COSO Framework: The Performance Component

In 2019, ASHRM aligned its enterprise risk management approach with the updated 2017 COSO framework. This podcast, the third in a series of five covering the five components of the COSO Framework, focuses on one aspect of the framework: the "Performance" section. This component covers business objective formulation through the risk management process: identifying risk, assessing the severity of risk, prioritizing risks, implementing risk responses and developing a portfolio view of risks across the organization.
Featuring:
Carolyn Bailey, CPHRM, CHSP | Caroline Bell, RN, JD, CPHRM, DFASHRM
Carolyn has been the Administrative Director of Risk Management for the Blessing Health System in Quincy, Illinois since 2008. The Blessing Health System consists of two hospitals, two physician groups, a number of clinics, a four-year nursing and health sciences college, a foundation, a TPA service for area self-insured employers, a CIN, a group of medical specialty businesses (linen company, DME, pharmacy, etc.) and other affiliations. Carolyn helped to create the system's Enterprise Risk Management program and has oversight of its Risk Management Department. Prior to Blessing, Carolyn had over twenty years of risk management experience, including at a hospital in St. Louis, a medical device manufacturer, an industrial coating manufacturer and an insurer. Carolyn has experience in all aspects of ERM. She is an instructor for ASHRM's ERM Certificate Program and serves on ASHRM's ERM Task Force. She is also a member of ISHRM, CHRMS, and other professional organizations.

Caroline Bell is a veteran of creating and implementing effective risk management approaches in healthcare organizations. She has over 25 years of experience in the healthcare industry. Caroline’s collaborative and results-oriented approach facilitates the adoption of impactful risk management strategies in healthcare entities.

Caroline’s extensive experience includes leadership and execution in risk management and patient safety programs for healthcare risk consulting firms, medical malpractice insurance companies, large and mid-size health systems, and academic university medical centers. Her clinical experience is vast and enables her to provide guidance across multiple specialties and disciplines.

Caroline provides consultative services to improve and enhance risk management and patient safety programs. She assists healthcare organizations with clinical risk management program design and development; enterprise risk management evaluation, development and implementation; strategic risk management initiatives including implementation and evaluation. She also specializes in coaching/mentoring risk management professionals at all levels of healthcare organizations.

Caroline has a Bachelor of Science in Nursing and a Juris Doctor degree. She is a Certified Professional in Healthcare Risk Management (CPHRM). Caroline is actively engaged in local and national risk management societies and has served as a member of a variety of professional committees. She is a Distinguished Fellow of the American Society for Health Care Risk Management (DFASHRM), was the 2019 President of Colorado Healthcare-Associated Risk Managers (CHARM), is a faculty member for ASHRM's ERM Certificate Program and is an ASHRM board member. She has authored numerous articles and speaks on a local, national and international level on healthcare risk management topics.
Transcription:

Bill Klaproth (host): Welcome to the ASHRM podcast, made possible by the American Society for Healthcare Risk Management to support efforts to advance safe and trusted healthcare through enterprise risk management. You can visit ASHRM.org, that's A-S-H-R-M.org/membership, to learn more and to become an ASHRM member. I'm Bill Klaproth.

On this podcast, we're going to talk about the COSO framework, the performance component with Caroline Bell, principal and founder of IERM and Carolyn Bailey, Administrative Director of Risk Management at Blessing Health System. Caroline and Carolyn, welcome to the podcast. So this is a first, two guests with the exact same first name. So I will refer to each of you with your first and last name, just so we know which Caroline I'm directing the question to and which Caroline is answering. So Caroline Bell, let me start with you. Can you briefly describe the COSO Performance Component?

Caroline Bell: Yes, Bill. This is the operational aspect of the COSO Framework, and this encompasses the process to identify risk, assess the severity of risk, prioritize risk, implement risk responses and develop a portfolio view. This essentially describes the risk management process that all risk managers use on a daily basis. However, ERM expands this process across the organization and it weaves risk management principles and strategies into the fiber of the organization.

Bill Klaproth (host): So then what are some of the strategies used for risk identification, Caroline Bell?

Caroline Bell: So in general, there are several strategies that can be used during the risk identification phase. And these include gathering quantitative data from across the organization and also gathering qualitative data through interviewing, brainstorming, or focus groups and surveys and questionnaires. And Carolyn Bailey has really shared very widely what she does within her organization. So Carolyn Bailey, can you describe a little bit further how it works within your organization?

