Emerging ERM Lessons from COVID-19: Considerations for Compliance Officers and Managers of Risk

December 14, 2023

By Jeffrey Driver, JD, MS, and Sarah Couture, RN, CHC, CHRC

Originally Posted on: Compliance Cosmos

For months, our world, our country, our healthcare systems, and our lives have been drastically altered by the COVID-19 pandemic. It has been impossible to hide from the realities of the pandemic as news, social media, and conversations with friends and colleagues have frequently centered on the continuously developing COVID-19 stories. At the same time, our healthcare systems have not been able to hide or be sheltered from the course-altering effects of the pandemic. Healthcare providers around the country have been rocked in multiple ways, including their financial health, their ability to take care of patients, and the new normal of taking both small and drastic measures to help prevent COVID-19 transmission. While pandemics are no “black swan” events,[1] very few in our country were fully ready for the effects of one. Households rushed to hoard pantry supplies and toilet paper, and healthcare systems clamored to reorganize operations and try to guess and react to what was coming next. Businesses and organizations around the country and around the world are wondering what they could have done to be more prepared. Should they have known this was coming? Could they have more intentionally planned for and forecasted this event in order to be better equipped to handle the sequelae of the pandemic, or even been able to flourish through it and come out stronger on the other side? These are questions that our country’s healthcare leaders should be asking. And many of the answers can be found in the discipline of enterprise risk management (ERM).

ERM overview

While ERM programs are not new to healthcare, many healthcare organizations may not have a good understanding of ERM, either because they do not have an ERM program or because their ERM functions are not structured, or have not been updated, in an industry-standard way. Past iterations of risk management roles or programs may have included only a slice of an organization’s risk profile, such as insurance or malpractice risk, or patient safety or quality risk. Modern ERM, however, includes all risks that could affect an organization, from the boardroom to the storeroom and everything in between, as well as risks adjacent or external to the organization. Any risk that could affect an organization is considered in ERM.

The best practice of ERM provides a framework by which all organizational risks are identified, thoroughly analyzed and prioritized, and appropriately mitigated in order to allow the organization to make thoughtful and informed business decisions. Modern ERM does more than protect value; it also creates value. The business decisions resulting from a best practice ERM framework can create value by looking for risk mitigation/treatments that are both protective and beneficial for the organization’s bottom line by providing a financial return on risk and compliance management investments. In addition, ERM helps enhance compliance effectiveness, ensures interdepartmental understanding and collaboration, promotes proactive mitigation of risk instead of reactive responses, and helps strengthen organizations during events that create uncertainty.

ERM will be most successful when those involved in the ERM process all speak the same language, share a similar set of risk perspectives, and have a common way of viewing the risk management process. This can be achieved by developing the organization’s risk management framework and processes. At a high level, an ERM framework helps an organization define how it will survey the universe of risks, prioritize and select the risks to mitigate, and then allocate appropriate resources to address those risks. Two main frameworks are widely used in ERM: the International Organization for Standardization guidelines[2] and the Committee of Sponsoring Organizations of the Treadway Commission guidance.[3] Both frameworks have been updated recently, reflecting continued growth and evolution in the field of risk management. A simple internet search shows how much has been written about each framework and how each could be more beneficial in different contexts. Organizations pursuing risk management should explore both frameworks and develop a pragmatic solution based on one or a combination of the two.

In order to ensure that all of the organization’s risks are considered, it is important to consider whom to involve in the ERM program. There is no one right answer as to who should lead ERM activities. Large organizations may have a chief risk officer whose primary responsibility is to oversee ERM. Organizations with fewer resources or varying organizational dynamics may appoint the chief compliance officer, chief financial officer, vice president of internal audit, or another executive to oversee ERM. In the authors’ view, it makes little difference who “owns” it, as long as the owner has sufficient authority to lead the program and the purview of the program is truly enterprise wide and ensures input of all risks from around the organization.

When deciding who should provide input on risk and collaborate with the ERM function, the phrase “from the boardroom to the storeroom” will again be helpful. Ensure that each operational area has a conduit to direct its risks into the ERM process. Even if assessed informally or without much structured thought, understanding, prioritizing, and mitigating risk is not new to operational areas. A normal part of doing business and running operations is continual understanding and mitigation of risks.

