The business of healthcare is becoming riskier. Capitation¹ is increasing the risk providers must assume; expansion of the populations they cover makes health-related events (and the cost) more difficult to predict; and competition among providers is eroding operating margins, making the effect of risk on profitability more pronounced. At the same time, the management of risk is becoming more complex as the delivery of healthcare becomes ever more fragmented.

Each trend implies a serious threat to healthcare organizations. HMOs, for example, face two options for trading off risk against profitability in the future—they can accept lower margins in the more commodity-like low-risk business, or take on higher risk for potentially higher margins (Exhibit 1). But each also provides opportunities for players who manage risks well and develop a risk portfolio that suits their appetite for risk, their skills, and customers’ needs. This is because healthcare organization margins are actually a "risk premium": the reward for taking on risk.

To take advantage of the opportunities, risk must be treated as a core business activity for which responsibility is taken at senior level, rather than as a technical skill to be handled by specialists. As competition and pressure on costs reduce margins, and covered populations become riskier, a more sophisticated approach to risk management is required. By understanding care provision in terms of risk as well as average cost, a payor or provider can evaluate all the available risk management roles and strategies to optimize its performance. The winners will be those that excel at this and integrate risk-management thinking into all aspects of their operating strategy.

Principal types of risk

To manage risk, healthcare organizations must first understand the size and characteristics of its four principal types:

• Clinical operating risk—the risk of variations in the costs incurred by a payor or provider in providing clinical services.
• Event risk—the risk associated with fluctuating demand for healthcare in the covered population.
• Pricing risk—the risk inherent in setting prices given the unpredictable expenses of event risk.
• Financial risk—the basic business risks faced by all companies: capital, partner insolvency, cash flow, liability, and regulatory risks.

The first three are especially important to healthcare organizations, which stand or fall by their ability to manage them. Managing and mitigating financial risk is also important, but because it is a risk all businesses face, we will not discuss it further here (Exhibit 2).

Event risk. Event risk is determined by the characteristics of the pool of covered lives—the members of a healthcare plan or the population managed by a risk-bearing provider—and has two elements: incidence and severity. The greater the variation in occurrence of any one condition among a given population over a year, the higher its incidence risk. Severity risk is determined by variations in a condition’s seriousness, and in how much treatment is required.

Take asthma. Of any population, the number who will be diagnosed with asthma and who seek treatment will vary. There will also be variations in the amount of treatment each patient requires, depending on the severity and course of the disease. Together, these two variables form the event risk for asthma for the covered pool of lives.

A subset of event risk is catastrophe risk. Catastrophe risk is determined by the probability of an abnormally high incidence and/or severity of a given condition, which would result in an extremely high total treatment cost. Because of the remote likelihood of such catastrophes—an epidemic, for example—this risk is usually managed as a distinct type.

Pricing risk. Pricing is obviously a critical skill for any company offering per case or capitated products and services. The key components of pricing risk are product design and underwriting, with product design the more difficult to manage. To control it, a healthcare organization must decide what type of population will be attracted to its plan or service, and how the incentives it offers will affect the utilization rates of the covered lives. Unless the organization understands these factors, the underwriting will be difficult and consequently riskier.

The underwriting risk for managed-care organizations is similar to that faced by indemnity insurers. Once they know the population that will take up the payor or provider’s plan or service, the underwriters can predict the likely experience for this population.

Clinical operating risk. In the simplest terms, clinical operating risk is the risk, for a given set of medical conditions, of not delivering a product or service at the projected cost. It has two components: treatment management risk and cost management risk.

Treatment management risk is the risk that the total cost of treatment or its results will not be as anticipated. The variation can arise from the doctor’s choice of treatment, or because different patients respond in different ways to the same treatment.

Cost management risk is driven by variations in the cost of the elements of care—wages, supplies, new technology, the implementation of regulations, or the unpredicted expense of new medications—and in the behavior of different links in the network that supply services to the payor or provider.

