At a Glance
- The traditional frameworks that healthcare providers used for managing risk in the past under the volume-based payment model are insufficient for managing risk posed by today’s value-based payment models.
- Under value-based care, a provider can be financially penalized for failing to meet quality standards established for what previously would have been a purely clinical domain of risk.
- Managing risk under value-based care therefore requires an enterprise risk management framework that accounts for the financial risk inherent in each of the provider’s larger risk domains (e.g., strategic, operations, human capital, and clinical performance risk).
Appropriately identifying and reconciling risks and opportunities tied to performance-based payment is essential for success and survival in value-based care models.
Healthcare organizations have long employed various approaches to risk management to prepare for risks that are unique to the healthcare delivery settings, such as adverse events that pose harm to patients, visitors, and employees. However, with the advent of the ACA, which mandated the tethering of clinical and financial operations together into value-based systems, the traditional risk management approaches has become inadequate.
This required healthcare leaders to think in terms of the entire system, constantly making an in-depth analysis of risk and taking proactive steps to build a safer, more cost-efficient healthcare environment. Recently, Enterprise Risk Management (ERM) has emerged as a preferred risk management approach for businesses across many industry sectors, including aviation, construction, public health, international development, energy, finance, and insurance.
Healthcare organizations, too, have begun adopting ERM as a means to adapt to the uncertainties of the changing healthcare landscape. However, building and implementing an ERM framework for value-focused health care is not without considerable challenges. These tasks involve a top-down approach involving key stake-holders creating a risk-focused architecture within the hospital or healthcare system that aligns with the organization’s strategies and initiatives.
Traditional Healthcare Risk Management Approaches
Risk management has always been especially important in health care because human lives are on the line. Healthcare organizations have long employed various approaches to risk management to prepare for risks that are unique to healthcare delivery settings, such as adverse events that pose harm to patients, visitors, and employees.
The role or purpose of risk management has traditionally been regarded as “protection from loss” in narrow insurable categories, such as medical malpractice, general liability, property loss, and directors’ and officers’ risk. Thus, the idea of risk and insurance tended to be directly linked.
Many risk management programs later evolved to include early patient safety efforts, relying on voluntarily reported events and incidents to identify risk. As such, these programs’ activities tended to be reactive and retrospective. Risk management program success was measured based on insurance premiums, reserves, and losses and reported incidents, and the assessment did not consider lost opportunities, sacrificed value, and evaluation of nonclinical risk.
One of the key differences between the traditional risk management approaches and the new ERM framework is the tethering of the clinical and financial performance, which is discussed in greater detail below.
Understanding the forces reshaping ERM
Regulations established under the Affordable Care Act (ACA), emerging malpractice reforms, changes to prospective payment systems (PPSs), and the shift to value-based payments all have dramatically transformed the care delivery and risk management profile for most healthcare providers. Some have started down the path to implementing ERM to prepare for these new payment risks, but many entities remain focused simply on limiting underwriting risks as part of risk-management strategies.
As clinical and financial performance are increasingly tethered to one another in value-based healthcare delivery and payment models, the key to managing and avoiding risk moving forward will be to thoroughly understand the emerging new payment methodologies that are designed to change provider behavior and the ways these changes impact patients’ entry and movement through the healthcare delivery system. (For a brief discussion of these new payment models and how they are introducing new forms of payment risk to provider organization, see the sidebar).
Risk Management Across a Spectrum of Risk
As the healthcare industry continues its movement from the volume-based, fee-for-service (FFS) payment model to the value-based payment model, hospitals and health systems face major challenges and opportunities in transforming their clinical, financial, and operational models to align with new value-based payment policies, while still living in a volume-based environment.
For example, the federal government has assumed a more active role in advancing the Quality Payment Program, further emphasizing the need for ERM and the importance of an organization’s clearly defined roles and processes:
The Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) ended the Sustainable Growth Rate (SGR) formula and by law required organizations to implement the Quality Payment Program. Those who participate in Medicare Part B are part of the dedicated team of clinicians who serve more than 55 million of the country’s most vulnerable Americans. The Quality Payment Program provides new tools and resources to enhance patient care. There are two ways to choose how to participate based on practice size, specialty, location, or patient population:
- Advanced Alternative Payment models (APMs) or
- The Merit-based Incentive Payment System (MIPS)
Participation in an Advanced APM through Medicare Part B might mean earning an incentive payment for participating in an innovative payment model.
