Progressive Steps in the Risk Management Process

Author: Capella Healthcare

what's covered
In this lesson, you will identify the steps in the risk management process in more detail. Specifically, this lesson will cover:
  1. Establish the Context
  2. Identify Risk
  3. Analyze Risk
    1. Level of the Risk, or Risk Score
    2. Underlying Causes
    3. Existing Control Measures
  4. Evaluate and Treat and Manage Risk
  5. Monitor and Review
  6. Risk Management Process Example

1. Establish the Context

Risk assessments can be conducted at a variety of scopes, including the entire organization, a targeted high-risk patient care area (e.g., surgery, interventional radiology, medication management, or scope reprocessing), a new line of business or service, or compliance with standards, regulations, and guidelines. A risk assessment will highlight the potential risk areas that need further scrutiny.

2. Identify Risk

Risk management constantly involves the need to manage new risks and uncertainty, making it challenging to recognize all the threats a healthcare system faces. Fortunately, through the use of data, institutional and industry knowledge, and collaboration with everyone—patients, families, employees, clinicians, administrators, and payers—risk managers can uncover threats and potentially litigious events that otherwise may be difficult to predict.

Now it is time to identify the risks that the health system is exposed to in its operating environment. There are many different types of risk: legal risks, environmental risks, market risks, regulatory risks, and many more. It is important to identify as many risk factors as possible using the following sources:

  • Discussion with department chiefs, managers, and staff
  • Patient Tracer Activity
  • Patient complaints
  • Patient satisfaction surveys and comments
  • Incident reporting system
  • Chart audits
  • Hospital-acquired conditions reports
  • Accreditation reports
  • Serious reportable events
  • Specialized Committee Reports
    • Infection Prevention
    • Morbidity & Mortality
    • Pharmacy & Therapeutics
    • Medical Executive
    • Safety
Another proactive approach is to look at risk categories and common issues to identify any risks at your organization. It is also advantageous to determine risks involved in a new service or a change in practice. Principles of Healthcare Risk Management (2014) outlines the following risk categories and corresponding common issues:

| Risk Category | Common Issues |
|---|---|
| Strategic planning | Marketing, expansion, mergers and acquisitions, additional medical specialties, capital needs, enterprise risk management |
| Human resources | Employment practices liability, scope of practice, credentialing, background checks, competency assessments, in-service education |
| Clinical risk | Standard of care, infection control, preventive care or screening, medication or pain management, referrals and consultations, drug or device recalls, patient and client education |
| Customer and community relations | Provider-patient/client relationships, complaints, satisfaction survey findings and subsequent actions taken, disclosure of unanticipated events, crisis management |
| Operational risk | Incident reporting, policies and procedures, performance improvement, scheduling and waiting times, missed appointments, patient/client tracking and follow-up, environment of care, fire safety, disaster or emergency preparedness, security, office physical plant and surroundings |
| Information technology | Electronic health records, data privacy and security, email, social media, facsimile, texting, telephone and other remote consultation |
| Legal or regulatory | Patient/client rights, informed consent, HIPAA privacy and confidentiality provisions, Clinical Laboratory Improvements Act (CLIA) regulations, patient/client termination, contract management, closing or leaving a practice |
| Financial | Insurance denial of care, billing and collections, Medicare/Medicaid reimbursement |

Once the risks are identified, they should be entered into a Risk Management Assessment Tool such as the one below.

Risk Management Assessment Tool
Source: Ali Yawar Alam (2016) Steps in the Process of Risk Management in Healthcare. J Epid Prev Med 2(2): 118.

You can find templates in Excel or possibly in your RMIS, and they will need to be included as part of the Risk Management Program Plan.

3. Analyze Risk

Once risk is identified, it is essential to score, rank, and prioritize risks based on the likelihood and the impact of their occurrence, and then allocate resources and assign tasks based on these measures. The analysis can be conducted using risk matrices and heat maps that will help visualize risks and stimulate communication and collaborative decision-making.

Risk analysis refers to developing an understanding of identified risks.

