And Then Came COVID...One Health Care System’s Journey to Develop and Sustain an Enterprise Risk Management Program
AHLA thanks the leaders of the Enterprise Risk Management Task Force for contributing this feature article.
- March 01, 2021
- Eva J. Goldenberg , Atlantic Health System
- Sheilah O’Halloran , Atlantic Health System
Certain non-health care industries are required to have a formal, published enterprise risk management (ERM) program. Other industries voluntarily adopt an ERM program. While the health care industry has not been on the leading edge of such voluntary adoption, health care organizations can benefit from a disciplined ERM program. At our health care system, we saw the value of transitioning from a department-focused risk management program to an enterprise-wide program.
This article discusses how one health care system built its ERM program. The authors describe how a solid framework enabled their health care system to incorporate COVID-19 into its ERM program.
Genesis of ERM
Over the past decade, many health care organizations attempted to develop an ERM program but often failed to successfully complete the process. Our organization tried its hand at ERM but, like other health care organizations, failed to sustain it. Four years ago, as part of its annual self-assessment process, our health care system’s board of trustees saw the need to address risks on an enterprise-wide basis, which began our ERM journey.
What It Is
ERM is a structured, consistent, and continuous process across an entire organization designed to identify, assess, respond to, and report on opportunities and threats that affect the organization’s achievement of its strategic objectives.It is “applied in strategy setting across an enterprise, designed to identify potential events that may affect the entity, and manage risk . . . to provide reasonable assurance regarding the achievement of entity objectives.” Compared to traditional risk management, ERM elevates the focus on managing risks from tactical (individual, departmental) to more strategic objectives to assist an organization’s ability to achieve its objectives and goals. The process of managing enterprise-level risks is integrated with strategy setting, business planning, performance measurement, and other business disciplines. ERM implementation is tightly linked to the “assessment and formulation of business strategy.”
Application of ERM must be “across the enterprise, at every level and unit, and includes taking an entity-level portfolio view of risk.”Unless the ERM implementation is applied uniformly across the company and is a holistic and comprehensive focus on all key business risks, it is not truly enterprise-wide.
Identification of Risk Categories and Systemwide Risks. The organization’s chief compliance officer and chief legal officer (the “ERM Executives”) spearheaded the development of the ERM program. We decided to build the framework and initial content of the ERM program internally rather than utilize a third-party consultant.
We were familiar with the organization, its functional and strategic focuses, and its leadership. However, having little familiarity with the elements of ERM and how to develop an ERM program, we consulted various references and sources including:
- Treadway Commission’s Committee of Sponsoring Organizations (COSO), which includes five organizations: American Accounting Association, American Institute of Certified Public Accounts, Federal Executives International, The Association of Accountants and Financial Professionals in Business, and The Institute of Internal Auditors.
- Protiviti’s Guide to Enterprise Risk Management
- American Health Law Association
- Health Care Compliance Association
- various universities’ ERM programs
- various pharmaceutical companies’ ERM programs
- various health care systems’ ERM programs
To develop the framework of the ERM program, we identified 17 risk categories at our health care system, as follows:
Senior management’s feedback was incorporated into the selection of the 17 risk categories. Involving senior management at the initial phase of building the ERM program helped overcome any skepticism as to the importance of the endeavor, particularly when we presented it as a board priority. Within each of the 17 risk categories, we identified what we believed were all possible risks that could impact the organization. This resulted in just over 200 individual risks across the 17 risk categories. Again, feedback from senior management was incorporated into the 200+ identified risks.
Risk Alignment. After identifying the 17 risk categories and individual risks within each category, we cross-checked the risk categories against our organization’s guiding principles and goals. Specifically, we wanted to ensure that the ERM program was aligned with those guiding principles and goals (see Figures 1 and 2).
