ERM at HCA
The document titled “Enterprise Risk Management Program at HCA” is a presentation delivered by David Hughes, CPA, CIA, Assistant Vice President of the ERM Office at HCA, during the ERM Roundtable on February 25, 2005.
This presentation provides an overview of HCA’s Enterprise Risk Management (ERM) program, detailing its evolution, risk identification processes, and reporting mechanisms to management and the board.
Key Highlights:
- About HCA: HCA, headquartered in Nashville, TN, operates 190 hospitals and 91 surgery centers across 23 states, England, and Switzerland. As a public company, it reported $21 billion in total assets, $22 billion in annual revenue, and employed 190,000 individuals at the time of the presentation.
- Internal Auditing Definition: The presentation references the Institute of Internal Auditors’ definition, emphasizing internal auditing as an independent, objective assurance and consulting activity aimed at adding value and improving an organization’s operations.
- Management and Board Responsibilities: It underscores that the CEO holds ultimate responsibility for ERM, with the board of directors providing essential oversight and aligning with the entity’s risk appetite, as outlined in the COSO ERM Integrated Framework.
- Evolution of HCA’s ERM Program: The presentation traces the development of HCA’s ERM program from its inception in 2000, highlighting key milestones such as initial risk interviews, engagement with external consultants, the establishment of the ERM office, and the integration of risk assessments into strategic planning.
- ERM Program Objective: HCA’s ERM program aims to establish an integrated approach to risk management by driving the process at strategic and operational levels, developing risk response processes, monitoring performance to ensure effectiveness, and periodically reporting to executive management and the board.
- Risk Identification and Assessment: The presentation details the scope of risk interviews and surveys conducted with board members, executive management, division presidents, and hospital CEOs and CFOs. Participants were asked to identify the top three business risks that could significantly impact the company’s ability to achieve its strategic or financial objectives over the next two years.
- Next Steps: Following risk identification, the outlined steps include identifying risk owners, facilitating risk assessment and response determination, implementing control activities, monitoring control effectiveness, and reporting results to executive management and the board.
This presentation offers valuable insights into HCA’s structured approach to enterprise risk management, emphasizing the importance of leadership involvement, systematic risk assessment, and continuous monitoring to support the organization’s strategic and financial objectives.
Original Article Source: “ERM at HCA” David Hughes, ERM Roundtable. Feb. 25, 2005.