3a. Level of the Risk, or Risk Score
Likelihood scoring is based on the expertise, knowledge, and experience of the group scoring the likelihood. It is important to keep in mind the nature of the risk.

The severity of impact represents the impact of harm to patients, employees, the environment, or the organization.

The risk score can be calculated by multiplying the likelihood by the severity of the impact.

Below are examples of tools to score the level of risk.

Table 1: Likelihood Guide Example (Depends on existing controls to prevent the occurrence and how robust they are)

| Likelihood (score) | Frequency | Probability |
|---|---|---|
| Rare/Remote (1) | Occurs every 5 years or more | 1% |
| Unlikely (2) | Occurs every 2-5 years or more | 10% |
| Possible (3) | Occurs every 1-2 years or more | 50% |
| Likely (4) | Bi-monthly | 75% |
| Almost certain (5) | At least monthly | 99% |

Table 2: Severity of Impact Score Example (1-negligible to 5-extreme)

| Severity (score) | Description |
|---|---|
| Negligible (1) | Adverse event leading to minor injury not requiring first aid. No impaired psychosocial functioning. |
| Minor (2) | Minor injury or illness, first aid treatment required, <3 days absence, <3 days extended hospital stay. Impaired psychosocial functioning greater than 3 days but less than one month. |
| Moderate (3) | Significant injury requiring medical treatment and/or counseling. >3 days absence, 3-8 days extended hospital stay. Impaired psychosocial functioning greater than one month, less than six months. |
| Major (4) | Major injuries or long term incapacity or disability (loss of limb) requiring medical treatment and/or counseling. Impaired psychosocial functioning greater than six months. |
| Extreme (5) | Incident leading to death or major permanent incapacity. Event that impacts large number of patients or members of the public. Permanent psychosocial functioning incapacity. |

Table 3: Risk Score classification cut-off values

| Risk Score | Description |
|---|---|
| 1-5 | Low risk |
| 6-12 | Medium risk |
| 15-25 | High risk |

big idea
Multiply the likelihood score by the severity score to calculate the risk score.

3b. Underlying Causes

Underlying causes are identified through Root Cause Analysis with subject matter experts. Root cause analysis (RCA) is a problem-solving method that is used to pinpoint the exact cause of a problem or event. The root cause is the actual cause of a specific problem or set of problems, and when that cause is removed it prevents the final undesirable effect from occurring. Grades can be defined on tables such as the severity of the injury, as in Table 2.

The 5 Whys technique is one of the most effective tools for root cause analysis in the Lean management arsenal. Using the 5 Whys will help you find the root cause of any problem and protect the process from recurring mistakes and failures. Consider the example below (Kanbanize, 2020).


Problem: Ran through a red light
Why? Late for work.
Why? Woke up late.
Why? Alarm clock broke.
Why? Didn’t check if it worked.
Why? Forgot to do it last night.

"The basis of Toyota’s scientific approach is to ask why five times whenever we find a problem … By repeating why five times, the nature of the problem as well as its solution becomes clear."
Taiichi Ohno (Kanbanize, 2020)

3c. Existing Control Measures
All measures currently in place to eliminate or reduce the risk should be considered. Examples of measures include
  • alarms
  • policies
  • guidelines
  • barcode scanners
  • insurance coverage
  • rapid response teams
  • preventative maintenance
Consideration should be given to their effectiveness in lowering the risk to the lowest possible level.

big idea
Low-risk incidents by themselves may not warrant a root cause analysis. However, they are a system alert that shows us where a process is unreliable. Low-risk incidents should undergo trending and surveillance in case the incident appears again somewhere else in the organization. It is a way to be proactive before a serious safety event occurs.

4. Evaluate and Treat and Manage Risk

This step involves prioritizing the risks based on the risk analysis score and determining which risks need to be mitigated or reduced and by what means. The following are approaches to managing the risk based on the evaluation.

