Boardroom Brief: Encouraging a Risk-Aware Culture to Drive Value

 Enterprise Risk Management 


Enterprise Risk Management (ERM) is a strategic business discipline that supports the identification, assessment and management of risks. ERM can advance internal control of material risk and allow an organization to generate greater value from strategic and operational activities. To achieve these advantages, organizations must embed ERM elements into their culture and structure and examine the nature of the risks they face.

A risk-aware culture recognizes that the future can be unpredictable and that outcomes cannot be forecast with certainty. The ERM for Health Care Boards document identifies the key benefits of enhancing a risk culture. This culture seeks to:

  • Quantify the potential variability of inputs and outputs when evaluating and prioritizing competing projects, initiatives and strategic directions.
  • Identify the sources of such variability, known as Key Risk Indicators (KRIs).
  • Measure the anticipated consequences, positive and negative, of such variability through the use of Key Performance Indicators (KPIs).
  • Set risk tolerances to establish the limits of acceptable performance.
  • Develop mitigation strategies to lessen the impact of and/or reduce the likelihood of negative consequences.
  • Develop contingency plans to deal with negative consequences if mitigation strategies fail or are not available.

Hospital leaders need to be prepared for a variety of situations that involve risk, such as disruptions in services, pandemics, emerging technologies and changes in reimbursement structure.

Effective ERM requires informed decision making conducted within the context of the organization’s risk appetite and its risk capacity, established by the board and executive leadership team. When ERM is used in the context of the organization’s decision making, the board can better understand how uncertainty can be quantified, and how it influences the organization’s decision making, priorities and strategies. Risk-adjusted decision making represents a more sophisticated approach than typical cost-to-benefit or Return on Investment (ROI) analyses. ERM looks at risk organization-wide and across various domains. Different organizations may choose to identify domains in a number of ways, but they typically include: clinical/patient safety, legal and regulatory, financial, technology, hazards, human capital, operational and strategic.

ERM also can support value creation. When risk is viewed only as negative, the goal is to reduce or eliminate the risk and minimize its impact. ERM views risk as uncertainty, which means it also can lead to positive outcomes that enhance revenue, reputation and value.

Why ERM and not traditional risk management?

Traditional risk management, which is more reactive and focuses on asset protection and siloed processes, is no longer sufficient to sustain organizational success in an environment of transforming health care delivery and payment. ERM provides a more comprehensive, holistic approach that can help hospitals, health systems and their boards better anticipate, recognize and address the myriad risks associated with the increased complexity of transformational change. Boards that understand the ERM framework and its key concepts will be better able to manage uncertainty, act as effective stewards and fiduciaries and focus on the issues critical to creating greater value for their organizations and stakeholders.

Where to start?

A readiness assessment is an important first step. The American Society for Health Care Risk Management of the AHA (ASHRM) provides a simple but comprehensive template to be used for the organization’s internal environment. An important output of this assessment is to determine if the organization’s culture and climate will embrace and support this type of program. The board should be fully engaged with performing this readiness assessment.1

The Board’s Role in ERM

Board support is critical for successfully engaging employees in ERM activities. Boards will be asked to make decisions as health care delivery models continue to evolve. Leaders must be willing to appropriately embrace entrepreneurial risk and pursue risk-bearing strategies.2 They will also be asked to make decisions that can help recognize and mitigate risks associated with these strategies and strategic business objectives.

Because risk oversight has become increasingly important to organizational sustainability, boards in both the for-profit and non-profit sectors are spending more time on risk oversight and incorporating it more visibly into their structure and function. For example, a health care board might develop a separate committee devoted to risk oversight versus only including it in the compliance or internal audit committees.

Health care organizations are facing higher levels of risk as they implement new care delivery and payment models. By employing ERM practices, health care organizations and their boards can better anticipate, recognize and address the risks associated with the transformational changes now occurring in the field.

Boards that embrace ERM view its value from two perspectives: optimize informed decision making and maximize value. ERM helps organizations optimize informed decision making by identifying the best strategies for reducing risk versus those that are simply good enough.

When successfully implemented, ERM can provide the board with the information it needs to appropriately oversee and reduce risk for the organization, the community it serves and other stakeholders. This creates value for the organization, promoting resiliency and the ability to act on opportunities for growth in an efficient way.

Discussion Questions

The questions below have been developed as a starting point for boards to begin important discussions about enterprise risk management.

  1. Are we in support of establishing ERM within our organization? Do we need to learn more?
  2. Do the relevant skills and experience exist within the organization to execute the ERM framework?
  3. Why do we think we need an ERM process in our organization?
  4. What do we seek to accomplish through ERM?
  5. How will the board fully support the ERM process?
  6. Where will enhanced risk management activities deliver the greatest value?
  7. What impact will the adoption of ERM have on the health care organization, and how should it be managed?
  8. What level of oversight will be required for performance measurement and risk mitigation?
  9. Has an executive ERM champion been identified?
  10. Are sufficient internal and external resources to support ERM adoption available?
  11. How effectively can information technology be leveraged to support the organization’s risk and control framework?

AHA Resources

American Society for Health Care Risk Management (ASHRM) Resources

For more information and to download go to

Downloadable tools

  1. Ibid.
  2. ASHRM. Health Care Enterprise Risk Management Playbook, second edition – An ERM Guide for Health Care Professionals, 2020.