Healthcare risk leaders may be forced to adapt to tidal wave of new risks

By | April 30, 2019

Chief financial officers and risk leaders at healthcare organizations are generally aligned, and prepared, when it comes to managing key risk areas — but change is coming.

And that change may force some in the industry to adapt. According to new research from Deloitte, there are indications that the risk functions at many healthcare organizations lack the time or the capacity — in the form of talent, organizational flexibility and technology — to prepare for the pace of change the industry will likely face in the coming years.

In fact, when it comes to top priority risks, the majority of CFOs say they’re not prepared, or only moderately prepared, for the future.


Cybersecurity was the top area in which CFOs said they were inadequately prepared, with 65 percent citing it as a concern. The transition to value-based care models drew concern from 58 percent of those surveyed, as did consumer engagement and technology and digital transformation.

CFOs also said there were challenges in terms of preparing for future risks, including the allocation of resources based on historical risk experiences (48 percent); more important organizational priorities (38 percent); and a lack of information or awareness (30 percent).

Risk leaders said crisis management today prevents them from planning for the future. And budgets seems to be concentrated on the top risks; 56 percent of CFOs indicated they spend half or more of their budget on their top three risks, while 62 percent expect the percentage of the risk budget allocated to their top priorities to grow disproportionately larger over the next few years.

Consumer engagement was the top risk priority for 58 percent of CFOs, but they expect technology and digital transformation to be the top risk priority within three years. Cybersecurity, regulatory compliance and big data and analytics are all expected to grow as risk priorities.

These are issues that risk leaders have been managing for years, but they’re growing in breadth and reach. New technologies are changing the risk profile for these topics and prompting the addition of new solutions.

They’re also more imminent today because organizational strategies that include consumer engagement, value-based care and digital transformation all amplify cybersecurity, privacy and patient safety risks. Risk leaders also noted that their organizations are becoming more complicated through mergers and acquisitions and expansion.


As emerging technologies become more pervasive, they should be accompanied by a risk approach that builds technical capacity while effectively managing today’s top-of-mind risks, the research concluded.

Technology is changing and maturing exponentially; to start behind the curve today will only make it more difficult to catch up later. By taking the time now to consider how to thoughtfully deploy new technologies, organizations can prepare for today’s risks and those of the future. Waiting to do this can result in greater, more complicated risks as organizations will have already started to invest in and use these new technologies.

To begin addressing this, risk leaders should take ownership of educating the broader organization on potential risks with emerging technologies, Deloitte found. This approach can help them get their foot in the door and be seen as enablers of strategies. Enhancing the organization’s knowledge and maturity can help position risk leaders as partners on initiatives for emerging technologies.

Potential steps for risk leaders to consider include creating an inventory of the technologies and algorithms being used throughout the organization; establishing policies and procedures for the use of these technologies; continuously testing, monitoring and validating technologies before and after they’re implemented; and assessing the skills and capabilities og staff in risk functions to ensure they have the appropriate knowledge.


According to Faye Sheppard, President of the the American Society for Healthcare Risk Management, everybody needs to be a risk manager.

Enterprise risk management means looking across the healthcare continuum and empowering everyone in the organization take an active role in evaluating and  assessing risk —  and then coming up with plans of action to address them, said Sheppard. All departments should look at every risk undertaking, including finance and IT, as it’s a more holistic and inclusive organizational approach to risk management.

Twitter: @JELagasse

Email the writer:

News Feed