How Managing Enterprise Risk Can Help Hospitals In Crisis

By Keith Smith
Law360 is providing free access to its coronavirus coverage to make sure all members of the legal community have accurate information in this time of uncertainty and change. Use the form below to sign up for any of our weekly newsletters. Signing up for any of our section newsletters will opt you in to the weekly Coronavirus briefing.

Sign up for our Compliance newsletter

You must correct or enter the following before you can sign up:

Select more newsletters to receive for free [+] Show less [-]

Thank You!

Law360 (November 19, 2020, 5:21 PM EST) --
Keith Smith
Keith Smith
A different federal response to the COVID-19 pandemic and recalibrated health care policy priorities are among the likely changes health care organizations can expect from the new Biden administration.

As hospitals and health care systems continue to manage the financial strain and logistical challenges of the pandemic, they likely face more changes, such as increasing emphasis on value-based care, which is an area of bipartisan agreement, and shifts in the regulation and reimbursement of telehealth.

Health care organizations adjusting to federal policy changes can use enterprise risk management, or ERM, principles to improve performance and adapt to change. Integrating ERM into existing business processes increases chances for reducing organizational variation, uncovering business opportunities and developing resiliency. ERM principles are simple and appropriate for use in setting system-level strategy and evaluating operational business decisions.

Health care organizations are under pressure to reduce the cost and improve the quality of care, increase access to care for underserved communities, and improve the experience of care for both patients and health care professionals. Calls for reform of the health care system come from inside and outside the health care sector.[1]

In addition, many new market entrants are competing with traditional hospitals and health systems based on lower cost, faster service or easier access.[2] For executives leading health care systems and boards providing oversight in this challenging environment, ad hoc decision making increases the risk of missed opportunities and can lead to erosion of confidence in leadership.

Boards and executives using ERM, on the other hand, follow a business process designed to yield well-informed decisions and improve organizational performance.

What is ERM?

Clarifying what ERM means is important.

The term "enterprise risk management" sometimes causes confusion. Traditional hospital risk management focuses on insuring, or transferring, known risks such as unintended consequences or injury following medical or surgical care, and implementing measures to control or mitigate those risks.

ERM, on the other hand, is a business process intended to improve the overall performance of an organization.[3] ERM improves performance by establishing a framework for making well-informed, or risk-intelligent, decisions about strategic objectives and operations.

Going through the process of becoming risk-intelligent with respect to any potential strategy or decision-point positions decision makers well to discern additional opportunities and make risk-aware decisions. In simplest terms, ERM means establishing and supporting a culture of informed decision making within an organization.

ERM does not require a separate infrastructure; rather, ERM is a mindset. In other words, ERM is not a discipline unto itself, but a process for evaluating potential objectives and opportunities.

For a hospital or health care system, using ERM requires a willingness to become fully informed, but does not require additional budget allocations for staff. ERM can be integrated into a hospital's or health care system's existing planning, operational approval, and reporting systems and processes.

A health care organization should incorporate ERM principles in a manner that fits its practices and culture. The fundamental ERM process is simple: (1) understand and articulate the strategic objective or goal; (2) identify, assess and prioritize risks to achieving the objective; (3) evaluate methods for control and mitigation; and (4) monitor, communicate and inform strategic objective setting.

ERM Mindset in Action: Opportunities to Improve Performance

Reducing Organizational Variation

As health systems expand geographic coverage and services offered, controlling performance variability requires more effort. Obvious sources of significant process and performance variation, and, therefore, opportunities for performance improvement, include acquisitions and other strategic business combinations.

Many less obvious opportunities to identify and address organizational variation can be identified using ERM. The ERM process starts with understanding strategic objectives.[4] If objectives are presented consistently and clearly, obtaining perspectives on risks and controls from those situated in different parts of the hospital or health system will likely lead to discoveries of variation in managing identical challenges.

For example, Local Hospital System, a nonprofit community hospital system, adopts a mission statement — a statement of strategic objectives — of providing high-quality, accessible care in a cost-effective manner.

After identifying, assessing and prioritizing risks to achieving its mission, Local Hospital System determines that a clinical information system failure, due to malware or another cause, is an enterprise risk. Local Hospital System assigns a multidisciplinary working group to evaluate the readiness to respond to a clinical information system failure of the five hospitals in Local Hospital System.

The working group is composed of members of the medical staff and others whose work would be affected by the system failure, such as professionals from nursing, pharmacy, information technology, coding and billing, revenue cycle, communications and public information. In evaluating potential responses, the working group identifies variation across the five hospitals in their plans for handling clinical system failures.

The smallest of the hospitals has a well-considered plan to manage operations during a clinical information system failure, including written procedures, but the other four hospitals have underdeveloped and variable plans.

The working group has identified an opportunity to eliminate unnecessary variation and spread a best practice across the five hospitals, thereby reducing the potential impact of a clinical system failure on Local Hospital System.

Uncovering Business Opportunities

If health system operational leaders approach decision points with an ERM mindset, they put themselves in a position to uncover potential business opportunities. The ERM approach to becoming risk intelligent involves gathering input from individuals with different specialties and vantage points within the organization about potential risks as well as evaluation of control measures and mitigation strategies.

This collective input provides varying perspectives on opportunities, risks and controls, and may lead to reframing of objectives or discovery of new opportunities.

As an example, consider Hospital System A's business objective of securing a new exclusive services agreement with an anesthesia service provider for one of its hospitals.

Anesthesia service line Administrator Alan convenes a multi-disciplinary team including surgeons, certified registered nurse anesthetists, managed care specialists and others to identify risks associated with entering into an exclusive services agreement like the one that will be expiring soon, under which the anesthesia group bills directly for professional services.

