Risk management in health care can vary greatly across different organizations. Yet the focus on managing risk should be an integral part of all boards of directors’ ongoing discussions. So what should the directors and their senior executives be thinking about when it comes to risk management performance?
Here are five key questions:
1. What are the most critical risks that need to be prioritized and addressed?
The goal of an effective enterprise risk management (ERM) process is to identify, assess, prioritize and develop performance improvement plans for the most critical risks that could threaten the achievement of strategic and business objectives and the sustainability of the organization. Data breaches and ransomware attacks are recent examples of priority risk areas.
2. How is risk management involved in risk identification, assessment, analysis, mitigation, monitoring and communication of risk?
Just as risk management roles differ greatly among organizations, so does the sophistication of their ERM programs. Only 31% believe their organizations have complete ERM processes in place, according to The State of Risk Oversight: An Overview of Enterprise Risk Management Practices. Having the necessary resources to develop a robust ERM program will improve the identification of risk, opportunities and threats and increase the likelihood that the organization will achieve its strategic objectives.
3. Have risk management and the board defined a clear risk appetite statement to identify which risks are acceptable and which are undesirable?
Health care organizations are among the most complex to understand and manage. With all of the significant changes occurring in the sector, these organizations need to understand their risks, but also need to take acceptable strategic risks to grow and thrive in the future.
The risk appetite statement is the foundation of a successful risk management structure for aligning decision making and risk. Clearly defining the risk appetite statement is one of the most important processes for the board and the organization to understand past risk-taking qualities and align risk appetite with the strategic vision and mission.
4. What is the state of the culture of risk awareness within the organization?
Every organization needs a clear understanding of the internal philosophy of the management of risk, and this philosophy must be distinctly and openly communicated across the appropriate levels of the organization. Everyone in the enterprise needs to be responsible for risk; it starts with the board and management exemplifying good risk practices.
5. How are the organizations with the more mature ERM programs successful in managing their risks?
A well-designed, mature ERM program can identify strategic opportunities, help the organization see if objectives are being met, increase decision support and minimize uncertainty by allowing for adjustments in strategy in response to changing environmental conditions. A robust ERM program evaluates risk on a real-time basis, communicates it in a standardized nomenclature across the organization and continuously responds to regulations, controls, processes and strategic outcomes.
Revised criteria for a successful future
You’ve asked these questions and you have your answers. Now what?
Chances are you have a clearer understanding of the critical risks, the state of the enterprise risk management process, the risk appetite of the organization and the cultural awareness of risk. Just as importantly, you will also have performance metrics that will allow you to create a set of criteria to judge the success of future risk management initiatives.
To learn more, please see our article, What board members should ask about risk management performance.