Selected Podcast

Using the COSO ERM Framework to Align Strategy, Business Objectives and Mission

This podcast, the second in a series of five covering the 5 components of the COSO Framework, will discuss the COSO ERM Component of Strategy and Objective Setting to help listeners understand the importance of aligning your business strategy and objectives with your strategic plan. In strategic planning, organizational leadership defines risk appetite and risk tolerance to ensure business objectives are met and organizational value is achieved.
Featuring:
Carolyn Bailey, CHPRM, CHSP | Ann Gaffey, RN, MSN, CPHRM, DFASHRM
Carolyn has been the Administrative Director of Risk Management for the Blessing Health System in Quincy, Illinois since 2008. The Blessing Health System consists of two hospitals, two physician groups, a number of clinics, a four-year nursing and health sciences college, a foundation, TPA service for area self-insured employers, a CIN and a group of medical specialty businesses (linen company, DME, pharmacy, etc.) and other affiliations. Carolyn helped to create the system's Enterprise Risk Management program and has oversight of its Risk Management Department. Prior to Blessing, Carolyn gained over twenty years of risk management experience, including at a hospital in St. Louis, a medical device manufacturer, an industrial coating manufacturer and an insurer. Carolyn has experience in all aspects of ERM. She is an instructor for ASHRM's ERM Certificate Program and serves on ASHRM's ERM Task Force. She is also a member of ISHRM, CHRMS, and other professional organizations.

Ms. Gaffey is the President of Healthcare Risk and Safety Strategies. She is an industry-recognized career risk management, quality and patient safety professional with thirty-five years of experience in healthcare, having served as the 2016 President of ASHRM. Ann provides innovative consultative services to healthcare organizations across the care continuum to improve and enhance enterprise risk management and patient safety programs. Significant accomplishments include the design and implementation of risk and claims management programs in healthcare systems. She is a frequent national speaker on topics related to enterprise risk management and leadership, and has authored articles in peer-reviewed journals and several ASHRM publications. Ann is on the Advisory Council of the Coalition to Improve Diagnosis, the Board of the Society to Improve Diagnosis in Medicine, past-chair and member of the Board of the National Perinatal Information Center, Vice-Chair of the National Coordinating Council on Medication Error Prevention and Reporting (NCC MERP), and a Technical Expert for AHRQ's Making Healthcare Safer 3.

Transcription:

Bill Klaproth (host): Welcome to the ASHRM podcast, made possible by the American Society for Healthcare Risk Management to support efforts to advance safe and trusted healthcare through enterprise risk management. You can visit ASHRM.org, that's A-S-H-R-M.org/membership, to learn more and to become an ASHRM member. I'm Bill Klaproth.

In this podcast, we're going to talk about the COSO ERM Framework to align strategy, business objectives, and mission. With me is Carolyn Bailey, Administrative Director of Risk Management at Blessing Health System, and Ann Gaffey, President of Healthcare Risk and Safety Strategies.

Carolyn and Ann, thank you so much for your time. We're interested in learning more about the COSO ERM Framework. So Ann, let's start with you. Why don't you give us the positioning of where strategy and objective setting fit into the COSO Framework and who are the key drivers of that work?

Ann Gaffey: Thank you, Bill. And thanks for having us today. There are five interrelated components of enterprise risk management that are reflected in it. We're going to talk about strategy and objective setting. And that's the second component illustrated in the framework. And if you had a chance to take a look at it, it looks like a helix, and ribbons are kind of running through it. Each component has a series of principles that then represent the fundamental concepts that go along with that component. And we're going to be diving into some of those in our conversation with you today.

The strategy and objective setting component is also reflected as a ribbon, as I mentioned in the illustration. And really what that's doing is acknowledging that this is a common process that flows through the entity and work that is ongoing. So we never really sit still on strategy. It's just something that we want to pay attention to all the time.

If you think about it, we really don't develop an organizational strategy and business objectives and the tactics and then just put it on a shelf, because our job is to continually evaluate how we're moving our strategy forward. And we do that by measuring the effectiveness of our objectives, monitoring our operations on a day-to-day basis and evaluating our decision-making. And we use that based on our organization's performance. So this component of ERM really considers the business context that we are operating within and we consider what risk various internal and external factors might bring to achieving our objectives. And that helps us establish a risk profile.

