ERM in Practice at the University of California Health System
Senior Vice President and Chief Risk and Compliance Officer, AAA Northern California, Nevada, and Utah; former Chief Risk Officer, University of California
The University of California's Health System is comprised of numerous clinical operations, including five medical centers that support the clinical teaching programs of the university's medical and health sciences schools and handle more than three million patient visits each year. The medical centers provide a full range of health care services in their communities and are sites for the development and testing of new diagnostic and therapeutic techniques. Collectively, these centers comprise one of the largest health care systems in the world.
The University of California Office of the President's Office of Risk Services is responsible for developing and implementing enterprise risk management (ERM) systemwide, identifying and developing strategies to minimize the impact of risk, developing a center of excellence for managing risk, reducing costs, and improving safety by executing new ideas and strategic plans in a rapid manner in support of the university's mission of teaching, research, public service, and patient care.
THE ENTERPRISE RISK MANAGEMENT PROGRAM
The University of California (UC) System began an ERM initiative as a natural progression of making the decision to adopt the Committee of Sponsoring Organizations (COSO) Internal Control – Integrated Framework in 1995, and in that same year UC's vice chancellors for business and finance accepted an internal audit recommendation to adopt COSO as the Internal Control Integrated Framework for the university. In 2004, COSO's inclusion of enterprise risk management into its model led to the hiring of a chief risk officer (CRO) tasked with implanting enterprise risk management.
The chief risk officer, who had previously implemented ERM for a publicly traded company, set out to learn about the operations and culture of the university and identify what ERM activities were already in place and where there were gaps, and what would be the best approach for implementing ERM. Visits were made to all of the campuses and medical centers, and leaders from various departments and disciplines were gathered together and asked: How do you know if you are doing well ? What data do you have to let you know how you are doing? Leadership clearly was able to articulate their objectives and the risks that could impact those objectives, but the data for measuring and monitoring were not timely and were primarily ad hoc, annual, and manual. The information gathered through these meetings was critical for understanding and developing the key performance indicators (KPIs) that would later become an important component of the ERM program. (See What Is a KPI?)
What Is a KPI?
Generally, strategic or operating plans will identify the critical success factors and key goals of an organization. Critical success factors are the areas that the organization must focus on and do well in to satisfy customer/client needs. An example may be "meeting client expectations." KPIs are derived from critical success factors and define these critical success factors into more meaningful criteria. For example, the critical success factor of "improve productivity" might have KPIs such as cost, service quality, cycle time, streamlining of processes, and reduced duplication and/or rework.
How often can KPIs be updated?
KPIs can be updated as frequently as the data they are drawn from is updated. Some examples:
Claims information, daily Payroll information, monthly Construction scheduling, quarterly
How is improvement measured with KPIs?
Improvement is measured by looking at ratios between time periods relative to risk. For example, in the area of workers' compensation:
Recordable rate = Number of injuries relative to the hours worked
Next, an ERM panel was formed to develop an ERM strategy. The ERM panel included management representatives from the Office of the President, the campuses, and the health system. The CRO along with the ERM panel recognized that, given the complexity of the university's operations and the general decentralization of services and information, technology would need to be leveraged to identify, manage, and monitor risks. The overall strategy was to develop a data warehouse that could manage information already being collected by various groups, existing programs, and initiatives throughout the system – an enterprise risk management information system (ERMIS). Once consolidated in a single location, the data could then be used to analyze processes, risks, and controls systemwide.
As the ERMIS was being developed, the CRO commissioned a cost of risk study to be able to measure and monitor success of the ERM program. The first Risk Summit was held with more than 100 attendees, and the charge was given to the attendees to reduce the cost of risk by 16 percent in 24 months. How? At the summit the program Be Smart about Safety (BSAS) was launched, which was the first of many initiatives focused on preventing and managing risk. The university not only met this charge, but exceeded it by meeting the target in only 18 months.