
Enterprise Risk Management
Dr (Colonel) Rakesh Verma
MBBS (AFMC, Pune), MHA (AIIMS, New Delhi), PGDHHM, PGDMLS
Founder & CEO, AeonMed Health & Hospitals Pvt Ltd
Scheme of Presentation
• Introduction - Enterprise Risk Management

• ERM Models for Hospitals & Healthcare Organizations

• ERM Process – the Nuts & Bolts


Introduction
• ERM is a process that sets the strategy and framework for risks across the
organization – ‘Enterprise wide’.

• Effected by Top management

• ERM seeks to manage and monitor risks within a defined risk appetite and to
provide reasonable assurance that the entity’s objectives can be achieved

• ERM enables a robust, quantitative, and economic understanding of risks and
communicates the impact of those risks at all levels of the organization.
Issues in ERM
• Healthcare organizations are complex – high volume of people and laws

• Requires a transparent organizational culture that is
• ‘open to change’,
• ‘prepared for cooperative process improvement between departments’.
Fundamental Design of Risk Management System

[Flowchart: Hazards in the Environment → Potential to Cause Harm? → N: NO RISK – CONTINUE SURVEILLANCE; Y: RISK EXISTS → Identify → Analyse → Treat]



ERM Models in Healthcare
ERM Models
• ISO 31000:2018

• JCI Risk Management Program


• Identification, prioritization, reporting, assessment, risk management and
claims management

• Model proposed by Ana Paula Beck et al from Brazil

• Others – from non-healthcare domains e.g. COSO


ISO 31000:2018
Framework – ISO 31000:2018

[Figure: framework cycle – Integration → Design → Implement → Evaluate → Improve]
Principles – ISO 31000:2018
• Integrated
• Structured & Comprehensive
• Customized
• Inclusive
• Dynamic
• Best Available Information
• Human/Cultural Factors
• Continual Improvement
Process – ISO 31000:2018
JCI Risk Management Program
• IDENTIFY – Use tools: HIRA, FMEA, RCA, HVA, etc.
• PRIORITIZE – Risk score: 2 factor (Probability, Severity) or 3 factor (Probability, Severity, Detectability)
• REPORT – Report to Mgt; formal report
• ASSESS – Scope, Objectives, Criteria
• MANAGE – Analyse and manage the risk: Elimination, Substitution, Engr Control, Admin Control, Local level actions
• CLAIMS – Managing the claims arising out of risks
Brazil Model

Shared as PDF
ERM Process
ISO 31000:2018
Process - Communication & Consultation
The purpose is to
• Assist in understanding the risk, the basis on which decisions are made and the
reasons why particular actions are required.
• Promote awareness and understanding of risk (communication) and obtain
feedback and information to support decision-making (consultation).
• Bring different areas of expertise together for each step of the risk
management process;
• Ensure that different views are appropriately considered when defining risk
criteria and when evaluating risks;
• Provide sufficient information to facilitate risk oversight and decision-making
• Build a sense of inclusiveness and ownership among those affected by risk.
• BEST WAY TO DO THIS IS TO USE COMMITTEE APPROACH
Process - Scope
• Important to clearly define the scope, the relevant objectives, and their alignment
with organizational objectives, as the risk management process may be applied at
different levels (e.g., strategic, operational, programme, project, or other activities).

• Levels can be –
• Clinical & Pt Safety
• Operational
• Strategic
• Human Capital
• Legal & Regulatory
• Technological
• Environmental
• Infrastructure
Process - Context

Internal Context
• Clinical & Pt Safety
• Operational
• Human Capital
• Strategic

External Context
• Legal & Regulatory
• Environmental
• Technological
• Infrastructure
Process - Criteria
• Type and amount of risks that can be taken

• Considerations for setting criteria:
• Nature & type of uncertainties – Tangible / intangible
• Consequences, likelihood, frequency – define these.
• Consistency in use of measurements – Training observers (E.g. ICN)
• How to determine level of risk? E.g., by using RPN
• Org Capacity – Resource availability?
Risk Assessment
• Risk Identification
• HIRA – Hazard Identification & Risk Assessment
• HVA- Hazard Vulnerability Analysis
• FMEA – Failure Modes & Effect Analysis
• RCA – Root Cause Analysis
Risk Assessment
• Risk Analysis
• Likelihood
• Severity of Impact
• Detectability

• Score to measure all these (Usually 1 to 5)
• Likelihood – Remote – Unlikely – Possible – Likely – Certain
• Severity – Negligible – Minor – Moderate – Major – Catastrophic
• Detectability – Obvious – Easy – Likely – Fair – Difficult
Risk Evaluation
• What to do with the risk?
• Do nothing further
• Consider risk treatment options
• Undertake further analysis to better understand the risk
• Maintain existing controls
• Reconsider objectives.
Risk Treatment
• Options
• Avoid risk – Discontinue / do not undertake activity
• Take the risk – this may be the only option, or an opportunity has to be used
• Remove the risk source
• Changing the likelihood
• Changing the consequences
• Sharing the risk (Insurance)
• Retaining the risk by an informed decision
Monitoring & Review
• Required for all stages of risk management

• Important that top management receives reports on risk management activities


• Required under accreditation standards

• Actions must be taken as appropriate


Recording & Reporting
Aim is to

• Communicate risk management activities and outcomes across the hospital

• Provide information for decision-making

• Improve risk management activities;

• Assist interaction with stakeholders, including those with responsibility and
accountability for risk management activities
RISK MANAGEMENT PROCESS
• Scope, Context, Criteria
• Risk Assessment
• Risk Identification
• Risk Analysis
• Risk Evaluation
• Risk Treatment
• Communication & Consultation
• Monitoring & Review
• Recording & Reporting
Thank You
