How Swiss hospitals can manage their risks holistically
Risk management is becoming increasingly important in the management of hospital operations. In particular, the integration of risk information into decision-making processes is increasingly the focus of risk managers. Using the Insel Group as an example, we will show why a modern, holistic risk management approach can bring certain risks into sharper focus.
As comparatively risk-averse organizations, hospitals have a vested interest in prudent and value-creating risk management that allows an overall view of clinical, technological and business administration risks. In traditional risk management, the risk map plays a central role. Based on the classification of risks in a two-dimensional matrix, control measures are derived according to a traffic light system. This easy-to-understand instrument is propagated as an important tool at many training and further education institutions. For this reason, it is probably the most widespread approach to risk assessment in practice today, even though it is associated with considerable methodological shortcomings, such as the lack of a target reference and the dangerous consideration of risk expectation values.
Recent research findings suggest that risk maps, which are common in traditional risk management, should be used with great caution. They can encourage wrong decisions and thus have a counterproductive effect. This is where the modern enterprise risk management (ERM) approach comes in. It promotes a holistic understanding of risk that links the weighing of opportunities and threats with organizational goals and decision-making within the company. This objective underlies the federally financed research project "Holistic Risk Management in Swiss Hospitals" (see Infobox). The example of the Insel Group, which is participating in the project, is used below to outline what a modern ERM process can look like in hospital operations.
Risk identification and analysis
The first step is risk identification, which takes into account not only internal risks but also potential risks from the corporate environment. From an organisational perspective, risk identification starts at lower hierarchical levels (hospital operations) and proceeds from management. The risks thus identified are assigned to the cause-oriented risk categories of clinical, strategic, operational and financial with a view to qualitative risk analysis. The precise verbal description of cause(s) and effect(s) within the framework of risk identification creates the prerequisite for targeted risk management. Based on this, the pre-identified risks are to be evaluated according to frequency of occurrence (number of incidents per unit of time) and amount of loss (long-term net financial loss) for a credible worst-case scenario.
In traditional risk management, the risks are then classified in the aforementioned risk matrix on the basis of the assigned scale values for probability of occurrence and extent of damage in order to derive corresponding treatment strategies. Although this approach can serve the purpose of an initial risk selection, it is no longer sufficient for company-wide risk management according to modern ERM understanding. Risks should not be managed in isolation in a risk portfolio, but in accordance with the company-wide objectives derived from the strategy.
Selection of top risks
Due to the deficits mentioned above, risk managers preselect the top risks on the basis of the consolidated risks at the level of the company as a whole. These are risks that could have a serious impact on the company's objectives. The probability of occurrence is deliberately neglected in this selection: it is difficult to estimate reliably, and it is simply not relevant if the risk actually occurs. At the Insel Group, the top risks also include patient injuries from the core business. In principle, these can lead to higher treatment costs and insurance premiums, liability claims, loss of reputation and, in the medium term, to falling case numbers. Therefore, patient injuries, which have a high financial loss potential due to their chain of effects, are to be classified as a significant business risk. In order to create transparency, the risk management officers at the Insel Group inform the risk owners concerned about the top risks, which are reported to the Executive Board and the Board of Directors.
Quantitative scenario analysis
Risks can only be managed, compared and prioritized in a holistic manner if there is a common and consistent basis for assessment. To this end, the selected top risks must be subjected to a quantitative risk assessment. Together with the risk manager, the risk owners examine these risks using an in-depth scenario analysis. Scenarios are alternative, anticipated states in the future in which risks can occur in different forms (also as opportunities). In traditional risk management, it is too simplistically assumed that risks are binary alternatives in the sense of "they occur" or "they do not occur". In reality, however, a risk can occur in different degrees of severity and in different periods of time. This situation is to be represented by modelling scenarios. These scenarios include the cause on the one hand and the circumstances from which the actual risk arises on the other. As a consequence, the effects of the occurrence of the risk are also described in more detail. This chain of cause and effect of each risk is finally reviewed by the respective decision-makers (e.g. division heads).
The top risks described up to this point are in part interdependent, influence each other or are thereby amplified or reduced. In the integrated ERM approach, such risk interdependencies must be explicitly assessed. This allows a holistic and realistic risk assessment. The risk portfolio then contains all quantified top risks, their human-assessed scenarios and interdependencies. As a result, an overview of the financial impact of the respective scenarios of all top risks with a consistent assessment on a relevant tax parameter (e.g. EBITDAR in the hospital environment) can be generated. The figure summarizes these steps.
With the help of a simulation procedure available in the risk management tool or an MS Excel add-in, the top risks are finally aggregated into an overall risk based on the initial data described. This procedure makes it possible to link risk management with corporate planning. Only in this way can the effects of the risks on corporate planning be identified. In addition, the total risk value can be compared with the defined risk appetite (the accepted total entrepreneurial risk) and the performance over several years can be compared.
In the case of risks that cannot be accepted according to the applicable risk appetite, the risk owner plans measures that reduce the probability of occurrence and/or the amount of damage. Depending on the risk situation, the risk owner proposes measures that are preventive in terms of the causes or that are aimed at limiting the damage. If the decision-makers or a risk committee approve these, the risk owner is provided with a budget for the measures.
The ERM process presented is flanked by reporting and continuous monitoring as well as information, communication and reporting. In contrast to traditional risk management, decision-relevant risk information is available at all times in the Insel Group thanks to tool support and a flexible dashboard.
Conclusion
The implementation of the ERM process at the Insel Group makes it clear that special attention must be paid to an adequate internal environment right from the start. This includes a shared risk culture that establishes a uniform language with regard to risks and opportunities. Particularly in risk-averse hospital operations, it is important to prevent a one-sided negative understanding of risk that fundamentally views risks as something bad. With the help of a risk policy, the formal basis for the ERM process can be created. The latter is characterized by the fact that it links risk management with strategic goals. For this purpose, however, it does not use a statistical model, but rather various scenarios that are estimated by experts. This is precisely why the ERM approach presented here is a widely accepted management tool in the Insel Group.