Proactive Risk Assessment as a Foundation of Enterprise Risk Management

ECRI Institute and Annals of Long-Term Care: Clinical Care and Aging (ALTC) have joined in collaboration to bring ALTC readers periodic articles on topics in risk management, quality assurance and performance improvement (QAPI), and safety for persons served throughout the aging services continuum. ECRI Institute is an independent, trusted authority on the medical practices and products that provide the safest, most cost-effective care.

Like the ever-changing health care landscape, the risk management profession is also evolving. The discipline of risk management has shifted from a limited focus on risk (primarily operations and compliance) to one that looks broadly at the organization to assess, evaluate, and measure all of its risks. This approach, called enterprise risk management (ERM), can expand risk management beyond solely evaluating risk and protecting the organization’s assets toward also identifying value in the choices available to the organization to meet its strategic goals.

Numerous trends stimulated the shift to ERM from the traditional “silo” approach of risk management. Traditional health care risk management has focused on clinical operations because of the devastating consequences for patients, staff, and the organization when patient outcomes are poor. But the changing health care environment also requires increasing attention to a multitude of other risks facing organizations, such as the following:

• Cyberattacks and computer system failures
• Disease outbreaks
• Fraud and abuse citations
• Mergers and acquisitions
• New health care delivery models
• Oversight of physician practices and other health care settings
• Supply chain disruptions, including drug shortages
• Technology changes

The list of possible risks facing health care organizations goes on and on and extends beyond clinical risks. 

In addition to an organization-wide approach to risk, ERM shifts the traditional focus from a reactive approach to risk (eg, claims management) to a proactive one, aligning risks with the organization’s strategic goals and objectives.¹ This expanded view considers risk as having the potential for gain (ie, the upside of risk) as well as potential for loss (ie, the downside of risk) for the organization. For example, while there may be numerous risks for a health care organization to participate in an accountable care organization (ACO) (eg, fraud and abuse violations, medical liabilities, privacy breaches), there are potential benefits if the risks are properly managed (eg, larger referral network, increased market share). Participation in the ACO may also mesh with organization’s objectives for serving its community. 

By applying the principles of ERM, organizations can take an expanded and all-encompassing view of risk. This article expands on how to apply these principles in practice.

Implementation

There is no one “right way” to implement an ERM program; each organization must set its own course using approaches that fit with corporate goals and objectives. Among the most desired goals from an ERM program are the following^2-5:

• Achieve better organizational decision making
• Align the organization’s risk appetite with its strategic plan
• Assist the board with its corporate governance obligations
• Centralize accountability for risk
• Incorporate risk management into the organization’s overall decision-making process
• Optimize regulatory compliance
• Reduce risk exposure
• Standardize the process for risk assessment and analysis

There are not any specific regulatory requirements for health care organizations to adopt ERM approaches. Nevertheless, adopting an ERM framework will help health care organizations address the myriad regulations and standards they must comply with by ensuring an organization-wide and coordinated approach to federal, state, and accrediting requirements, ranging from federal reimbursement rules for the Medicare program to worker safety standards from the Occupational Safety and Health Administration. As new regulations are added and as existing regulations are updated, organizations can use the ERM framework to ensure compliance with them.

Impact Assessments

An important part of the ERM process can be to profile and prioritize risks by ranking through probability and impact analyses. Impact analysis is a method used to assist with anticipated changes and is often used in business management. The method provides a broad understanding of the implications of a proposed change and helps a business make informed decisions about which proposals to approve. An impact analysis has three phases:

Understand the possible implications of making the change. 

Identify all the systems, tasks, and documentation that may be modified by the proposed change.

Identify the tasks required to implement the change and estimate the effort needed to complete those tasks.

Risk Score

Risks are prioritized to quantify the potential implications and magnitude of each risk. Quantitative information allows comparisons of risks by assigning them risk scores, derived from the product of the risk’s probability and severity.⁶ In addition to understanding the magnitude of the risk from the risk score, the organization can begin to decide which business decisions present an unacceptable risk and which can be reasonably tolerated given its risk appetite.

