Limited functionality available
Most health organizations believe they are prepared for the health care risks of today. But a tidal wave of new challenges and risks is coming, calling for a fresh approach to risk management that capitalizes on future opportunities.
With the aim of understanding the level of alignment and prioritization that health systems and health plans have on organizational risks now and in the future, the Deloitte Center for Health Solutions recently surveyed health system and health plan chief financial officers (CFOs) and interviewed risk leaders (chief risk officers [CROs], chief audit executives, and chief compliance officers). Our findings offer insights into emerging opportunities to manage risk through collaboration and investment, and we offer suggestions on how health care organizations can prepare for the future, starting today.
Explore the Health care collection
Read more from the Risk management collection
Subscribe to receive related content from Deloitte Insights
Our research showed that CFOs and risk leaders at health care organizations are at present generally aligned on managing key risk areas and believe they are prepared. CFO priority areas are consumer engagement, cybersecurity, transitioning to value-based care, and technology and digital business transformation, while cybersecurity, privacy, and patient safety are the focus areas for risk leaders.
However, there are some early indicators that the risk functions at these health care organizations lack the capacity (talent, organizational flexibility, technology) or the time to prepare for the type and pace of change the health care industry is likely to experience in the coming years.
How can risk functions (compliance, legal, and internal audit) be more prepared and agile to enable their organizations’ strategies and even embrace these key risks versus just reacting to them? How can organizations prevent their risk functions from failing? We offer suggestions for the steps health plans or health systems can take to keep up with the changing demands and thereby focus on opportunities. These include an action plan that begins with educating leaders and then the broader organization about the impact of emerging technologies, developing an inventory of current and proposed strategies and technology investments, establishing policies for the use and monitoring of emerging technologies, and assessing the skills and capabilities of risk staff to ensure that they align with risk programs for these new investments.
The risk landscape for health care organizations is continuously shifting and expanding. In addition to daily challenges such as compliance, patient safety, and cybersecurity, organizations often have to grapple with disruption to the industry, increasing consumer demands, and innovation-driven changes via both scientific discoveries and emerging technologies. While these latter issues may be raised in strategic planning agendas at most health care organizations, they are not always considered from a risk perspective.
Some of these risks overlap with each other—investing in new technologies requires expanded cybersecurity efforts. Old risks can also manifest in new ways; for example, as health care organizations continue to invest in emerging technologies, they should now consider new potential concerns such as data dichotomy, algorithm appropriateness, and the “next generation” of cybersecurity that is more complex than today. (See the sidebar, “Monitoring traditional risk with forward-thinking approaches.”)
We found that health care organizations are able to keep up and balance efforts against top risk areas today. But, we identified some early indicators that their risk functions may lack capacity (skill, people, time) to deal with the type and pace of change expected in the coming years. A tidal wave of new risks may force them to sink or swim. Today’s models may not be able to take on new, more complicated risks in the future even though these opportunities are critical for the enterprise.
To better understand how health care organizations are navigating today’s ever-more complicated risk landscape and preparing for the future, the Deloitte Center for Health Solutions researched how health care organizations prioritize and deploy resources to their top risks. We conducted a survey of 40 CFOs, as some CFOs oversee board committees or budgets dedicated to risk management. For comparison, we also interviewed 15 risk leaders including CROs and C-suite and VP-level leaders from the risk functions (compliance, legal, and internal audit) of health systems and health plans. We wanted to compare both the strategic and tactical approaches to risk. Health system participants were from organizations with an annual income of more than US$2.5 billion. Health plan participants were from organizations with more than 500,000 covered lives.
We asked CFOs and risk leaders, separately, what their top organizational risk priorities were. Our findings highlight how health care organizations prioritize a mix of familiar and emerging concerns. While there are some differences in the two perspectives, there are similarities, too. CFOs ranked their top risk priorities today as (see figure 1):
Technology and digital transformation (including artificial intelligence[AI], cognitive computing, and other emerging technologies) and big data/analytics (the ability to report on performance metrics, integrate multiple internal data sets for data-driven insights, or leverage external data sets on consumer preferences and social determinants of health for clinical and business decisions) are particularly interesting as risk priorities. CFOs expect these to increase significantly in priority over time:
Both these areas are also connected to broader strategies and investments that health care organizations are making to become more efficient, engage consumers, stay competitive, and, most importantly, remain relevant in their markets. The ability to better engage consumers, improve cost and quality of care, and transform their businesses, all depend on the ability to leverage technologies, digital solutions, and data-driven insights. But these investments also carry cyber, regulatory, quality, safety, and other strategic risks that organizations should prepare for.
