Enterprise Risk Management in Healthcare: A CPHRM Exam Guide

10 min read • Updated April 2026

Enterprise Risk Management (ERM) has become a central concept in the CPHRM exam. The 2020 exam content revision reorganized the five domains to align with an ERM framework, and ASHRM has been actively promoting ERM adoption across the healthcare risk management profession. If you're preparing for the CPHRM, you need to understand not just what ERM is, but how it changes the way risk managers think, prioritize, and communicate across the organization.

What Is Enterprise Risk Management?

Traditional healthcare risk management focuses primarily on clinical risk — patient safety incidents, medical malpractice claims, and regulatory compliance. ERM takes a broader view. It's a structured, organization-wide approach to identifying, assessing, and managing all categories of risk that could affect a healthcare organization's ability to achieve its objectives.

In an ERM framework, the risk manager doesn't just look at patient safety and claims. They also consider strategic risk (market shifts, mergers, reputational threats), financial risk (revenue cycle, payer mix, capital allocation), operational risk (workforce shortages, supply chain disruptions, IT failures), and compliance/regulatory risk as interconnected categories that require coordinated management.

ERM vs. Traditional Risk Management

Understanding this distinction is critical for the exam. Traditional healthcare risk management operates within the risk management department — it's a function. ERM is a framework that operates across the entire organization — it's a strategy.

Traditional RM is reactive and department-centered. It responds to incidents, manages claims, and ensures regulatory compliance. Risk is managed in silos — clinical risk in one place, financial risk in another, IT risk in another.

ERM is proactive and enterprise-wide. It creates a unified risk language, develops a consolidated risk register, and reports risk exposure to the board and C-suite. Risk is managed as an interconnected portfolio where a failure in one area (e.g., cybersecurity) can cascade into others (regulatory penalties, reputational damage, operational disruption).

The CPHRM exam increasingly tests your ability to think in ERM terms — connecting risks across domains rather than treating them as isolated events.

Key ERM Concepts for the Exam

Risk Identification Methods

The exam expects you to know multiple approaches to identifying risk across the enterprise. These include risk assessments and surveys, SWOT analysis applied to risk, root cause analysis (RCA), failure mode and effects analysis (FMEA), hazard vulnerability analysis (HVA) for emergency preparedness, data analytics and trend analysis from incident reports, complaints, and claims, and proactive rounding and environmental assessments.

Know when each method is most appropriate. RCA is used after an event has occurred. FMEA is used proactively to identify potential failure points before harm occurs. HVA is used for emergency preparedness planning. The exam frequently tests this distinction.

Risk Assessment and Prioritization

Once risks are identified, they must be assessed and prioritized. The standard approach uses a risk matrix that evaluates each risk on two dimensions: likelihood (probability of occurrence) and severity (impact if it occurs). Risks that are both highly likely and highly severe receive the highest priority.

In an ERM context, this assessment happens across all risk categories — not just clinical. A cybersecurity vulnerability might score higher on the risk matrix than a clinical process issue, which means it should receive more immediate attention. The exam tests whether you understand this cross-domain prioritization.

Risk Treatment Strategies

The four classic risk treatment options appear repeatedly on the exam: avoidance (eliminate the activity that creates the risk), mitigation (reduce the likelihood or impact), transfer (shift the financial burden through insurance or contracts), and acceptance (acknowledge the risk and choose to bear it). Most exam questions involve mitigation strategies, since healthcare organizations can't avoid most operational risks.

The Risk Register

An enterprise risk register is the central tool for ERM. It catalogs all identified risks, their current assessment scores, assigned owners, treatment strategies, and status. Exam questions may test your understanding of how a risk register is maintained, who has access, and how it's used to communicate risk to leadership and the board.

Sample Scenario

A hospital's risk manager identifies that three separate departments have flagged concerns about the same third-party IT vendor's system reliability over the past quarter — the lab, pharmacy, and radiology. Each department filed concerns independently. Under an ERM approach, what is the risk manager's most appropriate action?

A. Forward each department's concern to the IT department for resolution
B. Consolidate the reports into a single enterprise risk entry, assess the cross-departmental impact, and escalate to the risk committee
C. Contact the vendor directly to demand a service-level agreement review
D. Advise each department to develop its own backup procedures

Best answer: B — ERM thinking requires consolidating siloed risk information into an enterprise view. The risk manager's role is to connect the dots across departments and escalate appropriately — not to resolve the technical issue themselves or let departments manage it independently.
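As an added illustration of the risk matrix and risk register described above (not code from the original guide), the following Python sketch scores register entries on likelihood x severity and consolidates the scenario's three departmental reports about one vendor system into a single enterprise entry. The 5-point scales, the three-department threshold and the one-band severity uplift are assumed policy values for the example, not exam-defined ones.

```python
# Sketch of an enterprise risk register: likelihood x severity matrix scoring plus
# consolidation of siloed department reports that share one root source.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Risk:
    title: str
    category: str     # clinical, operational, financial, strategic, compliance
    department: str
    source: str       # shared root (e.g. a vendor system) used for consolidation
    likelihood: int   # 1 = rare .. 5 = almost certain (assumed 5-point scale)
    severity: int     # 1 = negligible .. 5 = catastrophic (assumed 5-point scale)
    owner: str
    treatment: str    # avoid / mitigate / transfer / accept
    def score(self) -> int:
        """Risk-matrix score: likelihood x severity; higher means more urgent."""
        assert 1 <= self.likelihood <= 5 and 1 <= self.severity <= 5
        return self.likelihood * self.severity

def consolidate(register: list[Risk], min_departments: int = 3) -> list[Risk]:
    """Merge entries sharing a source across >= min_departments departments into one
    enterprise entry (max likelihood, max severity + 1 band, capped at 5). Assumed policy."""
    by_source: dict[str, list[Risk]] = {}
    for r in register:
        by_source.setdefault(r.source, []).append(r)
    merged: list[Risk] = []
    for source, group in by_source.items():
        depts = sorted({r.department for r in group})
        if len(depts) < min_departments:
            merged.extend(group)          # isolated risk: keep as reported
            continue
        merged.append(replace(group[0],
            title=f"{source}: cross-departmental reliability risk",
            department=", ".join(depts),
            likelihood=max(r.likelihood for r in group),
            severity=min(5, max(r.severity for r in group) + 1),  # cascade uplift
            owner="Risk committee"))      # ownership escalated with the entry
    return merged

def prioritize(register: list[Risk]) -> list[Risk]:
    """Order entries for leadership reporting, highest matrix score first."""
    return sorted(register, key=lambda r: r.score(), reverse=True)

# Constructed sample: three departments flagged one vendor system; alone, each scores below the clinical item (8).
SAMPLE = [
    Risk("LIS outage delayed results", "operational", "Lab", "VendorX platform", 3, 2, "Lab director", "mitigate"),
    Risk("Pharmacy system latency", "operational", "Pharmacy", "VendorX platform", 3, 2, "Pharmacy director", "mitigate"),
    Risk("PACS intermittently unavailable", "operational", "Radiology", "VendorX platform", 2, 3, "Radiology lead", "accept"),
    Risk("Medication reconciliation gaps", "clinical", "Nursing", "Reconciliation workflow", 2, 4, "CNO", "mitigate"),
]
```

Run `prioritize(consolidate(SAMPLE))` to see the merged vendor entry (score 12) move ahead of the clinical item (score 8), which is the cross-domain re-prioritization the scenario's answer B describes.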

ERM and the CPHRM Exam Domains

ERM isn't a separate domain on the CPHRM exam — it's a lens that cuts across all five domains. Here's how it shows up in each:

Clinical/Patient Safety: ERM connects patient safety events to broader organizational risks. A pattern of medication errors isn't just a clinical issue — it's a workforce issue (staffing), a technology issue (EHR usability), and potentially a financial issue (increased claims exposure).

Legal & Regulatory: Regulatory non-compliance is an enterprise risk that affects accreditation, reimbursement, and reputation simultaneously. ERM helps organizations assess regulatory risk as part of a portfolio rather than as isolated compliance tasks.

Healthcare Operations: Operational disruptions — supply chain failures, workforce shortages, IT outages — are enterprise risks that cascade across clinical, financial, and reputational dimensions.

Claims & Litigation: Claims data is a lagging indicator of enterprise risk. ERM uses claims trends to identify systemic issues that need proactive intervention. Read more about the Claims & Litigation domain.

Risk Financing: ERM informs risk financing decisions by providing a comprehensive view of total organizational risk exposure, enabling better insurance purchasing, reserve setting, and capital allocation.

Emerging ERM Topics for 2026

The CPHRM exam content reflects current industry trends. These ERM-related topics deserve attention in your preparation:

Cybersecurity as an enterprise risk. Data breaches affect patient safety (disrupted care), finances (regulatory fines, lawsuits), operations (system downtime), and reputation simultaneously. The risk manager's role in cybersecurity governance is an increasingly tested concept.

Social inflation and rising verdicts. ASHRM has published research on social inflation's impact on medical malpractice claims. Understanding how this trend affects enterprise risk exposure and financing strategy is relevant across multiple domains.

Workforce risk. Staffing shortages, burnout, and workplace violence are enterprise risks that affect patient safety, operational capacity, and organizational sustainability. Expect questions that connect workforce challenges to broader risk management strategy.

Key Takeaways

ERM isn't just a buzzword on the CPHRM exam — it's the organizing framework. The exam rewards candidates who can connect risks across domains, think at the organizational level rather than the department level, and understand the risk manager's role as an integrator and communicator of enterprise risk. Study each domain individually, but always consider how the risks in one domain relate to risks in others. That cross-domain thinking is what separates passing scores from failing ones.

For a complete preparation plan, see our CPHRM Study Guide.