AMERICAN

ASI-IRM SOCIETY FOR

HEALTHCARE
RISK
• MANAGEMENT

safe and trusted healthcare

A professional membership group of the
American Hospital Association

HEALTHCARE
RISK MANAGEMENT

M
FUNDAMENTALS
R
y
H
ht nl
The essential resource for risk management, patient safety, insurance, legal,
AS
ig O

financial and other related professionals in health care

yr w
op ie
C ev
Pr
 HEALTH CARE
RISK MANAGEMENT

M
FUNDAMENTALS

R
y
H
ht nl
The essential resource for risk management, patient safety, insurance,
legal, financial and other related professionals in health care
AS
ig O
yr w
op ie
C ev
Pr
 © 2017 ASHRM

The American Society of Healthcare Risk Management (ASHRM)

of the American Hospital Association
155 North Wacker Drive, Suite 400
Chicago, IL 60606
(312) 422-3980

ASHRM@aha.org
www.ASHRM.org

M
To purchase additional copies, visit www.ASHRMstore.org.

R
ASHRM catalog number: 178164

y
H
ht nl
AS
ig O
yr w
op ie
C ev

ASHRM Disclaimer

This document is provided by ASHRM as a service to its members. The information provided may
Pr

not apply to a reader’s specific situation and is not a substitute for application of the reader’s own
independent judgement or the advice of a competent professional. Neither ASHRM nor any author
makes any guaranty or warranty as to the accuracy or completeness of any information contained in
this document. ASHRM and the authors disclaim liability for personal injury, property damage, or
other damages of any kind, whether special, indirect, consequential, or compensatory, that may result
directly or indirectly from use of or reliance on this document.

First Edition

2 Risk Management Fundamentals

Contents
Foreword.......................................................................................................................................... 5
Contributors.................................................................................................................................... 7

Chapter 1: History of Risk Management in Health Care and the Evolution to Enterprise Risk

M
Management.................................................................................................................................. 11
Ann Gaffey

R
Sue Boisvert

y
H
ht nl
Chapter 2: The Risk Manager as Leader......................................................................................... 21
AS Bob Bunting
ig O
Ann Gaffey

Chapter 3: Health Care Risk Management Operations.................................................................. 35

yr w

Mike Midgley
op ie

Heather Marchegiani
C ev

Chapter 4: Clinical Risk Management and Patient Safety............................................................. 125

Cynthia Siders
Pr

Chapter 5: The Legal and Regulatory Environment...................................................................... 171

Dan Groszkruger
Dann Brown
Fay Rozovsky

Chapter 6: Claims and Litigation Management............................................................................ 219

Pamela Popp
Karen Markwith

www.ASHRM.org 3
 Chapter 7: Fundamentals of Risk Financing................................................................................. 241
Mike Midgley
Pamela Popp

Chapter 8: Technology and Data in Health Care.......................................................................... 289

Bob Chaput
Dann Brown
Sue Boisvert

Chapter 9: Human Capital Management..................................................................................... 345

M
Cynthia Siders
Sherrill Peters

R
y
H
ht nl
References.................................................................................................................................... 365
Index............................................................................................................................................ 405
AS
ig O
yr w
op ie
C ev
Pr

4 Risk Management Fundamentals

Foreword

M
R
y
H
ht nl
AS
ig O
yr w
op ie
C ev

This book is intended to help a new risk manager understand the fundamentals of the discipline
of enterprise risk management, but also to assist the veteran risk manager in understanding areas
Pr

of the field with which he or she has had little experience. The book is based on the enterprise risk
management (ERM) model, and it illuminates the domains of ERM. However, it is not intended as
an in-depth treatise on any of the subjects discussed. Rather, it is intended to allow the enterprise risk
manager to understand the risks associated with all the moving parts of a health care organization and
serve as a resource in obtaining Certified Professional in Healthcare Risk Management (CPHRM)
designation.

The enterprise risk management model does not presuppose that risk managers are content experts
in the functions of all departments or functions that bear some degree of risk throughout the
organization. Risk managers are invariably true content experts in one area: risk management.
However, the basic tenets of risk management are a philosophy and an approach that can be used
to manage a number of risk issues throughout the facility. In order to be a resource to these other

www.ASHRM.org 5
 departments and functions, the risk manager has to have a certain level of familiarity with the issues
presented by other departments and functions.

