As healthcare organizations begin to emerge from the COVID-19 pandemic, they are realizing that the biggest risks were ones they never thought would be at the top of the checklist — during the pandemic, seemingly minor risk issues from one part of the operation permeated the entire organization.

One of the biggest takeaways from the COVID-19 pandemic is that healthcare organizations were confronted with risks they didn’t realize they had: A lack of personal protective equipment (PPE), unstable supply chains for equipment, an inability to isolate outbreaks and the inability to remain fully staffed.

These risk issues are not easily overcome, and traditional insurance options may not provide an adequate backstop against claims. As a result, healthcare executives are turning to enterprise risk management (ERM). ERM promises to reduce exposures by looking beyond traditional risks to areas like data protection and strategic planning.

ERM: What is it and how does it work?

ERM is about understanding risks across an organization. It broadens the concept of risk and considers the ways those risks are interconnected in the organization, with insurance being one of many layers of protection rather than the primary one.

For example, many healthcare facilities struggled to isolate highly infectious patients with COVID-19. This was a serious risk, especially in senior care facilities, where 100,000 people lost their lives between March and November 2020 [1]. This has led to facility administrators looking at improving construction and building best practices to minimize the chances of infections.

ERM helps healthcare administrators identify threats and opportunities related to the organization’s goals, assess them in terms of the likelihood and magnitude of impact, create a plan of response and monitor processes. ERM practices also help protect the business and its stakeholders, including boards of directors, executives, management and patients.

At its base, ERM entails data gathering and analysis to support better understanding of the risks. In turn, this leads to:

  • Increased predictability in the cost of risk.
  • Greater investment in expanded healthcare services.
  • Increased attention to mitigation practices, leading to a decrease in financial losses.
  • A better risk story for insurers, leading to more competitive premiums.

How to roll out ERM

Here’s how to start implementing an ERM program at a healthcare organization:

  1. Perform a business impact analysis. This analysis entails gathering data on critical business operations and the associated resources necessary to ensure operational resilience. This data helps determine the projected costs of disruptions, including the impact on service delivery, and informs recovery time objectives and recovery point objectives.
  2. Develop a business continuity plan. A business continuity plan outlines procedures and guidelines for operating during an unplanned disruption. It covers every aspect of the business, from business processes and assets to human resources and business partners.
  3. Test the plan. Management and employees need an opportunity to practice the procedures outlined in the business continuity plan so they understand their roles and to see whether the plan is effective. Many organizations run tabletop exercises and other drills to learn what works and refine the plan.
  4. Take a team approach. It’s critical to develop a team of dedicated risk management experts to focus on risk, stay on top of emerging trends and educate employees. Brokers can help healthcare organizations develop risk management teams.

HUB experts can help you develop enterprise risk management in your healthcare organization — contact your local HUB broker.

[1] AARP, “Who’s to Blame for the 100,000 COVID Dead in Long-Term Care?” December 3, 2020.