Like many hospitals and health systems in the early 2000s, Catholic Healthcare West wondered whether it could end up in the crosshairs of legislators and litigators who were challenging pricing and charity care policies.
So before lawmakers and lawyers could train their sights on CHW, CEO Lloyd Dean wanted to find out just how threatened the organization and its 41 individual hospitals might be. He convened a task force of representatives from corporate compliance and finance, advocacy, community benefit, revenue services, and communications to answer the question: "Are we doing all we should to maintain our tax-exempt status?"
Over the next year, the task force identified and prioritized the areas that posed the greatest risk to the San Francisco-based health system's financial performance and reputation. At the top of the list was charity care. Collection activity was another area. Then there were concerns about CHW's joint venture and management arrangements, and executive compensation.
CHW assessed, mitigated and measured external and internal risks that could have a devastating effect on operations, reporting, compliance and strategy across all of its hospitals. In the process, the system employed the concept of enterprise risk management without really realizing it. "We didn't have a lot of information about enterprise risk management at the time," acknowledges Mary Connick, vice president of finance and corporate controller.
ERM nevertheless made sense because the risks to CHW were highly complex and interrelated, and their roots stretched through many different operational areas: patient accounting, finance, strategic development, communications, contracting, human resources, patient satisfaction, compliance, mission and vision.
"You get people from other disciplines together and start seeing aspects [of risk] you didn't understand before," Connick says. "[The exercise in ERM] opened our eyes to what the risks can even be. It made us realize that risk is not so straightforward."
A Look at the Big Picture
Enterprise risk management offers a whole new way for hospitals and health systems to think about business and operational risk.
Traditional risk management segregates insurance risk to the insurance department, market risk to the sales or marketing department, and patient safety risks to quality assurance. "With traditional risk oversight, we'll have the chief technology officer manage the risk of making sure our technology systems are available today to do business," says Mark Beasley, Deloitte Professor of Enterprise Risk Management, North Carolina State University, Raleigh. "HR is going to make sure we manage the risk of hiring a sufficient number of people and placing them correctly in the corporate well. The general counsel is going to make sure we don't violate the law, and the CFO and treasurer will manage the risk of cash flow. The problem is we never see the big picture or get an aggregate view of risk. We don't know when we have problems in multiple places within the organization."
Rather than view individual risks in isolation, as standard hospital risk management does, ERM analyzes many risks as they relate to one another across an entire organization. "How could my legal risks and my IT system risks and my HR risks be connected to the same big event?" Beasley asks. An example is a class action lawsuit involving charity care practices for the uninsured.
Conventional risk management is inward and historical. "Like any business that has accounts receivable, hospital board reports have information about write-offs of bad debt, receivables getting older and older, declines in admissions," he says. "These have already happened, and they are internal measurements. The ERM perspective is heavily external and proactive. ERM identifies things in the marketplace that can help an organization predict it will have more bad debt in nine months, such as rising unemployment levels or bankruptcies in its customer base. ERM tracks data that will ultimately drive customers' ability to pay."
Rather than a bottom-up, departmentally driven focus on risk, ERM is a top-down process that is driven by an organization's board of directors, management and key personnel, and it creates a single view of overall risk, according to the Committee of Sponsoring Organizations (COSO) of the Treadway Commission, a private-sector organization that advises upper management and trustees on ethics, fraud, financial reporting and internal control. ERM aims to help senior management and the board understand the portfolio of risks that face an organization.
With existing risk management systems, "there is often a disconnect between the gathering of risk information at the top level and the integration of that information into the key decision-making processes in an organization, whether it's strategic planning, mergers and acquisitions, or budgeting," says Laurie Champion, director of enterprise risk management for Aon Global Risk Consulting.
ERM, Beasley notes, "looks at risk holistically so the leadership and the board can determine the full basket of risk for an entity and directly connects risk to initiatives that are designed to add value to an organization by taking each of an organization's strategic initiatives and identifying the factors that could unravel it."
Health Care's 'Overconfidence'
Although it first appeared in Europe and Australia in the 1990s, ERM only began to emerge in the United States in 2000 and 2001. In the last 18 months, however, its popularity has grown for a number of reasons: leaders of many American corporations realized they did not have a good grasp on their risk exposures; credit-rating agencies such as Standard & Poor's incorporated ERM in their analysis of debt issuers; and corporate audit committees bemoaned the absence of a comprehensive process for evaluating and mitigating risk.
In health care, however, ERM has not been a priority. While some health care organizations with significant debt have turned to ERM to bolster their credit ratings, others are not embracing the concept, largely because they believe they are ahead of the game when it comes to risk management due to their strong insurance risk management and quality monitoring.
Hospitals also are heavily involved in financial oversight. At the board level, for example, the vast majority of trustees evaluate capital risks. When the Health Research & Educational Trust and the Center for Healthcare Governance surveyed 258 hospital and health system CEOs about their boards' risk management and oversight activities in 2008, they found that 79 percent regularly and comprehensively assessed capital risks, 83 percent routinely evaluated the amount of outstanding debt, and 70 percent reviewed the debt service coverage ratio. Eighty-four percent of hospital board meetings in the previous year addressed future capital risk, and 62 percent focused on interest rate volatility.