Among the risks the team identifies is the risk that the anesthesia group becomes out of network with one of Hospital System A's top commercial payors. The team considers control measures that could be implemented to mitigate this risk of having a hospital-based provider out of network, including employing anesthesiologists instead of entering into a services agreement with a group.

Administrator Alan communicates this risk and potential control measure to Executive Ed, and then Hospital System A's executive team reframes the business objective from securing a new exclusive anesthesia services agreement for one hospital to securing stable, high-quality, cost-effective anesthesia services in a consistent manner for all of Hospital System A's hospitals.

The team continues with the ERM mindset and considers a full array of options for securing anesthesia services: (1) entering an agreement with an anesthesia group under which the group bills for professional services, with the risk that the group gets out of network; (2) entering an agreement with group under which hospital bills for services, with the risk that being insulated from collection risks will make physicians less attentive to efficiency; and (3) employing anesthesiologists and certified registered nurse anesthetists, with the risk that employment costs more than other options.

Now, Hospital System A is considering a wider array of possible business solutions and is equipped to make a risk-intelligent decision about which option best fits the unique circumstances of its market. Following the ERM process leads to consideration of multiple coverage models and a well-informed, risk aware decision as to which opportunity to pursue.

Developing Resiliency

Cost- and risk-shifting reimbursement models, entry of new market competitors and consumer demands are prompting changes in health care. Responding to health care costs, employers have encouraged employees to transition from traditional health plans to high-deductible health plans,[5] and the federal government is encouraging movement to value-based payment models.[6]

Rapid and constant advances in technology and nimble, well-funded market entrants are adding new sources of competition to the health care sector. Health care consumers, reacting to increases in cost-sharing burdens and nontraditional health care industry entrants,[7] are increasingly sensitive to price, service and ease of access. For hospitals and health care systems looking to thrive in such a dynamic environment, resiliency and adaptability are essential.

A health system with ERM integrated into its business processes will not identify every new opportunity or anticipate every emerging risk to the organization's strategic objectives. Practicing the ERM mindset, however, helps organizational leaders be more resilient, inclined to seek the full array of options and prepared to address obstacles.

For leaders accustomed to soliciting input vertically, from line managers and others, and investigating all possible options to address a challenge, considering entering a joint venture with a new market entrant, for example, will likely be less of a stretch than for a leader who is in the habit of pursuing only traditional solutions.

The acceleration of acceptance of telemedicine during the COVID-19 pandemic offers an example of an unanticipated change, and how certain organizations that followed ERM principles were prepared to adapt.

Hospitals and health systems that identified telemedicine as a potential control measure to address risk, whether from emerging competitors or evolving reimbursement models, began developing telemedicine programs well in advance of commercial payors reimbursing for telemedicine services.[8]

When many of the barriers to use of telemedicine were lifted during the pandemic,[9] these hospitals and health systems were prepared to respond to its increasing use. After experiencing the convenience of a telehealth encounter, will waiting for an appointment with a primary care provider be acceptable? As price transparency increases, will site-of-service price differentials for imaging services be tolerable?

For health care organizations, resiliency will be important post-pandemic, when patients, payors and non-traditional competitors push the health care system for improved service and access at more competitive prices.


The goal of ERM is to improve performance by supporting a culture of informed decision making and by framing challenges as catalysts for discerning new opportunities. In an environment of rapid change fueled by new competitors, reimbursement model adjustment and consumer access to information, successful health care organizations must constantly improve and adjust.

With ERM principles integrated into existing business processes, hospitals and health systems can increase their odds of surviving and succeeding, continuously improving performance through reducing variation, discerning new business opportunities, and being resilient and adapting to change. 

Keith Smith is a member at Moore & Van Allen PLLC.

The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.

[1] See, e.g., Internists Call for Comprehensive Reform of U.S. Health Care, AMERICAN COLLEGE OF PHYSICIANS NEWSROOM (January 20, 2020)

[2] See, e.g., Christina Farr, American Well pulls in $194 million to keep up with the skyrocketing demand for telemedicine, CNBC TECH (May 20, 2020, 12:35 PM EDT),; Leah Rosenbaum, Exclusive: Telemedicine Company Doctor on Demand Raises $75 Million to Expand During the Covid-19 Pandemic, FORBES (July 8, 2020, 6:00 AM EDT),

[3] Richard J. Anderson & Mark L. Frigo, Creating and Protecting Value, Understanding and Implementing Enterprise Risk Management 3 (January 2020) (research commissioned by Committee of Sponsoring Organizations of the Treadway Commission),

[4] Mark Beasley, Ph.D., What is Enterprise Risk Management (ERM)? at 6 NC STATE POOLE COLLEGE OF MANAGEMENT (July 17, 2020),


[6] CMS Issues New Roadmap for States to Accelerate Adoption of Value-Based Care to Improve Quality of Care for Medicaid Beneficiaries, CMS.GOV NEWSROOM (September 15, 2020),

[7] See, e.g., Dane Finley, Sam's Club and 98point6 are partnering to offer members $1 telehealth visits, BUSINESS INSIDER (September 24, 2020, 10:08 AM),; Zoe LaRock, Amazon is launching health clinics for select US employees, BUSINESS INSIDER (July 16, 2020, 8:38 AM),

[8] AMERICAN HOSPITAL ASSOCIATION, Telehealth: Delivering the Right Care, at the Right Place, at the Right Time (July 2017),

[9] Coronavirus Aid, Relief, and Economic Security Act, Pub. L. 116-135 (2020).

For a reprint of this article, please contact

Hello! I'm Law360's automated support bot.

How can I help you today?

For example, you can type:
  • I forgot my password
  • I took a free trial but didn't get a verification email
  • How do I sign up for a newsletter?
Ask a question!