Enterprise Risk Management Involves Everyone, Including Residents
 “Are we good, or are we lucky?” That was the challenge that Deborah Hart was asked to address about three years ago, when she became CFO of Smith Senior Living in Chicago, Illinois.
 At the time, Smith wasn’t practicing strategic risk management, although it was inherently doing things that managed risk. “We’ve since tried to modify the focus of the board of trustees, as well as our management, so that they understand that a lot of the decisions they’re reaching are, in fact, a form of risk management,” Hart said. 

 In today’s world, both external and internal factors are posing financial risk to senior living organizations and senior care facilities. The largest external risk area, of course, is the financial health of the national and state economies, combined with the uncertainty about proposed health care reform legislation. That has already pushed employer health insurance premium costs into double-digit increases, as carriers are bracing for the unknown. And similar increases are expected in the coming two years. “The economic conditions in the industry—the slowdown in move-ins at CCRC campuses, for example, present additional pressures,” said Hart. “But managing risk is always important.”
Internal risk factors
The desire for residents to age in place is increasing the acuity levels in senior living facilities, while the current low census levels have reduced revenue and, as a result, required staff reductions. That’s pushing communities to do more with less, according to Bill Coons, Loss Control Director at Thomco, a risk-management insurer located in Kennesaw, Georgia. The low census also motivates communities to accept and retain residents that they normally would not take during better economic times. “Those things lead to unhappy employees, unhappy residents and unhappy responsible parties,” he said.
 Also, the public perception of assisted living and skilled nursing often is the same, leading to unrealistic family and resident expectations. If Mom is falling at home, for example, there’s no guarantee that she won’t fall when residing in an assisted living facility. But if expectations aren’t managed on the front end, the risk of a lawsuit inevitably increases.
 Nevertheless, higher acuity residents who are more appropriate for skilled nursing are being put in assisted living due to the lack of nursing home beds. “That poses a financial risk to the organizations,” cautioned Coons. “In fact, we’ve seen an increase in litigation against assisted living facilities in recent years.”
 At Smith Senior Living, the employee base currently represents the largest internal risk factor, according to Hart. “We had wage freezes last year, so the question is whether we’ll have to do it again this year,” she explained. “We’ve limited the number of positions that get replaced and reduced FTEs, although only through attrition. Yet all that impacts employee morale. You can insure against tangible risks, but morale is a huge intangible risk.”
 To mitigate the morale situation, Smith is making an effort to communicate constantly with employees about the economic issues the company is facing, that there have been no layoffs, and about the value of their still rather rich benefits package compared to other companies. “It’s almost a sales effort, so that our staff clearly understands our employment practices,” said Hart.  “The two most important elements to reducing risk are the consistent application of policies and procedures and then communication, ” she continued. “Whether between employer and employee or between employee and resident and/or family, consistency and communication provide a comfort level, in that the individuals involved can expect the same practices and outcomes in similar situations. It develops trust and allows the organization to focus its energies on quality improvement rather than on managing negative risk or outcomes.”
 Strategic planning—having a plan ready for each situation before it becomes a reality—is certainly the best protection. As an organization, Smith reviews and identifies areas of risk and their perceived impact on a quarterly basis.
 Action plans, which include defining efforts to mitigate the potential of an occurrence, are then evaluated and updated for the risk areas defined as most likely to occur.
Incorporating enterprise risk management
Enterprise risk management came about in the past few years as a result of efforts to involve the C-suite (CEOs, CFOs, and COOs) in risk management, according to Coons. Those executives rarely dealt with hazard risks and insurance, but the concept of enterprise risk management allowed risk management insurers to speak directly with top management about all four types of risk: financial, operational, strategic (competitive) and hazard.
 To protect themselves from financial risk, organizations must find their niche in the community, charge the right price, manage expenses and evaluate the business regularly through internal and external audits and reviews. “That sounds so simple,” said Coons, “but we see a lot of organizations falling short.”
 Operational protection relies on creating a common goal, educating all employees about the goal, and then documenting efforts to reach that goal to provide a defense in case something bad happens down the road. “You also need to be flexible,” said Coons, “and recreate your model or readjust your goal, if that makes sense.”
 Then, organizations can protect themselves competitively by always putting their best foot forward to the public. Good marketing, a good media presence, no negative publicity, and an excellent looking (and smelling) facility can go a long way, according to Coons.

 Hazard risk management is really about insuring against loss resulting from claims by an injured party. To prevent or reduce claims, management and the board must hold each area of the operation responsible for its portion of managing risk; for example: caregivers who distribute medicine or provide bathing and other activities of daily living, kitchen staff who manage food quality and temperatures to avoid food-borne illnesses, marketing staff who avoid overpromising, front-end employees who manage visitors and prevent wanderers, housekeeping staff who control germs, and management who respond to media and community relations.
Culture, culture, culture
It’s important for an organization to create a culture in which they are able to quickly and easily recognize internal risks—anything from a crack in the sidewalk to cyber risk, according to Cindy Lusignan, Senior Vice President and Health Care Practice Leader at risk-management insurer Marsh USA in Milwaukee, Wisconsin.
 “The key to successful risk management is culture, culture, culture,” she stressed. “The organization must create a nurturing environment, one in which everyone—both employees and residents—owns risk management
and risk elimination and where communication is encouraged. The more pervasive that effort, the more you will be able to identify risk and reduce your exposure to unprotected risk.”
 Key elements to every risk management program, regardless of the industry, include identifying risks and finding a way to eliminate, avoid, modify or reduce those risks. That then presents an opportunity for continuous monitoring and improving. Marsh USA refers to these domains when evaluating an enterprise risk system:
Operational: What do you need to keep your core business going?
Financial: What is your ability to raise capital and transfer risk appropriately (insurance)?
Human: Are you making the right hires, terminations? What’s your on-boarding process?
Strategic growth and expansion: What are your plans going forward? How do you identify your marketplace?
Legal and regulatory: What changes or issues are you dealing with regarding HIPA, OSHA, Medicare, Medicaid, etc.?
Technical: Technical issues are quickly crossing into all the other areas.