Some surprising and less familiar areas of emerging focus include the potential for entry into global markets (18 percent say it is a top priority today vs. 49 percent in three years) and changing demographics, aging, and chronic disease (20 percent say it is a top priority today vs. 46 percent in three years). Demographic changes and chronic disease have been familiar topics for the strategy and operations teams in many organizations. However, some of the efforts in these areas involve new partnerships and alliances with other health care stakeholders that directly impact how risks can be experienced and who is responsible for managing them. Reassessing risk profiles in key initiatives and designing in risk management from the start will help avoid surprises later. Entry into global markets brings risk considerations (which other industries have been effectively managing for some time) and entail a rapid learning curve for health care on key global risk topics—areas such as Foreign Corrupt Practices regulation, cultural and economic differences, and the complex system of global privacy regulations different from those in the United States.
How do these priorities from CFOs line up with those of risk professionals? In our in-depth discussions with risk leaders, we found that their top risk priorities (and where they have focused most of their resources—dollars and people) include cyber/data security, privacy/Health Insurance Portability and Accountability Act (HIPAA) (with technology and staff), and patient safety.
At the end of the day, we have to focus on our core capabilities—that is, data. Therefore, cyber prevention will always be critical.
—Health plan risk executive
These are issues that risk leaders have been managing for many years, but they are growing in breadth and reach. New technologies are changing the risk profile for these topics and prompting the addition of new solutions. They are also more imminent today because organizational strategies that include consumer engagement, value-based care, and digital transformation all amplify cybersecurity, privacy, and patient safety risks. Risk leaders also noted that their organizations are becoming more complicated through M&A and expansion.
Risk managers put out fires.
—Health system risk leader
The speed of transformation at health care organizations is accelerating. Nontraditional players have been entering the market at a rapid pace, and competition from these sources is expected to grow. Scrutiny of costs and quality of care are rising. Thousands of innovative solutions that enable consumer experience have been introduced in the marketplace. The result is greater competition for shrinking revenue and margins. Organizations should determine their path to survive the industry’s current transformation.1 All this means that risks are also increasing at an accelerating pace.
In the past, prevention and limiting access was the primary method of mitigating risks, particularly with technologies such as personal devices or patient records. But, the scope and type of challenges have changed with technological advances. At the same time, regulatory and consumer expectations about access to information are significantly different today. These market pressures and strategies likely require a new approach to enabling access while mitigating risk.
With technology and risks, what is old is new again. The pendulum is swinging back. HIPAA and privacy are a major concern just like 20 years ago.
—Health plan risk executive
While these issues may seem old and familiar, their magnitude and the approaches to address them are not the same. Convergence, regulatory innovation (payment and coverage reform), consumer influence, and other pressures are beginning to drive major waves of innovation and transformation for the industry. While executives at some organizations have had these topics on their radar for at least two years, others are currently developing and implementing strategies to deal with them. Risk functions likely should engage more as these strategic decisions are being made.
Looking ahead, the risks in these areas will continue to evolve and become more complicated. A digitally enabled, interconnected health care system will require risk management to not only enable this but also to monitor and respond with real-time diligence. Organizations should leverage lessons learned and bring a whole new thought process to the table. A key question is: Can they do so effectively if they are at capacity covering current risks? Also, do they have the talent and skills to meaningfully do so?
Emerging technologies promise to help transform health care organizations. Technologies like AI, robotic process automation (RPA), cognitive computing, and others can help create efficiencies, improve clinical decision-making, and better engage consumers.
While the majority of organizations have enabling technologies in place, only about a third of CFOs indicate that they are leveraging emerging technologies for their risk functions:
Monitoring of regulatory and operational risk elements using advanced data analytics, RPA, and other emerging technologies can reduce an organization’s reliance on the traditional, labor-intensive approach, allowing for better risk management and reducing long-term costs. Automated solutions allow for the analysis of a much larger universe of transactions, enabling the organization to better identify anomalies, regulatory and operational risk, and performance trends. Near real-time feedback could help organizations identify and correct instances of noncompliance and operational errors in time, more importantly, in advance of a regulatory audit. As robotic tools learn and understand data, deeper insights and understanding of risks can be identified and further inform the refinement of data modeling and algorithms.
When asked about their level of preparedness, some CFOs reported (see figure 2) feeling very prepared for their top priority risks. However, when all priority areas are considered, it was most common for them to report they were only moderately prepared, and in some of the areas of emerging importance, a significant percentage said they were not prepared at all.
Most CFOs say they are either only moderately or not prepared in:
Risk leaders also painted a nuanced picture of their level of preparedness. They felt prepared for their priority risks, but they also describe departments that are thinly staffed and say that they tend to devote significant time to crisis management—investigating potential HIPAA breaches, patient/member complaints, and patient safety issues.
Also, some health systems and health plans are currently not focusing beyond the immediate steps to prepare for risks. While most (73 percent) of the CFOs said they have identified staff to address risks, fewer have invested in supporting technologies (63 percent) to prepare for risks or conducted training (58 percent) (see figure 3).
