Published on
Wed, 09/07/2022 - 15:48

Reactive versus Proactive. Siloed versus Holistic. Static versus Responsive. Risk management professionals will recognize these descriptors given their frequent use in summarizing differences between traditional risk management and enterprise risk management (ERM). Though broadly accurate, they fall far short of explaining why more and more organizations — including those in the healthcare sector — are working to implement and grow effective ERM programs. 

“A major difference between a traditional risk management program and organization-wide ERM programs is the effort to create and recognize value,” explain the authors of Enterprise Risk Management: Implementing ERM, an American Society for Health Care Risk Management (ASHRM) whitepaper published in 2020. While the primary focus of traditional risk management programs is on protecting value through reactive strategies for mitigating risk, “ERM programs change that dynamic and consider value creation, recognition, and enhancement on the same level as value protection. ERM acknowledges the risk of missed opportunities as a risk to be identified and managed.”

In an increasingly complex and challenging risk environment, establishing a more proactive, holistic, and responsive approach to managing risk is essential. Given the competitive nature of the healthcare sector, it is no less important that organizations put into place strategies for recognizing and taking advantage of opportunities whenever possible. Despite strides made by healthcare organizations in planning, launching, and growing ERM programs, the whitepaper’s authors acknowledge that there is still a significant amount of work to be done if the healthcare sector is to catch up to most financial services organizations and publicly listed companies.  

Accomplishing this is no easy venture for healthcare risk professionals; however, with the right guidance, use of best practices, buy-in from stakeholders, and the strategic use of risk management technology, the transformation from a traditional risk management approach to one that fully incorporates established tenets of enterprise risk management is possible.  


To support healthcare organizations that are looking to implement and grow successful and sustainable ERM programs, ASHRM has adopted (and adapted for use in healthcare) an ERM framework created by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The framework is made up of five core components — Governance & Culture; Strategy & Objective-Setting; Performance; Review & Revision; and Information, Communication & Reporting. Grouped under these components are 20 guiding principles. Together, they provide a healthcare organization’s board and executive leadership with effective guidelines for the development and implementation — and, later, the growth of — a sustainable ERM program.  

Rather than suggesting that the framework’s structural elements be applied without deviation, the whitepaper’s editors and contributors acknowledge that risk management professionals will need to redefine and modify some of the framework’s basic structural elements to accommodate the fact that “each organization’s ERM program will vary due to differences in mission, vision, culture, and strategic direction.”


“Organizational success with any initiative requires deep commitment in its ability to be effective in information collection and communication,” write the authors of the ASHRM whitepaper, Enterprise Risk Management: Implementing ERM. For many risk management professionals, especially those still working to fully implement an ERM program, effective information collection and communication are restricted by reliance on spreadsheets. Inconsistencies in data structure, “multiple versions of the truth,” limited security controls, and a lack of integration with other technology systems in place across the organization are just a few of the drawbacks.

While neither a “silver bullet” that will entice buy-in from reluctant stakeholders nor a solution to any structural issues that may be affecting an ERM program, putting the right risk management technology in place can play a critical role in improving ERM processes — for example, risk and opportunity identification; risk evaluation and assessment; and review, evaluation, and monitoring — and communication.  

Just as the ASHRM ERM framework’s inherent flexibility is an essential element in implementing and growing a healthcare ERM program, flexibility should be a key consideration when selecting risk management technology to support the various components of organization-wide ERM. “Long-term, the flexibility of the system is directly related to how well it adjusts to the unexpected changes of tomorrow,” states the Origami Risk ebook, Choosing ERM Technology and Frameworks. “From the adoption of different ERM frameworks to changes in departmental objectives or personnel, to major shifts in the organizational structure, absorbing these types of events is far easier with a flexible system than a rigid one.” 

Framework Alignment 

Origami Risk’s highly configurable healthcare ERM solution aligns with COSO and other established risk management frameworks (ISO 31000, NIST) to facilitate identification, assessment, measurement, and communication. Among the features and functionalities available in the solution are the following:

Risk & Opportunity Identification 

To aid in risk and opportunity identification efforts, Origami Risk provides tools that support an array of identification methodologies, including adverse event reporting, root cause analysis, questionnaires, peer reviews, patient satisfaction surveys, and more. Additionally, when compiling a Risk List, ASHRM’s eight healthcare risk domains are incorporated into the Origami Risk ERM solution to help ensure adherence to industry-specific best practices and visually display related risks. 



Risk Evaluation & Assessment 

With identified risks gathered in a central location, the Origami Risk ERM solution allows for the use of different methodologies and scoring models to assess risks. For example, likelihood, impact, probability, severity, and velocity can be used, along with the application of subfactor scoring (i.e., financial, brand/reputation, health and safety, and compliance risk). Designated risk owners can use the system to rate risks; or, if preferred, a crowd-sourcing tool allows for the polling of multiple stakeholders to score risks (using an average or the highest reported value). To reduce administrative tasks and streamline risk evaluation and assessment, automated workflows can be configured to route assessment to risk owners; alerts & notifications based on assessment status and/or due dates can also be set up.  

Performance Measurement, KPIs, KRIs, and Tolerance 

Origami Risk makes it possible to link and track risks using defined KRI and KPI metrics. To facilitate the process of collecting KRI/KPI data, a recurring schedule can be created. Additionally, the system allows for using KRI/KPI data to trigger automated reports when values exceed defined thresholds. Finally, in Origami Risk, action plans can be created for risks that fall outside of tolerance or appetite thresholds, and the system makes it possible to document ownership of action plan steps and report on the completion status and results of action plans.


The ERM framework developed by COSO and adopted by ASHRM provides healthcare organizations with a flexible structure for guiding risk management professionals as they work to implement and build upon ERM programs that focus not just on the protection of value, but the creation of value, as well. As part of its single-platform delivery of risk, insurance, safety, and compliance solutions, Origami Risk provides a wide range of flexible tools that support the foundational elements of healthcare ERM, help to promote overall program credibility and success, and also streamline the activities that contribute to long-term program sustainability.  

To learn more about how Origami Risk can support your healthcare ERM program or discuss other healthcare solutions available as part of the Origami Risk platform, contact us