In essence, all operational areas in a healthcare organization have some sort of micro risk-management processes going on to manage specific business processes and outcomes. Throughout this article, we will use the terms “micro risk” and “micro risk management” to describe risk management efforts that occur within a specific operational area that are in place only to address those risks that are relevant for that specific area. By contrast, we will use the terms “macro risk” and “macro risk management” to describe enterprise-wide risk management efforts that are in place to address risks that are applicable to and potentially significant for the organization as a whole. In some operational areas, like compliance and finance, the micro risk management, or selection and management of relevant risks, may be intentional, well defined, and documented. In other operational areas, like supply chain or food or interpreter services, the management of pertinent risk may not be formalized or documented, yet it occurs as the operations ebb and flow and as issues arise and require solutions. In many healthcare organizations, each area’s micro risk-management efforts occur in silos and in disparate ways that are specific to each department. While multiple and often informal micro risk-management efforts may be occurring around the organization, there may be little to no effort on the part of the organization as a whole to understand the micro risks of each area, and understand how the micro risks may affect the organization as a whole. ERM programs provide a framework for the enterprise and its leadership to understand not only the micro risk-management efforts taking place disparately, but also provide a forum for those micro risks to be evaluated at the macro, or enterprise-wide, impact level. 
Many risks will remain primarily relevant for only the operational area to address, but some risks, as assessed through the ERM framework, will become larger and more complex macro risks that must be understood and addressed at the enterprise level. Thus, ERM capitalizes on the expertise, risk knowledge, and risk management efforts from partnerships around the organization and ensures that relevant risks that could reasonably affect the organization as a whole are identified, prioritized, and addressed. Additionally, ERM can help organizations standardize risk assessment processes in the various operational areas in order to more efficiently and effectively prioritize enterprise-wide risk.

ERM and compliance

So how should managers of micro risk interface with ERM? More specific to this audience, how should compliance officers interface with ERM? Whether or not compliance officers realize it, compliance and ERM have more in common than not. Like peanut butter and jelly, compliance and ERM work on risk together, but in complementary ways. Compliance operations are driven by assessment and prioritization of compliance risk. ERM helps the organization as a whole understand and evaluate compliance risk and other micro operational risks that affect the whole, in order to develop an accurate and cohesive picture of the organization’s risk profile. Best practice organizations develop micro and macro risk-management structures that ensure consistency between micro risk-management efforts, resulting in standardized information flow into the macro ERM framework. Compliance and ERM should be speaking the same risk management language and working from the same risk management playbook, just from different ends of the spectrum. Compliance is the subject matter expert and risk owner of the compliance micro risks, and ERM is the risk jack-of-all-trades and collaborative organizer that brings together the organization’s micro risks for ERM coordination and assessment. Successful ERM programs understand the value of collaboration and the subject matter expertise of each of the managers of micro risk, including the compliance officer. And compliance officers can best help their organizations not only by appropriately assessing and managing compliance risk but also by being active contributors to the organization’s ERM efforts.

ERM and COVID-19

Returning to the questions from the introduction, could an ERM program have helped a healthcare organization be better prepared for the COVID-19 pandemic, and how can an organization be better prepared for the next big risk management challenge? Many thought leaders across various industries have debated whether the pandemic was a black swan event, that is, an event with devastating consequences that was almost impossible to predict and almost impossible to be ready for; others argue that the pandemic was more of a “gray swan” event, one that was predictable and subject to risk management controls. While there are very good arguments on all sides of this debate, one thing rings true in all of them: A robust enterprise-wide risk management program is essential. Healthy and maturing ERM programs do more than just assess risk and help allocate resources for risk treatment. With time, investment, and data analysis, ERM programs evolve into sophisticated systems that are nimble and proactive, novel and even groundbreaking, where leaders come together to evaluate real-time issues and predict and prepare for what is likely to come next. So the real value in ERM lies not only in the ongoing assessment and treatment of risk, but in the growth and evolution of the ERM program, which draws on a wide cache of leadership expertise to plan strategy and response and help the organization weather any storm that comes.

It is in this evolved and advanced view of ERM that we see several lessons emerging out of the COVID-19 crisis. These lessons are being learned even as we write this article, and they deserve additional exploration by healthcare leaders and developing ERM programs. To that end, we briefly introduce these ideas and provide resources for further exploration by risk professionals.

Lesson one: Using decision science to make decisions in hyper-uncertain situations

Unfortunately, healthcare organizations have had to make countless challenging decisions in the face of uncertain situations and uncertain outcomes created by the pandemic. Decision science helps organizations combine whatever data they have available, however limited, with other decision-making tools in order to predict the best possible outcomes when deciding under uncertainty. Managers of risk are directed to Peter McNamee and John Celona’s seminal work: Decision Analysis for the Professional: Fourth Edition.

Lesson two: ‘Sensemaking’

The pandemic saga has resulted in scientific, social, and political information coming from multiple directions, resulting in what some have coined as an “infodemic.” The challenge has been that the information and reported data do not always align or point an organization in a consistent direction. Sensemaking, as introduced by Karl Weick in the 1970s, helps an organization take in data and then make sense of them.[4] This is especially important in new situations and as circumstances rapidly change. ERM programs have the benefit of bringing groups of leaders together, so sensemaking can occur not only on the individual level but on the collective level as a group.