A risk score indicates the impact the risk will likely have on the organization and therefore the level of priority the risk should receive with regard to prevention and mitigation strategies. On a scale of 1 to 10 (with 1 being low and 10 being high), the risk of hospital supplies (eg, sterile preparation kits) being unavailable for the insertion of central lines, for example, might be given a score of 4 for probability and a score of 8 for severity, resulting in a risk score of 32—a high priority.

In calculating the risk score, the organization considers whether existing controls are already in place to manage a particular risk. If existing measures to address the risk are already in place, the risk score may be lower than a risk for which controls have not been implemented.⁷ 

Some organizations may add a third variable, velocity, to calculate the risk score. Velocity measures how fast an incident can affect an organization and the organization’s ability to respond promptly with mitigating strategies. An earthquake, for example, would have a high velocity score because it occurs with little warning. By contrast, Medicare reimbursement changes have a low velocity score because they are typically announced in advance of their effective date, giving organizations time to prepare. When the three variables of probability, severity, and velocity are used, the risk score is calculated by adding the velocity score to the probability score and multiplying the sum by severity (ie, [probability + velocity] × severity = risk score).

Risk Mapping

The process of assessing identified risks is better understood with the use of a risk map or risk modeling software. The risk map provides a visual tool to graphically display the risk score for each of the risks identified by the organization. The possible severity of an occurrence is charted on the y-axis on a scale of 1 to 10, and the probability of an occurrence is charted on the x-axis on a scale of 1 to 10. The possible occurrences are plotted based on their relative relationship to each other. The risk score, being a product of the severity times the probability, ranges from 1 to 100. (Depending on their preferences, some organizations may choose a smaller scale [eg, one to five] to prioritize their risks.)

For example, the loss of state licensure (risk number 1) is deemed to be just remotely probable and given a score of 1, but should the facility lose its license to operate, it would face closure—a devastating consequence—and thus it is given a score of 10. The product of 1 × 10, or 10, is the “risk score” of this occurrence, which classifies it as a low priority. Considering the example of possible failure of a costly joint venture with a high-profile physician group (risk number 2), both probability and severity are given scores of 9, the product of which is 81 (9 × 9), indicating that this financial and strategic risk is of a critical nature and a top priority. Because medication errors at this organization are relatively frequent, this operational risk is given a probability score of 8. 

On the other hand, the confidence level in the hospital’s mitigation strategies to prevent serious harm or injury from medication errors is high, and so their severity is scored at 5. Nevertheless, the risk score for medication errors is 40 (8 × 5), which ranks them as a high priority for the organization. Lastly, the inability to obtain replacement medical devices, such as intravenous (IV) pumps, as planned is an unlikely risk (scored as 4), and because the current inventory of IV pumps can be used in the short term, the risk of a delay in obtaining replacements receives a severity score of 5. The score for this risk is 20 (4 × 5), a medium priority for the facility.

Profiling risks on a risk map provides an indicator of the combined risks facing the organization. Senior management should consider the prioritized risks in light of the risk appetite and goals established for the organization. For example, the acquisition of physician practices may show up as a high risk on the risk map.

This particular initiative may also fit with the organization’s goal to align with physician practices to ensure that it can participate in ACOs. Knowing which risks require attention in order for the organization to pursue its strategic plan enables the ERM task force to develop an action plan in accordance with strategic goals and objectives.

Failure Mode and Effects Analysis

Predictive systems analyses and failure mode and effects analysis (FMEA) are also useful in evaluating processes, equipment, or techniques in advance of making changes and are often used in the health care industry. FMEA is a “bottom-up” approach, meaning that it starts at a task level of the product or process and works its way up to the effects to systems or subsystems. FMEA also analyzes interlinks among devices or systems. FMEA mandates a detailed examination of each potential device to consider how it might fail and to analyze the effect of such individual failures on the system. The steps of the FMEA process are described in Box 1.

