Blog Post

Enterprise Risk Management: How Leading Healthcare Organizations Reduce Compliance Risk 

Strategic Management Services, LLC May 2025
LinkedIn

Healthcare organizations can no longer afford to take a reactive approach to risk management – and enterprise risk management (ERM) can help them establish a proactive posture. But what can leaders do to develop an ERM program? 

This article answers those questions and provides a clear roadmap to establish an effective program – leveraging our experience to avoid common pitfalls and ensure efficiency. 

Key Points: 

  • ERM helps healthcare organizations mitigate compliance risk 
  • Effective programs must have strong foundations and clear internal roles 
  • Compliance should not have overall responsibility for ERM, only for a supporting role 

Enterprise Risk Management 101 

What is Enterprise Risk Management? 

Enterprise risk management (ERMR) is a comprehensive approach to risk management that identifies, manages, and monitors risks – and aligns these processes with larger business objectives. It differs from standard risk management in a few key ways: 

  • Proactive Posture: Rather than focusing exclusively on mitigating losses, ERM encourages risk leaders to consider how managing uncertainty can protect and create value (for example, by preventing harm to patients, safeguarding financial stability, and seizing opportunities safely). 
  • Holistic Viewpoint: Instead of treating individual “risk types” – such as financial, operational, or cybersecurity risks – as distinct areas, ERM encourages a holistic view of potential vulnerabilities. This helps to evaluate how an individual threat would cascade across the organization, ensuring risk managers understand the full implications of each specific threat. 
  • Cross-Department Collaboration: ERM expands decision-making to involve a wider group of stakeholders. This helps to evaluate the impact a given decision – from vendor selection to hiring new employees – may have on each area of the business. Equally, ERM typically extends risk management beyond a mid-level managerial function and encourages direct board and executive engagement with risk.  

These factors significantly increase performance at most organizations using the methodology. Recent research has found that 98% of large healthcare organizations now use at least some form of ERM program – with 76% of senior leadership teams and boards applying ERM insights to business decisions. 

Why ERM is Important for Healthcare Organizations 

Enterprise risk management enables healthcare risk managers with a more robust approach to organization-wide risk – and helps them tackle three clear challenges: 

  1. Regulatory Scrutiny: Healthcare is among the most heavily regulated industries, with compliance risk representing a major threat to organizations’ finances and reputation. These regulations affect every area of the organization – from IT and operations to the billing department and individual employees. 
  2. Organizational Complexity: Healthcare companies are unusually complex, with the average hospital working with more than 1,300 vendors. Risk is, therefore, highly diffuse, with a single operational issue or cybersecurity breach spreading easily through the organization – and leading to serious consequences. 
  3. Severity of Risk: The stakes for healthcare risk management could not be higher. Just 30 minutes of downtime can cost $500k, while research repeatedly shows that data breaches lead to higher mortality rates. 

      With a more unified approach to risk, it is easier to understand the full extent of compliance requirements, manage complex organizational dynamics, and avoid blindspots, which could be devastating for both individual patients and the organization as a whole.  

      But how do organizations actually implement an ERM program? 

      How Enterprise Risk Management Works 

      The Foundation of Enterprise Risk Management 

      Every ERM program requires a few key factors: 

      • Centralized Data: Information from risk assessments is centrally stored and shared between departments to gain greater visibility of organization-wide risk. This “risk inventory” enables teams to more accurately compare different risks between departments to ensure funds are allocated to remediate the most urgent vulnerabilities. 
      • Established Frameworks: Official ERM frameworks are implemented to organize the process and ensure risk management is consistent across all areas of the business. This varies between firms but generally involves four key processes (which are explored below). 
      • Official Roles: Given its emphasis on cross-departmental collaboration, ERM generally requires the establishment of several new roles to manage the program. This usually includes: 
      • A risk committee to manage the program and oversee key process 
      • An executive ERMR sponsor to encourage engagement with high-level stakeholders 
      • An internal auditor to evaluate the ERM program’s efficacy and recommend steps to improve processes 

      These enable risk managers to identify vulnerabilities and evaluate decisions across eight key domains. 