That is where this book comes in. It is a resource for the new enterprise risk manager or the seasoned
traditional risk manager who wants to help apply enterprise risk management principles inside the
organization. This book will not equip the risk manager to be a chief information officer; it will equip
the risk manager to speak to the CIO with a basic level of information about health information
technology. It will not teach the risk manager how to be a human resources (HR) professional, but it
will equip the risk manager to discuss the risks of human capital with an HR professional.

This publication should form, as its name implies, the fundaments of the enterprise risk manager’s
library. One likely cannot obtain subject matter expert mastery of all the concepts outlined in this

M
book, nor should one try. However, risk managers often need more information about a given
subject. For example, if a facility has a patient safety officer in addition to the risk manager, this

R
book will provide much of the information the risk manager needs to interact with the patient

y
safety officer. However, if the risk manager is also the patient safety officer, the risk manager may

H
ht nl
want to review ASHRM’s “Patient Safety Risk Management Playbook: Identify, Analyze and Present
Meaningful Data” for greater detail about the subject. ASHRM has developed, or is in the process
of developing, playbooks on a wide variety of issues of interest to risk managers. These playbooks
AS
ig O
provide a higher level of detail about the subjects included in this treatise for those whose job duties
require greater detail than can be afforded by a foundation-level publication.
yr w

A note of thanks is due to the contributors to this work, without whose hard work this book would
never have come to fruition. The contributors include some of the true thought leaders on these
op ie

topics as well as thought leaders in the field of risk management. It has been my honor to work
with them, to read what they have written, and to combine it all into a valuable reference for all risk
managers.
C ev

John C. West, JD, MHA, DFASHRM, CPHRM,

Editor
Pr

6 Risk Management Fundamentals

Contributors

M
R
y
H
ht nl
AS
ig O
yr w
op ie
C ev

Susan Boisvert, BSN, MHSA, CPHRM, FASHRM, is a Senior Risk Specialist with Coverys. Ms.
Boisvert is a registered nurse with a Master’s degree in Health Services Administration from St.
Pr

Joseph’s College of Maine and a Bachelor of Science in Nursing from the University of Connecticut.
She is a Certified Professional in Healthcare Risk Management (CPHRM) and a Fellow of
the American Society for Healthcare Risk Management (ASHRM). Ms. Boisvert is a frequent
presenter at regional and national conferences, and she regularly contributes to health care and risk
management journals and publications.

Dann W. Brown, JD, CPPS, CPHRM, FASHRM, has nearly 30 years of health care experience; the
last 10 have been dedicated to health care risk management and patient safety. He has consulted with
health care facilities nationwide about how to improve their care delivery processes. He is a past president
of the North Texas Society for Healthcare Risk Management (NTSHRM) and has served as a member
on several ASHRM committees and projects. His interests include the use of technology to improve
patient engagement, the impact of legalization of marijuana, and ethics related to substituted judgment.

www.ASHRM.org 7
 Robert F. Bunting Jr., PhD, MHA, DFASHRM, CPHRM, CPHQ, MT(ASCP), has more than
30 years of health care experience in risk management, quality improvement, data analytics, and
laboratory science. He has lectured nationally on risk management topics and has written numerous
articles, book chapters and books. Dr. Bunting was the editor of the first three editions of ASHRM’s
CPHRM study guide.

Bob Chaput, MA, CISSP, HCISPP, CRISC, CIPP/US, is widely recognized for his extensive
and in-depth knowledge of health care compliance and cyber risk management. He is one of the
industry’s leading authorities in health care information security and cyber risk management today.
As a leading authority on safeguarding health data, Mr. Chaput has supported hundreds of hospitals
and health systems to successfully manage health care’s evolving cybersecurity threats and ensure
patient safety.

M
Franchesca J. Charney, RN, BS, MSHA, CPHRM, CPHQ, CPSO, CPPS, DFASHRM, is the

R
Director of Risk Management for the ASHRM in Chicago. She is a registered nurse (R.N.) with a

y
Master Degree in Healthcare Administration. She has served on the PA Medical Society Executive

H
ht nl
Council on Patient Advocacy and is a certified trainer in Just Culture and a master trainer in
TeamSTEPPS. Ms. Charney has also furthered her knowledge in health care risk management by
achieving certificates in Health Care Law and ASHRM Barton and Patient Safety curriculums.
AS
ig O
Charney also has a certificate in Lean Six Sigma and black belt. Ms. Charney served as the Managing
Editor for this publication, "Health Care Risk Management Fundamentals."
yr w