  • Accept the Risk if it is so low it may not make sense to expend resources on it.
  • Reduce or Treat the Risk by doing one of the following:
    • Control the risk: This entails redesigning the systems and processes to reduce the potential for an adverse outcome. Other approaches could be to reduce the likelihood or the severity of the impact. This will require an action plan that specifies responsible persons, the needed action, and timeframes for completion.
    • Avoid the risk: Either decide not to do the activity that carries an unacceptable risk or choose an alternative that has lower risk.
    • Transfer the risk: This involves another party sharing or bearing the risk through contractual arrangements, insurers, joint ventures, etc.
  • Exploit the risk by looking for an opportunity or an upside to the risk and make sure the opportunity is realized. This is not used in healthcare as much, although you could use it with Value-Based Purchasing—where a percentage of the payments received by the healthcare system from a payer for services rendered are withheld (risk) pending your performance (opportunity) on agreed-upon quality goals. If you exceed the goals, there is a greater financial gain above the break-even point (opportunity is realized).
Please note, if we are reducing risk to an acceptable level, there may be risk that remains after the controls are applied—this is residual risk.

5. Monitor and Review

Any system or process changes that were implemented must be monitored according to the process, outcome, and balancing measures that are associated with them. Risk management should review these and address any failures. It also needs to include system-wide monitoring of the risks through incident reporting, patient complaints, clinical audit indicators, safety rounds, satisfaction surveys, staff complaints, and medical records.

6. Risk Management Process Example

The following is an actual example from the Ohio Safety Action Teams.

Context: An employed surgeon contacted the risk manager to lodge a complaint that radiologic images were frequently not available in the OR in time for surgery. The ambulatory healthcare organization (AHO) that employed the surgeon had 30 medical offices with radiology, pharmacy, lab, emergency services, and an ambulatory surgery center. However, they contracted with several local hospitals for inpatient services. The images were taken at the AHO, and then were delivered to the designated facility where the surgery was scheduled.

Risk Identification: Not having images available in the OR in time for surgery resulted in delayed or canceled surgeries, repeated x-rays, production of redundant copies, the need for STAT courier deliveries, and dissatisfaction from everyone involved. The potential costs to the patient included further radiation exposure, additional expenses, increased stress, and increased risk of a complication or adverse event.

Risk Analysis: The number of times the images were unavailable at the time of surgery was not tracked to validate the concern. However, several surgeons, hospital surgery staff, and the members of the radiology department were interviewed to determine the frequency. It was noted that it happened several times per month. The potential effects on the patient are listed in "risk identification."

Using the tables in the above Risk Analysis section, we would describe the risk score of the images not being available at the time of surgery as follows:

  • Likelihood of risk: 5
  • Severity of the impact of risk: 4
  • Risk Score: Likelihood (5) x Impact (4) = 20
Images not getting to the OR on time for surgery would be considered High Risk based on the classification in the example table above.

There were some control measures currently in place. STAT courier deliveries were one way to control the risk, although they were not always feasible or reliable. For instance, if the missing images went unnoticed until the surgeon arrived, it would be too late to make copies and deliver them in a timely manner. The courier could also be caught in traffic, which could delay the delivery and result in the surgery being canceled. Therefore, this control is not robust and would reduce the likelihood of the images not reaching the OR on time by only a small margin.

Risk Evaluation: In this situation, the risk should be controlled. Unfortunately, there is no way to avoid the risk or transfer the risk to a third party.

A performance improvement team was convened consisting of all departments, frontline staff, surgeons, and contracted hospital staff involved in the process. A flow chart of the current process was completed by going to the departments, observing the process, and speaking with frontline staff about issues they've observed or experienced with the process. This flow chart was used at the first meeting to allow everyone to appreciate the entire process. Root causes were identified, and existing controls were explored.

A new process was created using an index card with the information that each hospital needed to deliver the images to the OR on time. The process was tested at each facility and was fine-tuned based on feedback. After it was implemented, we added a safety net for physicians by texting them when the images were in the OR. After one month they trusted the process, and the texts stopped. Metrics were put into place to monitor the process. The results were sustained over time with 100 percent on-time delivery.

Improving the process for delivering images to the operating room is summarized in the table below (Ebner, 2009).


Authored by Cindy Ebner, MSN, RN, CPHRM, FASHRM