It’s Time to Rewrite Your Enterprise Risk Management Playbook

In 2022, it's important that healthcare leaders make investments that help them more effectively anticipate, mitigate, and manage business risk.

As the healthcare industry moves from stability to volatility, enterprise risk management (ERM) strategies are evolving from check-the-box compliance exercises to key areas of focus for health system leaders.

When HFMA invited us to provide insight on ERM last spring, it was clear that the characteristics that define business risk in healthcare were beginning to look markedly different. Threats such as the move toward digital care delivery, well-capitalized disruption, lack of agility among legacy organizations, and increased demands for price transparency all required a more urgent and complete approach to identifying and responding to business risk.  

Today, the level of volatility in the healthcare industry is bigger than anyone anticipated. Distressed organizations are on the rise, half of health system leaders are unsure they will meet budget in 2021, and more than 40 million patient records have been compromised due to cybersecurity incidents. Additionally, while a recent Guidehouse survey, in collaboration with the Association for Federal Enterprise Risk Management, suggests organizations across industries are dedicating greater funding to ERM, just one in four believe they manage risk “well” or “very well” across the enterprise.

ERM is a leadership challenge. It is virtually impossible to predict all material variables accurately and to do so with precision at the pace required by a rapidly shifting market. In 2022, it is important that leaders make investments that help them more effectively anticipate, mitigate, and manage business risk. Five areas of focus should be top of mind.

No. 1: Labor shortages.

This is a topic of conversation in virtually every C-suite: Staff are “stressed, overworked, and in high demand”—and health systems are struggling to find creative solutions to lessen the load. Nurse turnover rates alone average 17.2%, while 43% of physicians are considering early retirement. Moreover, when new graduates enter the workforce, they are unprepared to provide the level of care required during the pandemic.

But there’s another workforce shortage that is vexing hospitals: the shortage of nonclinical frontline staff and lower-wage clinical workers who can get paid more at Target, Walmart, or Whole Foods—and experience less grief—than at a hospital. Experts predict healthcare organizations could face a shortage of more than 3 million lower-wage clinical workers by 2026.

All of this is happening at a pace we could not have expected just eight months ago – potentially putting patient safety and retention at risk. While some organizations, such as Summa Health, have explored creative strategies to combat workforce shortages—such as reducing hospital beds by more than 20% to give short-staffed teams a reprieve—the surge of COVID-19 cases ultimately made this impossible. “It was an aspiration at the time, but right now, it’s hard to even answer the question [around volume] day to day,” Cliff Deveny, MD, CEO, Summa Health, told the Akron Beacon Journal.

This phenomenon flips traditional thinking about workforce management on its head. Typically, we look to healthcare workers to create scale and broaden growth. These levers enable growth and strengthen performance under value-based contracts. Now, with fewer resources in place, leaders must create the means to reduce healthcare consumption.

How can leaders implement ERM strategies related to labor—and how can they balance these strategies with the mission to meet community health needs, even in the presence of economic headwinds?

Here are six emerging prerequisites:

  • Reshape the workforce to adapt to near-term demand.  
  • Look for opportunities to reduce consumption of services—clinically and operationally—through improved efficiency, throughput, and capacity management.
  • Double down on strategies that navigate patients to the right care setting.
  • Get creative in recruiting talent.  
  • Investigate the number of healthcare training slots in your community, the percentage of slots that are filled, and whether there are enough to fill routine needs.
  • Automate workflows to improve the employee and customer experience.

No. 2: Capital planning.

Most capital plans were created in more stable times. Those funded with bonds include a risk section that reflected a stable operating environment.

Now, healthcare leaders must examine not just whether they have the right capital plan for an evolving environment, but also whether the financial covenants in their bond documents, combined with their operating performance, put their organizations at risk of default (for example, when they fail to meet the minimum required debt service coverage ratio or liquidity requirements, such as days cash on hand).

In instances where health systems are spending less on capital even with massive influxes in cash flow, there is also the business risk associated with lack of investment in innovation amid a period of disruption in healthcare. One example is the move toward remote patient monitoring, a market projected to reach $4.1 billion by 2028. This phenomenon, which stems from increased demand for home care capabilities during the pandemic, forces leaders to consider whether they are overleveraging physical facility assets and what they should do to right-size in-person care to match current demand.

Further, a hospital or health system’s future financial position could be adversely affected by legislation, regulatory actions, economic conditions, increased competition from other providers, changes in demand for healthcare services, and demographic changes. Any of these business risks could have a material adverse effect on the organization’s financial health—which could affect the organization’s ability to make payments under loan agreements.

ERM likely will impact your organization’s capital finance agenda, especially if it’s tax-exempt. The imperative for leaders: Balance financial risk with your organization’s mission imperative to invest in care delivery and resources. This demands a more strategic, integrated approach to cost containment—one that prioritizes the goals that matter most, operationalizes improvement and automates measurement.