Ann D. Gaffey, RN, MSN, CPHRM, DFASHRM, is President of Healthcare Risk and Safety
Strategies LLC, an independent consulting firm providing risk management consulting services
op ie

nationally to health systems and health care providers. She has more than 25 years of experience in
health care risk management, patient safety and quality. Ms. Gaffey is a frequent speaker at state
and national conferences on a wide range of risk management and patient safety topics, and she has
C ev

been an author of articles published in peer-reviewed journals. She serves as ASHRM Faculty, and is
adjunct faculty at George Washington University. Ms. Gaffey has served on the ASHRM Board of
Directors, and she served as the President of ASHRM in 2016.
Pr

Dan Groszkruger, JD, MPH, CPHRM, DFASHRM, leads rskmgmt.inc, a consulting firm serving
the patient safety and health care risk management fields. Mr. Groszkruger is a health care attorney,
and was formerly a hospital executive, in-house counsel, compliance officer and risk manager. Mr.
Groszkruger is a regular presenter, author and faculty member. He has served on the Board of
Directors of ASHRM, on the CPHRM oversight committee, and currently he serves on the editorial
board for ASHRM’s Journal of Healthcare Risk Management and chairs ASHRM’s Advocacy Task
Force.

8 Risk Management Fundamentals

Heather Marchegiani, MBA, has nearly 10 years experience in risk management, primarily focusing
on assisting physicians and other healthcare providers mitigate their malpractice risk and improve
patient safety. Through her work in risk management, Ms. Marchegiani has specialized in project
management for implementation of risk education and consulting initiatives, operations (including
finance), contract management, and introducing metrics to measure success, and customer service
and business development. Ms. Marchegiani received her Bachelor’s degree from the University Of
Connecticut School Of Business, and her Master’s in Business Administration from Western New
England University.

Karen M. Markwith, RN, MJ, CPHRM, CHPS, holds a Bachelor of Science in Nursing degree
from Pacific Lutheran University and a Masters’ of Jurisprudence from Loyola University Chicago
School of Law. Ms. Markwith has been a registered nurse for 34 years and has worked in a variety

M
of leadership positions within a health care system, including in positions in risk management for
18 years. She has experience in both ambulatory and inpatient settings. Ms. Markwith has been

R
a member of ASHRM since 1999. She is currently the Director of Quality and Patient Safety at

y
Virginia Mason Medical Center in Seattle.

H
ht nl
Mike Midgley, RN, JD, MPH, CPHRM, DFASHRM, is an experienced health care risk manager,
nurse, insurance professional and attorney licensed in New York. He earned his Juris Doctor degree
AS
ig O
from Fordham University, his Master of Public Health degree from the University of Medicine and
Dentistry of New Jersey, and a Bachelor of Science in Nursing degree from Rutgers University. Mr.
Midgley was the 2017 President of ASHRM. He is a Clinical Assistant Professor at Stony Brook
yr w

University School of Health Technology and Management, where he teaches Advanced Practice for
Risk and Safety Officers in the Master of Science in Patient Safety Program. He has authored various
op ie

health care risk management resources, and he routinely provides health care risk management
lectures locally, nationally and for international audiences.
C ev

Pamela L. Popp, MA, JD, DFASHRM, CPHRM, AIM, has managed and internalized some of
the largest health care liability claims programs in the United States, including Stanford University
Medical Center, Tenet Healthcare, Spectrum Healthcare Services, and SSM Health Care. She has
Pr

served in risk and claims management consulting roles on the brokerage side as well as in-house with
several large malpractice carriers. She served as the President of ASHRM, and she was a multi-year
Board member as well as a two-term President of the American Hospital Association's Certification
Center (which develops and administers the CPHRM). Ms. Popp served as President of the Board
of the International Center for Captive Insurance Education, and she continues as faculty on health
care captive and risk financing topics. She is an international speaker and author on various risk
and claims topics. Ms. Popp received her Juris Doctorate from Saint Louis University and her dual
Master's in Health System Management/Legal Studies from Webster University. She has earned the
CPHRM certification and the Associate in Management (AIM), and she is a Distinguished Fellow
with ASHRM. In 2007, Ms. Popp was awarded ASHRM’s Distinguished Service Award.

www.ASHRM.org 9
 Sherrill Peters, BSN, ARM, CPHRM, FASHRM, has been the senior director of risk management
at Community Health System in Franklin, TN for 15 years. Before that, Ms. Peters worked for
HCA for 18 years. Her background includes obstetrical nursing, acute care nursing, physician
practice risk management, liability claims management (including employment claims) and facility
support for risk mitigation, disclosure and risk prevention for 200+ facilities and 3000+ employed
physicians. She served on the ASHRM board of directors in 2003-2004 and 2014-2016, on the
nominating committee in 2017-2018 and has been a faculty member for ASHRM for 15+ years.