Designing a risk-management strategy

While each risk has a different source, all affect a healthcare organization’s financial performance in the same way and, if unmonitored and unmanaged, can reduce earnings and growth. The effect of unmanaged or poorly managed risk will become more pronounced as the cumulative potential impact on earnings of unpredicted cost and revenue behavior—which currently amounts to less in most healthcare organizations than their expected margins—comes closer to the level of expected margins, whether because of increasing variability or declining margins, or both. When the impact of risk and the level of operating margins are equivalent, unmanaged risk presents a serious threat.

For an organization to understand the risks it holds is only the first step, therefore. The second is to design a management strategy. This involves a myriad of variables, including the company’s size and growth prospects, the likely evolution of the local market or portfolio of markets in which it operates, and its willingness to hold risk. But the basis for a strategy can be formed by:

• Understanding the key methods for managing the three types of risk.
• Understanding the evolution of risk holding in the managed-care market.
• Choosing an appropriate risk-management role.

Risk-management methods

Treatment management is challenging because the key is creating the right incentives to influence doctors’ behavior

In designing a risk-management strategy, a healthcare organization needs to treat the three types of risk individually. Clinical operating and pricing risks can generally be reduced by managing treatment better and using outside expertise. Treatment management is always challenging because the key to it is gathering information from disparate sources and enabling physicians to discuss it, and creating the right bundle of incentives to influence doctors’ behavior. Event risk can also be reduced, although to a lesser extent, by increasing the number of lives covered or by capturing a lower-risk population.

Managing event risk. The commonest way to manage event risk (and, potentially, the underwriting component of pricing risk) is to increase the number of covered lives in a given pool. While it may be difficult to predict the occurrence of any one condition with certainty, it is easier to predict the average outcome of a group of similar conditions because, as pool size increases, the risk of the condition occurring decreases. Exhibit 3 illustrates the total risk profile of a medium-sized HMO with a commercial population.

For an organization willing to accept a certain amount of event risk, the threshold size at which incidence and severity for a group equals that amount of risk can be actuarially determined. This minimum efficient risk-holding scale is quite low—for an HMO with a relatively healthy commercial population, the minimum efficient number of covered lives is about 20,000 (Exhibit 4). A sound understanding of the risk characteristics of the covered lives, combined with a strong reinsurance program (including stop-loss coverage), can reduce the number even further.

But as HMO populations change to include relatively less healthy groups, such as Medicare patients, the event risk and the minimum scale for risk holding will rise—although the greater the event risk, the greater the competitive advantage to be had from understanding the population’s risk characteristics and from launching a sophisticated reinsurance program.

Managing pricing risk. Many of the skills required to judge the characteristics of a population likely to subscribe to a specific managed-care product, to predict the experience of that population, and to estimate associated costs such as medical inflation, can be developed with tools used by the insurance industry.

Pricing risk is reduced by the fact that most health plan contracts are renewable annually, which means underwriting or product-design errors can be corrected relatively quickly. Yearly renewable pricing does not eliminate pricing risk, however, and organizations may find that in future their freedom to change prices or alter plan design will be limited by government regulation, or by state limitations on payors’ ability to restrict coverage for certain conditions or state-mandated benefits.

Some organizations share pricing risk through variable rate capitation on long-term contracts. This type of arrangement gives providers an incentive to provide cost-effective care while moving some long-term pricing risk back to the payor.

Managing clinical operating risk. Managing variation in clinical operating costs is conceptually straightforward, but can be difficult for many healthcare organizations. A small, high-performing group of doctors will usually manage it with ease, whereas an HMO with a large and broad provider network might find it a serious challenge.

Operating risk can be managed in three ways (Exhibit 5). First, the focus should be on reducing the average cost of treatment. Healthcare organizations typically focus on measures such as the average hospital admission rate, average length of hospital stay, average cost per day, variability in total cost of treatment, and variability in the length of stay. These measures are controlled by managing the type of provider (whether doctor or nurse, for example), negotiating purchase discounts, and utilization reviews.

