ProAssurance Risk Management | April 2025 | 9 min read

Operational and Clinical Risk Management


Risk management is the ongoing and systematic process of identifying, evaluating, and mitigating the potential threats, vulnerabilities, and events that negatively impact businesses or organizations. Its methods include analyzing the likelihood and severity of these threats on daily operations and developing strategies to help minimize or prevent losses while encouraging business growth. Consistent monitoring and reporting are implemented to assess the effectiveness of these strategies and to identify new or developing threats. This article focuses on two types of risk management: operational and clinical risk management.

Operational Risk Management

Operational risk refers to the potential weaknesses or issues a company or organization may exhibit in its routine functions and activities. There may be risks inherent in the priorities, policies, and decision-making of the organization, any of which can lead to disruptions or failures. Rather than focusing specifically on what is produced, operational risk management focuses on how businesses run, their workforces, and the human-made errors in processes, controls, and systems that effectively threaten a business’ assets and reputation.

The causes of risk are as unique as any organization, but these are the primary sources:

  • People: Staff shortages, lack of knowledge or training, misappropriation of company resources or participation in fraud, high turnover, and poor retention
  • Processes: Incomplete development or documentation of a process, improper performance of sequential steps (leading to breakdowns or slowed production), failed monitoring of internal controls, deployment of inadequate strategies, failure to implement safety measures, or failure to meet government compliance requirements
  • Systems: Outdated or underperforming software, hardware failures, overestimation of system capabilities, unaddressed vulnerabilities and exposures (leading to data breaches or other cybercrime), insufficient equipment maintenance
  • External Events: Natural disasters or weather events, political or economic changes, failed third-party business contracts, unreliable suppliers

All businesses in any industry incur at least some level of risk, and no risk management plan will eliminate every problem or shortcoming. Senior leaders must work across departments to assess and evaluate the impact and severity of risk in their organization, determine their appropriate risk tolerance, and develop a plan for handling both predictable and unforeseen challenges. A good risk management plan will help teams recognize and prioritize threats and develop effective, coordinated techniques to mitigate them. This helps a business run smoothly, reducing incidents of harm or loss while keeping costs down and avoiding heavy regulatory fines.

Assessing Operational Risk

Operational risk assessment begins with identifying what could go wrong in the day-to-day activities of a company and deciding which issues are most crucial to mitigate, and which may be more acceptable. A manufacturer, for example, may ask which vendor has been most consistent in delivering materials on time, while a radiology clinic may consider what might happen if one of their MRI machines breaks down. Organizations monitor key risk indicators (KRIs), quantifiable and trackable benchmarks that are applied to different components of a business or specific areas of concern:

  • Customer Service (response times, complaints)
  • Customer or Patient Satisfaction (survey scores)
  • Team Member Performance (morale, absences)
  • Efficiency of Processes (machine breakdowns, automations)
  • Product Reliability (breakdowns, reviews)
  • Security (IT patches, data breaches, recovery times)

These indicators provide insightful data that is collected and reported to guide the development of company best practices and policies and to maintain regulatory compliance. KRIs can answer important questions on the above components:

  • Are current controls keeping risk levels within an acceptable threshold?
  • Are there new areas of exposure?
  • How effectively and proficiently are lower-level teams handling and resolving issues using the current processes?
  • Where is there room for improvement?

Businesses will determine the KRIs that best suit their framework and needs. These may be developed through automated means using financial or industry data, or third-party surveys. IT services might include risk indicator systems as part of their packages.

Managing Operational Risk

Businesses use many different approaches and strategies to manage risk, but there are a few basic methods:

Avoidance of Unnecessary Risk: An organization might avoid taking on risks that do not bring reward. This requires continuous monitoring and evaluation of potential risks to determine whether they are worth the investment and provide good returns.

Performing Cost/Benefit Analysis: This method evaluates benefits versus costs. Does the benefit potential of a business decision outweigh the risk?

Delegation: The designation of a member of upper management to approach strategies and make decisions regarding risk management is usually appropriate. This individual will have a solid understanding of the company and the industry as a whole, but may counsel with legal teams, providers, and other stakeholders to gather more information.

Anticipation: An awareness of potential risks and their outcomes can assist businesses in formulating a plan of action for overseeing those risks. Gathering information or research (on consumer preferences or geographical limitations, for example) helps a team determine whether to manage or avoid that risk.