Fay A. Rozovsky, JD, MPH, DFASHRM, is President of The Rozovsky Group, Inc. A lawyer and
risk management consultant, Ms. Rozovsky is the author and co-author of numerous books and
articles about topics in health care risk management, health law and patient safety. Her treatise,
“Consent to Treatment: A Practical Guide,” has been cited by several state and federal courts,

M
including the U.S. Supreme Court. Ms. Rozovsky is a past president of ASHRM and the recipient
of the Distinguished Service Award. She is also a faculty member in the ASHRM Healthcare Risk

R
Management Certificate Program.

y
H
ht nl
Cynthia (Cyndi) Siders, RN, MSN, CPHRM, DFASHRM, CPPS, has more than 30 years
of health care, administrative and insurance experience, and 25 of those years have been spent
focused on risk management and patient safety. Ms. Siders’s responsibilities as CEO and Executive
AS
ig O
Consultant of Siders HealthCare Consulting, LLC include providing customized risk management
and patient safety professional consultation and strategic support, coaching, mentoring and
education for health care organizations and health systems, risk management companies, insurance
yr w

and claims management companies, and insurance agencies. Ms. Siders is a frequent speaker at
state and national meetings on a variety of risk management and patient safety topics, and she has
op ie

authored several national publications. Ms. Siders is past president of the North Dakota Society for
Healthcare Risk Management and serves as faculty for the ASHRM Healthcare Risk Management
Certificate Program: Essentials.
C ev

John C. West, JD, MHA, DFASHRM, CPHRM, is currently employed as the Principal of West
Consulting Services LLC, an independent risk management and patient safety consulting firm that
Pr

specializes in continuing medical/legal education for physicians and nurses. He holds a law degree
from Chase College of Law, a master’s degree in health services administration from Xavier University
and a Bachelor’s Degree in biology from the University of Cincinnati. He holds the designation
of Distinguished Fellow of the ASHRM. He received the Presidential Citation Award (2011) and
the Distinguished Service Award (2001) from ASHRM, which are its highest honors. He has been
a CPHRM since 2006. Mr. West has been the author of the “Case Law Update” column, which
appears quarterly in the Journal of Healthcare Risk Management, since 1994. He is a regular speaker
at national and regional risk management meetings and has published numerous articles on risk
management. Mr. West served as the Editor for this publication, "Health Care Risk Management
Fundamentals."

10 Risk Management Fundamentals

Chapter 1

History of Risk
Management in Health

M
Care and the Evolution

R
y
to Enterprise Risk

H
ht nl
Management
AS
ig O
yr w
op ie
C ev

INTRODUCTION
Pr

In health care, everyone is a risk manager. The housekeeper who follows protocol and ensures
that the correct germicide is used on the correct surfaces for the correct amount of dwell time is
managing risk. The receptionist who collects demographic information, such as current primary
care provider; health care insurance information; and preferred contact number, name, and gender
identity and pronoun, is managing risk. The chief executive officer who controls the margins to
maintain the mission is managing risk. The business analytics staff members who collect and col-
late data to produce real-time, actionable business intelligence tailored to the needs of end users
are risk managers, as are the providers, clinicians, managers, patients and families who act on the
data provided. Multiply these examples by the dozens, hundreds and perhaps even thousands of
individuals who interact with health care every day, and there is a veritable army of visible and
invisible risk managers functioning in an environment saturated with information just waiting to be
massaged into actionable data that can be applied to mitigate risk.

www.ASHRM.org 11
 The ability to identify, analyze, translate and package data into actionable intelligence can be greatly
enhanced by using a framework or model. Models and frameworks are extremely common in health
care. Here are some examples, some of which will be elaborated upon in other chapters:

