By Jerod Holloway, Weaver Health Care Advisory Services
For many health care organizations, risk is no longer something to manage on the margins. It is a driver of success, shaping financial performance, operational stability and strategic direction in real time.
Sustained margin pressure, expanding regulatory demands and accelerating digital transformation are introducing new dependencies across the enterprise. At the same time, traditional risk categories are converging. Cyber incidents disrupt revenue cycles and patient care. Workforce challenges affect compliance and quality. Policy changes tied to reimbursement and pricing can quickly alter financial outcomes.
Risk is no longer a peripheral concern. It is a central determinant of performance.
Yet many organizations continue to rely on fragmented approaches that were not designed for this level of complexity. Risks are identified but not fully understood, and managed but not strategically leveraged.
As the industry moves deeper into 2026, leading organizations are rethinking enterprise risk management (ERM) — an enterprise-wide framework for understanding how risks interact and impact performance — alongside governance, risk and compliance (GRC), not as control functions, but as strategic capabilities.
Why Legacy Risk Models Are Falling Short
Risk management in health care has largely evolved in response to specific regulatory and operational requirements. Compliance, internal audit, legal, IT security and clinical risk functions often operate independently, each focused on its own scope.
This structure can meet baseline expectations, but it limits enterprise visibility. Risks are frequently assessed in isolation, with limited insight into how financial, operational and regulatory exposures interact. Leadership may receive detailed reporting within functions but lack a clear view of enterprise-wide risk.
As risks become more interconnected, these limitations become more consequential. A cyber incident may originate in IT but quickly affect billing, cash flow, patient access and regulatory exposure. Without an integrated view, organizations are left responding to downstream effects rather than anticipating them.
Traditional GRC models reinforce this gap. Many programs are designed to document controls and address known risks but are less effective in environments defined by rapid change and interdependence. Static assessments become outdated quickly, and reporting often emphasizes past issues rather than emerging exposure.
As a result, GRC functions are often treated as necessary but not strategic.
From Risk Aggregation to Risk Integration
Leading organizations are shifting from identifying risks to understanding how they interact.
ERM in 2026 is defined less by the number of risks tracked and more by the ability to evaluate how those risks combine, amplify one another and influence strategic outcomes. This requires moving beyond siloed assessments toward an integrated, enterprise-level view.
Interconnected Risks Are Reshaping the Enterprise
Several risk domains continue to dominate executive agendas, but their impact is best understood in combination.
Cyber risk now extends well beyond internal systems. Reliance on third-party vendors, partners and digital platforms has expanded the threat surface significantly. The 2024 ransomware attack on Change Healthcare demonstrated how a single third-party incident can halt claims processing nationwide, disrupt revenue cycles, delay patient access to medications and create immediate liquidity pressure. Cyber risk is now an enterprise resilience issue, requiring coordination across ERM and GRC frameworks to align risk visibility with control and response capabilities.
Regulatory change is also reshaping financial and operational strategy. Federal policy shifts, including provisions under the Inflation Reduction Act and the One Big Beautiful Bill Act, are altering reimbursement dynamics through drug price negotiation, caps on patient out-of-pocket costs and changes in financial responsibility across stakeholders. These developments — combining reimbursement variability, evolving compliance requirements and operational complexity — introduce layered exposure and directly affect financial planning and execution. Coordinated GRC processes are essential to translate regulatory change into actionable compliance, reporting and control requirements across the enterprise.
Financial performance remains highly sensitive to converging risks. Labor cost inflation, supply chain instability and reimbursement constraints continue to compress margins. The experience of Kaiser Permanente, which reported significant operating losses driven largely by labor and utilization pressures, illustrates how quickly performance can deteriorate when multiple factors align.
At the same time, adoption of artificial intelligence, automation and advanced analytics is accelerating. These technologies offer meaningful efficiency gains but also introduce risks related to model integrity, data governance, regulatory uncertainty and overreliance on automated decision-making. As innovation advances, governance must keep pace, supported by GRC structures that establish accountability, monitoring and control over emerging technology risks.
ERM as a Strategic Capability
In response, leading organizations are repositioning ERM as a core component of decision-making.
ERM is increasingly used to evaluate trade-offs under uncertainty, enabling leadership to assess how different scenarios may affect financial performance, operations and strategic objectives. It also supports alignment between strategic initiatives and defined risk appetite, ensuring that growth decisions are deliberate and measured.
This approach improves resource allocation by identifying where risk mitigation efforts will have the greatest impact. More importantly, it strengthens resilience by clarifying how risks interact and how disruptions may propagate across the enterprise.
In this model, ERM informs strategy rather than operating alongside it. GRC functions play a complementary role by operationalizing these insights through controls, monitoring and reporting mechanisms that support consistent execution.
What Differentiates Leading Organizations
Organizations advancing this approach share several common characteristics. They operate with integrated governance structures, supported by aligned ERM and GRC capabilities, that establish clear accountability at the executive and board level. They maintain real-time visibility into enterprise risk through improved data integration and reporting. And they foster collaboration across finance, operations, IT and clinical leadership to ensure that risk is evaluated in a broader business context.
They also emphasize forward-looking assessment, using scenario planning and analytics to anticipate potential outcomes rather than relying solely on retrospective analysis. Critically, they connect risk insights directly to financial and strategic performance.
Risk as a Competitive Advantage
As uncertainty persists, the ability to manage risk effectively will increasingly distinguish high-performing organizations.
Those that continue to rely on fragmented, reactive approaches may find themselves exposed not only to adverse events, but also to missed opportunities for growth and innovation. In contrast, organizations that integrate ERM, supported by aligned GRC capabilities, into strategic and operational decision-making are better positioned to respond to change, protect performance and pursue innovation with greater confidence.
In 2026, enterprise risk management is not just a safeguard. It is a driver of performance, resilience and long-term competitive advantage.