To help guide and document the FMEA process, the US Department of Veterans Affairs’ National Center for Patient Safety developed a health care FMEA worksheet (available at https://www.patientsafety.va.gov/docs/hfmea/FMEAblkwsheet.xls). 

Leading Indicators

Another strategy is to identify leading indicators. Leading indicators are forward-looking metrics that can be used proactively to target hazards that arise from the interaction of people with processes and with the environment. Leading indicators demonstrate performance and help an organization measure a desired outcome against future performance. Tracking leading indicators gives the organization a better picture of its safety performance because it indicates what is occurring in the organization on a day-to-day basis. If there is a plan to implement a new device, developing leading indicators to test performance is an important step in the process. 

In safety-critical industries such as health care, leading indicators reflect (1) performance related to key work processes, (2) operating discipline, and (3) gaps and opportunities for improvement that help prevent incidents. Thus, they facilitate continuous improvement and early detection of possible problems. When developing new processes or using new equipment, developing leading indicators is recommended to evaluate safety continuously and proactively while also continuing to track adverse events and near misses. 

The Robert Wood Johnson Foundation has published an overview of the health impact assessment process, stakeholder involvement, examples of the use of the assessments, and how they can influence policy, which may be useful when developing your own impact analyses.⁸

Conclusion

ERM does not necessarily negate or replace the traditional risk management process of risk identification, risk analysis, development of alternative techniques to treat risks, selection of best risk treatment techniques, implementation of selected techniques, and monitoring and evaluation of effectiveness of the chosen risk management techniques and strategies. Rather, ERM expands the process to more fully integrate risk management into the organization’s structure and decision making. It is an enterprise-wide approach to risk identification, analysis, and treatment through an entrenchment of risk management principles into corporate operations and strategic planning. To these ends, impact analysis resources can be useful tools when an organization is considering implementing new procedures, policies, or equipment to ensure that they consider how the change might affect the work of various departments. 

References

1. The Risk Management Society. ERM: an overview of widely used risk management standards and guidelines. ttps://www.scribd.com/document/325373240/An-Overview-of-Widely-Used-Risk-Management-Standards-and-Guidelines-1-pdf. Published 2011. Accessed July 31, 2019. 

2. Behamdouni G, Millar K. Implementation of an enterprise risk-management program in a community teaching hospital. Healthc Q. 2010;13(1):72-78.

3. Committee of Sponsoring Organizations of the Treadway Commission (COSO). Enterprise risk management—integrated framework [executive summary]. https://www.coso.org/Documents/COSO-ERM-Executive-Summary.pdf. Published September 2004. Accessed July 31, 2019.

4. Committee of Sponsoring Organizations of the Treadway Commission (COSO). Enterprise risk management, integrating with strategy and performance [executive summary]. https://www.coso.org/Documents/2017-COSO-ERM-Integrating-with-Strategy-and-Performance-Executive-Summary.pdf. Published June 2017. Accessed July 31, 2019.

5. Carroll R. Enterprise risk management: the impact on healthcare organizations. In: Youngberg BJ, ed. Principles of Risk Management and Patient Safety. Sudbury,MA: Jones & Bartlett Learning; 2011:115-134.

6. Heim T. Searching for risk. Healthc Financ Manage. 2004;58(4):52-58. 

7. Carroll R. An Enterprise Risk Management Playbook: An Implementation Guide for Healthcare Professionals. Chicago, IL: American Society for Healthcare Risk Management; 2015. 

8. Gottlieb L, Egerter S, Braveman P. Health impact assessment [issue brief]. Robert Wood Johnson oundation. ttps://www.rwjf.org/en/library/research/2011/05/health-impact-assessment.html. Published May 1, 2011. Accessed July 31, 2019.