Undertaking a gap analysis
A gap analysis is an insurance-driven term that indicates areas where there is a coverage gap. A gap analysis helps identify areas where an organization needs to incorporate some better procedures or safeguards. It’s a process analysis of each area of the operation to identify missing pieces. It provides a roadmap of actions to implement to repair those missing pieces and better control risk. 
 For example, a critical risk management team might observe a medicine path. If the team member observes that a nurse is filling in records before the resident actually consumes the medicine, that’s an area that needs retraining. “We see records indicating that medicine was given,” said Coons. “Then we learn in the middle of a lawsuit that the person wasn’t even in the facility at that date and time. That obviously kills any credibility the defendant might have had. So critical risk managers in the field will retrain caregivers to take the time to do it right.”
 Documentation is also critical. If an organization has a guard system to reduce the risk of wandering residents, for example, but doesn’t check the system perodically—and carefully document each time it was checked—the community has a higher exposure to loss in the event of a door alarm not working and a bad outcome.
 “A gap analysis can be viewed as a chart with four quadrants: low impact, high impact, low effort, and high effort,” added Lusignan. “It looks at all areas of the organization, from OSHA concerns in the kitchen or physical safety around the landscape to executing contracts and hold harmless agreements. The goal is to find those areas where adjustments or corrections will have the greatest impact.”
 A gap analysis also considers some of the more dominant or expensive past claims against the organization, including their frequency and severity. Mapping those against policies and procedures then allows leadership to design the most prudent and effective action plan for mitigating the greatest risks and thereby protecting the organization’s assets.
 At Smith Senior Living, Hart prefers to refer to the gap analysis as a SWOT analysis, which is a similar exercise but a more comprehensive, business-oriented term. “You define the strengths that the organization can use against its risk threats, the weaknesses that need to be addressed, the areas of opportunity, and threats that may be either external influences or internal weaknesses,” she explained. Smith involves in the process the CEO, the CFO (Hart), and the executive directors of its campuses—who, in turn, involve their management teams. The executive and finance committees of the board are also included.
 “Board and management need to be a team,” Hart stressed. “Management is obviously closer to the issues and more acutely aware of the details, while board members offer depth and idea concepts to the strategic process.” Risk is evaluated at annual board retreats, Smith’s board members are included in the quarterly evaluations, and they are included in task forces or teams to assist in specific strategies—whether daily operational issues or strategic business elements.
 “The hardest part was starting,” Hart recalled. “We began by listing risk areas, and those are constantly updated. It’s important to understand that you won’t identify all risks on your first pass—and also that doing the process once doesn’t mean you’re done. It needs to be a continual process.”
 The Smith group utilizes a matrix design and assigns a “likelihood” and an “impact” factor to each risk area. The higher the factors, the more attention and review that area will receive. At each quarterly review, the group picks three or four areas to put on the front burner, rotating the areas so all are reviewed in a given year. “All areas need to be addressed at some point to assure you haven’t inadvertently ‘created’ a new risk,” Hart cautioned.
 The resulting action plan can range from “look at this again next quarter” to very specific steps that must be accomplished in the next two to three weeks. The key to an effective action plan is to include dates and then manage the plan to make sure it is accomplished by the target date.
Third-party assistance
A gap analysis can be done on your own, but some organizations find it helpful to bring in a third-party facilitator to guide the process and keep the group focused.
 “Risk management is becoming more and more prominent in senior care,” said Lusignan. “Senior living organizations are increasingly looking at risk management, because the risks are there. Our recommendation is to hire an independent party—someone with years of experience and knowledge of the industry—to do an initial gap analysis. That removes any ‘fear factor’ from those being interviewed within the organization. ”
 Once the initial gap analysis is done, the critical periodic reviews should include monitoring the workforce and improving the physical plant but also trending losses, lawsuits, incidents, near misses and complaints.
Risk management best practices
“Senior Living is no different from any other business,” noted Hart. “Positive elements feed on each other and continue to build, but they are a result of strategic risk management.  Companies need to invest both monetary and human capital in risk management and then ‘sell’ their positive features to improve their reputation.” 
 Her advice to organizations is to make sure they identify someone or a group of people as being in charge of managing risk. Also, educate the staff on new or different ways of evaluating business practices, so they think in terms of risk management. And then make certain that any and all tools that can enhance the process are made available—including physical plant changes, if necessary.

 “Managing expectations is key,” added Coons. “Family members need to know that the organization will do its best to provide a caring environment for the resident. It may not prevent every fall, but it’s better than if the elderly person were living at home. And if families understand that from the beginning, they’re less likely
to file a claim later.” Resident and family satisfaction surveys can help identify problem areas and also document satisfied residents. Suggestion boxes are useful for identifying problem areas or situations where people are unhappy.
 “Documentation is essential,” Coons emphasized. “There’s an old adage: If it’s not documented, it didn’t happen. Document everything you do. Document care plans, exceptions to the care plans, efforts to manage risks, incidents, quality assurance programs…everything. And hold quality assurance meetings regularly to track the quality improvement process.”
 And finally, reputational risk is a huge concern nowadays given the popularity of social networking sites. It can take years for a community to recover from someone blogging about one bad outcome, especially if the mainstream media picks it up. At the same time, a consistently good reputation among the media creates increased traffic and more potential residents. Invite the local news media to your holiday party or to a resident’s 100th birthday party. Good publicity is a good thing.