Important among the risks that must be managed across various types of value-based arrangements are the potential financial impacts associated with the transition, such as decreases in emergency department patient volume, hospital admissions, and inpatient length of stay and admissions at skilled nursing facilities that result from better management of chronically ill and high-risk populations.
In one-sided risk arrangements, such as advanced alternative payment models (APMs) and shared savings models, providers and healthcare delivery organizations assume the up-front costs to acquire and deploy resources for their participation without accepting downside financial consequences.
By contrast, in two-sided risk arrangements—such as bundled payments, partial capitation, and full capitation—providers and healthcare delivery organizations share savings and losses with insurers. Optimizing payment in two-sided arrangements requires a significant focus of care coordination, care management, and high-risk case management. If successfully implemented, two-sided risk models are a means to align interests across payers and providers, improve population health management, and empower and encourage providers to deliver high-value care.
Building an ERM framework for value-focused healthcare
As a strategic discipline, ERM supports the identification, assessment, and management of risks, uncertainties, and opportunities that may affect an organization’s strategy, economic position, or operating performance. A comprehensive and sustainable ERM addresses all the major categories of risk exposure, including environmental, competitive, strategic, financial, regulatory, and operational risk, as well as the risk associated with technology and an organization’s reputation.
Various ERM approaches are available, some of which are more specifically structured to accommodate the risk management needs of selected industries or stakeholders. A mature ERM program supports the entire organization in the evaluation and treatment of risk.
An important foundation for any ERM strategy and risk management plan, particularly in a value-based payment environment, is the development of an ERM framework. Such a framework generally encompasses a series of qualitative and quantitative tools and methods for identifying, examining, and prioritizing risks and for making informed decisions on how to handle them. To understand what is required to build an ERM framework for value-based care, it is helpful first to review traditional healthcare risk management approaches under the volume-based payment model and then consider how the shift in focus from volume to value requires a new approach that involves managing risks across the risk spectrum in value-based arrangements.
A practical approach to creating an ERM framework begins with the following core components:
- Assess, analyze and understand what risk prevention policies and processes are already in place.
- Develop a roadmap of how much risk the organization is willing to take on outside of its original risk parameters and what is needed to achieve these objectives.
- Involve Senior leadership which includes the chief executive officer, chief nursing officer, chief medical officer, chief financial officer and other key cross-functional leaders such as risk managers to steer the development of the ERM framework.
ERM framework can be developed, articulated and set for implementation by the healthcare organization’s board and senior management. The organization’s appetite for risk and tolerance are closely linked with its strategic plan and provide the foundation of the ERM program. Every organization embodies differing levels, amounts and types of risks accepted to achieve anticipated results, which are usually expressed in qualitative and quantitative measures and can be altered to reflect ongoing strategy changes.
It is also likely that the leadership structure of the healthcare organization will differ depending upon its mission, size, complexity and governing body. Assuming that key leaders will review and approve the ERM plan and offer guidance when needed, other committees will further refine roles and responsibilities. This may include the board of directors, department leadership teams, specially convened ERM committees, steering committees, oversight committees or workgroups, as well as those responsible for strategic planning; internal audit compliance, risk management; capital budgets; and mergers/acquisitions/development. Responsibilities can be assigned to specific leaders, including the chief risk officer (CRO), chief financial officer (CFO), chief digital/information officer (CDO/CIO), and the CEO.
The evolution of risk frameworks in healthcare
Most traditional frameworks consists of segmented structures that organizes specific types of risks as part of disparate risk domains (e.g., “Regulatory,” “Finance,” “Operations”). Changes in payment structure are assumed to constitute financial risks in traditional risk management frameworks. However, because payment amounts are not susceptible to measures of quality or other measures of clinical performance in traditional FFS models, the risk management frameworks for these models are not designed to fully reconcile the relationship between clinical and financial risks across risk domains.