No. 3: Energy consumption and social determinants of health.

More and more, consumers view a health system’s efforts to reduce energy consumption as a sign of its commitment to its mission to improve community health.

Today, air quality and water quality are considered social determinants of health, given their effects on gastrointestinal, neurological, respiratory and even reproductive health. Among not-for-profit healthcare organizations, which must conduct a community health needs assessment (CHNAs) every three years to maintain tax-exempt status, the call for CHNAs to reflect organizations’ work around eliminating social determinants of health is gaining steam. It’s not hard to imagine a time when an organization’s work toward reducing its carbon emissions will become a focal point in CHNA review.

Developing a robust plan for energy efficiency and sustainability also makes good business sense, given that energy use comprises 51% of facility expenses. At Robert Wood Johnson University Hospital Somerset, a $5.7 million investment in energy efficiency improvements will save more than $600,000 annually.

However, as trailblazers in this area can attest, this work is not easy. It takes long-term investment and a shift in culture to reduce energy consumption.

In 2022, consider the following steps:

  • Take stock of your organization’s environmental activities, pressures, and impacts.
  • Use the data from this analysis to develop a game plan for energy efficiency.
  • Once your organization has decided on a course of action, work to secure organizational buy-in and the necessary funding.
  • Develop a targeted communication plan to keep the momentum going.
  • Make sure you have the processes and tools in place to capture and report on the organization’s efforts.

No. 4: Cyber risk.

Data is the new oil, but access to that data via more consumer-centric channels heightens cyber risk.

Healthcare organization now have more IT assets per employee than any other industry in the world, with 10 to 20 devices per employee. This creates the largest attack surface with the least dollars spent per device on cybersecurity—and thus the easiest target to attack.

The currency of consumer data contained in patients’ health records—from social security numbers to financial and demographic data—also makes healthcare a prime target for cyberattack. In 2021 alone, 82% of health systems were the victim of cyberattack.

In 2022, healthcare leaders must become more strategic about developing a cyber defense. Here are a few ways to start:

  • Remember that cybersecurity is not just a technology issue. Security must be built into everything an organization does, not bolted on. As you roll out new processes, hire new personnel and implement new technology, cybersecurity should be incorporated into each element of the organization’s daily thinking.
  • Strengthen security of connected resources. Interconnected resources increase efficiency, but they also expose your organization to higher levels of business risk. Before your organization plugs in a new interconnected asset, it is vital to understand how the asset will help your organization meet its mission, the ways in which that asset can be secured, where it can be placed within the organization’s security architecture, and the risks that the asset presents.
  • Conduct an annual assessment of your cyber posture. Complete a third-party cyber maturity assessment on an annual basis. This provides a deeper view of an organization’s cybersecurity gaps. It also generates a road map for measuring and improving cybersecurity maturity—vital to managing enterprise risk.   

No. 5: Increased pricing transparency.

When the price transparency regulations took effect in January 2021, many in the industry thought they could just pay the fine and it would pass. As a result, one month after the regulations took effect, 30% of hospitals were not in full compliance with either aspect of the price transparency rule.

But the focus on price transparency has not dissipated. Instead, price transparency has expanded beyond a matter of compliance to an area of operational concern under the “No Surprises Act,” set to take effect on New Year’s Day. Organizations that lack controls to support compliance with this act leave themselves vulnerable to enforcement action.

The stakes—consumer trust and loyalty and the organization’s market position—are too high for leaders not to put their organization’s best foot forward. To make a “good faith” effort to achieve compliance, leaders should ask the following questions:

  • Scheduling: How well does your organization validate in-network versus out-of-network coverage for non-employed providers? Are provider enrollment checks performed?
  • Billing: How effective are your processes for adjusting or reviewing patient liabilities that fall outside the “good faith” threshold?
  • Insurance verification/eligibility: Does your organization maintain strong processes around certification of benefits and eligibility? Are you comfortable with your price estimate process?
  • Case pricing: Does your negotiating team have the appropriate support to navigate the independent dispute resolution process?
  • Contract negotiations: Where does your organization stand relative to market median for your geography?

A New Enterprise Risk Playbook for a New Year

It will take strong ERM muscle to mitigate these threats in 2022. Executive support is crucial; in fact, our 2021 survey shows executive support for ERM presents the most impactful improvement that organizations can make to anticipate and respond to volatility.

By integrating ERM into management processes, developing well-established mechanisms for risk identification and response, and creating a culture that accepts business risk as part of everyday business, healthcare organizations can more successfully evolve ERM from a check-the-boxes compliance exercise to a fundamental component of doing business in a rapidly evolving environment.

About the Experts

Back to top