Category: GRC/ERM

ERM Done Differently

Those in the risk management field have heard plenty about the benefits of establishing an enterprise risk management (ERM) program. In some cases, they’ve likely heard too much. Lost in debates about frameworks or which acronym to employ (ERM vs. IRM vs. GRC) is the answer to the question, “How do I actually establish an ERM program that produces tangible, measurable results?”

An ERM program doesn’t have to be overly complicated (really!). Neither does it have to be an academic exercise that takes you away from critical daily tasks. When ERM is done right, it’s tied directly to your organization’s central strategic goal and consists of clearly laid-out, doable steps.

You can launch a manageable and sustainable ERM program. You can get everyone on board with the process. You can find success without losing your mind.

You can do ERM differently.

Focus on execution

ERM isn’t a magical, all-knowing tool into which issues are input and solutions spit out. ERM is a considered process that forces you to ask the right questions—questions that lead to the right preventative measures. So when embarking on the creation of an ERM program, your focus should be on execution: What actions am I not taking today that I should be taking in order to get out in front of risks?

How to get leadership buy-in for ERM

Before organizations can begin implementing an enterprise risk management (ERM) program, they must get buy-in from leadership. But in order for leadership to feel comfortable buying into a program, they must have sufficient evidence that it will make a difference for the organization’s overall goals.

There’s a solution to this catch-22. By having the right conversations and showing results from smaller-scale initiatives, organizations can demonstrate the value of an ERM program to leadership—and do so without the same time, effort, and resources required for a full-scale ERM operation.

Start the old-fashioned way

The right technology can be instrumental in demonstrating ERM program successes. However, before using technology to prove the benefits of an ERM program, risk managers can begin influencing leadership through small, in-person conversations.

“One of the biggest buy-in methods for a successful strategy is talk,” writes Darius Delon, AVP of risk services for Mount Royal University, in the article Putting Strategy into Risk Management. “One person at a time, one hour at a time, one advocate at a time. People will not buy-in to ERM just because they read something you put in front of them or heard at a large forum. Talk to them, work with them, get small wins…”


Risk management technology’s role in keeping ERM on track

Enterprise risk management (ERM) programs require focused planning and commitment from a range of stakeholders within an organization. However, even organizations with the best intentions can see ERM efforts fall by the wayside as more pressing day-to-day issues take precedence.

In the article Leveraging Technology To Drive Sustainable ERM Initiatives, Origami Risk’s Josh Newsum discusses the powerful role of risk management technology in keeping ERM initiatives on track, as well as how organizations can achieve the best results, regardless of where they are in the process.

Read the article in Risk Management →

Hospital staff burnout, part 2: How healthcare ERM can prevent burnout

As the hospital burnout crisis continues to make headlines, healthcare organizations are in need not only of solutions that address the consequences of burnout, but also strategies for preventing burnout in the first place. As discussed in part 1 of this series, the right healthcare risk management technology can play a role in efforts to ensure physicians are more fully engaged. Physicians who feel connected to the core purpose of their work are less likely to burn out, and more likely to provide quality patient care.

Another approach to addressing clinician burnout is the establishment of an organization-wide plan to monitor, analyze, and, ultimately, prevent the condition from occurring. Efforts to mitigate burnout will likely come from many directions within an organization, but to streamline the process and get everyone on the same page, a logical but perhaps unexpected place to start is with the hospital risk management team. Healthcare risk managers can play a crucial role in successfully preventing burnout by viewing burnout like the other risks they manage, developing a healthcare enterprise risk management (ERM) framework, and leveraging the technology they already work with on a daily basis.


Healthcare administration: The vital role of healthcare risk management

Those working in the healthcare industry are no strangers to constant change. A healthcare risk management program and the right technology can help to effectively monitor risk across specialties and improve patient safety. Origami Risk’s Bill Schwacke spoke to Future of Personal Health about the intersection of risk management and the healthcare industry.

Risk management software is used in various industries. How is it applied to healthcare?
Risk management software is at the center of a healthcare organization’s approach to risk, safety, claims, and insurance. The software can define the provider’s approach to risk by linking, organizing, and distributing data from independent, critical functions to provide an organizational view of risk.

Can you elaborate on the correlation between patient safety and risk management software?
Patient safety and risk management software are often linked due to the nature of the data involved. While they often work independently, there are insights that can be discovered when linked together. These insights can improve quality of care and reduce claims/insurance costs for the organization.

Read the full article in Future of Personal Health.

ERM – Moving beyond enterprise risk assessments and risk heat maps

Enterprise risk assessment and risk heat map in the risk management process

Risk assessments and heat maps remain central components in most enterprise risk management (ERM) programs. Yet there is considerable debate about their effectiveness and both tools have no shortage of critics. In 2011 Howard Sklar, a Forbes contributor, outlined one of the most popular criticisms regarding companies that viewed risk assessments as a document instead of a risk management process. He noted, “Companies that fail in this way are often trying to check the risk-assessment box on their program. That’s fine, as far as it goes. At first glance, a risk assessment seems like a low-ROI effort. You put in time and potentially money, and you get back a piece of paper laying out what you already know.”

Similarly, others deride heat maps as nothing more than “colorful guesses.” Brian Priezkalns, in the not-too-subtly titled article, Why I hate Heat Maps, says “Heat maps are just a terrible terrible terrible way to understand, communicate about, and decide how to respond to risks. They either mess up what you already knew, or they hide the fact you are too ignorant to make a rational decision. Everything that can be done with heat maps would be done better with actual numbers.”

