Jan 19, 2016
Practice Intelligence: Risk Management in the Health Care Industry
Practice Intelligence: Business Solutions for Health Care Professionals
Risk Management in the Health Care Industry
Today more than ever, health care organizations (HCOs) are facing multiple risks on every front. Whether the risks are operational, technological, clinical, legal,
or financial, an entity’s ability to identify and manage risk will be critical to its sustainability in the future. Some of the more common risks that HCOs are currently
facing, and will continue to face into 2016 and beyond, include the following:
i. Risks associated with non-compliance with increased regulatory requirements;
ii. Risks associated with increasingly complex reimbursement methods and models;
iii. Technology risks, including risks of cyber security breaches;
iv. Risks related to breaches of patient privacy and health information; and
v. Financial risks, including revenue cycle management and fraud risk.
These examples just scratch the surface! It is clear that business as usual is no longer an option, and businesses in the health care industry must be proactive
in assessing and managing risk if they want to survive. According to the American Society for Healthcare Risk Management (ASHRM), adopting a definition of
Enterprise Risk Management (ERM) is one of the early significant steps in developing an ERM program. ASHRM’s definition is as follows:
“Enterprise risk management in healthcare promotes a comprehensive framework for making risk management decisions which maximize value protection
and creation by managing risk and uncertainty and their connections to total value.”
There are a number of other definitions for ERM from well-regarded organizations.
It is important that each HCO adopt a definition of ERM that is tailored to its
own specific size, circumstances, and risk appetite.
There are also a number of frameworks that an HCO can use to design and develop a comprehensive ERM program. Most ERM frameworks are similar in
many regards, and the governing body should evaluate its options and adopt a framework that is most closely aligned with its goals. The Committee of
Sponsoring Organizations of the Treadway Commission’s (COSO) framework includes the following eight components that work together to form a
comprehensive ERM program:
i. Internal Environment – The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed
by an entity’s people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.
ii. Objective Setting – Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management
ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity’s mission and are
consistent with its risk appetite.
iii. Event Identification – Internal and external events affecting achievement of an entity’s objectives must be identified, distinguishing between risks and
opportunities. Opportunities are channeled back to management’s strategy or objective-setting processes.
iv. Risk Assessment – Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are
assessed on an inherent and a residual basis.
v. Risk Response – Management selects risk responses – avoiding, accepting, reducing, or sharing risk – developing a set of actions to align risks with
the entity’s risk tolerances and risk appetite.
vi. Control Activities – Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.
vii. Information and Communication – Relevant information is identified, captured, and communicated in a form and timeframe that enable people to
carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the entity.
viii. Monitoring – The entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through
ongoing management activities, separate evaluations, or both.
Regardless of the definition or framework used, the foundation of any effective ERM program is strong corporate governance with effective leadership. Corporate
governance policies should set an appropriate tone that will permeate throughout the HCO to create a culture that understands and embraces the goals,
including the ERM goals, that the organization desires to achieve. An ERM program that possesses actively involved leadership is the most successful in
allowing the organization to achieve its goals and objectives.
The design, development and implementation of an Enterprise Risk Management program is, in and of itself, a challenge for any organization.
Furthermore, an ERM plan is not static, especially for organizations in the health care industry. The ERM plan of an HCO will require continuous monitoring and updating as the
health care landscape changes and evolves. However, an effective risk management program will position hospitals and health care executives to respond
better to risks, take advantage of opportunities, and in general, render any HCO more in control and less vulnerable to adversity.
By Prabhleen S. Virk, CPA and Vincent Abbruzzese, CPA
© CITRIN COOPERMAN & COMPANY, LLP
CONNECTICUT | MARYLAND | NEW JERSEY | NEW YORK | PENNSYLVANIA | CAYMAN