Lesson three: Antifragility

Antifragile organizations are more than just resilient and do more than merely stay afloat during crisis; they actually grow stronger in crisis situations.[5] ERM programs can evolve to help position organizations to not just survive in extremely challenging times but actually thrive.

Lesson four: The Cynefin framework

The Cynefin framework is a type of sensemaking device. Developed by Dave Snowden in 1999 while working at IBM, this framework allows leaders and managers of risk to make risk-management decisions based on the situation in which the decision takes place.[6] The Cynefin framework helps with decision-making by first classifying the situation, whether clear, complicated, complex, chaotic, or disorderly, to help the decision maker know how to better respond.

Value-driven ERM

Alongside these emerging lessons, which challenge ERM programs to evolve to the next level, there has been an increased focus on value creation, or the upside of ERM. While ERM has traditionally been viewed purely as a value-protection function, it has recently been redefined as a function that can create value as well. And now more than ever, healthcare organizations need both sides of the ERM coin. Instead of relegating value protection to compliance, risk management, and internal audit and assigning value creation responsibility to strategy and finance, modern ERM brings together both the downside and upside of risk as it helps organizations creatively identify solutions for risk treatment. Among the many potentially devastating effects of the pandemic have been the financial ramifications experienced by our nation’s healthcare providers. Actions taken to help limit the spread of the virus, including prohibitions on many types of nonemergent medical care, have resulted in poor financial situations for the lucky, and bankruptcy and closure for others. As such, attention has turned to ERM to not only protect value but create value by providing financially beneficial risk mitigation innovations. By quantifying and monetizing risk mitigation with decision analysis based on data, cutting-edge ERM programs marry value protection and value creation. The resulting ERM message communicates how a risk treatment plan can both protect value and create value by calculating the monetary benefits of addressing the risk.

Making the case for ERM

We do not yet know what the post–COVID-19 healthcare landscape will look like, but one could guess that the current financial, compliance, and other risk challenges will continue to abound. Considering the collective benefits of risk protection, collaboration between silos, advanced decision analysis, and value creation, one could argue there has never been a better time for healthcare organizations to pursue ERM. So, if your organization has no ERM function, where can you start? While board and C-suite support is the ultimate goal, ERM efforts frequently start from grassroots efforts of those who are already managing the organization’s department-specific micro risks. Compliance officers can help get the ERM conversation started. A great place to start is self-education. Begin reading about ERM, including thought leadership and details around the Committee of Sponsoring Organizations of the Treadway Commission and International Organization for Standardization frameworks. Research different professional organizations that are talking about ERM; many have great articles and thought leadership available on their websites. Then begin having conversations about ERM, risk collaboration, and the upside of risk management with other operational risk managers. It could be that your peers in other departments are having similar thoughts on the value of a big-picture risk management strategy. Because many of the operational managers of risk should already be on the compliance committee, early ERM conversations, planning, and strategy could begin there. Begin discussing the why and how of ERM with the CEO and other executive leaders and provide them with education not only about the value protection aspect of ERM, with which they are probably already familiar, but also the value creation, collaboration, and decision analysis features of modern ERM. 
As these ERM ideas begin to take shape and take off, be sure the board is introduced to the ERM strategy, as ERM should ultimately be overseen by the board and aligned with corporate strategy overall.

Practical next steps in pursuing ERM

An ERM plan and program is a worthy investment not only in light of the COVID-19 pandemic, but also to help future risk mitigation and decision analysis for whatever storms come next. Whether your organization needs to start an ERM program or tune up a current program to help it be more effective, take advantage of this interesting time in history to focus on and pursue ERM. There are multiple ERM resources available to help in the journey. A few publicly available resources to get started include:

  • “Creating and Protecting Value: Understanding and Implementing Enterprise Risk Management”[7]
  • “Enterprise Risk Management: A Framework For Success”[8]
  • “Value-Driven ERM: Making ERM an Engine for Simultaneous Value Creation and Value Protection”[9]
  • “Enterprise Risk Management: Defining the Concept; Getting an ERM Program Started; The Role of the Chief Risk Officer”[10]
  • Steven Minsky’s RIMS Risk Maturity Model,[11] an ERM program maturity self-assessment for organizations looking for an ERM tune-up.

  • Healthcare organizations should revisit enterprise risk management (ERM) in response to the pandemic, either to start ERM programs or retool current ERM efforts.
  • Managers of operational risk should not just work in silos to address relevant risk but instead work collaboratively as part of an ERM framework.
  • Compliance officers should participate in ERM and collaborate with those leading ERM programs.
  • Ultimately, the board and senior leadership should set the tone for ERM and should encourage ERM work.
  • Healthcare organizations should consider what learning lessons come out of the pandemic risk to help the organization become more resilient.