Risk Prioritization. Once the risks were identified and assessed, the next phase of the ERM framework required that the risks be prioritized. We created a risk algorithm based on the following factors: (1) risk impact, (2) risk likelihood, (3) risk management and mitigation tactics, and (4) risk control. To determine risk impact, we considered what effect an event would have on our operations or ability to fulfill our mission. For instance, a very high risk would involve an event that would have a devasting effect on our operations should it occur. This would include events such as a substantial cyberattack, exclusion from participation in Medicare/Medicaid, or loss of our 501(c)(3) status. A high risk would involve any event that would require a significant modification of our operations and might have a potential long-term impact. This would include events such a breach of the Health Insurance Portability and Accountability Act affecting 500 or more individuals or compliance-related issues resulting in the imposition of a corporate integrity agreement or other monitoring. Using these four factors, we assigned a risk rating (1 for high, 2 for medium, and 3 for low) to each of the 200+ risks. Within each of the 17 risk categories, we identified the single highest risk. The resulting list of the 17 highest priority risks also took into account feedback from members of management, alignment with the organization’s then-current annual goals, and innate and common-sense information about business operations. For instance, while most in the organization agreed that cyberactivity was the greatest risk in the technology risk category and, in fact, our algorithm supported that ranking, we were about to implement a new electronic medical record systemwide and the common-sense consensus was to have implementation of that system as our highest technology risk.
The highest risks in each of the 17 risk categories were as follows:
The risks and ratings were documented on a home-grown ERM spreadsheet and circulated to the organization’s leaders for review and input. Accountability for each of the 17 risk categories was assigned to a specific leader.
Risk Mitigation. Each accountable leader (with input from appropriate stakeholders) created and documented tactics to mitigate (or eliminate) the highest priority risks. Thereafter, each leader, with assistance from appropriate team members, began to execute on the risk mitigation tactics.
ERM Feedback. After the highest priority risks were identified, the ERM Executives developed and distributed an online survey to all members of management seeking additional input into the identified risks. The survey consisted of the following questions:
- Are there any routine practices that we do that could damage our reputation or undermine our Trusted Network of Caring®?
- What risks or vulnerabilities keep you up at night? How can we address them?
- Anything else?
The results of the survey were analyzed, shared with leadership, and the spreadsheet was updated to include additional risks.
ERM Communications. The ERM Executives created an ERM communication timeline. Throughout the course of many months early on in the development of the ERM program, updates were presented to all management at the organization’s various hospital management meetings, physician enterprise management meetings, and human subject research management meetings. Information about the ERM program was posted on the organization’s intranet.
A message map, available for all team members, was created to help communicate ERM throughout the organization (see Figure 3).
The ERM Executives provided regular updates to the organization’s senior leadership, board of trustees, and the board’s Audit and Compliance Committee, to which the board of trustees delegated oversight (see below).
ERM Oversight. The organization’s board of trustees delegated oversight of the ERM program to the board’s Audit and Compliance Committee. The committee amended its charter to include oversight responsibility for the ERM program. At each of its quarterly meetings, the committee receives an update about the ERM program from the ERM Executives. In addition, the board also periodically receives an ERM update.
ERM Policy. The ERM Executives created an ERM Policy that was included in the organization’s published corporate compliance policies. Undergirding the ERM Policy is the principle that the organization requires a systematic review of risk to ensure that the greatest areas of risk are afforded the appropriate level of attention and resources. The Policy recognizes that the ERM program should be used as a tool to drive decision making so that decisions are made with full knowledge of the risks inherent in the decisions and in accordance with the organization’s level of risk tolerance.
See the following supplemental materials included with this article.
Approximately 12 months after creating the ERM framework, identifying the risk categories, ranking the risks, and creating tactics to mitigate the highest priority risks, the ERM Executives met with each leader of the 17 risk categories to receive an update on the status of risk management plans, specifically mitigation tactics. During these meetings, risk reduction accomplishments and ongoing risk mitigation tactics were discussed and documented on the ERM spreadsheet. New risks were identified and documented on the ERM spreadsheet. Thereafter, each leader, with assistance from appropriate team members, continued to implement the risk mitigation tactics.