If the risk assessment and risk heat map have such fierce critics, then why are they still central to most ERM programs? In this article, we’ll examine what drives the limitations, and the key missing ingredient that turns them into powerful assets.

GRC: Where to start? Productive healthcare ERM tools

Coordinated care in hospitals starts with the right GRC tools and ERM framework.

In November 2018, Baylor St. Luke’s Medical Center in Houston made two medical errors, the second of which led to the death of a 75-year-old patient. After an investigation by the Houston Chronicle and ProPublica, the Centers for Medicare and Medicaid Services issued a report in early 2019 that outlined a pattern of blood labeling errors at the hospital. A ProPublica article on the report states:

Dr. Ashish Jha, an expert in hospital quality, reviewed the government’s findings and said it appeared St. Luke’s was struggling to meet basic care standards. The labeling mistakes, he said, seemed indicative of ‘a broader systemic problem.’… St. Luke’s appeared to miss warning signs in the months prior to the deadly mistake, according to the government report.

The “broader systemic problem” Dr. Jha mentions is, unfortunately, not unique to St. Luke’s. Many hospitals and healthcare systems face organization-wide, process-related issues, especially in a modern healthcare landscape that’s rife with change. Mergers, multiple technology platforms, and changing healthcare policies, to name just a few, contribute to widespread miscommunication and a lack of transparency. This, in turn, jeopardizes the overall quality of care within these organizations.

Hospitals can stem the scope of these issues by implementing a healthcare enterprise risk management (ERM) program. Healthcare ERM establishes a standardized framework for identifying risk across an organization, encourages cross-departmental collaboration, and shifts hospitals from a reactive clinical risk program to a proactive holistic risk management program. A straightforward process, along with the right technology that leverages healthcare analytics, can help to make this shift effective.


Facing the challenge of reputation management in higher education

Reputational risk in higher ed needs proactive reputation management

The Operation Varsity Blues scandal has heightened reputation management concerns across the higher education community. Seeing how quickly any college or university can suffer reputational damage, and how lasting that damage can be, underscores how valuable an institution’s reputation is, and how critical it is to safeguard it.

The book Reputation management: The key to successful public relations and corporate communication by New York University professors John Doorley and Helio Fred Garcia opens with a quote from Warren Buffett, who addressed a group of Salomon Brothers managers in 1991 after the firm became mired in a high-profile trading scandal: “If you lose dollars for the firm by bad decisions, I will be very understanding. If you lose reputation for the firm, I will be ruthless.”

Although numerous surveys show that many leaders of higher education institutions place the same value on reputation as Buffett does, effectively managing these risks remains elusive. In fact, most cannot even define what reputation is.

Defining Reputational Risk

In the article How to Manage Reputation Risk, Nir Kossovsky addresses the definitional ambiguity directly. “From your boardroom and C-suite to the SEC and Office of the Comptroller of the Currency, everyone agrees reputation risk exists, yet few can describe it. However, this isn’t as difficult as it seems.” Kossovsky defines reputation as the expectation of behavior that is set by stakeholders. “Customers have expectations when they buy products or services, employees have them when they accept jobs, vendors have them when they partner, creditors and investors have them, and even regulators have them.” For colleges and universities, this extends to the communities that house them, the potential pool of students and parents considering attendance, research partners, and the other organizations that interact with them.


How ERM technology helps financial institutions address Matters Requiring Attention (MRAs)

Complying with Bank Secrecy Act/Anti-Money Laundering (BSA/AML) regulations is a major challenge for financial institutions. Those found with deficient practices are subject to receiving a Matter Requiring Attention (MRA) notification. The Office of the Comptroller of the Currency (OCC) states, “MRAs communicate specific supervisory concerns identified during examinations in writing to boards and management teams of regulated institutions. MRAs must receive timely and effective corrective action by bank management and follow-up by OCC examiners.”

This combined requirement of timeliness and proof of effectiveness makes delivering an acceptable response particularly challenging. Unfortunately, MRAs are not uncommon. The article Get to Know the “5 Cs” — BSA Matters Requiring Attention notes, “Most banks receive some sort of finding or ‘Matter Requiring Attention’ (MRA) or ‘Matter Requiring Immediate Attention’ (MRIA) regarding their BSA Program during a BSA exam.” Given the likelihood of receiving an MRA, and the burden associated with the response, developing a robust process to handle them is essential.

This post will examine how the right Enterprise Risk Management (ERM) system is uniquely suited to not only help efficiently and effectively respond to the challenges associated with MRAs, but also (when properly configured) help minimize them.

To understand how this is possible it is useful to “learn from the mistakes of others.”


Looking to launch an ERM program? Borrow ideas from startups

Implementing an enterprise risk management (ERM) program can be a daunting, intimidating project. Trying to introduce new frameworks and controls across the organization, roll up risk reporting from the unit to enterprise level, and initiate discussions with the board that lead to action can be overwhelming. Using techniques proven to work with startups, however, can make the process far more manageable and increase the odds for success.

Startup incubators often promote a few common themes:

  • Let customers/market dictate the product
  • Scale it down – start small and go live fast
  • Do the research and learn about the market
  • Get feedback as quickly as possible
  • Fail silently – incorporate lessons learned without dragging the whole effort down

These techniques suggest that the traditional high-profile, enterprise-wide rollout of a new ERM program may not always be the best way to launch. Instead, focusing on the smallest scale project—one with the potential to yield meaningful results—and relying on a customer-driven approach may be the key to creating a sustainable, effective ERM program.