Now, the work is primarily driven by the governing body and senior leaders. But I think what's really important is that the strategy is communicated broadly across the organization. And that's really to ensure that we have engagement at all levels of the organization. And it also supports communication of changes in the risk profile because that can have either a positive or a negative impact on us achieving the business objectives. And I like to say that first line of defense are really those folks who are really down there doing the work and they know their risk best. So we want to make sure that they are aligned with the overall strategy of the organization.

Just a moment ago, I used the word interrelated when I was describing the COSO ERM component. And I think for those who are in the early stages of developing an ERM program, it's important to recognize how each of these components link together and that the ERM process, as I mentioned before, is continuous. It's just not an annual activity where we check in to see how we did with moving the strategic plan forward.

Bill Klaproth (host): Right. The ERM process is continuous. And you also said it's important to recognize that each of these components is linked together. So let's talk a little bit more about strategy. What is the connection between ERM and strategy, Ann?

Ann Gaffey: Well, great question. So at the end of the day, an organization wants to successfully achieve the strategy that they set out to pursue, right? Because that's what brings their mission and their vision to life. It would be nice if we could just set a plan, follow it as we wrote it, achieve our objectives easily and nothing throws us off course, but I think we all know that that is not how it works.

ERM gives us a structure to thoughtfully evaluate strategy, and we can do that by using the first principle within this component, and that's to analyze the business context. So here, the risk professional and the leaders who are driving the strategic planning, they want to consider first their external stakeholders and how they can influence the ability of the organization to achieve their strategy.

To me, a good example in healthcare is the influence that the Centers for Medicare and Medicaid or CMS can have from a regulatory perspective. So if we're significantly out of compliance with CMS regulations, we could be placed under a corporate integrity agreement. That particular action significantly realigns financial and human resources, and it can also bring up reputational harm and that's not going to be favorable if we're going, for example, to lenders for a line of credit.

We also want to consider our internal environment and stakeholders and the risks that may bring to achieving our strategy. So do we have the right people or access to the human capital to develop and implement, say, a new clinical service line that we think is important to achieve our mission and is part of our strategy? Alternatively, do we already have the right individuals, but we are potentially at risk of losing them to a competitor who might offer more to them?

These examples I've given are really activities to undertake to understand the risk profile in the present and perhaps the future. And we also want to consider our past performance. So looking at our performance in various states gives more context around how our strategy may be influenced, and business context can be dynamic. So when new risks emerge that disrupt the status quo, I think we all know one of those that we're still within our pandemic, that can change the way we look at our strategy or how we actually have to implement our strategies. Business context can also be complex, particularly if you have a large health system that serves patients in many states, and you're looking at external stakeholders that are different departments of health and different state regulations and laws. You might be a health system that's actually in multiple countries, much more to consider there. So once we have a good understanding of the business context we're working within, that's when the organization can define the risk appetite.

Bill Klaproth: That's an interesting term, the risk appetite. So Carolyn, why is defining a risk appetite important and who develops it? Can you provide some examples?

Carolyn Bailey: Sure. It is really important for an organization to determine basically how much risk they are willing to take at any given time in pursuit of their value and growth because, of course, we all want to be successful and resilient, but you can't just willy-nilly, same way with your budget at home, just go out on a spending spree and not have any concern as to the ramifications. So, the risk appetite really typically is either set by the board or at least approved by the board. So definitely, the executive team is the one, in my experience, who develops it because, as we know, it depends on the size of the organization. So for instance, the risk appetite for a small, rural critical access hospital is going to be different than the risk appetite of perhaps a large health system. Because you only want to take on as much as you think you can successfully incur, and you usually even set what you call a capacity, like you might have a risk tolerance level, so "I can take this much on." But knowing that sometimes we have deviations or something new could come along, you have to have a certain definite threshold. "We cannot go beyond X or it is really going to implode our strategic plan and initiatives."

