Health care board responsibilities historically have centered on strategic and financial aspects of the business operation. Today, boards face heightened scrutiny of patient safety and quality measures, increasingly stringent legal and regulatory requirements, and the uncertainties born of large-scale reform. What's more, these risks are interrelated: A 2012 report by the Bureau of Labor Statistics and a 2010 Joint Commission "Sentinel Event Alert" reveal concerns about patient and employee safety, which can have legal and reputational consequences.

Trustees need to develop oversight mechanisms to keep current on known risks as well as critical and emerging risks, such as workplace violence and environmental contamination.

Vigilant boards will respond to these new complexities in three ways:

  • strengthening the board's oversight of risk management
  • integrating risk into all board decision-making
  • improving communication among senior executives, the organization's risk manager and the board

Strengthening Oversight

Effective oversight of risk requires rigor, objectivity, a heightened understanding of risk's importance and, most important, the recognition that unforeseen events and circumstances can and often do occur. That recognition should be particularly acute for boards now, as many hospitals acquire private physicians' offices and smaller medical groups, which are additional sources of risk.

Contingency plans are a must to grapple with environmental threats, data breaches and other adverse events. To fulfill the mandate for strong oversight, however, boards must require that the organization's employees understand and follow these plans, and then direct senior management to evaluate that preparedness.

Boards are not responsible for "actual day-to-day risk management," noted a 2012 blog on the Harvard Law School Forum on Corporate Governance and Financial Regulation. Through their oversight role, directors instead should "satisfy themselves that the risk-management policies and procedures … are consistent with the company's strategy and risk appetite, that these policies and procedures are functioning as directed, and that necessary steps are taken to foster a culture of risk-aware and risk-adjusted decision-making throughout the organization."

Indeed, with the increasing pressure on trustees to protect hospital quality and safety, corporate boards simply must make risk management a bigger, and more formal, part of their agenda.

Integrated Decision-Making

Expanding risk oversight as part of the board's agenda is a crucial step for tackling risk. But sometimes the board itself has to change to integrate risk more capably into its decision-making.

Ideally, at least one member of every board will have risk-management expertise and a professional history of managing risk. If that's not the case, those skills and knowledge should be considered paramount in the selection of new board members. That is not to say that the rest of the board can ignore emerging risks.

Boards also can better understand and integrate risk into their decision-making by attending meetings of the organization's risk or claims committees. At some hospitals, board members participate in the decision to purchase insurance. This says a lot about the priorities of the organization and, ultimately, could have a positive influence on the organization's loss data.

Improving Communication

The Harvard Law School Forum blog offers a strong vision about the value of communication: It is up to the board to "send a message to management and employees that comprehensive risk management is neither an impediment to the conduct of business nor a mere supplement to a firm's overall compliance program, but is instead an integral component of strategy, culture and business operations." Yet, while it's clear that cultural change is implemented from the top down, true communication is a two-way street.

Today's boards aren't given enough education by senior-level officials at many hospitals, and there aren't enough opportunities for risk professionals to teach them. The chief compliance officer is responsible for reporting to the board, but that reporting often has been relatively narrow. Risk executives must take on an elevated role in the organization, and think more holistically about the organization in terms of enterprise risk management, rather than simply safety and compliance. It is up to the board, however, to make the importance of that new role clear.

Besides engaging the organization's risk professionals, trustees can seek other ways to learn about their organization's potential for risk. For instance, most hospitals hold monthly "leadership rounds" for senior management; board members might attend from time to time.

Health care leaders are experiencing pressure from multiple directions — the demand for transparency, increasing regulatory scrutiny and changing models of care and payment. To protect their organization, trustees need to improve their oversight of enterprise risk and work in partnership with risk management professionals.

For more on risk, including mitigation measures, contact the AHA's Center for Healthcare Governance about its upcoming monograph Bringing Risk to the Boardroom: Integrating Effective Governance Strategies to Help Mitigate Future Risks at

Caroline Clouser is executive vice president, ACE Medical Risk Group, Jersey City, N.J., and Diane Doherty is vice president, ACE Medical Risk Group, New York.