 Nursing Process: Assess, diagnose, plan, implement, evaluate1

 Quality Improvement: Plan, do, study, act2
 Triple Aim: Improve the experience of care, improve the health of populations, reduce the per
capita cost of care3
 High Reliability Organization (HRO): Preoccupation with failure, reluctance to simplify,
sensitivity to operations, commitment to resilience, deference to expertise4

M
TRADITIONAL RISK MANAGEMENT MODEL
Risk management also has frameworks, models and defined processes. Although the remainder of

R
the book will focus on risk in an enterprise risk management (ERM) model, it is important to review

y
the foundation of risk management in health care to view where we came from with an eye to where

H
ht nl
we are going. In the early 1970s, health care was in crisis. Medical claims were on the rise, which
was pushing the cost of medical professional liability coverage beyond affordability. Hospitals began
looking for ways to control these costs. Clinical risks are active and tangible and have the potential
AS
ig O
for significant consequences to the organization, providers, staff, patients and patients’ families. Early
clinical risk management incorporated the traditional risk management (TRM) concepts of risk
identification, risk analysis, risk control, risk financing and claims management.
yr w

Risk Identification
op ie

Risk identification involves identifying and evaluating actual and potential risks. Retrospective risk
identification tools include incident reports, chart review with trigger tools, surveys, debriefs and
root cause analyses. Prospective tools include SWOT (internal strengths and weaknesses and external
C ev

opportunities and threats), SWIFT (structured what-if technique) and FMEA (failure mode and
effects analysis). FMEA also contains elements of risk analysis.
Pr

Risk Analysis
Risk analysis is the quantification of risk based on an agreed upon set of criteria. Early on, risks
were classified according to a high/low assessment of frequency and severity. This resulted in a four-
quadrant grid: low frequency-low severity, low frequency-high severity, high frequency-low severity
and high frequency-high severity. As risk management matured, the need and ability to analyze risk
also matured. Widening the high-low scale to a range of options (high, medium, and low or five
through one) increases the sensitivity of the analysis.

12 Risk Management Fundamentals

Risk Control
Risk control is the process of preventing losses and/or developing mitigation strategies for identified
risks that are difficult or impossible to prevent. Risk control is a spectrum, with risk avoidance on
one extreme and risk transfer on the other. Clinical risk management tends to focus more on the in-
between activities of loss prevention, loss reduction, and separation or loss segregation.

Risk Financing
Risk financing includes planning and activities associated with financing loss. Strategies may include
transferring risk to another party, such as an insurer, or contractually transferring risk through
indemnification and hold harmless language. Retained risk may be financed by insurance or self-
insurance or establishing loss reserves, or it may simply be tolerated without financing based on the
organization’s risk appetite.

M
Claims Management

R
Claims management includes all activities associated with litigation. These activities include

y
reporting, investigating the allegations, determining coverage, securing counsel, managing the claim,

H
ht nl
and settlement and regulatory reporting.

AS
The application of traditional risk management techniques to clinical risk was a natural progression.
ig O
This new discipline required a specific set of skills, including curiosity, critical thinking, situational
awareness, basic management and communication. The newly minted position of health care risk
manager was initially filled by experienced clinicians, usually nurses. This approach made sense given
yr w

the identified needs and resources on hand. However, one of the most enduring questions in health
care risk management is whether a clinical background (or license) is a requisite for practice. There
op ie

are persuasive arguments on both sides.

C ev

As the profession developed, so did structure and function. The American Hospital Association (AHA)
recognized the importance and utility of clinical risk management as a budding discipline and organized
a small group called the Hospital Association of Risk Managers (HARM) in 1973. The group held
several exploratory meetings over a period of years. The traditional clinical risk management model was
Pr

beginning to gain traction. The Ohio Society of Healthcare Risk Managers was founded in 1978 and
became the first state-based health care risk management association. The success of these early initiatives
prompted a series of formal meetings between the AHA and emerging risk management leaders, which
resulted in the formation of the American Society of Healthcare Risk Managers (ASHRM) in 1979. The
first annual ASHRM business meeting and educational conference was held in New Orleans in 1980.
ASHRM became the American Society for Healthcare Risk Management in 1984, and by 1985, there
were 29 affiliated chapters. The first issue of Perspectives in Healthcare Risk Management was published
in 1987, laying the groundwork for today’s Journal of Healthcare Risk Management. As the organization
grew in membership, chapters and knowledge, additional resources were added, including the first
edition of the “Risk Management Handbook for Healthcare Facilities” in 1990. ASHRM’s programs,
expertise, publications, resources and membership continued to grow. Fellow and diplomat designations
as well as certifications were added. The first CPHRM examination was held in 2000.