      Key Risk Domains for Healthcare 

      The American Society for Healthcare Risk Management (ASHRM) cites eight core risk domains within the industry: 

      • Operational: Risks to the business’s processes and systems 
      • Clinical/Patient Safety: Risks arising from care delivery that could harm patients 
      • Strategic: Risks to the organization’s strategic goals or adapting to industry changes 
      • Financial: Risks to financial stability, reimbursement, costs 
      • Human Capital: Risks related to workforce, such as staffing shortages or injuries 
      • Legal/Regulatory: Compliance and legal risks, e.g., HIPAA violations or accreditation issues 
      • Technological: IT and cybersecurity risks, medical device failures 
      • Hazard: Property and environmental risks, such as disasters or facility hazards 

      A clear understanding of these domains enables healthcare organizations to implement a comprehensive process that covers all key areas of risk. 

      5 Key Phases of ERM 

      While there are multiple ERM frameworks and each organization develops its own distinct processes, there are five common elements to virtually all ERM programs: 

      1. Risk Identification 

        This involves cataloging a broad range of risks across the enterprise (clinical incidents, cybersecurity threats, supply chain disruptions, regulatory changes, etc.). In healthcare, this step requires input from many departments to capture patient safety risks, financial risks, strategic risks, and more. 

        2. Risk Assessment and Prioritization 

          Analyzing the likelihood and impact of each identified risk. For example, evaluating how likely a given risk is (e.g., a data breach) and how severely it could affect operations, patient safety, finances, or reputation. This often includes setting a risk appetite – i.e., the level of risk the organization is willing to accept in pursuit of its objectives. 

          3. Risk Response and Mitigation 

            Deciding on actions in response to each major risk – whether to avoid, mitigate (reduce), transfer (e.g., insure), or accept the risk. ERM emphasizes proactive and coordinated responses. In healthcare, a risk response might range from implementing new patient safety protocols to purchasing cyber insurance to investing in staff training, depending on the risk. 

            4. Communication and Reporting 

              ERM establishes reporting mechanisms so that top risks and how they’re being managed are communicated to senior leadership and the board. A mature ERM program will have governance structures (often a risk committee) ensuring that risk information flows to decision-makers in a timely manner. 

              5. Monitoring and Review 

                Because the risk landscape is dynamic, ERM is an ongoing, iterative process. Organizations continuously monitor existing risks and scan for emerging risks (e.g., a pandemic, new regulations) and adjust their risk management strategies accordingly. 

                4 Ways to Improve Enterprise Risk Management 

                While many healthcare organizations have begun adopting ERM, most struggle to implement a complete program. Just 33% of companies say their ERM processes are complete, and the ASHRM states that healthcare lags behind other industries in ERM adoption. 

                Our experience working with a wide range of healthcare organizations across multiple decades suggests four key steps that can mitigate these issues – and help you gain the full benefits of an ERM program: 

                1. Get Executive Buy-In 

                  The overall responsibility of ERM begins with the Board of Directors providing oversight of the overall risk management strategy and ensuring it aligns with the organization’s goals. It is, therefore, critical for a successful ERM program to engage the board and executive leadership in the process. This includes ensuring the active involvement of program managers who are in a position to identify risks, as well as solutions, to risk within their areas of operational responsibility. 

                  2. Establish Daily Responsibilities 

                    Day-to-day implementation is typically managed by a dedicated risk management team, including the CEO, COO, CFO, CIO, and other key leadership figures within the hospital. Often, they will assign an executive the responsibility for designing, implementing, and managing the ERM process, including establishing a framework for identifying, assessing, analyzing, monitoring, managing, and mitigating risks that could have an impact on the organization. Many organizations, especially hospitals, have a Chief Risk Officer assigned this responsibility. 

                    3. Create a Shared Language 

                      Communication is essential to build a cultural consensus and ensure your ERMR program operates consistently. The key is a shared language, but this goes beyond simply knowing the “eight core risks” listed above. Your teams must have a strong understanding of the risk scoring system you use and the processes you use to monitor, mitigate, and eliminate risks. 

                      4. Partner with Experts 

                        Many organizations simply lack the internal expertise or resources to scale an ERM program. However, this need not prohibit them from running one. Instead, working with an external partner who can help you run assessments, develop policies, and provide additional support will simplify, streamline, and accelerate adoption – ultimately making ERM far more sustainable for your organization.  

                        Make Enterprise Risk Management Easier with Strategic Management Solutions 

                        Strategic Management Solutions helps healthcare organizations manage and mitigate compliance risk – including developing policies and running assessments to support the establishment and effective operation of ERM programs. 

                        For more information on this topic, contact Richard Kusserow (rkusserow@strategicm.com). You can also keep up-to-date with Strategic Management Services by following us on LinkedIn. 

                        Subscribe to blog

                        Speak with a consultant about: