Progressive Steps in the Risk Management Process

Author: Capella Healthcare

what's covered
In this lesson, you will identify the steps in the risk management process in more detail. Specifically, this lesson will cover:
  1. Establish the Context
  2. Identify Risk
  3. Analyze Risk
    1. Level of the Risk, or Risk Score
    2. Underlying Causes
    3. Existing Control Measures
  4. Evaluate and Treat and Manage Risk
  5. Monitor and Review
  6. Risk Management Process Example

1. Establish the Context

Risk assessments can be conducted at a variety of scopes, including the entire organization, a targeted high-risk patient care area (e.g., surgery, interventional radiology, medication management, or scope reprocessing), a new line of business or service, or compliance with standards, regulations, and guidelines. A risk assessment will highlight the potential risk areas that need further scrutiny.

2. Identify Risk

Risk management constantly involves the need to manage new risks and uncertainty, making it challenging to recognize all the threats a healthcare system faces. Fortunately, through the use of data, institutional and industry knowledge, and collaboration with everyone—patients, families, employees, clinicians, administrators, and payers—risk managers can uncover threats and potentially litigious events that otherwise may be difficult to predict.

Now it is time to identify the risks that the health system is exposed to in its operating environment. There are many different types of risk: legal risks, environmental risks, market risks, regulatory risks, and many more. It is important to identify as many risk factors as possible using the following sources:

  • Discussion with department chiefs, managers, and staff
  • Patient Tracer Activity
  • Patient complaints
  • Patient satisfaction surveys and comments
  • Incident reporting system
  • Chart audits
  • Hospital-acquired conditions reports
  • Accreditation reports
  • Serious reportable events
  • Specialized Committee Reports
    • Infection Prevention
    • Morbidity & Mortality
    • Pharmacy & Therapeutics
    • Medical Executive
    • Safety
Another proactive approach is to look at risk categories and common issues to identify any risks at your organization. It is also advantageous to determine risks involved in a new service or a change in practice. Principles of Healthcare Risk Management (2014) outlines the following risk categories and corresponding common issues:

| Risk Category | Common Issues |
|---|---|
| Strategic planning | Marketing, expansion, mergers and acquisitions, additional medical specialties, capital needs, enterprise risk management |
| Human resources | Employment practices liability, scope of practice, credentialing, background checks, competency assessments, in-service education |
| Clinical risk | Standard of care, infection control, preventive care or screening, medication or pain management, referrals and consultations, drug or device recalls, patient and client education |
| Customer and community relations | Provider-patient/client relationships, complaints, satisfaction survey findings and subsequent actions taken, disclosure of unanticipated events, crisis management |
| Operational risk | Incident reporting, policies and procedures, performance improvement, scheduling and waiting times, missed appointments, patient/client tracking and follow-up, environment of care, fire safety, disaster or emergency preparedness, security, office physical plant and surroundings |
| Information technology | Electronic health records, data privacy and security, email, social media, facsimile, texting, telephone and other remote consultation |
| Legal or regulatory | Patient/client rights, informed consent, HIPAA privacy and confidentiality provisions, Clinical Laboratory Improvements Act (CLIA) regulations, patient/client termination, contract management, closing or leaving a practice |
| Financial | Insurance denial of care, billing and collections, Medicare/Medicaid reimbursement |

Once the risks are identified, they should be entered into a Risk Management Assessment Tool such as the one below.

Risk Management Assessment Tool
Source: Ali Yawar Alam (2016) Steps in the Process of Risk Management in Healthcare. J Epid Prev Med 2(2): 118.

You can find templates in Excel or possibly in your RMIS. The completed tool will need to be included as part of the Risk Management Program Plan.

3. Analyze Risk

Once risk is identified, it is essential to score, rank, and prioritize risks based on the likelihood and the impact of their occurrence, and then allocate resources and assign tasks based on these measures. The analysis can be conducted using risk matrices and heat maps that will help visualize risks and stimulate communication and collaborative decision-making.

Risk analysis refers to developing an understanding of identified risks.

3a. Level of the Risk, or Risk Score
Likelihood scoring is based on the expertise, knowledge, and experience of the group scoring the likelihood. It is important to keep in mind the nature of the risk.

The severity of impact represents the impact of harm to patients, employees, the environment, or the organization.

The risk score can be calculated by multiplying the likelihood by the severity of the impact.

Below are examples of tools to score the level of risk.

Table 1: Likelihood Guide Example (Depends on existing controls to prevent the occurrence and how robust they are)

| Likelihood | Score | Frequency | Probability |
|---|---|---|---|
| Rare/Remote | 1 | Occurs every 5 years or more | 1% |
| Unlikely | 2 | Occurs every 2-5 years or more | 10% |
| Possible | 3 | Occurs every 1-2 years or more | 50% |
| Likely | 4 | Bi-monthly | 75% |
| Almost certain | 5 | At least monthly | 99% |

Table 2: Severity of Impact Score Example (1-negligible to 5-extreme)

| Severity | Score | Description |
|---|---|---|
| Negligible | 1 | Adverse event leading to minor injury not requiring first aid; no impaired psychosocial functioning |
| Minor | 2 | Minor injury or illness, first aid treatment required, <3 days absence, <3 days extended hospital stay; impaired psychosocial functioning greater than 3 days but less than one month |
| Moderate | 3 | Significant injury requiring medical treatment and/or counseling; >3 days absence, 3-8 days extended hospital stay; impaired psychosocial functioning greater than one month, less than six months |
| Major | 4 | Major injuries or long-term incapacity or disability (loss of limb) requiring medical treatment and/or counseling; impaired psychosocial functioning greater than six months |
| Extreme | 5 | Incident leading to death or major permanent incapacity; event that impacts large number of patients or members of the public; permanent psychosocial functioning incapacity |

Table 3: Risk Score classification cut-off values

| Risk Score | Description |
|---|---|
| 1-5 | Low risk |
| 6-12 | Medium risk |
| 15-25 | High risk |

big idea
Multiply the likelihood score by the severity score to calculate the risk score.

3b. Underlying Causes

Underlying causes are identified through root cause analysis with subject matter experts. Root cause analysis (RCA) is a problem-solving method that is used to pinpoint the exact cause of a problem or event. The root cause is the actual cause of a specific problem or set of problems; removing that cause prevents the final undesirable effect from occurring. Grades can be defined using tables such as the severity of the injury, as in Table 2.

The 5 Whys technique is one of the most effective tools for root cause analysis in the Lean management arsenal. Using the 5 Whys will help you find the root cause of any problem and protect the process from recurring mistakes and failures. Consider the example below (Kanbanize, 2020).


Problem: Ran through a red light
Why? Late for work.
Why? Woke up late.
Why? Alarm clock broke.
Why? Didn’t check if it worked.
Why? Forgot to do it last night.

"The basis of Toyota’s scientific approach is to ask why five times whenever we find a problem … By repeating why five times, the nature of the problem as well as its solution becomes clear."


Using the tables in the above Risk Analysis section, we would describe the risk score of the images not being available at the time of surgery as follows:

  • Likelihood of risk: 5
  • Severity of the impact of risk: 4
  • Risk Score: Likelihood (5) x Impact (4) = 20
Images not getting to the OR on time for surgery would be considered High Risk based on the classification in the example table above.

There were some control measures currently in place. STAT courier deliveries were one way to control the risk, although this was not always feasible or reliable. For instance, if the missing images went unnoticed until the surgeon arrived, it would be too late to make copies and deliver them in a timely manner. The courier could also be caught in traffic, which could delay the delivery and result in the surgery being canceled. Therefore, this control is not robust and would reduce the likelihood of images failing to reach the OR on time by only a small margin.

Risk Evaluation: In this situation, the risk should be controlled. Unfortunately, there is no way to avoid the risk or transfer the risk to a third party.

A performance improvement team was convened consisting of all departments, frontline staff, surgeons, and contracted hospital staff involved in the process. A flow chart of the current process was completed by going to the departments, observing the process, and speaking with frontline staff about issues they've observed or experienced with the process. This flow chart was used at the first meeting to allow everyone to appreciate the entire process. Root causes were identified, and existing controls were explored.

A new process was created using an index card with the information that each hospital needed to deliver the images to the OR on time. The process was tested at each facility and was fine-tuned based on feedback. After it was implemented, we added a safety net for physicians by texting them when the images were in the OR. After one month they trusted the process, and the texts stopped. Metrics were put into place to monitor the process. The results were sustained over time with 100 percent on-time delivery.

Improving the process for delivering images to the operating room is summarized in the table below (Ebner, 2009).

Authored by Cindy Ebner, MSN, RN, CPHRM, FASHRM
