Enterprise risk management (ERM) is an iterative process that takes a broader, integrated ecosystem view of the business objectives of an enterprise. Framed in a five-step process, ERM improves data analysis through: identification, assessment, and evaluation of risks, uncertainties and opportunities for the enterprise; implementation and monitoring of a plan for progress.1

Risk management programs in healthcare tend to struggle with maintaining an ERM process that is fully matured to beign proactively—not only reactively—utilized.2 Full ERM implementation represents a collaboration between the organization’s stakeholders, which includes executives, employees, and patients, and its professional risk management team. The work brings the expertise of these individuals together through an emphasis on seven primary areas.


Risk Domains


When considering ERM as an invigorating management practice, it is important to view the entity in its totality and understand what comprises the whole enterprise. Traditionally, risk management programs consist solely of clinical risk managers and claims management staff. This leaves the organization susceptible to understating potential exposures arising in other risk domains as well as unprepared— both financially and operationally—to address a real exposure.

Procedural errors in complex processes can and do result in negative outcomes for patients as well as involved staff. So that staff is in a position to mitigate risk, it is important for them to be oriented to the interrelationships of the many facets of the healthcare system and their bearing as individuals on the overall operation. One way to foster this interrelationship is for organizations to conduct departmental risk assessments created to continually monitor the potential impact of real risk exposures and uncertainty in the area assessed on the organization.3

These risk mitigating activities should be multi-faceted and involve people and resources throughout the enterprise. Many who are available to ERM motivationaddress certain areas of risk, but there still exists a need to maintain a strategic framework—and this is the driving force that has facilitated the development and spread of ERM.

Viewed in this way, it becomes clear that healthcare organizations require more comprehensive and data-driven approaches to managing risk; an approach that meshes well with other disciplines in the enterprise. Combining elements of clinical risk management, loss control and prevention, claims and litigation management, finance and quality to create a more comprehensive risk reduction structure benefits the entire enterprise.4

Adding space for growth and improvement into the traditional risk management field of practice presents challenges, including bringing together all the necessary players. It suggests that the first place for a risk management program to start is within. Once there is space for fresh thinking and design among traditional practices, risk professionals can look up from the routine day-to-day grind and generate targeted strategies. ERM provides a strong framework for a risk management program to consider strategic, exciting approaches to inspire shared responsibility for managing risk.

(The above is an excerpt from our book Inside Looking Up. To learn more, click here!)

By: Edward Hall, Jr., John Vaughan, and Manuel Solis


1. Tichansky DS, Morton J, Jones DB, ed. The Sages Manual of Quality, Outcomes and Patient Safety. Boston, MA: Springer; 2012.

2. Harvard Business Review Analytic Services. Risk Management in a Time of Global Uncertainty. Boston, MA; Harvard Business School Publishing; 2011. https://hbr.org/resources/pdfs/tools/17036_HBR_Zurich_Report_final_Dec2011.pdf Accessed October 4, 2015.

3. Risk management–principles and guidelines. In: International Standard ISO 3100:2009(E). Geneva, Swtizerland; International Organization for Standardization. November 15, 2009.

4. Committee on Sponsoring Organizations of the Treadway Commission. Enterprise Risk Management—Integrated Framework: Application Techniques, AICPA, New York, NY: 2004.