Next, organizations can attempt to standardize performance of procedures around the average approach to treatment for each high-frequency, high-cost disease or condition. This will reduce the risk, although it does not significantly bring down the average cost. Substantial benefits are likely to be gained, however, because most operating risks are skewed toward higher costs. So as treatment patterns are standardized, this high-cost skew diminishes, along with the clinical operating risk.

The third and most difficult way to reduce clinical operating risk is to standardize care around best practices. This brings down the average cost of treatment and reduces variability around the mean, minimizing the risk associated with treating a given condition.

The key to the three methods of managing operating risk lies in influencing doctors’ behavior. Healthcare organizations must build the information infrastructure, professional development processes, and incentives that will align clinical practice with better cost and outcome performance. Changing physicians’ behavior becomes more critical, and even more difficult, when an organization also has to manage the interactions among network members. The payor or provider must understand how the contractual relationships (or incentives) among subcontracted organizations will affect costs and utilization. While this is of most concern for HMOs and other payors, an increasing number of large multispecialty groups and integrated provider organizations (particularly those developing their own provider networks) are beginning to face this issue.

How risk evolved, and how to unbundle it

For most of this century, indemnity insurers (and self-insured employers) held almost all healthcare risk in the United States. Because most healthcare providers operated on a fee-for-service basis, they were usually able to pass on unexpectedly high treatment costs directly to insurers, which in turn raised premiums to employers.

During the 1970s and 1980s, many felt healthcare spending was increasing at an unsustainable rate and that the fee-for-service system was largely to blame. In response (and thanks to favorable legislation), managed care in the form of HMOs grew quickly. By the early 1990s, HMOs were joined by a host of provider organizations such as physician groups, carve-outs and disease-management companies, and integrated delivery systems, all of which were beginning to take on risk from employers or HMOs and to manage care. The result is that today’s system has a diverse group of organizations holding a mix of risk under a complicated set of contractual relationships (Exhibit 6).

When risk is transferred between healthcare organizations, typically only a segment of it is involved. Under such "unbundling," organizations in the chain bear different types of risk for the same covered life. An HMO may pass primary care risk to a capitated physician group with which it contracts, for example, but choose to hold the risk for the specialist or hospital care of such "catastrophic" treatments as organ transplants. This unbundling results in a complex environment in which organizations hold a certain segment of risks for some covered lives, and a different segment of risks for others.

Risk unbundling is important because it works as a powerful lever to improve healthcare economics. It enables one payor or provider to give an associated provider an incentive to deliver cost-effective care. Usually this means the risk is transferred to the provider closest to the care and with the tightest control on spending. By capitating physician groups, for example, HMOs have successfully managed utilization and driven down the cost of unnecessary care, although the HMO itself may not capture much of the surplus created.

Certain types of risk may be sought out by providers who have the expertise and network capacity to manage them, thus transferring the risk to the lowest-cost bearer. One provider may contract out specific disease-state management to a carve-out on a capitated or case-rate basis, for example, while another with a small pool of members purchases stop-loss reinsurance. Or an HMO might enter into a capitated contract with a pharmacy benefit manager that has strong expense-management skills.

Risk unbundling is the fundamental method by which healthcare networks are created. It creates a web of diverse players, all of which have an incentive to provide efficient services. It carries two potentially significant costs, however. First, by transferring the risk, the organization loses the premium associated with holding the risk and retains only a relatively small trans-action fee. If a large amount of risk is transferred, the lost revenue may be substantial.

Once a healthcare organization ceases to hold risk, it moves further from its customers and could ultimately lose control over its member lives

The second cost is indirect, but potentially greater. Once a healthcare organization ceases to hold risk, it moves further from its customers and could ultimately lose control over its member lives. Consider an HMO entering into a global capitation agreement with a multispecialty physician group. The more risk (and hence responsibility) the physician group takes, the more actively it manages all the healthcare services for its patient population. This will tend to increase patients’ loyalty to the physician group, distancing them further from the HMO. The physician group also gains the opportunity to develop the risk-management skills previously provided by the HMO. Once this occurs, the HMO can find itself becoming little more than an intermediary, losing control of its customers to its one-time ally, the physician group.