Carolyn Bailey: Sure. Initially, and depending on whatever size of an organization you have, whether it's a single hospital or physician group, or maybe a health system, like we are, sometimes you might want to start a little smaller and choose one of the entities before you push your enterprise risk program across all of the entities. That's what we kind of did. One year when we first started out, we just did our main hospital. And then since then, since we are a health system, we branched it out into all of the organizations. So initially, we did a lot of interviews. In the very beginning we met, you might need a team, but just met with different department heads. Whether it was finance, strategy and development, marketing, your nursing leaders, you just want to make sure you're turning over every rock and stone looking for ways to make sure you're identifying all the risks.

So initially, we did interview. And then after that, like another year, we then did some surveys where we would send it out to the various leaders of each department and each system entity. And then, other times, we've done some group brainstorming activities as well as one good resource that I like to make sure I do every year towards the end of the year or at the beginning of the next calendar year is to really go out there and see what are the top risks for that year in different areas, such as what are your technology risks for 2022? What are your patients' safety risks? There's various organizations that publish the top risks each year. And so that helps to kind of see your own organization and determine if that too is a risk that would be applicable to your organization. Looking at headlines and articles, that helps as well. And your enterprise risk committee that you might have in place will definitely also help to make sure that you're identifying those risks and helping bring to fore things. The one thing that's very, very important though is for every risk professional to know their strategic plan, because you want to make sure you are capturing some things that are on your strategic plan, that could also be a risk to your organization if you don't do it well.

Bill Klaproth (host): Right. So you mentioned turning over every rock and stone developing the risk list. So Carolyn Bailey, once the risk list has been developed, how are they then prioritized?

Carolyn Bailey: Sure. We do a risk scoring type of process, which is very common. Most of the time you're looking at what's the frequency or likelihood of the event or the risk occurring. Is it something that's rare? You don't think it's ever going to happen, or it would be maybe that one-in-a-hundred-year type event. Or is it something that is already happening or could happen at any moment?

So we have a numbering system, like one to five, that we use for frequency of the risk as well as then the severity. What is that financial impact to the organization of that risk? Is it something that's negligible? Like maybe, depending on what values you have at your organization, you can determine what would be negligible to you versus something that would be catastrophic. What is that number like? Is it anything over 25 million that would really be something that could be totally devastating to your organization?

We did that at first where we multiplied the frequency times the severity, but we also then added velocity into our scoring system. Like, is it something that can happen arise and you have weeks to months, if not years, to prepare for that risk? Such as if an organization that might be a competitor of yours decides to build a hospital. You have a few years to kind of plan, because it's not like they're going to pop up that hospital overnight. So that's something that would take weeks to months. So that would get a low score, like, let's say a one. But if it's something that could happen within hours or days, such as all of a sudden a tornado that could wipe out your buildings and operations, that's something that has a lot more velocity, so we would score that a three. So we use a one to three ratio on the velocity. And so we multiply the frequency times the impact, and then we add in the velocity and that gives us a numerical score, which then depending on the score, that helps us prioritize the risks for that year and what is most important. We also though, just as an added point and I'm sure Caroline can also speak to this, is that we also look at our strategic plan. Is there something that didn't score in the top maybe five that we think is a hot topic or is tied into our strategic plan? We then might want to focus on that as well, even though it wasn't the highest scoring risk. We just want to make sure we're really addressing everything of importance for that year.

Bill Klaproth (host): Caroline Bell, any thoughts on how risks are prioritized?

Caroline Bell: Yeah. And Carolyn Bailey also talked about this and we're going to talk about this a lot during this talk. But I'll add that prioritization can be further determined according to the impact that a risk has on the organization's mission and strategic goals. So for example, does the risk prevent the organization from fulfilling its mission? Or might the risk impact the achievement of strategic objectives? The organization's mission and strategic goals should play an integral role in the ERM program and processes.

Bill Klaproth (host): Yeah, that's really good extra insight into that. Thank you, Caroline Bell. So Carolyn Bailey, you mentioned there's an equation that you use and then of course, it's put on a one to five scale to help you with that. And then Caroline Bell, you mentioned, you know, what is the strategic mission of the hospital, so you've got to factor that in as well. So Caroline Bell, when it comes to these risks, after they're prioritized, how may an organization then respond to a risk?

