Risk assessments can be conducted by looking at a variety of scopes, including the entire organization, a targeted high-risk patient care area (i.e., surgery, interventional radiology, medication management, or scope reprocessing), a new line of business or service, or compliance with standards, regulations, and guidelines. A risk assessment will highlight the potential risk areas that need further scrutiny.
Risk management constantly involves the need to manage new risks and uncertainty, making it challenging to recognize all the threats a healthcare system faces. Fortunately, through the use of data, institutional and industry knowledge, and collaboration with everyone—patients, families, employees, clinicians, administrators, and payers—risk managers can uncover threats and potentially litigious events that otherwise may be difficult to predict.
Now it is time to identify the risks that the health system is exposed to in its operating environment. There are many different types of risk—legal risks, environmental risks, market risks, regulatory risks, and much more. It is important to identify as many risk factors as possible using the following sources:
| Risk Category | Common Issues |
|---|---|
| Strategic planning | Marketing, expansion, mergers and acquisitions, additional medical specialties, capital needs, enterprise risk management |
| Human resources | Employment practices liability, scope of practice, credentialing, background checks, competency assessments, in-service education |
| Clinical risk | Standard of care, infection control, preventive care or screening, medication or pain management, referrals and consultations, drug or device recalls, patient and client education |
| Customer and community relations | Provider-patient/client relationships, complaints, satisfaction survey findings and subsequent actions taken, disclosure of unanticipated events, crisis management |
| Operational risk | Incident reporting, policies and procedures, performance improvement, scheduling and waiting times, missed appointments, patient/client tracking and follow-up, environment of care, fire safety, disaster or emergency preparedness, security, office physical plant and surroundings |
| Information technology | Electronic health records, data privacy and security, email, social media, facsimile, texting, telephone and other remote consultation |
| Legal or regulatory | Patient/client rights, informed consent, HIPAA privacy and confidentiality provisions, Clinical Laboratory Improvements Act (CLIA) regulations, patient/client termination, contract management, closing or leaving a practice |
| Financial | Insurance denial of care, billing and collections, Medicare/Medicaid reimbursement |
Once the risks are identified they should be entered into a Risk Management Assessment Tool such as the one below.
Source: Ali Yawar Alam (2016) Steps in the Process of Risk Management in Healthcare. J Epid Prev Med 2(2): 118.
Once risk is identified, it is essential to score, rank, and prioritize risks based on the likelihood and the impact of their occurrence, and then allocate resources and assign tasks based on these measures. The analysis can be conducted using risk matrices and heat maps that will help visualize risks and stimulate communication and collaborative decision-making.
The severity of impact represents the impact of harm to patients, employees, the environment, or the organization.
The risk score can be calculated by multiplying the likelihood by the severity of the impact.
Below are examples of tools to score the level of risk.
Table 1: Likelihood Guide Example (Depends on existing controls to prevent the occurrence and how robust they are)
| Rare/Remote (1) | Unlikely (2) | Possible (3) | Likely (4) | Almost certain (5) |
|---|---|---|---|---|
|
Frequency: Occurs every 5 years or more Probability: 1% |
Frequency: Occurs every 2-5 years or more Probability: 10% |
Frequency: Occurs every 1-2 years or more Probability: 50% |
Frequency: Bi-monthly Probability: 75% |
Frequency: At least monthly Probability: 99% |
Table 2: Severity of Impact Score Example (1-negligible to 5-extreme)
| Negligible (1) | Minor (2) | Moderate (3) | Major (4) | Extreme (5) |
|---|---|---|---|---|
|
Adverse event leading to minor injury not requiring first aid No impaired psychosocial functioning |
Minor injury or illness, first aid treatment required, <3 days absence, <3 days extended hospital stay Impaired psychosocial functioning greater than 3 days but less than one month |
Significant injury requiring medical treatment and/or counseling >3 Days absence, 3-8 days extended hospital stay Impaired psychosocial functioning greater than one month less than six months |
Major injuries or long term incapacity or disability (loss of limb) requiring medical treatment and/or counseling Impaired psychosocial functioning greater than six months |
Incident leading to death or major permanent incapacity Event that impacts large number of patients or members of the public Permanent psychosocial functioning incapacity |
Table 3: Risk Score classification cut-off values
| Risk Score | Description |
|---|---|
| 1-5 | Low risk |
| 6-12 | Medium risk |
| 15-25 | High risk |
Underlying causes are identified through Root Cause Analysis with subject matter experts. Root cause analysis (RCA) is a problem-solving method that is used to pinpoint the exact cause of a problem or event. The root cause is the actual cause of a specific problem or set of problems, and when that cause is removed it prevents the final undesirable effect from occurring. Grades can be defined on tables such as the severity of the injury, as in Table 2.
The 5 Whys technique is one of the most effective tools for root cause analysis in the Lean management arsenal. Using the 5 Whys will help you find the root cause of any problem and protect the process from recurring mistakes and failures. Consider the example below (Kanbanize, 2020).
EXAMPLE
Using the tables in the above Risk Analysis section, we would describe the risk score of the images not being available at the time of surgery as follows:
There were some control measures currently in place. STAT courier deliveries were one way to control the risk, although it was not always feasible or reliable. For instance, if the missing images went unnoticed until the surgeon arrived, it would be too late to make copies and deliver them in a timely manner. The courier could also be caught in traffic which could delay the delivery, resulting in the surgery being canceled. Therefore, this control is not robust and would only reduce the likelihood by a small margin for getting the images to the OR on time.
Risk Evaluation: In this situation, the risk should be controlled. Unfortunately, there is no way to avoid the risk or transfer the risk to a third party.
A performance improvement team was convened consisting of all departments, frontline staff, surgeons, and contracted hospital staff involved in the process. A flow chart of the current process was completed by going to the departments, observing the process, and speaking with frontline staff about issues they've observed or experienced with the process. This flow chart was used at the first meeting to allow everyone to appreciate the entire process. Root causes were identified, and existing controls were explored.
A new process was created using an index card with the information that each hospital needed to deliver the images to the OR on time. The process was tested at each facility and was fine-tuned based on feedback. After it was implemented, we added a safety net for physicians by texting them when the images were in the OR. After one month they trusted the process, and the texts stopped. Metrics were put into place to monitor the process. The results were sustained over time with 100 percent on-time delivery.
Improving the process for delivering images to the operation room is summarized in the table below (Ebner, 2009).
Authored by Cindy Ebner, MSN, RN, CPHRM, FASHRM
If you are struggling with a concept or terminology in the course, you may contact RiskManagementSupport@capella.edu for assistance.
If you are having technical issues, please contact learningcoach@sophia.org.