Approximately 18 months after creating the ERM framework, a top-tier accounting and consulting firm with ERM expertise was engaged by the organization’s Audit and Compliance Committee to review the ERM program. The review assessed the following elements of the ERM program:
- Risk management process
- Culture & performance
After a comprehensive review, the consulting firm pointed to the following items as wins for the program:
- Strong leadership support and an established ERM governance and reporting framework
- Engaged Board and Board committee
- Regular risk assessment and risk mitigation process
- Active coordination and communication across interdependent risks
- Key risk indicators and performance metrics developed
- Right tone at the top to drive execution of ERM
- Establishment of risk ownership and accountabilities
The firm found, however, that the program was too focused on operational risks and required heightened focus on strategic risks since the true purpose of an ERM program is to support achievement of an organization’s strategic plan. The firm recommended that risks associated with the organization’s five-year strategic plan be bifurcated from the operational risks. Based on that recommendation, two ERM programs were created—one that focused on the previously identified risk categories that related to operational-level risks, i.e., risk implications to business operations (the “Operational ERM”), and the other that utilized the goals set forth in the organization’s strategic plan, i.e., risks integrated with business planning and risks that could affect the success of the organization’s five-year strategic plan (the “Strategic ERM”). The ERM Executives now spearhead the Strategic ERM and the director of internal audit is responsible for the Operational ERM.
For the Strategic ERM, senior leaders analyzed each goal of the organization’s five-year strategic plan and identified the possible risks inherent to completion of each goal. The goals of the organization’s strategic plan are grounded in four pillars, namely, (1) performance, (2) growth, (3) population health, and (4) innovation, research, and education. Each of the four pillars contains four goals and each goal has numerous tactics that must be accomplished in order to achieve the goal. Risks that could derail the tactics and impact the goals were identified and mitigation tactics to reduce those risks were developed. The risks were documented in a format that tracked the strategic plan goals. Leaders of the various strategic plan goals created risk mitigation (or elimination) tactics for each of the identified risks. If all mitigation tactics were completed, a new risk, tied to the corresponding strategic goal, was identified and risk mitigation tactics were developed.
With 17 risks categories in the Operational ERM and risks corresponding to 16 goals in the Strategic ERM, the organization’s Audit and Compliance Committee asked leadership to identify the Top Ten ERM risks. For each of the Top Ten risks, we documented the accomplishments achieved to mitigate the risks. We also documented the risks that needed to be further mitigated (or eliminated). After approximately six months, senior management reviewed and updated the Top Ten ERM risksas follows:
- Failure to achieve consistent, nationally recognized quality and safety throughout the system
- Failure to engage patients, providers, and team members
- External events with significant operational impact, e.g., cyberattack, pandemic
- Failure to achieve financial targets, financial market instability
- Failure to increase unique lives served, grow market share, and expand points of access
- Failure to grow key clinical programs
- Provider, supplier, key team member shortages
- Failure to optimize care coordination across all settings of care
- Failure to transition a more significant portion of payer contracts to risk models
- Failure to support a culture of innovation and education
And Then Came COVID
“Pandemic” was included among the Top Ten enterprise risks before COVID-19 became a reality. New Jersey and New York were particularly hard hit by the pandemic in early Spring of 2020 and our entire health care system was mobilized to deal with the unprecedented circumstances it faced. As we participated in daily command center calls that spanned more than 120 consecutive days and listened to the challenges that our organization was facing and the innovative solutions that team members brought to bear, we realized the importance of incorporating the details of our COVID-19 response into the ERM program to preserve the lessons learned. As the clinical and operations teams were creating some 30 playbooks for use in the predicted second surge, we developed the COVID-19 risk areas and mitigation tactics for incorporation into the ERM program, just as we had with the other more traditional risk areas identified. In fact, through constant communication and report-outs among the organization’s senior leadership team, we realized that the COVID-19 portion of the ERM program had developed somewhat organically as leaders identified their risks and mitigation tactics in real time. We realized, too, that we were witnessing ERM in action as the COVID-19 response was a complex, risk-laden event that touched every part of the organization. Several months into the pandemic, the ERM Executives, with input from the organization’s leadership, documented the risks associated with COVID:
The risk mitigation efforts and accomplishments related to each of the COVID risks were documented. This process contributed to the organization’s response plan for a COVID resurgence.
