
ERM Risk Management Strategies for Physician Practices

While Enterprise Risk Management (ERM) has traditionally been a focus for large hospitals and health systems, many ERM strategies can be effectively implemented to manage risk in the physician practice setting. Regardless of the size or structure of the practice, risk managers and organizational leaders bring value through ERM by aligning with the organization’s strategies and goals.

Unlike traditional risk management programs that focus primarily on patient safety issues, an ERM program addresses the full spectrum of risks and brings value to the organization while managing uncertainty.  

An effective ERM program is:

  • Designed as a decision-making process to recognize, analyze, manage and anticipate risks.
  • Designed to mitigate the impact of adverse events while improving compliance oversight.
  • Responsible for fostering a culture and collaboration between business units, departments, divisions and disciplines.
  • Focused on enhancing governance by allowing for a more informed decision-making process, especially at the highest levels in the organization.
  • Supported from the top of the organization, which is where it is most successful.

Prioritizing Risk

By rating and prioritizing risks, focus can be placed on those that pose the greatest threat to the success of the organization’s strategic plan. One method of establishing prioritization is to assign a priority number to each potential risk. This is done by having key stakeholders score each identified risk on two dimensions: the potential impact of the risk (1 = least impact, 5 = highest impact) and the likelihood of the risk occurring (1 = least likely, 5 = most likely). By multiplying the two scores and aggregating the results across stakeholders, the organization can begin to establish a risk prioritization map with scores ranging from 1 to 25. It is important to keep in mind that this methodology is inherently subjective, so all stakeholders should be included to gain an accurate overview of the organization’s risks and priorities.
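The scoring method above, carried through in code as an added example (this is not from the ASHRM article or its authors). The impact-times-likelihood product on a 1 to 5 scale is the article's; how the individual stakeholder products are aggregated (an arithmetic mean here), the tier cut-offs for the prioritization map, the disagreement threshold and every sample rating are assumptions made for the illustration. Keeping the minimum, maximum and spread of the individual products alongside the average is the practical way to make the subjectivity the article warns about visible rather than hidden.

```python
from statistics import mean

# Added example, not from the ASHRM article. Scoring follows the article's
# method (impact 1-5 x likelihood 1-5 = priority number 1-25); the way the
# per-stakeholder numbers are aggregated and the tier thresholds are assumptions.

SCALE = range(1, 6)  # 1 = least, 5 = greatest, for both impact and likelihood


def priority_number(impact: int, likelihood: int) -> int:
    """One stakeholder's priority number for one risk: impact x likelihood."""
    if impact not in SCALE or likelihood not in SCALE:
        raise ValueError(f"scores must be 1-5, got impact={impact}, likelihood={likelihood}")
    return impact * likelihood


def prioritize(ratings: dict) -> list:
    """Aggregate every stakeholder's rating of every risk into a ranked list.

    ratings: {risk name: [(impact, likelihood), ...]}, one pair per stakeholder.
    Aggregation is the arithmetic mean of the individual products (an assumption;
    the article only says the results are aggregated). The min, max and spread
    of the individual products are kept so disagreement between stakeholders
    stays visible instead of being averaged away.
    """
    rows = []
    for risk, pairs in ratings.items():
        if not pairs:
            raise ValueError(f"no stakeholder ratings for {risk!r}")
        products = [priority_number(i, l) for i, l in pairs]
        rows.append({
            "risk": risk,
            "score": mean(products),
            "low": min(products),
            "high": max(products),
            "spread": max(products) - min(products),
            "raters": len(products),
        })
    # highest aggregate score first; ties broken by name for stable output
    rows.sort(key=lambda r: (-r["score"], r["risk"]))
    return rows


def risk_map(rows: list, high: float = 15, medium: float = 8) -> dict:
    """Bucket ranked rows into a three-tier prioritization map.

    The cut-offs (>= 15 high, >= 8 medium) are assumptions; the article gives
    only the 1-25 range, not the boundaries.
    """
    tiers = {"high": [], "medium": [], "low": []}
    for r in rows:
        if r["score"] >= high:
            tiers["high"].append(r["risk"])
        elif r["score"] >= medium:
            tiers["medium"].append(r["risk"])
        else:
            tiers["low"].append(r["risk"])
    return tiers


def disagreements(rows: list, max_spread: int = 10) -> list:
    """Risks whose individual products differ by more than max_spread (assumed
    threshold): candidates for a second discussion before the map is finalized."""
    return [r["risk"] for r in rows if r["spread"] > max_spread]


# Constructed sample: four stakeholders rating the article's five risk areas
# plus two lower-priority ones. The numbers are illustrative only.
SAMPLE_RATINGS = {
    "Burnout": [(5, 4), (4, 5), (5, 4), (5, 4)],
    "Telemedicine": [(4, 5), (5, 4), (3, 4), (5, 5)],
    "MIPS": [(5, 5), (5, 5), (5, 5), (5, 5)],
    "Missed appointments": [(3, 5), (5, 3), (3, 5), (4, 4)],
    "Chaperones": [(5, 3), (3, 5), (5, 3), (3, 5)],
    "Vendor contract lapse": [(3, 3), (3, 3), (2, 4), (4, 2)],
    "Office supply shortage": [(1, 2), (2, 1), (1, 1), (2, 2)],
}

if __name__ == "__main__":
    ranked = prioritize(SAMPLE_RATINGS)
    for r in ranked:
        print(f"{r['risk']:<24} score={r['score']:>5.2f}  "
              f"range={r['low']}-{r['high']}  raters={r['raters']}")
    print("prioritization map:", risk_map(ranked))
    print("needs further discussion:", disagreements(ranked))
```

Running the script ranks the constructed sample with MIPS at 25 and Burnout at 20, and flags Telemedicine, where one stakeholder scored 12 and another 25, as needing discussion even though its average still lands in the high tier.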

Scored Risk Examples

Following are examples of risks identified in an independent, multi-location family practice group. An ERM framework and model were developed and approved by stakeholders. The following risks were identified and prioritized, and mitigation strategies were approved by the risk and compliance committee. Key stakeholders were assigned and held accountable for risk reduction strategies. The committee meets monthly and reports on the status of the ERM plan. A full ERM risk assessment is conducted every three years.

The following risks were identified in this sample practice:

Domain           Risk                                                 Risk Score

Human Capital    Burnout                                              20

Technology       Telemedicine                                         20

Finance          Merit-based Incentive Payment System (MIPS)          25

Operations       Missed or Cancelled Appointments                     15

Operations       Chaperones during Physical Examinations              15

Human Capital – Burnout

Physician burnout was identified as one of the risks that could impact the success of the practice. Drivers identified:

  • Busy practice with a push for productivity.
  • Aging physicians who demand work-life balance.
  • Increase in patient complaints about “physician disengagement.”

The mitigation strategies include the following key components:

  • Distinguishing between, and appropriately managing, inherent and external stress and rewards.
  • Changing the “productivity orientation” of the current practice model.
  • Implementing the American Medical Association’s STEPS Forward™ practice improvement initiative.

Technology – Telemedicine

The assessment identified previously unknown risks of the rapidly growing telemedicine program. Drivers identified:

  • Implemented telemedicine with local nursing home with plans to expand.
  • Plan to embed telepsychiatry into the practice.
  • Lack of standard operating procedures.
  • Lack of confidence in the technology.

Mitigation strategies to manage the program include:

  • Performing an assessment utilizing a Telemedicine Risk Management Checklist that includes privacy, security and patient confidentiality; credentialing; reliability of the technology; training; quality management; and more.
  • Review of the ASHRM Whitepaper, “Telemedicine: Risk Management Considerations.”
  • Selection and monitoring of key metrics.
  • Development of telemedicine interactive consult standards and protocols.

Finance – Merit-based Incentive Payment System (MIPS)

The group’s executives and partners agreed that the financial stability of the practice was at risk because of changes in reimbursement. MIPS is one of two payment tracks created under the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA). MIPS adjusts payment based on performance in four categories: quality, cost, promoting interoperability and improvement activities. Drivers identified:

  • New payment methodology.
  • Unclear financial impact on the practice.
  • Lack of clarity around individual incentives.
  • Lack of confidence that the group will meet all incentive metrics.

Mitigation strategies include:

  • Further assessment of compliance with physician quality reporting requirements.
  • Actuarial analysis and risk modeling to predict the financial impact.
  • Affirmation that the new EHR meets the requirements for incentives.

Operations – Cancellations/No Shows

An analysis of data for the previous calendar year found that the practice’s rate of missed appointments, from cancellations or no-shows, was double the national average, resulting in significant financial loss. Missed appointments can potentially affect patient health, access to care, practice workflow and the financial health of the organization. Drivers identified were:

  • After-hours calls and urgent care/ED visits for the practice’s patients have steadily increased.
  • Follow-up processes for missed patient appointments are inconsistent.

Mitigation strategies include:

  • Optimal use of reminders through a combination of calls, text messages and patient portals.
  • Education at every patient encounter on the importance of complying with appointments and how to cancel or reschedule.
  • Documenting patients’ reasons given for not keeping appointments for review and analysis.
  • Working with patients to identify their barriers and develop effective solutions.

Operations – Chaperones

Awareness of the practice’s process for the use of chaperones is essential. Chaperones are typically made available for intimate or sensitive exams, at patient request and at provider request. Policies should not be based solely on the gender of the patient or provider, or on the type of exam. Rather, policies should apply to everyone regardless of gender, sexual orientation or gender identification. Drivers identified:

  • News about a provider in a nearby town who was accused of sexually abusing patients.
  • Patient complaint alleging an inappropriate exam.
  • No routine process for use of chaperones.

At each visit during which a sensitive exam is planned, the patient should be made aware of the practice’s policy and offered a chaperone, as well as the opportunity to consent or decline.  

Mitigation strategies include:

  • Ensuring patient awareness of the organization’s chaperone policy and availability of a chaperone through verbal communication and signage at strategic locations in the office suite.
  • Communicating the policy through educational materials and “new patient” information.
  • Developing policies with representatives from clinical staff with input from risk management and the organization’s legal counsel.
  • When developing policies, incorporate guidelines from professional organizations, local medical societies and medical professional boards; consider cultural elements.

Enterprise Risk Management Action Plans

Once the organization has identified and prioritized risks, the next step is to assign accountability and mitigation strategies. Every effective risk management program must include a governance and reporting structure. It is critical in an ERM program that key decision-makers are included in the communication and sharing of ERM strategies. Keep in mind that a physician group practice, especially an independent one, may not have a board or ERM committee. In that case, the governance and structure of the ERM program may be embedded into operations, with the overarching responsibility for risk management deferred to the executives who make up the leadership team.

Measure, Monitor and Evaluate

To have an effective ERM program, the organization must have a methodology to measure and monitor the effectiveness, compliance and sustainability of its mitigation strategies. Each strategy will have its own unique metric. Stakeholders must be held accountable not only for implementing the mitigation strategies but also for selecting appropriate metrics that align with each strategy. Key indicators can be either outcome measures or process measures. In either case, a process must be in place to collect and analyze the data as well as communicate the effectiveness of the strategy.

A physician group practice, whether independent or integrated within a health system, can design ERM strategies and implement ERM principles not only to protect the group’s assets but also to demonstrate a proactive, value-added decision-making process that aligns with the group’s mission, vision and strategic plan. When supported by leadership, an ERM program can help a physician practice identify, mitigate and anticipate risks across the entire organization.


ASHRM. (2016). Physician Office Risk Management Playbook. Retrieved from https://ams.aha.org/eweb/DynamicPage.aspx?WebCode=ProdDetailAdd&ivd_prc_prd_key=123964ad-2007-4781-8d17-d12184c64785

MGMA. (2017, August). Maximizing Patient Access and Scheduling: An MGMA Research & Analysis Report. Retrieved from https://www.mgma.com/getattachment/Products/Products/Maximizing-Patient-Access-and-Scheduling/PatientAccessSchedulingResearchReport-INTER_FINAL.PDF.aspx

Russell, D. (Ed.), Boisvert, S., & Borg, D. (Assoc. Eds.). (2018). ASHRM Whitepaper: Telemedicine: Risk Management Considerations. Retrieved from http://www.ashrm.org/pubs/files/TELEMEDICINE-WHITE-PAPER.pdf?pdf=telemedicine1

Denise Shope, RN, BSN, MHSA, ARM, CPHRM, DFASHRM, is ASHRM’s 2019 President with more than 25 years of experience in the health care industry. Currently a risk management consultant with RCM&D in Baltimore, she has authored several risk management resources, chaired the ASHRM Enterprise Risk Management Advisory Committee and is ASHRM faculty for the organization’s ERM Certificate program and Health Care Risk Management Certificate program.

Nancy Connelly, RN, BA, CPHRM, DFASHRM is a risk management consultant with RCM&D, an independent insurance advisory firm based in Baltimore, Maryland. RCM&D provides strategic solutions and consulting for risk management, insurance and employee benefits. She is the vice chair for the ASHRM Forum Task Force.