For example, the American Society for Healthcare Risk Management (ASHRM) ERM Framework identifies medication errors and hospital-acquired conditions (HAC) as risks allocated only to a Clinical/Patient Safety Risk Domain; it does not recognize HACs as examples of clinical or financial risks as part of its other risk domains.
As defined by the American Society for Healthcare Risk Management, the Financial Risk Domain in its framework comprises financial risks tied to decisions that affect areas such as the financial sustainability of the organization, access to capital, external financial ratings through business relationships, the timing and recognition of revenue and expenses.
Under value-based payment, however, HACs have implications for both clinical and financial risk, given that HACs are the subject of measurement in the Hospital-Acquired Conditions Reduction Program (HACRP) administered by the Centers for Medicare & Medicaid Services (CMS), which reduces hospital payment by one percent of total Medicare billings. Given their financial implications in this case, HACs presumably should be accounted for as examples of financial risks in the ASHRM ERM Framework’s Financial Domain.
The ASHRM ERM Framework also includes a Human Capital Domain, which refers to the organization’s workforce and includes risks associated with recruitment, employee selection, retention, turnover, staffing, absenteeism, on-the-job work-related injuries (workers’ compensation), work schedules and fatigue, productivity, compensation, and termination of members of the medical and allied health staff. HACs are not identified as examples of human capital risks in the Human Capital Risk Domain.
Such an omission is problematic, however, given that CMS uses patient safety indicators (PSIs) established by the Agency for Healthcare Research and Quality (AHRQ) in its HACRP scoring methodology, and that the AHRQ defines the PSIs as being a set of measures designed to screen for adverse events that patients experience as a result of exposure to the healthcare system and that could be prevented by changes at the system or provider level.
By contrast, a value-based healthcare ERM framework places financial performance at the center of the framework, enabling organizations to more effectively identify and reconcile the impact and magnitude of losses or opportunities that could occur as a reflection of clinical preformance under emerging value-based payment and delivery models. Value-based ERM frameworks assume that performance risks exist across risk and opportunity domains, that such risks are predictable, and that any particular risk may have a measurable impact on the economic position and/or financial sustainability of the organization.
This important structural difference between traditional risk management frameworks and value-based ERM frameworks are illustrated in the exhibit.
Value-based ERM frameworks are structured to identify the variable sources of clinical and financial performance risks as key risk indicators (KRIs), so that the anticipated financial consequences of such variability can be measured and reconciled across risk and opportunity domains. KRIs can be derived from key performance indicators (KPIs), benchmarks, and implications on payment determination associated with measures used in various quality improvement and performance reporting programs, and from those utilized as part of risk sharing contracts and arrangements across the provider or healthcare delivery organization’s payer mix.
How to Identify, Qualify, and Prioritize Risks Using a Value-Based ERM Framework
As noted previously, an imperative for effectively managing risk under value-based payment is to have an ERM framework that is well-designed for this purpose. To create such a framework, it is necessary to understand how it differs from traditional healthcare risk management. “An ERM framework should include risk governance, risk appetite setting, enterprise-wide risk management processes that includes the identification of risks, assessment/measurement of risk and actions to address those risks, management of risk through controls/risk responses, and reporting of siks and the status of action plans. Lastly, the integration with business decision making at the corporate level and establishment of a strong risk culture.”
As previously stated, under value-based payment, HACs have implications for both clinical and financial risk. CMS recently released the final FY 2018 adjustments for the Readmissions Reduction Program (HRRP), the Value-Based Purchasing Program (VBP), and the Hospital-Acquired Conditions Reduction Program (HACRP) which ties payments to performance on patient safety issues such as infections, bed sores and post-operative blood clots and where medicare payments were cut for 751 hospitals by 1% in fiscal year 2018 for having the highest rate of hospital-acquired conditions. This illustrates the importance of implementing an ERM program that not only manages the risk for that organization but maximizes financial performance.