www.ASHRM.org 13
 With the dawn of a new millennium came a change in focus. According to Roberta Carroll, “The
risk management professionals thought their efforts to avoid, prevent, and manage clinical risk
would preserve the financial assets of the organization through the delivery of safe patient care.
Somewhere along the way this message was lost.”5 Health care had moved from hospital-based
disease management to a complex array of inpatient, outpatient and post-acute care delivery models,
organizations and systems. Getting the right care to the right person at the right time in the right
way was more challenging than ever, as was managing risk. It became clear that the elements of
traditional management continued to have value, but the clinical focus was “fragmented into silos of
responsibilities and accountabilities across the organization with no clear coordination, facilitation, or
communication… risks had been managed if they were standalone, disparate business units with no
oversight or relationship with other units.”6 The concept of managing risk from an organization-wide
perspective across departments was beginning to gain acceptance. Traditional risk management was

M
maturing into enterprise risk management (ERM).

R
THE EVOLUTION TO ENTERPRISE RISK MANAGEMENT

y
The vision of ASHRM is to be the leader in advancing safe and trusted health care through enterprise

H
ht nl
risk management, with a strategic goal to facilitate effective decision making in the health care industry
through the application of enterprise risk management.7 ASHRM has adopted the following definition:
“Enterprise risk management in health care promotes a comprehensive framework for making risk
AS
ig O
management decisions which maximize value protection and creation by managing risk and uncertainty
and their connections to total value.”8 Each organization’s ERM framework will vary depending on the
culture, strategy, mission, vision and readiness to advance to this model of managing risk.
yr w

What does this mean for the traditional clinical risk manager? It depends on the scope, scale and
op ie

complexity of the organization; whether ERM has been embraced by leadership; and whether
the culture supports this change. The position of clinical risk manager continues, but duties,
responsibilities and reporting structure may be very different. Direct clinical knowledge is becoming
C ev

less important and is being replaced by leadership, informatics, team building, communication,
project management and data analysis skills. Role delineation between risk, quality and patient safety
is changing, as are titles. Taking a leadership role to advance ERM, even if informally, will be critical
Pr

to lead the complex task of transitioning from traditional risk management to an ERM program.

Domains of Enterprise Risk Management

Risk in health care has myriad facets. Every area of the health care facility’s operation carries risk of
one sort or another. There are eight domains of ERM, all of which focus on specific types of risks.
While these are not necessarily within the risk manager’s scope of responsibility, it is important that
the enterprise risk manager have familiarity with them. If the enterprise risk manager is to assist other
leaders with addressing the risk issues in various departments or functions, the risk manager must
have some familiarity with the domains. The domains include:

14 Risk Management Fundamentals

Operational
The business of health care is the delivery of care that is safe, timely, effective, efficient and patient
centered within diverse populations. Operational risks relate to those risks resulting from inadequate
or failed internal processes, people or systems that affect business operations. Included are risks
related to adverse event management, credentialing and staffing, documentation, chain of command
and deviation from practice. This domain is further examined in Chapter 3.

Clinical/Patient Safety
These are risks associated with the delivery of care to residents, patients and other health care
customers. Clinical risks include failure to follow evidence-based practice, medication errors,
hospital-acquired conditions (HAC), serious safety events (SSE) and others. This domain is the
subject of Chapter 4.

M
Strategic

R
These are risks associated with the focus and direction of the organization. Because the rapid pace

y
of change can create unpredictability, risks included within the strategic domain are associated with

H
ht nl
brand, reputation, competition, failure to adapt to changing times, health reform and customer
priorities. Managed care relationships/partnerships; conflicts of interest; marketing and sales;
media relations; mergers, acquisitions, divestitures, joint ventures, affiliations and other business
AS
ig O
arrangements; contract administration; and advertising are other areas generally considered to carry
potential strategic risks. Strategic risks are addressed in Chapter 5.
yr w

Financial
Decisions that affect the financial sustainability of the organization, access to capital and external
op ie

financial ratings through business relationships, or the timing and recognition of revenue and
expenses make up this domain. Risks might include costs associated with malpractice, litigation and
insurance; and capital structure, credit and interest rate fluctuations, foreign exchange, growth in
C ev

programs and facilities, capital equipment; corporate compliance (fraud and abuse); and accounts
receivable, days of cash on hand, capitation contracts, billing and collection. The aspects of financial
risk most relevant to risk managers are examined in Chapters 6 and 7.
Pr

