Posted: 11 Jun. 2019 5 min. read

Little fires everywhere: Can health care organizations prepare for future risk without getting burned?

By Steve Burrill, vice chairman, US health care leader, Deloitte LLP

Risk leaders—whether working at a health plan or a multi-hospital health system—often see themselves as part of a fire brigade that must run from department to department stomping out flames. While these leaders are typically able to stay ahead of their day-to-day crises, it can leave them with little time to prepare for the bigger industry-wide emergencies that are building on the horizon.

In my meetings with C-suite executives, it became clear that risks and opportunities are at the top of their minds, but these priorities tend to be short-term. Many of these leaders are focused on helping their organizations overcome immediate challenges related to interoperability or ensuring compliance under the Merit-based Incentive Payment System (MIPS) for Medicare. All the while, they might also be working closely with the rest of the C-suite to maintain margins and achieve scale to stay competitive. The ability to overcome these short-term issues could be the difference between surviving or being swallowed up by a competitor. But organizations that successfully navigate the short-term challenges will likely need to pivot quickly to take on more complex and longer-term issues related to risk. Those who wait risk falling behind the early movers.

The Deloitte Center for Health Solutions recently surveyed chief financial officers (CFOs) from health plans and health systems to get a sense of how they are navigating the increasingly complex risk landscape. We also interviewed risk leaders, including chief risk officers and leaders from the risk functions (e.g., compliance, legal, and internal audit).

We asked CFO respondents to first rate the risks they face today on a scale of one-10, then we asked them to predict where those risks might rank three years from now. In each of the 16 risk categories we identified, health organizations expect each category of risk will be more of a priority three years from now. By 2022, nearly 80 percent of surveyed CFOs anticipate that technology and digital transformation—including artificial intelligence (AI), cognitive computing, and other emerging technologies—will be their biggest risk priority. Consumer engagement is seen as the top risk priority today among 58 percent of respondents, and nearly 70 percent of them expect it to be a top priority in three years. Risk leaders generally are aligned with these priorities and are focused on topics that support consumer engagement, such as privacy and cyber security.

While most risk leaders said they felt prepared to deal with their highest priority risks, many of them noted that their departments are thinly staffed. They also acknowledged that they tend to devote significant time to crisis management—investigating potential HIPAA breaches, patient/member complaints, and patient safety issues. Most surveyed CFOs said they are either only moderately or not prepared in:

  • Consumer engagement (58 percent)
  • Technology and digital transformation (58 percent)
  • Transitioning to value-based care (58 percent)
  • Cyber (65 percent)

Preparing for a new era of risk

Health care organizations have historically relied on prevention and limitations on access to help mitigate risks—particularly when dealing with patient records and personal devices. But this strategy might be ineffective as technologies become more advanced and more prevalent. While emerging technologies can lead to more efficient processes, improve clinical decision-making, and make it easier to engage with consumers, a minority of CFOs said their organizations are using these technologies to improve their responses to risk. Among our survey respondents, just 38 percent said they are using data analytics and other technologies to identify risks. While 30 percent of respondents are using AI or other technologies to identify risks, 45 percent expect to do so in the next three years. However, 25 percent of respondents have no such plans.

Here are three realities health care organizations should consider as they prepare for some of the new risks on the horizon:

  • New sources of data could bring new risks: Health organizations are tapping into many new streams of data to drive improved clinical decision-making, organizational efficiencies, and competitive advantage. However, the lack of standardized practices for collection, storage, and exchange of data can create new risk challenges. For example, aggregating data from medical apps, wearable devices, and social media portals can create new risks around privacy and transparency. Moreover, consumers might not understand these new risks and might give consent in exchange for convenience. Health organizations that have strong data quality and security strategies can gain the trust of patients, regulators, and ecosystem partners.
  • Advanced algorithms could lead to new insights into patients but could also create new biases: AI and intelligent automation hold the promise of more accurate decision-making and better efficiencies. However, the black-box nature of self-learning algorithms can make them difficult to understand and manage. Algorithms can be prone to human biases and faulty assumptions, and risks could be compounded by erroneous training data, unsuitable modelling techniques, and incorrect interpretation of algorithmic outputs. As algorithms become more pervasive and complex, organizations should adopt a risk-aware mindset to help manage the novel risks emerging from cognitive technologies.
  • Advanced data analytics could help improve regulatory compliance: The use of advanced data analytics, robotic process automation, and other emerging technologies could make it possible for health care organizations to analyze a much larger universe of transactions with fewer people. This could help them identify anomalies, regulatory and operational risks, and performance trends. Near real-time feedback could help organizations identify and correct instances of non-compliance and operational errors prior to regulatory audits. As robotic tools learn and understand data, deeper insights and understanding of risks can be identified—and can further inform the refinement of data modelling and algorithms.

CFOs and risk leaders from health plans and health systems face many of the same issues, which are becoming increasingly intertwined as convergence continues and interoperability becomes more of a focus in the industry. Risks are no longer standalone issues…they tend to all be connected to each other. The systems and resources that health care organizations rely on today might not be able to take on new, more complicated risks in the future—even though these opportunities are critical for the enterprise’s success. The leaders who oversee the risk function must continue to tend to the day-to-day fires, but they could get burned if they aren’t also able to prepare for the technology-related risks that might be four or five years down the road.


Return to the Health Forward home page to discover more insights from our leaders.

Get in touch

Steve Burrill

Steve Burrill

Vice Chairman | US Health Care Leader

Steve, a partner with Deloitte LLP, is the vice chairman and national sector leader for Deloitte’s Health Care practice. He leads a multi-disciplinary team who serves clients through consulting, advisory, audit, and tax services. Steve also leads the overall strategic direction and market eminence of the health care sector, including client-facing leaders’ development and succession, business development efforts, and cross-functional go-to-market strategies. With more than 33 years of experience, Steve has served clients across the health care spectrum–complex large systems, academic medical centers, children’s hospitals, and single location entities–and has led large transformational projects involving acute care hospitals, ambulatory operations, clinics, and physician practices.