Which role to play?

The third element of a risk-management strategy is to determine which role the healthcare organization should play—whether risk holder, risk intermediary, or risk advisor (Exhibit 7).

It may choose to take on different roles for different types of risk or types of care. Additionally, the optimal role for each strategy may change as it grows or changes goals or as the managed-care environment changes. The roles are not mutually exclusive and it is common for some organizations to play all three simultaneously for different risks or different population segments.

Risk holder. A healthcare organization takes on the role of risk holder when it holds risk and thereby captures risk premium. Many consciously choose this role as their primary strategy for handling risk—especially when, as now, the risk premium is large. A reinsurer holds a provider’s event risk (and by necessity some operational and pricing risk) when it sells excess loss coverage, for example. Likewise, any provider subject to full capitation holds event, operating, and pricing risk for the lives covered by the capitation agreement. A case-rate provider (such as a hospital) holds event (severity), operating, and pricing risk.

A risk holder can have any of at least three broad motivations. It can be an active risk seeker, because it has the skills to manage a specific risk component and potentially enhance the average risk premium. It can be a risk mitigator, because it can aspire to a scale of lives covered, an underwriting ability, or a degree of care standardization that enables it to reduce risk more effectively than other industry players. Or it can be a risk manager, choosing to enhance the risk premium and manage day-to-day operations to create some value for managing risk and care efficiently.

Where premiums are large, it may not be optimal to hold the risk if transferring it would provide incentives to a more efficient risk holder

While many healthcare organizations are risk holders, they may not have explicitly chosen the role. Some providers fail to recognize that their margins are in fact a risk premium. Even those which are aware of the risks they hold may not fully appreciate their scope, or have considered whether they have the skills to manage them. Where risk premiums are large, it may not be optimal for a given player to hold the risk if transferring it would provide useful economic incentives to a more efficient risk holder.

Risk intermediary. If a healthcare organization decides not to hold the entire risk for a set of lives, it can be a risk intermediary instead. In this role, it takes the risk from one party and transfers it to another, either as agent or principal. A provider might transfer event risk (and by necessity some operational and pricing risk) to a reinsurer, for example, while an HMO might transfer all risk associated with providing a dermatology service, say, by signing a capitation contract with a dermatology group. A sophisticated HMO could transfer all severity risk associated with hospitalization by signing a case-rate contract with a hospital, or decide to transfer incidence risk for three disease states and for pharmacy benefits to carve-outs, while holding the rest of its risk portfolio in-house. An organization that passes along risk as an intermediary will of course sacrifice some of the risk premium that could be gained by being a risk holder.

Risk advisor. Traditionally, a risk advisor has been a reinsurer or consultancy that supports a payor’s risk strategy by advising it on underwriting, for example. But it is becoming common for sophisticated HMOs also to take on this role, providing allied physician groups with underwriting and actuarial support and sharing experience and cost data, practice guidelines, cost-management techniques, and utilization reviews. In this way, an HMO can help its capitated physician groups succeed as covered populations change and margins fall, and make its healthcare delivery network more secure.

The CEO’s agenda

How should a CEO think about his or her organization’s risk-management agenda? At the least, the following steps should be considered:

• Establish a risk-management committee reporting directly to the CEO or CFO.
• Reexamine the company’s current risk profile to understand:

• The types of risk it holds and their implications for strategy.
• Pool sizes for each type of risk held versus minimum efficient scale.
• Incentives created by existing risk-transfer arrangements.
• Current underwriting skills and potential risk-management problems arising from specific weaknesses.

• Strengthen pricing and underwriting skills and capabilities.
• Examine the existing reinsurance program to be sure that risk transferred and rates paid are appropriate.
• Determine which risk-management roles are consistent with the organization’s long-term goals and skills.

These basic steps can help senior management define and implement a risk-management strategy that supports the healthcare organization’s overall strategy and improves its financial performance.