A Process Tailored to Circumstances
Value-based ERM approaches and associated frameworks effectively account for elevated financial risks and opportunities linked to quality and other clinical performance measures across the continuum of care. Moving forward, the key to preventing and managing risk will be to understand the relationship between clinical and financial performance. Because there is no one-size-fits-all approach to value-based payment, value-based ERM frameworks can be adjusted to account for a provider’s organizational classification, such as the hospital or health system, including risks and incentives associated with its participation in specific value-based arrangements, risk appetite, organizational capabilities and culture, and market and policy forces.
In today’s healthcare environment of increased uncertainty, complexity and continuous change, traditional risk management approaches can be ineffective. The transition in focus from volume to value has necessitated a shift in how hospitals and health systems identify, evaluate, refine and mitigate risks. The optimal approach is to adopt a comprehensive system that takes into account all aspects of risk across the entire organization and to monitor and address emerging risks before they become significant events. By employing ERM practices that are more accountable to the implications of value-based payments, healthcare provider organizations can better anticipate, recognize, and address the myriad of risks and opportunities to deliver safer, higher quality care.
Federal and Other Initiatives That Are Transforming Provider Risk
Building on the foundation set by the Affordable Care Act, in 2015, the U.S. Department of Health & Human Services (HHS) is continuing to increase the percentage of Medicare payments tied to value and made through alternative payment and delivery models. Specifically, the department’s goal was to tie 30 percent of Medicare payments to alternative payment models by the end of 2016 and 50 percent by the end of 2018. In early 2016, HHS announced it had met its first goal via a combination of accountable care models, episode-based payments, and primary care initiatives.
Quickening the pace of the value-based payment transition is a major focus for HHS. Despite the political shifts, there remains a strong bipartisan commitment to the shift in focus to value There is likely to be increased emphasis on the implementation of Medicaid and Medicare alternative payment models. As the largest payers in the industry, Medicaid and Medicare have the market power to be the first movers in the accelerated value-based reimbursement transition.
In addition to federal reporting and quality improvement programs—such as the Hospital-Acquired Conditions Reduction Program (HACRP) or the Hospital Readmissions Reduction Program (HRRP) administered by the Centers for Medicare & Medicaid Services (CMS), which together penalize inpatient hospital payment by as much as eight percent for poor-quality performance—including new “at-risk” payment models, such as bundled payments, shared savings, pay-for-performance, and capitation introduce variable financial risks and incentives linked to clinical performance, value-based utilization, and cost containment across inpatient and outpatient care settings.
When Congress passed the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA), “risk” moved front and center as a feature of provider payment models. MACRA’s Quality Payment Program contains two value-based payment tracks: the Merit-based Incentive Payment System (MIPS) and the advanced alternative payment model (APM) track. Providers that take on sufficient financial risk under an advanced APM can earn value-based incentive payments greater than the MIPS payment adjustments. CMS expects about 25 percent of eligible clinicians in the Quality Payment Program to participate in an approved two-sided-risk APM by this year.
In addition to these federal initiatives, hospitals and health systems must now manage payment risks associated with value-based payment arrangements with large employers and value-based purchasing consortia. Examples include the following:
- Boeing is contracting with providers to offer a preferred-partnership accountable care organization (ACO) to 50,000 employees in target markets.
- Marriott International is contracting with local hospitals to provide primary and urgent care through outpatient clinics.
- Lowe’s and other employers have established bundled payment arrangements with Centers of Excellence programs for high-volume procedures such as joint replacement and spine surgery.
- More than 300 ACOs now manage approximately 20 million individuals with commercial insurance or Medicaid.
2Centers for Medicare & Medicaid Services (CMS.gov.)
3ASHRM, Enterprise Risk Management (ERM) Resources.
4RSM, Enterprise Risk Management in Healthcare
5Centers for Medicare & Medicaid Services; Better Care. Smarter Spending. Healthier People: Improving Quality and Paying for What Works.
6Belliveau, Jaceuqline; Accelerating the Value-Based Payment Transition Top HHS Priority; RevCycle Intelligence, March 6, 2018.