American Society of Healthcare Risk Management – White Paper 2014

Abstract: Healthcare organizations have made significant strides in developing Enterprise Risk Management (ERM) programs, but there is still much work to be done. To facilitate this process, ASHRM has defined ERM and created an ERM Framework for use in healthcare around which an ERM Program can be formed. This white paper will graphically display the Framework and describe key structural components necessary in any healthcare setting. Use this Framework to help build consistency in your efforts to move ERM forward.

Audience: Novice, intermediate risk professional, or anyone desiring more information on ERM

Keywords: Enterprise Risk Management, ERM, Framework, Guiding Principles, Governance, Risk & Opportunity Identification, Assessment, Risk Response, Risk Evaluation

The advancement of healthcare Enterprise Risk Management is a key initiative in ASHRM’s Strategic Plan for 2014-2015. The implementation and maturity of ERM programs in healthcare organizations—while making significant strides—still lag behind large organizations, public companies, and financial services organizations. Although many healthcare risk-management professionals implement ERM strategies for new programs, projects and services (particularly to manage clinical and patient-safety related risks), they fail to advance ERM strategies on an organization-wide basis beyond those risks and thus miss a tremendous opportunity to increase or create value. Recognizing the elements necessary for ERM program development and implementation, and embedding them in the enterprise, is central to program success and sustainability.

Supporting this key ASHRM initiative is the development of a framework around which an ERM Program can be structured, along with a clear, concise and easily understood definition of ERM. This paper offers guidance on ERM methods specific to healthcare organizations. It outlines ASHRM’s ERM Framework, highlighting structural components that support a solid foundation, promote program credibility and success, and advance ERM principles throughout your healthcare organization.


The Framework, as illustrated in this paper (see Graphic #1, ASHRM’s ERM Framework), depicts a sample structure that can be utilized by any risk-management professional as the developmental foundation of an organization-wide ERM program. Understandably, each organization’s ERM program will vary due to differences in mission, vision, culture and strategic direction. However, the components shown in the sample Framework are relevant to any healthcare organization, and each group may adopt these elements in a manner that accommodates the differences noted. Flexibility is important, as a one-size-fits-all approach is not applicable in ERM. Realizing this at the outset will encourage the risk management professional to define and modify the basic structural elements in the Framework to fit their specific organizational needs, particularly as they relate to unique delivery settings. This sample Framework allows for the vital flexibility needed to create a unique and individualized healthcare ERM program. Once a Framework that addresses the specific needs of the organization is developed, the process may begin for creating the program’s success building blocks, such as informing, consulting, learning, communicating and reporting.


The following Guiding Principles, in concert with ASHRM’s mission and vision, have been developed as basic building blocks supporting the Framework for ERM in healthcare:

  • Advance safe and trusted healthcare
  • Manage uncertainty
  • Maximize value protection and creation
  • Encourage multidisciplinary accountability [1]
  • Optimize organizational readiness
  • Promote positive organizational culture which will impact readiness and success
  • Advance ERM Practices – ERM programs, once started, are continuous [2] and are a paradigm shift in how an organization identifies and manages risks and opportunities. These comprehensive programs are “not a stop on the road, but a journey.” [3]
  • Utilize data/metrics to prioritize risks
  • Align risk appetite and strategy

The Governing Body [4] of each healthcare organization is ultimately responsible for its ERM program. It is accountable, either directly or through the leadership team, for:

  • Defining ERM as appropriate for the organization
  • Creating and maintaining a culture that is supportive of ERM
  • Determining strategy and program objectives
  • Establishing parameters and levels for risk appetite and tolerance statements
  • Establishing the ERM structure
  • Approving the ERM plan (as well as communication and reporting plans)
  • Providing ERM program oversight

Each of these areas is described in more detail below.

Definition of ERM – Adopting a definition of ERM that is clear, concise and understandable is one of the significant early steps in developing an ERM Program. Without an articulated definition the organization can embrace, the activities associated with ERM development and implementation can become disjointed and without purpose. ASHRM has adopted the following definition.

“Enterprise risk management in healthcare promotes a comprehensive framework for making risk management decisions which maximize value protection and creation by managing risk and uncertainty and their connections to total value.” [5]

Other credible organizations such as the Committee of Sponsoring Organizations of the Treadway Commission (COSO) [6], the American Health Lawyers Association (AHLA) [7], the Risk and Insurance Management Society (RIMS) [8], and the International Organization for Standardization (ISO 31000:2009) [9] have all defined ERM, albeit differently. See the Endnotes for those definitions.
