Risk assessments can be conducted at a variety of scopes, including the entire organization, a targeted high-risk patient care area (e.g., surgery, interventional radiology, medication management, or scope reprocessing), a new line of business or service, or compliance with standards, regulations, and guidelines. A risk assessment will highlight the potential risk areas that need further scrutiny.
Risk management constantly involves the need to manage new risks and uncertainty, making it challenging to recognize all the threats a healthcare system faces. Fortunately, through the use of data, institutional and industry knowledge, and collaboration with everyone—patients, families, employees, clinicians, administrators, and payers—risk managers can uncover threats and potentially litigious events that otherwise may be difficult to predict.
Now it is time to identify the risks that the health system is exposed to in its operating environment. There are many different types of risk—legal risks, environmental risks, market risks, regulatory risks, and many more. It is important to identify as many risk factors as possible using the following sources:
| Risk Category | Common Issues |
| --- | --- |
| Strategic planning | Marketing, expansion, mergers and acquisitions, additional medical specialties, capital needs, enterprise risk management |
| Human resources | Employment practices liability, scope of practice, credentialing, background checks, competency assessments, in-service education |
| Clinical risk | Standard of care, infection control, preventive care or screening, medication or pain management, referrals and consultations, drug or device recalls, patient and client education |
| Customer and community relations | Provider-patient/client relationships, complaints, satisfaction survey findings and subsequent actions taken, disclosure of unanticipated events, crisis management |
| Operational risk | Incident reporting, policies and procedures, performance improvement, scheduling and waiting times, missed appointments, patient/client tracking and follow-up, environment of care, fire safety, disaster or emergency preparedness, security, office physical plant and surroundings |
| Information technology | Electronic health records, data privacy and security, email, social media, facsimile, texting, telephone and other remote consultation |
| Legal or regulatory | Patient/client rights, informed consent, HIPAA privacy and confidentiality provisions, Clinical Laboratory Improvements Act (CLIA) regulations, patient/client termination, contract management, closing or leaving a practice |
| Financial | Insurance denial of care, billing and collections, Medicare/Medicaid reimbursement |
Once the risks are identified, they should be entered into a Risk Management Assessment Tool such as the one below.
Once risk is identified, it is essential to score, rank, and prioritize risks based on the likelihood and the impact of their occurrence, and then allocate resources and assign tasks based on these measures. The analysis can be conducted using risk matrices and heat maps that will help visualize risks and stimulate communication and collaborative decision-making.
The severity of impact represents the impact of harm to patients, employees, the environment, or the organization.
The risk score can be calculated by multiplying the likelihood by the severity of the impact.
Below are examples of tools to score the level of risk.
Table 1: Likelihood Guide Example (Depends on existing controls to prevent the occurrence and how robust they are)
|Rare/Remote (1)||Unlikely (2)||Possible (3)||Likely (4)||Almost certain (5)|
Frequency: Occurs every 5 years or more
Frequency: Occurs every 2-5 years or more
Frequency: Occurs every 1-2 years or more
Frequency: At least monthly
Table 2: Severity of Impact Score Example (1-negligible to 5-extreme)
| Negligible (1) | Minor (2) | Moderate (3) | Major (4) | Extreme (5) |
| --- | --- | --- | --- | --- |
| Adverse event leading to minor injury not requiring first aid; no impaired psychosocial functioning | Minor injury or illness, first aid treatment required, <3 days absence, <3 days extended hospital stay; impaired psychosocial functioning greater than 3 days but less than one month | Significant injury requiring medical treatment and/or counseling; >3 days absence, 3-8 days extended hospital stay; impaired psychosocial functioning greater than one month less than six months | Major injuries or long term incapacity or disability (loss of limb) requiring medical treatment and/or counseling; impaired psychosocial functioning greater than six months | Incident leading to death or major permanent incapacity; event that impacts large number of patients or members of the public; permanent psychosocial functioning incapacity |
Table 3: Risk Score classification cut-off values
Underlying causes are identified through root cause analysis with subject matter experts. Root cause analysis (RCA) is a problem-solving method that is used to pinpoint the exact cause of a problem or event. The root cause is the actual cause of a specific problem or set of problems; removing that cause prevents the final undesirable effect from occurring. Grades can be defined using tables, such as the severity of the injury in Table 2.