But there are other major risks to the stability of a health care organization. "There is so much risk that is strategic that hospitals are not tracking," Beasley says. "There is an overconfidence in health care."
According to the HRET survey, only 52 percent of boards reviewed the risk to reputation or brand, 33 percent looked at physician flight risk, and 28 percent considered the risk of errant employee behavior. While 84 percent of boards evaluated future capital risk, 62 percent looked at interest rate volatility risk, and 15 percent analyzed tax risk.
ERM in Practice
When Shands HealthCare, Gainesville, Fla., was considering the fate of a seriously underperforming 400-bed community hospital, ERM helped management and the board come to an understanding of its overall strategic risk tolerance.
From 1996 through 2009, Alachua General Hospital steadily lost volume as older physicians retired and younger ones moved their practices and hospital affiliation to the faster-growing side of town. The average daily census fell from 300 to about 140, and financial losses increased from $7 million to $10 million a year. Looking ahead, the hospital would need $75 million to $100 million over the next decade for operations as well as an influx of $150 million to $200 million for upgrades. Meanwhile, one of Shands' nearby academic medical facilities was exceeding capacity to such an extent that a new $390 million, 192-bed tower was being added.
An obvious strategy was to close AGH and redirect patients and employees to the new patient tower. Closure, however, would cause Shands to lose 35 percent in marginal volume from community physicians who would not make the transition to the academic medical center. As Shands' management and board went through the ERM process of balancing the risks against the rewards of the strategy, they determined that the loss in volume would be far less harmful than the steady stream of dollars needed to keep AGH alive, said Bill Robinson, senior vice president and CFO of Shands HealthCare, at a seminar on ERM sponsored by the Healthcare Financial Management Association and Bank of America in 2009.
ERM also helped Shands prepare ahead of time for logistical, reputational and payment risks that could undermine the entire effort, such as a delay in the completion of the new patient tower, inadequate control over transfer and use of AGH's equipment and supplies, inability to maintain sufficient numbers of staff to care for patients during the transition period, lack of communication to stakeholders about the need for change, and a likely increase in bad debt.
According to Aon Global Risk Consulting, there are five development stages of ERM:
- Initial: Component and associated activities are limited in scope and may be implemented on an ad-hoc basis.
- Basic: Capabilities for identifying, assessing, managing and monitoring risks are limited.
- Defined: Capabilities for identifying, measuring, managing, reporting and monitoring risks are sufficient; policies and techniques are defined and used across the organization.
- Operational: Capabilities and policies are used consistently across the organization.
- Advanced: A process for addressing risk is dynamic and can adapt to changing risks and varying business cycles.
While ERM programs are maturing in organizations all over the world, most have still only reached the third level. Aon's 2010 ERM survey of 201 organizations worldwide found that 40 percent had defined-level programs; of those, 15 percent were operational, and less than 10 percent were advanced.
ERM takes time to establish because it is not a project that can be completed within a designated period (see sidebar, "Elements of Enterprise Risk Management," Page 9). "ERM is more of a change in mindset than the implementation of new software or the creation of a new project team," Beasley explains. The most important first step, then, is for the board and senior management to embrace the concept.
"The board and senior management have to want ERM," he notes. "They have to want to connect ERM to strategy because that is where the value comes in. The problem is no one wants to talk about risk; everyone wants to focus on reward. But if you know about your risks and want to manage them, you are more likely to get the rewards you are after."
Next, Beasley says, is to keep things simple. "Start with some dialogue and discussion about your top five to 10 risk exposures," he says. "Build a little bit of a process to get people in the organization to think more consistently about potential risk. At some point, you'd like to get people assessing the top five to 10 risks in their major units and assessing the probability and the impact of those risks so you can rank them in some way. But that is down the road."
Board members can help all along the way. "They are certainly important at the outset in spurring the process through the audit or finance or risk committee of the board," says Aon's Champion. "An enhanced or elevated focus on risk often emanates from board members who see that risk is managed at a high level in their own businesses or in other organizations on whose boards they sit."
Trustees also can add perspective on the risks that are emerging in the local environment and that may threaten the hospital down the line. "Management needs to build a process that prioritizes the top risks to the organization so those risks can be addressed," Beasley says. "As part of that risk identification phase, management can ask board members what they think the risks are."
Board members then can take the long view about risk and its management over time. "The organization needs to follow up to ensure that it is doing the right things in accordance with governance, operations and hazard risk," says Tom Wimberly, vice president of business development for Aon's eSolutions risk data management consulting group. "It needs to look back and see that it is handling risks effectively. In terms of addressing particular risks, [board members] need to be able to track where the organization was two or three years ago and where it is today."
Karen Sandrick is a freelance writer in Chicago.
Sidebar - Four Ways Boards Can Support ERM
Sidebar - Elements of Enterprise Risk Management
Sidebar - A Rating Agency's View of Risk