
ASHRM ERM and the Adoption of the COSO Framework

In 2019, ASHRM aligned its ERM approach with the updated 2017 COSO Framework. But how does this framework, commonly used in the finance or accounting fields, align with our work in health care? This podcast, delivered by two of the ERM faculty, will look to answer this question and provide listeners with concepts to continue the ERM conversation within their organizations.
Featuring:
Carolyn Bailey, CPHRM, CHSP | Sheila Hagg-Rickert, JD, MHA, MBA, CPHRM, DFASHRM, CPCU
Carolyn has been the Administrative Director of Risk Management for the Blessing Health System in Quincy, Illinois since 2008. The Blessing Health System consists of two hospitals, two physician groups, a number of clinics, a four-year nursing and health sciences college, a foundation, TPA service for area self-insured employers, a CIN and a group of medical specialty businesses (linen company, DME, pharmacy, etc.) and other affiliations. Carolyn helped to create the system’s Enterprise Risk Management program and has oversight of its Risk Management Department. Prior to Blessing, Carolyn has over twenty years of risk management experience, including at a hospital in St. Louis, a medical device manufacturer, an industrial coating manufacturer and an insurer. Carolyn has experience in all aspects of ERM. She is an instructor for ASHRM’s ERM Certificate Program and serves on ASHRM’s ERM Task Force. She is also a member of ISHRM, CHRMS, and other professional organizations.

Sheila Hagg-Rickert recently retired following a career in healthcare risk and enterprise risk management. She has held positions as the senior corporate risk management executive for both for-profit and not-for-profit acute care and long-term care health systems, as an academic medicine enterprise risk management executive, insurance broker and risk management consultant. She served on the board of directors for the American Society for Healthcare Risk Management (ASHRM) and has presented and written extensively on health care risk management and enterprise risk management topics. She has served as team lead and faculty for ASHRM’s HRM 3 educational module and as leader and faculty for ASHRM’s Enterprise Risk Management Certification Program. She is a contributing author for the Risk Management for Health Care Organizations, 1st-6th editions and the 1st and 2nd editions of The Enterprise Risk Management Handbook for Healthcare Attorneys published by the American Health Lawyers Association (AHLA) and served as Editor-in-Chief for the 3rd and upcoming 4th editions. Sheila served on boards of directors of both captive and commercial insurance companies and of the Texas Association for Patient Access (TAPA) and is a member of ASHRM’s ERM Task Force.

Sheila holds a J.D. from the University of Iowa and Masters of Business Administration and Masters of Healthcare Administration degrees from Georgia State University and has completed the Graduate Certificate in Healthcare Corporate Compliance Program at George Washington University. She has earned Chartered Property and Casualty Underwriter (CPCU) and Certified Professional in Healthcare Risk Management (CPHRM) designations and is a Distinguished Fellow of the American Society of Healthcare Risk Management (DFASHRM).
Transcription:

Michael Carrese (Host): Welcome to the ASHRM podcast made possible by the American Society for Healthcare Risk Management to support efforts to advance safe and trusted healthcare through enterprise risk management. You can visit ASHRM.org/membership to learn more and become an ASHRM member. I'm Michael Carrese. In 2019, ASHRM aligned its enterprise risk management approach with the updated 2017 COSO framework. But how does this framework, commonly used in finance or accounting, align with our work in healthcare?

Well, we have two guests today who are going to tackle that question and provide us with concepts to continue the ERM conversation within our organizations. So, let me welcome to the ASHRM podcast Sheila Hagg-Rickert, recently retired Director of ERM at Penn State Health, and Carolyn Bailey, Administrative Director of Risk Management at Blessing Health System, and they are both on the ASHRM ERM faculty. So thanks to you both for joining us today.

Sheila Hagg-Rickert, JD, MHA, MBA, CPHRM, DFASHRM, CPCU (Guest): Thank you. Good to be here.

Michael Carrese (Host): So, I thought I'd give you a chance both of you, first to give us some career highlights. So we understand what you're bringing to the table today and Sheila, you want to go first?

Sheila Hagg-Rickert, JD, MHA, MBA, CPHRM, DFASHRM, CPCU (Guest): Sure. I'm happy to. Thank you. I worked in healthcare risk management for 30 plus years. I've been a member of ASHRM since 1983, which goes back quite a while. Have been the senior risk management official for both not-for-profit and for-profit health care systems, acute care, and long-term care. Have been an insurance broker and a risk management consultant. I've worked exclusively in the ERM space for about the last three years.

Michael Carrese (Host): So that covers the waterfront pretty well. Carolyn, what about you?

Carolyn Bailey, CPHRM, CHSP (Guest): Sure. I have over 30 years of risk management experience with the last 20 plus in healthcare. Otherwise I worked at some other industries with respect to risk management and enterprise risk management. I'm currently over the Blessing Health System, which is in a tri-state area, Illinois, Missouri, and Iowa. And it is made up of a few hospitals and physician groups among other different specialties. And I am a proud member of ASHRM. I have been on the Enterprise Risk Management Task Force for ASHRM for the last couple of years, as well as am currently the Chair of the ERM Task Force Committee. So happy to be here and give some insight to enterprise risk management.

Host: We definitely have the right people here. So Carolyn, let me stick with you. What is an enterprise risk management framework? And why is it important for an organization to adopt a framework as part of the development of an ERM process?

Carolyn: Sure. First off it is best to utilize some sort of framework, whether it is your own, or if you adopt one from any of the national organizations such as ISO or COSO or others, it really helps for not only the organization, but the risk management professional to have kind of a roadmap to lead them down the path to ensure that they have a comprehensive approach to enterprise risk management.