The 5 Whys technique is one of the most effective tools for root cause analysis in the Lean management arsenal. Using the 5 Whys will help you find the root cause of any problem and protect the process from recurring mistakes and failures. Consider the example below (Kanbanize, 2020).
"The basis of Toyota’s scientific approach is to ask why five times whenever we find a problem … By repeating why five times, the nature of the problem as well as its solution becomes clear."
Taiichi Ohno (Kanbanize, 2020)
This step involves prioritizing the risks based on the risk analysis score and determining which risks need to be mitigated or reduced and by what means. The following are approaches to managing the risk based on the evaluation.
Any system or process changes that were implemented must be monitored according to the process, outcome, and balancing measures that are associated with them. Risk management should review these and address any failures. It also needs to include system-wide monitoring of the risks through incident reporting, patient complaints, clinical audit indicators, safety rounds, satisfaction surveys, staff complaints, and medical records.
The following is an actual example from the Ohio Safety Action Teams.
Context: An employed surgeon contacted the risk manager to lodge a complaint that radiologic images were frequently not available in the OR in time for surgery. The ambulatory healthcare organization (AHO) that employed the surgeon had 30 medical offices with radiology, pharmacy, lab, emergency services, and an ambulatory surgery center. However, they contracted with several local hospitals for inpatient services. The images were taken at the AHO, and then were delivered to the designated facility where the surgery was scheduled.
Risk Identification: Not having images available in the OR in time for surgery resulted in delayed or canceled surgeries, repeated x-rays, production of redundant copies, the need for STAT courier deliveries, and dissatisfaction from everyone involved. The potential costs to the patient included further radiation exposure, additional expenses, increased stress, and increased risk of a complication or adverse event.
Risk Analysis: The number of times the images were unavailable at the time of surgery was not tracked to validate the concern. However, several surgeons, hospital surgery staff, and the members of the radiology department were interviewed to determine the frequency. It was noted that it happened several times per month. The potential effects on the patient are listed in "risk identification."
Using the tables in the above Risk Analysis section, we would describe the risk score of the images not being available at the time of surgery as follows:
There were some control measures currently in place. STAT courier deliveries were one way to control the risk, although they were not always feasible or reliable. For instance, if the missing images went unnoticed until the surgeon arrived, it would be too late to make copies and deliver them in a timely manner. The courier could also be caught in traffic, which could delay the delivery and result in the surgery being canceled. Therefore, this control is not robust and would only reduce by a small margin the likelihood of the images failing to reach the OR on time.
Risk Evaluation: In this situation, the risk should be controlled. Unfortunately, there is no way to avoid the risk or transfer the risk to a third party.
A performance improvement team was convened consisting of all departments, frontline staff, surgeons, and contracted hospital staff involved in the process. A flow chart of the current process was completed by going to the departments, observing the process, and speaking with frontline staff about issues they've observed or experienced with the process. This flow chart was used at the first meeting to allow everyone to appreciate the entire process. Root causes were identified, and existing controls were explored.
A new process was created using an index card with the information that each hospital needed to deliver the images to the OR on time. The process was tested at each facility and was fine-tuned based on feedback. After it was implemented, we added a safety net for physicians by texting them when the images were in the OR. After one month they trusted the process, and the texts stopped. Metrics were put into place to monitor the process. The results were sustained over time with 100 percent on-time delivery.
The improvement of the process for delivering images to the operating room is summarized in the table below (Ebner, 2009).
Authored by Cindy Ebner, MSN, RN, CPHRM, FASHRM