The future of healthcare risk assessment is here

Shameka Smith, Louise Garrett, Tracy Young | 11/29/2023

Risk assessment in today’s healthcare landscape requires data, technology, and deep subject-matter expertise.

The healthcare industry is constantly evolving, and so, too, is a healthcare organization’s risk exposure. In a landscape marked by frequently changing regulatory requirements, increasing volumes of patient data, new and diverse treatment methods, and myriad other changes, many organizations’ current risk assessment methods might not be keeping up.

Within this complex climate, healthcare provider organizations require a new, innovative approach: one that takes the best of traditional risk assessment and entwines it with data, technology, and deep subject-matter expertise to help today’s healthcare organizations gain more insights into their risk areas.

Traditional risk assessment benefits … and challenges

Internal auditors use risk assessments to identify and analyze risks that could affect an organization’s achievement of strategic objectives, to develop processes for managing those risks, and to create the organization’s internal audit plan. Most healthcare organizations today conduct their risk assessments using traditional methods. These methods have served internal audit teams well for many years, and they have their benefits. But they also have their challenges.

A major benefit of the traditional risk assessment approach is that it is a simple framework that uses readily available inputs such as the organization’s mission, vision, values, strategic plan, and financials. The traditional risk assessment’s simplicity makes it easily repeatable. Traditional risk assessments are also trusted and expected by stakeholders, including the executives that internal auditors interview. These methods also require minimal investments in technology.

Despite these and other benefits, traditional risk assessment processes have downsides. One is finger-pointing, when one department blames another department for organizational problems. Unfortunately, internal auditors sometimes receive information that is more focused on complaining about management or another department than discussing a risk that might affect a strategic objective.

Another downside to the traditional approach is executives not reporting potential risks for fear of triggering an audit or casting blame on themselves or their department. Conversely, executives might intentionally bring up false or overstated risks to attack a rival executive or expose an underperformer in their own department. In extreme cases, particularly in organizations with misaligned reporting structures, the internal audit function might even lose its independence if auditors become order-takers for certain departments or executives requesting audits for political reasons such as seeking more resources.

Finally, although traditional risk assessments start by reviewing organizational information such as strategic plans, budgets, and operational reports, often that information does not end up in the final risk ranking. This is seen especially in manual risk assessment processes, when what often ends up in the audit plan is based on whatever a certain group of executives last had a meeting about. Other risks might be missed, depending on which audit members are assigned to the assessments, their skill sets, and what else they have on their plate. Even the best auditor can have a bad day.

These challenges, and others, can cause large gaps in audit plans such as important strategic areas being left out entirely. To address such issues, internal audit teams should move toward a more comprehensive, innovative risk assessment style.

A new approach to healthcare risk assessment

An evolved risk assessment process uses innovative technology tools, including artificial intelligence (AI) and data analytics, combined with human expertise, to identify risks more effectively.

  • Data is abundant in healthcare provider organizations today. Organizations that can turn data into actionable information are better positioned to manage risk. This is because data can provide a broader view of an organization’s risk – something that even hours of interviews can miss (especially when interviewees naturally discuss what is top of mind rather than big-picture issues). 
  • Technology enables internal audit teams to conduct a more robust risk assessment versus using standard interview methods only. AI, for example, can analyze complex data sets – quickly – for patterns and trends, which can point internal audit teams in the direction of where an organization’s risks lie, guiding their investigation. For situations in which AI is impractical or unable to be applied, data analytics can be used to identify risks, providing insights via broad data sets. Internal audit teams can use analytics throughout the entire risk assessment process to guide interview questions at the beginning, gain a better understanding of risks highlighted through the data sets, and confirm that the risks identified during the assessment process are supported by data.
  • Subject-matter specialists who can understand, interpret, and act on the data uncovered using technology are essential to a successful risk assessment process. These specialists can be part of the internal audit team or external, such as individuals from the organization’s key business areas (for example, revenue cycle, finance, quality, and nursing) or third-party specialists with expertise in knowledge areas in which the organization might need support. Internal audit teams also can consider using audit workflow tools, such as Audivate, which contain knowledge resources about a wide variety of healthcare areas.

A new healthcare risk assessment approach in action

Consider this example in which an internal audit team’s traditional risk assessment interview process was enhanced through use of AI and, as a result, the organization’s risk assessment culture was transformed:

To better identify its risk areas, a health system moved from traditional risk assessment to a more evolved, technology-driven process. One of the biggest transformations was a shift from an annual interview of the same 16 executives – who frequently identified the same types of risks each year, despite the changing industry landscape – to using data analytics and insights from subject-matter specialists to increase their understanding of the organization’s risk areas.

Use of data analytics helped internal auditors develop risk assessment questions, which were then used in anonymous, virtual interviews conducted across the organization’s various business areas using AI technology. This resulted in input from nearly 300 individuals – a much larger sample than 16 executives. Amassing insights from so many individuals within the organization enabled a much broader understanding of the organization’s risks. The internal audit team then deployed AI tools and subject-matter specialists to analyze the large amount of data and finalize the healthcare risk assessment.

In addition to improving the organization’s ability to identify the most pressing risks, the move away from a traditional risk assessment to a more innovative one had a positive effect on staff members. This included clinical staff members, who felt they had a bigger voice and role in identifying risk within the organization. These staff members appreciated being included as interviewees, as they had never before been asked about risks or about how internal audit could help address risks. Including so many more interviewees contributed to the organization’s overall risk assessment culture transformation.

The future of healthcare risk assessment

Evaluating and managing risks effectively and efficiently is crucial to healthcare organizations’ ability to provide quality patient care and achieve operational and financial success. Healthcare organizations that build on the successful components of their current, more traditional risk assessment approaches and evolve toward more innovative methods will be better positioned to assess risks in a quickly moving industry.

Contact us

Shameka Smith
Vice President, Risk and Compliance, Kodiak Solutions
Louise Garrett
Kodiak Solutions 
Tracy Young
Kodiak Solutions