It provides a structure for organizing and carrying out the enterprise risk management activities such as you want to focus on, of course, what is your culture, your governance. What is what I call more of the busy work of risk management, which is typically identifying your risk and analyzing those, making sure you're monitoring them as well as reporting out.

So, a framework helps to provide that structure. And then it also helps to encourage common language to use along enterprise risk management within your organization and reporting it up to your boards and other committees. And so that everyone is speaking the same language and understands enterprise risk management concepts. I personally provide our framework consistently in reports when I give it to the board and to our audit and compliance committee so that they keep it in front of them and they understand, you know, what enterprise risk management is and how it evolves from year to year. It also helps, provide, so, if you're starting out in enterprise risk management, it'll help provide a good framework for you to also further develop your enterprise risk management plan and is just something to, again, keep as like what I would consider a blueprint or roadmap to make sure that your enterprise risk management program follows certain key components.

Michael Carrese (Host): So Sheila, what is the COSO framework and why did ASHRM move to it from having its own ERM framework to going to the COSO?

Sheila: When ASHRM first sort of got into the ERM business, probably seven or eight years ago, they looked at the ASHRM membership and saw that they were somewhat different than risk managers in other industries. If you go to most industries, the risk management professional tends to be an accounting or internal audit or finance professional, maybe someone with an insurance background, whereas in healthcare, many risk managers are clinicians by training, often registered nurses.

And so, ASHRM's thinking was that maybe a very business specific framework that focused on language that would be very different for clinical professionals would be, will be hard to learn and be a very difficult concept. So ASHRM created their own ERM model. What happened is, as people started trying to implement an ERM framework in health care organizations, is if they started talking to you and using the language from the ASHRM framework, their senior leadership and the governing board who were instrumental in putting together an ERM effort often said, well, that's not ERM because they knew ERM from banking or finance or for whatever other industries they had familiarity. So ASHRM moved to the COSO framework in 2019. COSO really started in 2014 and it was a group of people, specifically from the accounting and internal audit professions that formed the council sponsoring organizations of the Treadway Commission.

So COSO was an acronym for that group. They revised their framework in 2017. So that 2017 version of the framework that ASHRM follows. It allows the risk manager to share a common language and a common understanding of ERM concepts with other industries. And therefore also with the experience of their governing board and senior leadership team. It also allows ASHRM members to avail themselves of continuing education outside ASHRM, from organizations like the Risk and Insurance Management Society or RIMS, or the Institute of Internal Audit.

And also white papers and other kinds of treatises around enterprise risk management that may be published outside of healthcare, that may be quite applicable, but focus on a non ASHRM framework. So, the COSO framework is very adaptable to all industries. There's nothing that unique about healthcare. It focuses on human resources risk. It focuses on strategic risk and all businesses, whether they be healthcare or something else, all have those same kind of risks that face them. So healthcare may just look a little bit different in that its operational risk may be patient care in nature, but there's nothing different about healthcare that the COSO model would not fit.

Host: And Carolyn, where can listeners find additional information about COSO and ERM in healthcare?

Carolyn: Well, there is a lot, I would suggest that first off, hopefully the listeners are a member of ASHRM, which is the American Society of Healthcare Risk Management. We do have a newly published ERM handbook, that would be a great resource. There's also ASHRM offers various ERM certification courses either at the ASHRM Express that usually takes place in the summer.

And then the ASHRM Academy that usually takes place in the spring. And then we often have classes that are in line with our annual conference, either kind of pre-conference session, or even during the conference. We always have various enterprise risk management type conference sessions that I would definitely recommend that a practitioner or somebody that's just starting out with enterprise risk management, that they would, should look into those that are held at the conference.

There's other organizations as well, such as RIMS, American Health Lawyers Association. I would say Google should be your friend because there is so much out there for enterprise risk management in healthcare, as well as even further exploring COSO itself, to see a little bit more about their framework and understanding their components and principles that make them, that make up their COSO framework.

But there is a lot out there. I don't think anyone has to reinvent the wheel. ASHRM is really good about sharing ideas through their list serve as well as and again, I think there's just a plethora of information that's out there. So, I don't think any of them, our listeners should feel like they're struggling alone because there's other organizations that have already led the pathway down through enterprise risk management and have successful programs in their organizations.

Host: And Sheila, do you have any final thoughts as we wrap up here?

Sheila: Yeah, I really encourage healthcare risk managers to take the ERM journey. I know it's a little bit out of some people's comfort zone if you've spent most of your career focusing on patient safety related events but it's very rewarding. You learn a lot about risk of your organization that may be significant and have really nothing to do with it, with the patient safety risks that we're all familiar with and allows you to have a closer working relationship with both of your senior leadership team and your governing board, which is wonderful for career advancement and really being an attribute to your organization.

Host: Well, that's great and good words to end on. I want to thank my guests today, Sheila Hagg-Rickert, Director of ERM at Penn State Health, and Carolyn Bailey, who's Administrative Director of Risk Management at Blessing Health System. Thanks to you both.

Carolyn: Thank you.

Sheila: Thank you, Michael.

Host: A reminder that ASHRM's updated ERM playbook will be published soon. You can check out ashrm.org/pubs to peruse and purchase great risk management resources there. And we want you to know the next offering for ASHRM's ERM Certificate Program will be July 28th and 29th in Nashville. Those interested in learning more about ERM and how to start this journey at their own healthcare organization are encouraged to attend that. To register, you can go to Ashrm.org/ashrmexpressriskmanagementeducation. This podcast is made possible by the American Society for Healthcare Risk Management to support efforts to advance safe and trusted healthcare through enterprise risk management. You can visit ashrm.org/membership to learn more and become an ASHRM member. I'm Michael Carrese. Thanks for listening.