Human Capital
This domain refers to the organization’s workforce. This is an important issue in today’s tight labor
and economic markets. Included are risks associated with employee selection, retention, turnover,
staffing, absenteeism, on-the-job activity, work-related injuries (workers’ compensation), work
schedules and fatigue, productivity, and compensation. Human capital-associated risks may cover
recruitment, retention and termination of members of the medical and allied health staff. The risks
associated with human capital management are explored in Chapter 9.

www.ASHRM.org 15
 Legal and Regulatory
Risk within this domain incorporates the failure to identify, manage and monitor legal, regulatory
and statutory mandates on a local, state and federal level. Such risks are generally associated with
fraud and abuse, licensure, accreditation, product liability, management liability, Centers for
Medicare & Medicaid Services (CMS) Conditions of Participation (CoP), and Conditions for
Coverage (CfC), and issues related to intellectual property. The legal and regulatory environment is
discussed in Chapter 5.

Technology
This domain covers machines, hardware, equipment, devices and tools, but it can also include
techniques, systems and methods of organization. Health care has seen an explosion in the use
of technology for clinical diagnosis and treatment, training and education, information storage

M
and retrieval, and asset preservation. Examples also include risk management information systems
(RMIS), electronic health records (EHRs) and meaningful use, social networking and cyber liability.

R
Chapter 8 addresses the risks associated with technology.

y
H
Hazard
ht nl
This ERM domain covers assets and their value. Traditionally, insurable hazard risk has related to
natural exposure and business interruption. Specific risks can also include risks related to facility
AS
ig O
management, plant age, parking (lighting, location and security), valuables, construction/renovation,
earthquakes, windstorms, tornadoes, floods and fires. The major hazard risks faced by health care
facilities are included in Chapter 3 on operations.9
yr w

Transitioning from Traditional Risk Management to Enterprise Risk Management

op ie

There are many drivers behind health care change today, ranging from increased regulatory
pressure to demands for transparency to variability in care to reputational risk to rapidly changing
technology in the face of supply chain vulnerability to a changing health care model and more.
C ev

Each organization will have primary drivers of their mission and strategy, and each will be impacted
in some way by these demands for change. Keeping in mind that the five basic risk management
principles are still relevant and necessary when advancing to an ERM model, the time needed to
Pr

transition from TRM to ERM will vary widely by organization. Successful transition begins with an
assessment of the organization’s readiness to move toward an ERM model and an evaluation of the
need for governance and leadership education around ERM concepts and program development, and
it continues all the way through understanding and defining risk appetite and tolerance to program
implementation.

An efficient way to consider what the future state of an ERM program looks like in an organization
is to consider the longitudinal view of operations in a specific setting, such as a hospital. There is
a structure to the organization – processes in place that direct operational, clinical and financial
decision making – and these processes generate outcomes. These processes can be visualized as
domains of risk that have synergistic relationships among and between them. Few if any activities

16 Risk Management Fundamentals

occur in a health care setting where only one domain is impacted. The ASHRM ERM model
recognizes eight domains: operational, clinical and patient safety, human capital, financial, legal and
regulatory, strategic, technology, and hazard. Risk identification, analysis and control are distributed
across all eight domains of the ASHRM ERM model and include individuals within the domains
who have the content expertise to share and help their direct efforts. For example, when considering
the technology domain, the chief information officer is likely to be the subject matter expert when
considering risk that resides in or crosses over that domain. Similarly, when considering the clinical/
patient safety domain of risk, natural choices for subject matter expertise might be the chief medical
officer and chief nursing officer.

Regardless of the stage of ERM adoption, it is beneficial for the health care risk manager to consider
the eight domains when evaluating current and emerging risks. On a micro level, this framework

M
can broaden the assessment of a potential risk and identify opportunities to create value for the
organization. As a simple example, consider the discharge process of escorting all patients out of

R
the hospital in a wheelchair with a transporter. While this protects value for the organization (safe

y
patient discharge), it may not be allowing for value creation. What does that look like? Consider the

H
ht nl
opportunity to allow some patients an ambulatory option for discharge by analyzing the possibilities
within the eight domains of risk in ASHRM’s ERM model as described in the following paragraphs.
AS
ig O
Operational
Efficient operations allow for patient throughput and room turn around time to be safe and timely.
When an otherwise healthy patient is ready to leave the hospital, is transportation to the front door
yr w

in a wheelchair by a transporter the most efficient process? The value created by a procedure change
in this area may improve operational efficiency and decrease the equipment needed when the number
op ie

of transports decreases.

