Support from right execs needed for successful ERM program

SAN DIEGO—Risk managers can easily and successfully move into enterprise risk management if they do not lose sight of a few important landmarks found in productive ERM efforts, according to several risk managers and a consultant.

Among the key factors are building early support for the effort from the right executives, tailoring the effort to the organization, keeping it simple and showing some immediate success, according to the experts.

Three risk managers, all involved in ERM efforts, and a consultant offered their advice to hospital risk managers during an educational session at the American Society for Healthcare Risk Management's 2006 conference and exhibition Oct. 29-Nov. 1 in San Diego.

An early requirement for launching a successful ERM program is the risk manager's willingness to view risk management differently, said John R. Phelps, director of risk management at Blue Cross Blue Shield of Florida in Jacksonville.

"Enterprise risk management as a concept is really sweeping through business," Mr. Phelps said. "ERM necessarily takes us out of insurance and into the operations of the company."

But "so many people in my discipline struggle with it" because it is "a different lens to look through" when managing risk, he said.

"ERM is about helping something to happen," because it is "a window into the strategy of the organization," he said. ERM focuses on how and when an organization should take risk to succeed, while traditional risk management "is about stopping things from happening."

As the ERM program is developed, a risk manager must have backing from an executive who can create support for it throughout the organization, the panel agreed.

While the chief executive officer's stamp of approval is best, the backing of other officials also would suffice, the risk managers said.

Mr. Phelps, for example, noted that when he started his ERM program seven years ago, he enlisted the support of the organization's general counsel. The Blues plan's top legal officer approved the ERM effort when he realized that he would have to answer for some potential problems that ERM would address.

But whoever heads the ERM effort should have access to an executive who is "no more that two levels from the top," or the program will suffer from a lack of organizational support, said consultant Michael J. Chagares, a Washington-based director with Mercer Oliver Wyman, a unit of Marsh & McLennan Cos. Inc.

In developing an ERM program, there are many models to follow and some relatively successful programs already are in place, but those should not limit a risk manager's approach, the panelists agreed.

"There's no really right way or wrong way to go about implementing enterprise risk management," said Mitch H. Melfi, a senior vp and the chief risk officer at Catholic Health Initiatives of Erlanger, Ky.

At CHI, which adopted the CRO concept during the 1990s, the ERM program is not a process for addressing every risk, Mr. Melfi said. Instead, it is designed to aid management with the key business risks it has identified through risk mapping, which management should re-evaluate yearly, he said.

Mr. Melfi noted that his risk mapping also depicts-albeit subjectively-the organization's current ability to handle each key risk. That helps management determine whether to devote any additional resources to key risks, he said.

An important way ERM assists management is by facilitating communication among organizational silos that typically "aren't talking to each other," Mr. Melfi said. In hospitals, those silos would include those departments or individuals who oversee clinical practices, mergers and workers compensation, he said.

Cynthia Magners, director of risk management at Children's Healthcare of Atlanta, advised risk managers that they can "jump into ERM in a slow, step-by-step way."

Ms. Magners recalled that in 2002 she pulled in her broker for support when she went "tapping on administration's door to say we want to get into your business."

Ms. Magners started with mapping risks in several key areas of the organization. She met with the senior vps of several departments-including finance and operations-as well as the general counsel to discuss their significant risk exposures and how ERM could address them.

The executives allowed Ms. Magners to implement her plan, and "they realized some success" within the next year, she said.

Those successes encouraged management to hire a consultant to conduct an enterprisewide risk assessment. The consultant met individually with leaders throughout the organization to discuss the controls they had in play and which issues still "kept them up at night," Ms. Magners said.

A written questionnaire supplemented those interviews, she said.

In 2004, the company created oversight committees for the top risks and established risk audits. In addition, the company developed an annual risk assessment survey for its executives.

The organization's ERM program has been "home grown," but next year the organization plans to begin looking to the standards developed by the Committee of Sponsoring Organizations, the voluntary group of accountants, auditors and financial executives that wants to improve financial reporting through business ethics, internal controls and corporate governance.

Whatever approach a risk manager chooses, "keep it simple and easy to understand," Mr. Phelps advised. "Some consultants will make it very difficult. Be aware of that."