So, a lot of organizations may choose to do either a quantitative or a qualitative approach to their risk appetite statement. For instance, some may just say, "Our appetite is low. We don't take on much risk. We don't have the financial means, so we are not going to do but maybe one capital initiative this year, because our tolerance is low." In turn, you might have an organization that are risk takers and they have a high threshold, and they may do theirs more quantitatively, that "Our risk appetite is such that we are willing to exceed our budget by 10%," that might be their initial risk appetite statement. But knowing that they will then have a threshold of, "We cannot go beyond 20% of our budget." So something like that is an example of using more of the quantitative approach, where you're using values, percentages or thresholds as to what your variance could be and what you can and cannot handle.

Bill Klaproth: Right. So what if you set your risk appetite at a lower level and then something comes along, like just what happened over the past two years with the pandemic, which we're still living in? What if something like that derails your strategy or is bigger than your risk appetite?

Carolyn Bailey: Hopefully, especially with organizations that are maybe a little bit farther down the road with their enterprise risk management program, you have to be able to pivot and perhaps then flex a little bit of what your risk tolerance is going to be for that particular risk. For instance, you have a risk profile and maybe within your top risks, you realize you're going to have maybe a higher threshold on your capital spending and maybe a lower threshold on your cyber, if that's a risk for instance. But if something gets derailed, like what we've all been living in the past two years, and even going into the pandemic, most healthcare organizations were already dealing with a concern for a nurse shortage or a physician shortage.

What happened then with COVID and with the pandemic and post-COVID and post-pandemic, we saw more nurses leaving organizations to either go to agencies or maybe they were getting burnt out just because of post-COVID situations. So now, what organizations were feeling was more of the labor shortages and the increase in operational expense. So you now have to kind of pivot and say, "Okay, maybe now we're going to have to put a little bit more of a risk appetite into retention, recruitment, operational expense, and maybe we need to postpone opening that new service line for another year. Or maybe we're not going to update our facility this calendar year, because we need to focus on this more critical risk of labor shortage and how are we going to manage that operational impact?" Because I don't know of any organization that hasn't had some financial hit because of the increase in operational budgets on labor costs.

So that actually kind of goes into how you might have to pivot with your strategy, and sometimes you also then look for alternative strategies. For instance, with that, many organizations were like, "Okay, how do we address these labor shortages?" Some organizations, even ours, maybe end up creating their own internal agency staff, giving maybe better pay; the staff is not necessarily going to have some of the benefits that your employees have. Or maybe you end up bringing in more LPNs, CNAs, or you start looking at more telehealth, hospital at home, doing technology, adopting all sorts of things, being creative with your shifts, being creative with your sign-on bonuses. Some of these are things where not only did you have to pivot, but now you are coming up with new strategies to address that risk of retention and recruitment. So we know that there are always some changes in strategies that happen sometimes mid-year or in the middle of your strategic planning. And it's not always easy, but being agile and recognizing some of these areas where you need to change your focus and reassess and realign that operational capital helps and will give you an edge above some of your competing organizations, and kind of puts you a little bit ahead because you are readjusting your risk appetite for one and your risk tolerance as well, while still trying to pursue your strategic objective.

Bill Klaproth: Right. So being agile, being able to pivot, being able to develop new strategies is very important. And, Ann, if you do have to pivot, like Carolyn was just talking about, how do you bring this back to the business objectives? And what can you tell us about how they align with strategy and the risks that the organization is willing to take?

Ann Gaffey: Sure. Well, Carolyn gave some great examples, certainly around the alternative strategies, and that's important. So this is really where the rubber meets the road, I'd say. So we now have our business context, right? We've kind of evaluated current state, we've done an environmental scan. We understand the risk we're willing to take, and that goes back to our risk appetite. We've considered some alternative strategies. And with that, you really have to consider the upside and the downside. So as Carolyn, for example, talked about the human capital needs that we have, when she mentioned, maybe we pay more, but we take away benefits, we would want to think about, perhaps in a certain community, are there a lot of homes where there is one primary worker and a second adult may be home with children? Can we realistically take away benefits, or is it more important to keep the benefits and not be able to increase the pay? So as you're thinking about those alternative strategies, you really have to go upside, downside, and might they align with our overall strategy.