Caroline Bell: Well, I'll address this very broadly. So first of all, risk responses are encompassed in four main categories that include risk avoidance, risk retention, risk transfer, and risk mitigation. So I'll describe those very briefly. Risk avoidance is, of course, when the entity does not undertake the risk. Risk retention is when the entity assumes the risk without mitigation strategies. So this might include establishing a self-insurance program rather than shifting the risk to an insurer. On the other hand, risk transfer is where the entity transfers the risk to a third party, such as an insurer. And finally, there's risk mitigation, and risk mitigation strategies are used to minimize the impact of the threat.

Carolyn Bailey: I was just going to add a little bit of specifics that might help our listeners for when they're really looking at maybe risk mitigation strategies, such as, for instance, if you're focusing on your supply chain, which we're all dealing with right now. Maybe some of your mitigants are making sure you have redundancies built in, either by ordering supplies for those high needs if something would happen, or maybe you have redundant locations. Maybe you have a couple of physician groups or different locations that could be of help. Maybe you're partnering with additional vendors that you weren't using before and having other agreements and contracts in place, which is then kind of a risk transfer, but also it is a good thing to have in place when you're looking at the mitigants, and maybe even like a materials management system. Same way with a compliance risk, there's various things that you could do as a risk mitigation effort. Do you have an audit committee, a compliance plan? Do you do internal and external audits? Do you have a hotline, background checks? All of those are different controls and mitigants that you would identify that address those risks to help the organization show their boards that, "Hey, we have identified that risk. And these are the things we're doing to make sure that the impact, if we have something bad happen, that this will help minimize that financial loss that could be tied into that risk."

Bill Klaproth (host): Yeah. Some great tips for risk mitigation. And Caroline Bell, thank you for sharing those four areas for us. Risk avoidance, risk retention, risk transfer and risk mitigation. Carolyn Bailey, let me ask you this then, where do you think risk managers have the most difficulty in the performance phase and what can they do to overcome those challenges?

Carolyn Bailey: Well, of course, Bill, we'd all like to say we need more people and more money, but since that doesn't typically happen, I think for our risk professionals, one area might be even the identification part. If they're pretty much one of those types of professionals that really came from that clinical background, and then they ended up getting into the risk management world, they might have a little bit harder time to really do things that might be a little foreign to them, like really understanding how the stock market could impact your organization, or maybe there's risks with consumerism, things like that that they really weren't identifying and that weren't part of their world before. So on one hand that could be a little bit of a learning curve, to just get their mindset a little bit away from the clinical patient safety quality side. For instance, at our organization, we lump all the patient safety events, errors that could happen in the clinical world, into one major risk, patient safety events, because you could really get bogged down and lost in that if you're looking at, okay, if you have an OB, the possibility of a bad outcome or medication errors. I mean, you can really end up getting burdened with all the different clinical risks that there are. So just getting out of that silo, that might be a challenge.

The other is probably the risk response because sometimes risk management professionals might think that they have to take this all on. And actually, once you identify those risks, you assign risk owners. For instance, your strategic risk, if it's something more like competition or something, it's going to be your either CEO or somebody in your executive team, that's going to be the risk owner of that risk. And they're the ones that should be coming up with the action plans and identifying what they have in place and what they need to work on. Same way right now with, let's say, talent management and talent retention. We're all struggling with staffing issues. It's your VP or chief of HR who would own that risk. So just making sure that the risk professional doesn't think that they need to own all of these strategic and enterprise risks would be very important. So I don't know, Caroline, have you got any thoughts too?

Caroline Bell: Yeah. And actually, I agree with what you said, and my thoughts are aligned with that. So, we talk about folks that come from the clinical space, that tends to be a very task-oriented endeavor. And so when you switch over to enterprise risk management, it's much more strategic and you have to look at things other than patient safety type of risks. So that said, the organization might be too focused on the downside of risk and might miss an opportunity to embrace the upside of risk that can further the entity's strategic objectives. So this happens when the ERM processes such as COSO performances we're talking about today are approached as a task rather than a process management strategy that's aligned with the organization's mission and strategic goals. It is important to approach ERM in alignment with the mission and goals and recognize when a threat may be an opportunity.

