk Management (“ERM”)?
A Discipline
Enterprise risk management is a discipline that engages professionals in the practice of identifying, managing, controlling, and monitoring all risks to the organization.
A Practice
ERM can best be described as an ongoing business decision-making process instituted and supported by the healthcare organization’s board of directors, executive administration and medical staff leadership. ERM recognizes the synergistic effect of risks across the continuum of care, and has as its goals to assist the organization in reducing uncertainty and process variability, promoting patient safety and maximizing the return on investment (ROI) through asset preservation, value creation, and the recognition of actionable risk opportunities.
A Process
ERM is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
15. Page 14
The Board’s Responsibility to Manage Risk
A Process
ERM is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
The Board of Directors is not necessarily responsible for the effects of decisions they make – they are, however, responsible for having a sound process in place for making these decisions, regardless of the outcome, good or bad, of the ultimate decision.
16. Page 15
What is Enterprise Risk Management (“ERM”)?
Creating an effective structure through combining the correct players with an appropriate strategy, equipping these players with a common understanding and appreciation for the direction of the health system and engaging these players in a process to evaluate enterprise risk.
17. Page 16
Example Risk Domains
Operational
• Transitions of care
• Quality/coordination of care
• Adverse event management
• National Patient Safety Goals
• Facility/equipment management
• Workplace safety
• Infection control
• Business continuity
Financial
• Billing/collections
• Corporate compliance (fraud and abuse)
• Liquidity
• Growth in programs/facilities
• Capital structure
• Capital equipment
• Capitation contracts
Human Capital
• Staffing/turnover
• Union and labor relations
• Hiring, retention, education
• Succession planning
• Organizational direction and culture
• Morale and engagement
• Employment Practices liability
Strategic
• Regulatory change
• Patient needs/expectations
• Population health competencies
• Advertising, marketing, branding
• Alliances/integration/affiliations
• Competition
Legal/Regulatory
• Antitrust
• Corporate compliance
• Confidentiality/security of PHI
• Multiple statutes, standards, and regulations
• Accreditation
• State licensure
• Private inurement
Technology
• CPOE
• EMR/EHR
• Robotics
• Telehealth/telemedicine
• Radio Frequency Identification (patient tracking, infant security, etc.)
• Information exchange
• Social media
Hazard
• Facility management
• Plant age
• Natural disasters
• Parking
• Construction/renovation
18. Page 17
Contemporary ERM Programs
Figure: ERM Structure and Process intersecting the business initiatives Strategy, Legal/Regulatory Compliance, Financial Performance, Patient Access, Physician Alignment, Real Estate, and Technology.
Health systems operate multiple businesses with divergent priorities within one entity. An enterprise risk management framework, consisting of an effective structure and disciplined process, intersects each distinctive business initiative to provide a holistic view of the health system.
19. Page 18
Interrelated Components of ERM
• Internal Environment
• Objective Setting
• Event Identification
• Risk Assessment
• Risk Response
• Control Activities
• Information & Communication
• Monitoring
20. Page 19
COSO’s “Cube”
Figure: the three faces of the cube are the Entity’s Objectives, the Entity’s Units, and ERM’s Components.
“A distinct relationship exists between an entity’s objectives and ERM’s components, which represent what is necessary to achieve objectives.”
– COSO’s “Enterprise Risk Management – Integrated Framework”
21. Page 20
Benefits of ERM
– Strategy/solution development that supports the organization’s mission, vision, and values
– Better equipped to anticipate and deal with the unexpected
– Increased understanding of organization-wide costs of risks
– Establishment of a consistent methodology for assessing future risks
– Development of a strategic, organizational framework for managing risk
– Conservation and effective allocation of limited resources
– Improved decision making and creation of formal links between units/divisions/organization
– Improved success of regulatory and compliance initiatives
– And the list goes on and on…
22. Page 21
Designing an ERM Program
Consideration should be given to the following:
• Organizational structure (for profit, not-for-profit, governmental)
• Business approach (acquisition/growth, struggling to survive, maintain status quo)
• Strategy (academic, integrated network, community-based, etc.)
• Variances in setting/locale (acute care hospital, physician practice, etc.)
23. Page 22
A Practical Approach
(Right Processes + Right People) * Disciplined Approach = Ability to Evaluate Risks, which Contributes to Right Culture
24. Page 23
The Right Process
• Risk management must be driven from the top down
• At its core, an ERM framework is proactive, not reactive
• A framework acknowledges that confronting risks before they are emergent yields significant benefit
• A comprehensive risk management framework does not automatically ensure that a system will be void of future and present risks
25. Page 24
The Right Process
• Risk Identification:
– Identification and analysis of risk is management’s responsibility with respect to determining which risks may impact strategy and achievement of organizational goals.
– It is essential to create a comprehensive list of internal and external risks facing the organization.
– Risk identification tools can be developed and used to survey leadership, and interviews can be utilized to develop a deeper understanding of risks already identified.
26. Page 25
The Right Process
• Risk Assessment and Evaluation:
– Once all organizational risks have been identified and analyzed, the next steps are:
o Understand and attempt quantification of the potential magnitude of each risk
o Identify risk drivers
o Consider positive and negative consequences across the organization
o Assess likelihood and severity of each risk
27. Page 26
The Right Process
• Tools to Evaluate Risk:
– Risk Scoring: evaluates the importance of one risk over another, accounting for likelihood/probability and impact/severity.
• Sample formula: Probability x Severity = Risk Score
– Risk Mapping: a data-generating process that utilizes local perceptions to identify and address risks in an effort to reveal transactions, departments, or processes that result in different types and levels of risks.
• Graphically depicts the organization’s risks, displaying the relationship between frequency and severity.
• Requires a team approach to identify and rank each identified risk.
28. Page 27
The Right Process – Risk Mapping
Risk map: Risk Measurement columns Minimal, Moderate/Acceptable, and Untenable, with one row per risk category:
• Clinical Quality
• Financial/Economic
• Legal/Compliance
• Marketing/Brand
• Patient Experience
• Relational
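As an added example (not from the presentation), the Risk Scoring and Risk Mapping steps above worked through in Python: each evaluator on the team rates likelihood and severity, the ratings are averaged, scored with the slide’s Probability x Severity formula, banded onto the map’s three columns, ranked, and rolled up to one band per category row. The 1-5 rating scales, the band cut-offs, the sample register and the evaluator roles are assumptions made for the example.

```python
"""Risk scoring and risk-map banding on a constructed sample register.

Assumptions (not from the presentation): likelihood and severity are each
rated 1-5 by every evaluator on the ERM team, and the band cut-offs below
are illustrative choices, not the presenters' thresholds.
"""
from dataclasses import dataclass
from statistics import mean

BANDS = (  # (upper bound of Probability x Severity, risk-map column)
    (5, "Minimal"),
    (12, "Moderate/Acceptable"),
    (25, "Untenable"),
)


@dataclass
class Risk:
    name: str
    domain: str      # row of the risk map (Clinical Quality, Legal/Compliance, ...)
    ratings: list    # one (likelihood, severity) pair per evaluator

    def likelihood(self) -> float:
        return mean(l for l, _ in self.ratings)

    def severity(self) -> float:
        return mean(s for _, s in self.ratings)

    def score(self) -> float:
        # Sample formula from the slide: Probability x Severity = Risk Score
        return round(self.likelihood() * self.severity(), 2)


def validate(risk: Risk) -> None:
    # Reject ratings outside the agreed scale instead of silently skewing the mean.
    for l, s in risk.ratings:
        if not (1 <= l <= 5 and 1 <= s <= 5):
            raise ValueError(f"{risk.name}: rating {(l, s)} outside the 1-5 scale")


def band(score: float) -> str:
    """Place a score in one of the risk map's three columns."""
    for upper, label in BANDS:
        if score <= upper:
            return label
    raise ValueError(f"score {score} outside the 1..25 range")


def rank(register: list) -> list:
    """Team ranking: highest risk score first."""
    for r in register:
        validate(r)
    return sorted(register, key=lambda r: r.score(), reverse=True)


def risk_map(register: list) -> dict:
    """One band per domain row; the highest-scoring risk in a row sets its band."""
    rows = {}
    for r in rank(register):          # ranked, so the first risk seen per domain is its worst
        rows.setdefault(r.domain, band(r.score()))
    return rows


# Constructed sample register: three evaluators (e.g., CFO, CMO, Risk Manager) rated each risk.
SAMPLE = [
    Risk("Capitation contract losses", "Financial/Economic", [(4, 5), (3, 5), (4, 4)]),
    Risk("PHI breach", "Legal/Compliance", [(3, 5), (2, 5), (3, 4)]),
    Risk("Transitions-of-care readmissions", "Clinical Quality", [(3, 3), (2, 3), (3, 2)]),
    Risk("Parking shortage", "Patient Experience", [(4, 1), (5, 1), (4, 1)]),
]

if __name__ == "__main__":
    for r in rank(SAMPLE):
        print(f"{r.score():6.2f}  {band(r.score()):20}  {r.domain:20}  {r.name}")
    print(risk_map(SAMPLE))
```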
29. Page 28
Developing a Comprehensive Risk Profile
Figure (perspective and prospective views): Senior VP; each New Initiative/Transaction; Departments/Services; all rolled up into a Comprehensive Risk Profile.
31. Page 30
The Right People
• The Right People make up the ERM evaluation team.
• The Right People, typically members of senior management, are responsible for evaluating the risks relevant to their respective positions within the organization and hold responsibility for strategic initiatives.
(Right Processes + Right People) * Disciplined Approach = Ability to Evaluate Risks, which Contributes to Right Culture
32. Page 31
The Right People
Key Leader: CEO, CFO, COO, CMO, CNO, CIO, Human Resources, Legal Counsel, Risk Manager, Real Estate/Facility Management
33. Page 32
Accumulating the Results
Figure: results accumulated from the SVP Information, SVP Finance, SVP Operations and SVP Quality up to the CEO.
34. Page 33
Disciplined Approach
• Frequency
• Transparency
• Board Involvement
• Accountability
(Right Processes + Right People) * Disciplined Approach = Ability to Evaluate Risks, which Contributes to Right Culture
35. Page 34
Dysfunctional Practices, Dysfunctional Culture
• Arthur Andersen
– Inability to question superiors' practices and incapability to suggest new ways of doing things. When these practices no longer worked, the culture shifted to keeping clients at any cost.
– Resistance to change from seemingly unethical to ethical practices. The root of the problem was top management figures who exemplified poor ethical practices.
– Culture shifted to increasing revenue from clients as much as possible.
– Began to underestimate vulnerabilities in their practices, jeopardizing the organization's future.
36. Page 35
Ability to Evaluate Risks
• Risk management must be driven from the top down and embedded in an organization’s culture
• At the core of the ERM framework, an entity must be proactive, not reactive
• Health systems should plan for risks, and create an efficient structure and a disciplined process to evaluate potentially risky strategic decisions.
(Right Processes + Right People) * Disciplined Approach => Ability to Evaluate Risks
37. Page 36
Ability to Evaluate Risks
• The volume of data most organizations collect, process and analyze is growing exponentially.
• Numerous organizations, such as IBM and Microsoft, are now offering products that utilize big data to analyze/predict risk.
• Example: Google Flu Trends
– “…we can accurately estimate the current level of weekly influenza activity in each region of the United States, with a reporting lag of about one day.” – Google, 2009
– Found that certain search terms are good indicators of flu activity. Google Flu Trends, in collaboration with the CDC, uses aggregated Google search data to estimate flu activity.
– Early detection of a disease outbreak can reduce the number of people affected. Google’s up-to-date influenza estimates may enable public health officials and health professionals to better respond to seasonal epidemics and pandemics.
38. Page 37
Implementing a Contemporary ERM System
Figure: ERM System
39. Page 38
Challenges to Implementing a Contemporary ERM System
• Territorial Turf: Competition among units (quality, risk management, patient safety, corporate compliance, etc.)
• Culture: Cultural incompatibility and diversity may act as barriers
• Changing Environment: Moving away from a traditional punitive environment centered around individual employee/staff error to an organizational emphasis on systems
• Teams and Communication: Employees often have a hard time working in teams and/or promoting communication on their own
• Limited use of Technology: Technology should be used to support the core operations of healthcare and to support patient safety, decrease medical error, and improve management.
• Inadequate Senior-Level Support: The C-suite should understand the concepts of ERM and also lend organizational support for program development and implementation
• Length of Time to Implement: Willingness to devote time to implementation may hold many organizations back from ERM.
40. Page 39
Challenges to Implementing a Contemporary ERM System
• Expertise: Expertise in risk and finance may be limited.
• ROI: May be difficult to demonstrate immediate, quantifiable ROI.
• Follow-through: Without change and follow-through, ERM programs become static and eventually dwindle in support and effectiveness.
• Employee Involvement in Design: Successful ERM programs recognize the importance of employee involvement and contributions and value their input.
41. Page 40
Success Factors of ERM Programs
• Consistency
– In assessment
– In scoring measurement
– Quantifying and benchmarking results
– Decreased variability through evidence-based practice
• Monitoring and evaluation
– Internal
– External
• Leadership support and a positive culture
• Broad-based employee involvement
42. Page 41
Questions?