And once we've kind of done that evaluation, we develop some relevant objectives. So when thinking about that, first, how does leadership even want to organize your business objectives? For example, is it going to be by a customer focus like a business line? Is it going to be by a functional area, such as technology objectives or human capital objectives, like we've been discussing? And do they link to certain practices, or might there be an objective that is more cascading, like one focused on financial performance? So, you know, we're going to be evaluating financial performance all the way from top to bottom in the organization, not necessarily within one business line, because that's a big function and an important function in an organization.

But the important part here is that the objectives align with strategy regardless of how they are organized. When you've evaluated those alternative strategies, you've kind of thought of the upside, downside, downstream. And then you want to make sure that your objectives are going to be SMART, as we've all heard. So that's specific and measurable, achievable, relevant, and somewhat time-bound. And to get to this, the organization really is going to set performance measures and some targets. And an example of that might be a particular level of patient satisfaction or a specific employee turnover rate. And these targets are going to be important because they influence your risk profile. So let's say your employee turnover goal is less than 3%, that would be our dream, and the organization creeps up to 10%. So what impact could that have on meeting a particular element of the strategy? So, you know, now, we've got our objective, we've got some targets that we're trying to hit as part of that, and now we need to understand upside and downside risks. So that last point kind of leads us to establishing risk tolerance, which Carolyn touched on a bit too. And that's really the last element in formulating your business objectives. So she talked about appetite, talked a little bit about tolerance. And more on that is that tolerance is the acceptable level of variation that the organization is willing to accept within the risk appetite. And it doesn't focus on a particular risk. It really focuses on your objectives and the performance.

So for example, in my employee turnover example, the risk tolerance that the organization sets may be between 0% and 7%. So a lot of little details when we're talking about strategy and objective setting, but it really comes down to that high-level view of our business context that we're working in. How might we go about achieving our strategy? Do we need to consider some alternatives? As we look, for example, here during the pandemic, when there were some things none of us were expecting, and kind of going through those bits and pieces of categorizing your objective, setting your measures and targets, and then understanding your tolerance to those.

So I know we've covered a lot in our conversation about strategy and objective setting that's a component of the framework and hopefully our listeners found the information helpful.

Bill Klaproth (host): Well, I'm certain that they have, and thank you for that very detailed answer. And Carolyn and Ann, before we go, I want to thank you for your time. And I want to ask each of you one last question. If you could wrap this up for us and give us any final thoughts on using the COSO ERM framework, Carolyn, let's start with you.

Carolyn Bailey: I just feel that it is really helpful for organizations to adopt a framework, and COSO really sets it up in great principles for organizations to kind of follow, because your business objectives and your strategy and objective setting component are really important because that's what really drives the business plan each year for your organization. Like what are the goals and objectives that they're trying to achieve, whether it's a two-year plan, five-year plan or what have you, and how are we going to get there without disrupting too much other areas of risk? And what are we going to focus on? What are our top priorities? What do we really need to gain and achieve? And that way, we can be successful and resilient, if that makes sense.

Bill Klaproth: Yeah, absolutely. Very well said. Well, thank you for that. And Ann, how about you? Any final closing thoughts?

Ann Gaffey: I think I would just reinforce the importance of engaging the entire organization in this work. Because as I mentioned, people doing the work day to day, right? They understand the risk in their particular area. And that's important to know if there is a change in the risk profile for them, because when you bubble that up, it really could have an impact on strategy and objective setting. So I think from a governance perspective, making sure that everyone understands the organizational strategy and how they participate in the success of that is really important.

Bill Klaproth: Yep. That absolutely makes sense. Well, Carolyn and Ann, thank you so much for this great discussion. We really appreciate it. Thanks again.

Ann Gaffey: Thanks, Bill.

Carolyn Bailey: Thanks, Bill. Thanks, Ann.

Bill Klaproth (host): And once again, that's Carolyn Bailey and Ann Gaffey. The next offerings for ASHRM's ERM Certificate Program will be July 13th and 14th at the ASHRM Express and September 9th and 10th at the pre-conference program. Please visit ashrm.org/education/ermcertificate for more information. That's ashrm.org/education/ermcertificate.

And if you found this podcast helpful, please share it on your social channels and check out the full podcast library for topics of interest to you. I'm Bill Klaproth. Thanks for listening.