So ideally, COSO performance might be done simultaneously with strategic planning. And so to give an example, suppose an identified high-priority threat is a significant backlog in outpatient appointments. We don't really need to dive too deep into the actual and potential impacts, but we can certainly recognize this can have a significant impact on revenue, malpractice claims, ability to compete, provider wellbeing, patient satisfaction scores, and so on. So let's suppose that that organization's strategic goals include improving community health and focusing on innovation. This now becomes an opportunity to recognize the identified threat as an opportunity to further embrace maybe innovative technology and allocating resources to creating and implementing strategies to improve community health, to prevent patients from needing care in the first place. So we do know that efficiencies are created when the entire organization moves in the same direction, and this can be achieved when the organization's strategic goals are leveraged through the ERM process to address an identified threat.

So to summarize, to achieve really a well-functioning ERM program of processes, the organization's mission, vision and goals really should be at the forefront.

Bill Klaproth (host): Well said and some really good thoughts from both of you. Carolyn Bailey, you were mentioning, remember, don't feel like you have to shoulder the whole load when it comes to risk management. And Caroline Bell, you said sometimes we're focusing too much on the downside of risk of it. At times, we should look at the potential upside of risk as well. So great thoughts from both of you for that. And as we wrap up talking about the COSO Framework, the performance component, I wonder if I can get some closing thoughts from each of you. Carolyn Bailey, let me start with you. Anything else you'd like to add?

Carolyn Bailey: I just think that the performance section is really kind of the meat of your whole program and that this is where you're really identifying those risks that the board wants to know about. And then they want to have confidence that, yes, you've identified it, but yes, you're also trying to do something about it. And when you have all of these principles and components of the COSO Framework, it really does give some structure to your enterprise risk program at your organization. And it's easy to then kind of show the board, "We looked at all these risks that we identified this year, and these are the top ones and these tie into our strategic plan. And these are the things we're doing about it." And what's interesting, after you've done this for a couple of years, you will see how risks will change because of what's changing in the world or in your own environment, such as the pandemic. I mean, that rose to the forefront. Sure, it was always in like our top 10, but it was not our top five until COVID. Same way with cyber years ago. That might have been an identified risk, but then as ransomware took off, more things could impact healthcare facilities with respect to hackers and cyber threats, and that's now a top risk as well. So it does show the board that this isn't just a one-and-done, once you've identified a risk, it's over. There's always new things that arise that really need some attention in the organization. So I think this is where you spend a lot of time and energy because it affects all the risk owners and is definitely something that the board and the executive team like to see.

Bill Klaproth (host): Well, thank you for that. And Caroline Bell, final thoughts from you. Anything else you'd like to add?

Caroline Bell: Well, that was well stated by Carolyn Bailey. And just from the operational perspective, this can feel very overwhelming and it isn't just owned by the risk management professional. This should be done by a committee that has representation from across the organization. So this is a group effort. I would also say that there are plenty of resources out there that folks can use to help either initiate their program or to bring it to the next level. ASHRM has a lot of different resources as well as individuals who are ASHRM members who are already doing ERM. Folks in this industry are always ready to share. So it's just a matter of reaching out and seeking out those resources and not approaching it as an individual, but rather as a group.

Bill Klaproth (host): Great thoughts as well. Well, Caroline Bell and Carolyn Bailey, some great conversation today and discussion of the COSO Framework. I want to thank you both for your time on this podcast. Thanks again.

Carolyn Bailey: Thanks, Bill.

Caroline Bell: Thank you.

Bill Klaproth (host): And once again, that's Caroline Bell and Carolyn Bailey. And the next offerings for ASHRM's ERM certificate program will be July 13th and 14th at the ASHRM Express and September 9th and 10th at the pre-conference program. You can find out more information if you go to ASHRM.org/education/ermcertificate.

The ASHRM Podcast is made possible by the American Society for Healthcare Risk Management to support efforts to advance safe and trusted healthcare through enterprise risk management. You can visit ASHRM.org/membership to learn more and to become an ASHRM member. And if you found this podcast helpful, please share it on your social channels and check out the full podcast library for topics of interest to you. I'm Bill Klaproth. Thanks for listening.