The target is always moving
—Health system risk executive
CFOs noted that the top challenges their organization faces in identifying and responding to potential risks include allocation of resources based on historical risk experiences (48 percent), more important organizational priorities (38 percent), and lack of information or awareness (30 percent) (see figure 4). Risk leaders discussed how challenging it is to be prepared for the unknown when it comes to risk management for broader strategic topics like disrupters to the marketplace or business transformation. They also said they tend to have a short-term perspective and find it challenging to focus on longer-term risks due to:
While budgets are being allocated, organizations’ level of preparedness for new risks may not change, as they may be using budgets for problems in the rear-view mirror rather than those on the horizon. As mentioned earlier, 48 percent of CFOs admitted that resource allocation is based on historical risk experiences (figure 4).
According to our research, 56 percent of CFOs indicate that they spend half or more of their budget on their top three risks and 62 percent indicated that their budget for the top three risks has grown in the past three years (figure 5). Another 55 percent expect their budget for their top three risks to grow in the next three years. However, even with these increases, organizations may still be spread too thin; besides, they are focused too narrowly, as indicated by the portion who spend more than half their budget on their top three risks.
The following use cases are intended to show that while emerging technologies represent exciting innovations for health care organizations, they also carry new and challenging risks. They highlight how a risk approach that creates more capacity and still effectively manages the risk is more useful than a rear-view mirror approach.
The ability of data to aid decision-making is transforming health care. From behavioral data to social determinants of health, the types of unique data being collected to drive organizational efficiencies and competitive advantage are immense. Organizations are striving to accelerate innovation and drive personalization of services using data-driven insights and to capitalize on its increasing value by monetizing it. However, the lack of standardized practices for collection, storage, and exchange is a challenge to data integrity and accuracy. Further, aggregating data from new and diverse sources—medical apps, smart wearables, social media portals—raises concerns about privacy and transparency. It also raises fundamental new questions: How to prepare for the reality that consumers may give consent for convenience but not understand what data is collected and how it is used.
Additionally, exchanging data in a distributed ecosystem with inadequate governance mechanisms increases quality, security, and confidentiality issues. Organizations that implement strong data quality and security strategies can gain the trust of patients, regulators, and ecosystem partners and reap significant benefits.
AI and intelligent automation are radically altering health care by helping enable better decision-making and driving efficiencies. However, the black-box nature of these self-learning algorithms can make them difficult to understand and manage. Algorithms are prone to human biases and faulty assumptions, and risks could be compounded by erroneous training data, unsuitable modeling techniques, and incorrect interpretation of algorithmic outputs. As algorithms become more pervasive and complex, organizations should adopt a risk-aware mindset to effectively manage the novel risks emerging from cognitive technologies.4 In doing so, they can reap immense benefits and provide more effective and personalized services to patients.
The survey results and use cases highlight that while risk functions at organizations are managing today’s risks, a fresh approach to risk management may be needed.
The industry may have reached a point where risk functions are barely keeping their heads above water and just keeping up. A tidal wave of new risks for the health care industry has the potential to rapidly bring new changes and challenges. Without changing how they approach risk, at what point will the risk function be forced to sink or swim—meaning it will be unprepared to address the magnitude and type of future risks? How do well-resourced enterprises protect themselves in an interconnected data-driven health care system?
As emerging technologies become more pervasive at organizations, they should be accompanied by a risk approach that builds technical capacity while effectively managing today’s top-of-mind risks. Technology is changing and maturing exponentially; to start behind the curve today will only make it more difficult to catch up later. By taking the time now to consider how to thoughtfully deploy new technologies, organizations can prepare for today’s risks and those of the future. Waiting to do this can result in greater, more complicated risks as organizations will have already started to invest in and use these new technologies.
Furthermore, risk departments should understand that the underlying components of emerging technologies—models and algorithms—while important, carry risks within themselves. These models will likely become more pervasive in the organization, helping to determine financial, business, and clinical decision-making. The more these decisions rely on these technologies and their underlying programming, the greater the risks and impact. These “black boxes” cloud the factors that create the outputs and could be potentially inaccurate, as the models themselves or the data that the models are built on are vulnerable to accidental or intentional biases, errors, or fraud. An example of algorithms that are still under development includes how the same person with identical saliva samples received different ancestry results from different genetic testing services.5
Organizations should test these models for accuracy, appropriate use, and protection from cyberattacks. Organizations leveraging bots, for example, should put in place policies, processes, and tracking procedures to prevent the bot from proliferating errors.
As a start, risk leaders should take ownership of educating the broader organization on potential risks with emerging technologies. This approach can help them get their foot in the door and be seen as enablers of strategies. Enhancing the organization’s knowledge and maturity can help position risk leaders as partners on initiatives for emerging technologies.
Other action steps for risk leaders to consider include:
Once risk leaders have the inventory and baseline processes and governance in place, the focus should be on maturing the risk function and maintaining risk programs. Additional action steps include:
Instead of using a rear-view mirror approach, much of this requires the risk function to “build the car while driving it.” Parallel workstreams should include:
The reality is that today’s risk functions don’t have the bandwidth, capabilities, and skills to move forward effectively. Risk leaders need additional resources and should build the business case for them immediately.