Clinical/Patient Safety
C ev

While some patients are more safely discharged leaving the hospital by wheelchair, others can
ambulate directly from their room when the discharge process has been completed. By not having to
wait 15 to 30 minutes for a transporter to arrive with a wheelchair, patient satisfaction is increased,
Pr

a discharge is safely accomplished, and a room is vacated more quickly for the next admission. A key
performance indicator (KPI) for falls can be monitored for appropriateness of patient selection for
ambulation at discharge.

Strategic
Increased patient satisfaction with a discharge process that is performed in a safe, timely and
efficient manner increases confidence in the organization; improves reputation as patients share their
experience with others; and may improve publicly reported metrics, such as length of stay and wait
times in specific areas.

www.ASHRM.org 17
 Financial
Improved patient throughput allows for shorter lengths of stay (even if by an hour or two per patient),
which allows for less downtime and faster admission times when a room could be in use by an admitted
patient waiting for a bed. Also, fewer human and equipment resources are needed when there are fewer
transporters needed. Managing the various costs associated with the organization’s operations may have
a positive impact on profitability and other financial metrics.

Human Capital
Reduced transportation needs require fewer transporters for the task. By closely tracking transporter
needs by clinical area, a decentralized pool of resources may offer opportunities for mixed roles, such
as patient care technician responsibilities combined with transportation assistance. This may help in
executing business activities more efficiently and reliably. Other opportunities may include flexible

M
schedules for increased employee satisfaction based on data collected during high-volume transport
times.

R
y
Legal/Regulatory

H
ht nl
Patient autonomy and rights must be respected as part of the discharge process. When patient
preferences are recognized during discharge these preferences are more easily recognized and
supported.
AS
ig O
Technology
Data collected using radio-frequency identification and global positioning system capabilities for
yr w

equipment can help organizations monitor requirements for transporter frequency by location and
time of day, time saved by faster identification of equipment location, and other metrics related to
op ie

efficiency. Additional technology, such as the use of tablets, may allow for more timely and efficient
deployment and distribution of resources, and it may improve communication of discharge activities.
C ev

Hazard
Trip hazards may be reduced due to decreased equipment needs. Wheelchairs can clutter up hallways
and create hazards when not in use, and they take up storage space that could be better utilized for
Pr

other equipment or supplies.

Using micro ERM examples, such as the one above, the risk manager can demonstrate the value of
using an enterprise approach when considering new processes. It allows the team considering the
opportunity to see the importance of including all stakeholders and to identify metrics that can
quantify success in efficiency, quality, satisfaction and financial measures. With any change in process,
whether as part of a TRM or ERM program, the evaluation of the change, analysis of outcomes and
continuous improvement of the process will be necessary.

18 Risk Management Fundamentals

MOVING AHEAD WITH ENTERPRISE RISK MANAGEMENT
The basic risk management principles are the platform for moving from TRM to ERM. As the risk
manager advances in knowledge and experience, integrating the ERM discipline into everyday practice
will be essential to improve decision making with a disciplined approach to managing risk. Establishing
the framework to support an ERM program will be the first step. Recognizing the opportunities
that exist in an organization to increase or create value previously unrecognized and embedding
the elements necessary for developing an ERM discipline will move the program forward. The risk
manager will add value to the organization by providing the leadership, education and tools necessary
to advance ERM principles.

ASHRM’s ERM initiative supports the risk manager with comprehensive educational resources

M
and tools to advance the discipline of ERM. As the reader continues through this foundational
material, the ASHRM ERM domains should be utilized as a reference to consider risk broadly and
to challenge himself or herself to expand on the knowledge already gained about enterprise risk

R
management. Navigating the future of health care risk management will require a continual focus on

y
ERM. The risk manager will be poised to engage leadership at all levels, promote an organizational

H
ht nl
culture supportive of change and drive this new approach to managing risk.
AS
ig O
yr w
op ie
C ev
Pr

www.ASHRM.org 19