Enterprise Risk Management: An Overview

Like the ever-changing healthcare landscape, the risk management profession is also evolving. The discipline of risk management has shifted from a limited focus on risk (primarily operations and compliance) to one that looks broadly at the organization to assess, evaluate, and measure all of its risks. This approach, called ERM, can expand the risk manager's role beyond solely evaluating risk to protect the organization's assets to also include identifying value in the choices available to the organization to meet its strategic goals.

Numerous trends stimulated the shift to ERM from the traditional "silo" approach of risk management. These trends include globalization of financial and business markets, continued integration of the insurance industry, increased regulation, and a greater focus on corporate governance. A number of well-publicized cases of fraud as well as business scandals and failures over the past several years left regulators, investors, and other stakeholders calling for better corporate governance and improved oversight of risks. In response, the Sarbanes-Oxley Act of 2002 was enacted, requiring increased involvement from the audit committee of the board of directors of public companies with regard to risk management. This law extended requirements for reporting, certification, and attestation by an independent auditor as to the effectiveness of the company's internal control systems. (COSO "Enterprise Risk")

As of 2015, nearly half (46%) of all businesses participating in a global risk management survey, conducted by insurance broker Aon, indicated that they address current and emerging risks with a structured enterprise-wide risk identification and assessment process (Aon). Although the survey included representatives from the healthcare industry, the healthcare services sector has lagged behind other industries in implementing ERM (ASHRM "Enterprise . . . Defining"). In a 2010 survey of Healthcare Risk Controlmembers, respondents indicated that adopting enterprise-wide risk management was among their top 10 challenges as risk managers (ECRI Institute).

While many healthcare organizations are either privately held or nonprofit organizations, and thus exempt from Sarbanes-Oxley per se, the value in using an enterprise approach to manage risks in the increasingly complex healthcare environment is becoming apparent. Indeed, the American Society for Healthcare Risk Management (ASHRM) established a goal to facilitate the application of ERM for its members in its 2013 to 2015 strategic plan (ASHRM "Strategic").

The role of the healthcare risk manager originally arose from a need to manage medical malpractice claims and to decrease the costs associated with them. As a result, traditional healthcare risk management focused on clinical operations because of...