Approximately every 9-12 months, the ERM Executives meet with the leaders who are accountable for the strategic risks and the director of internal audit and enterprise risk management meets with the business leaders responsible for the operational risks to update progress on mitigating (or eliminating) the risks and identifying new risks. When the organization updates its strategic plan, the goals and risks in the ERM program are re-aligned with the updated goals. Risks that could undermine accomplishment of the goals are identified and mitigation tactics are developed and implemented. Initially, everything was documented on an Excel spreadsheet. As the program developed, documentation transitioned to an online SharePoint site where operational leaders could document risk updates in an electronic and transparent format.
Five Years and Still Going
When developing and sustaining an ERM program, it is important to be aware of the barriers to successful implementation and to the ongoing viability of the program. Barriers to a successful ERM program include:
- Lack of support from the top
- Lack of stakeholder ownership and buy-in
- Lack of resources to devote to ERM
- Failure to integrate ERM with what matters (goals, strategy)
- Failure to communicate
- Getting immersed in the details
- Failure to define roles and responsibilities
- Failure to consider cultural issues
We were fortunate the push to develop an ERM program started with our board of trustees since that facilitated stakeholder buy-in. Ultimately, a successful ERM program requires a comprehensive effort—a few people to lead the effort, senior leaders to participate and set the tone, management to support and drive it, board (and/or board committee) to oversee it, and the workforce to be aware and involved in it. A successful ERM program also requires discipline to keep it going and to keep people engaged. The value of ERM is clear: it helps an organization achieve its goals, objectives, and strategies. And when business opportunities grow out of risk identification and mitigation then it comes full circle. As an added value, having a robust ERM program has been viewed favorably by our insurance markets and rating agencies. And, our board of trustees sleeps better at night!
About Atlantic Health System
Atlantic Health System is a regional not-for-profit clinically integrated health care system headquartered in Morristown, New Jersey. Its five hospitals, physician practices, ambulatory sites and rehabilitation and skilled nursing facilities provide over 400 sites of care to serve more than half of the state of New Jersey including 11 counties and 4.9 million people. Atlantic Health employs 17,000 team members and has 4,800 affiliated physicians.
2 Committee of Sponsoring Organizations of the Treadway Commission, Enterprise Risk Management—Integrated Framework (Sept. 2004).
3 Protiviti, Guide to Enterprise Risk Management (2006), https://www.protiviti.com/US-en/insights/guide-enterprise-risk-management.
6 See supra note 3.
7 The Top 10 ERM risks are not listed in order of priority. They are simply the highest risk in each of the 10 categories of strategic risk.
8 See supra note 3.
Eva Goldenberg serves as Atlantic Health System’s Vice President of Corporate Compliance & Internal Audit, Chief Compliance Officer, Privacy Officer, and Research Integrity Officer. Prior to her current position, she held roles as chief legal officer and chief human resources officer at a NJ community hospital, legal and human resources roles at a publicly-traded toy company and a corporate attorney at Morristown, New Jersey and New York City law firms.
Sheilah O’Halloran serves as Atlantic Health System’s Senior Vice President & General Counsel. Prior to her current position, she was in private practice in Morristown, New Jersey where she practiced corporate and commercial law and served as the Chair of the firm’s health care practice.
AHLA thanks the leaders of the Enterprise Risk Management Task Force for contributing this feature article: Susan Goodman, Pivot Health Law LLC (Chair); Justin Brown, Bradley Arant Boult Cummings LLP (Vice Chair—Educational Programming); Faisal Khan, Nixon Gwilt Law (Vice Chair—Educational Programming); Lisa Rivera, Bass Berry & Sims PLC (Vice Chair—Member Engagement); David Crapo, Gibbons PC (Vice Chair—Publishing); and Karen Kole, ECG Management Consultants (Vice Chair—Publishing).