9 best practices towards an effective Enterprise Risk Management Program

An enterprise risk management (ERM) program identifies, assesses and quantifies the risks posed to an organization. An effective Enterprise Risk Management program uses a cross-cutting methodology to prioritize the identified risks and to find ways to mitigate, control and monitor them.

Provident has identified lessons learned and best practices from developing, assessing and revamping client ERM programs.

Here are 9 things to consider whether you are evaluating an existing Enterprise Risk Management program or considering adopting a new ERM program:

  1. Ensure a strong message and directive come from the Board and the executive level – Organization-wide buy-in and participation is easiest when an ERM program is mandated or required by Board activities.
  2. By the same token, involve all staff, from management to front-line employees, in discussions of perceived and known risks – An open and tolerant environment will help staff members feel more comfortable identifying clinical and business processes and practices that pose risks.
  3. Utilize previous work, minutes, corrective actions and news – Don’t reinvent the wheel. Use documentation from previous events and initiatives to identify risks and ways to mitigate and monitor those risks.
  4. Create a well-represented Steering Committee that will spearhead the ERM program – Include representatives from strategy, finance, compliance and business and clinical operations. Ensure a reporting structure is developed from sub-committees to the Board.
  5. Create sub-committees / facilitated sessions – Hold brainstorming sessions where representatives from strategy, finance, compliance and operations meet to discuss risks they are observing within their areas. For example, a compliance sub-committee can include medical staff services, coding/billing, research, patient financial services and other departments beyond the risk management and compliance teams.
  6. Develop a clear and well-defined risk matrix to categorize and score identified risks – A risk matrix should utilize a standardized scoring matrix to apply to all risks. For example, consider how each risk “ranks” against a facility’s reputation, financial profile and internal controls and vulnerability.
  7. Revisit risks and mitigation plans frequently – Develop a schedule for revisiting identified risks and evaluating the effectiveness of mitigation plans. An organization’s risk profile changes as new regulations, medical technologies, payment programs, etc. are added.
  8. Align top risk items with overall organization strategic priorities – An ERM program should not be siloed. An effective ERM program should inform the identification and prioritization of an organization’s strategic priorities and other high-level decision-making.
  9. Embed approaches to risk identification and mitigation within day-to-day processes – A strong ERM program should cultivate a proactive approach to continuous risk identification and improvement. Communication, documentation and mitigation plans should be embedded within the day-to-day operations of all departments.