Clinical Risk Management

The purpose of clinical risk management is to identify, mitigate, and prevent risks associated with patient care and healthcare institutions. Clinical risk management addresses circumstances that contribute to medical errors, that compromise patient safety, and that have bearing on an organization’s financial health and reputation. The process endorses a culture of teamwork and transparency, relying on the understanding and willingness of all parties involved in patient care to participate in identifying, reporting, learning from, and preventing adverse events. Operational risk management is also applied to healthcare practices because of the potential for error in the human-created controls and systems that play a role in patient care and in the functioning of a hospital or other medical facility.

Adverse and Sentinel Events

An “adverse event” is broadly defined as a negative outcome that occurs when a patient receives medical care such as a medication, procedure, or other treatment. The event may be preventable or nonpreventable, may prolong hospitalization, and can range in severity from injury to disability, psychological trauma, and even patient death. An adverse event is often caused not by the natural course of an illness or condition but by error associated with patient care, including errors of commission or omission, substandard practice, near misses, or close calls.

According to The Joint Commission, a “sentinel event,” a subcategory of medical error, is “a patient safety event that results in death, permanent harm, or severe, temporary harm.” A medical error will fall under this category if it is considered severe. There are many processes and dynamics in day-to-day healthcare and, with them, a myriad of opportunities for errors or mistakes. The following, however, are commonly cited “high-risk processes” or conditions and their potential implications:

  • Surgical Site Verification (wrong-site surgeries)
  • Patient Handoffs
  • Specimen Labeling (mislabeling)
  • Diagnoses (incorrect or missed)
  • Patient Identification (wristbands)
  • Device or Equipment Function (failures, breakdowns)
  • Medication Dosing (incorrect medication or missed dose)
  • Staffing (shortage, high patient-to-provider ratios)
  • Work-Related Falls (injuries)
  • Provider Condition (sleep deprivation, burnout)

The Joint Commission requires that each accredited healthcare organization establish its own definition of a sentinel event in order to develop an appropriate risk management plan for investigation, reporting, response, and prevention. Effective risk-mitigation strategies will help reduce future incidents and promote safety for patients and team members, facilitating an improved quality of care. As stated, the safety of patients and prevention of negative events and injuries is a team effort. Clinical risk management encourages all parties (regardless of status or longevity) from administrators and physicians to nurses and technicians, support staff, patients, family members, and volunteers to openly participate in patient safety and voice any concerns they may have. It may be individual actions that lead to error, but effective clinical risk management ultimately falls to the institution, focusing not on performance but on established and implemented systemic policies and protocols.

Key Components of Clinical Risk Management

The practice of risk management in healthcare has become more complex over time, with greater consideration of expanding technologies, a high incidence of cybersecurity issues, and a constantly evolving regulatory, legal, and reimbursement landscape. Because of this, hospitals and healthcare systems are taking more of a proactive approach to risk management. They are focusing not just on promotion of patient safety and prevention of legal exposures, but on viewing risk in terms of the “big picture,” or the healthcare ecosystem. Risk management plans develop from regular communication and cooperation between the risk manager and multiple stakeholders across all departments. An effective plan will serve as a “living document.” Both clinical and administrative systems and reporting criteria are updated and improved based on new and emerging risks, lessons learned, and changes to healthcare systems and practice trends. Continuous monitoring of these dynamics is necessary, as is ongoing education and training (including for emergencies and contingencies) to help team members stay prepared for change and give providers the tools to provide quality care with fewer potential liabilities.

An effective clinical risk management plan should:

Identify Risks: Uncovering current and developing threats that may compromise patient safety or lead to a liability or compensatory event. A risk manager will lead their team in proactively recognizing and identifying all threats to the healthcare institution. This includes using data benchmarking and applying organizational and industry knowledge. It means engaging with patients, healthcare team members, insurers, and administrators to find risks that might not be immediately apparent.

Quantify and Prioritize: Assigning a score to the risk or event based on its likelihood to occur and its impact or severity. The appropriate risk-mitigating resources are chosen and tasks assigned based on these metrics and on communication and collaboration.

Investigate and Report Adverse and Sentinel Events: Timely response and thorough investigation and evaluation following an adverse event, which reduces the chance of recurrence. This means having an established plan that encourages a calm response with appropriate and measured corrective action to address any safety issues. Cooperation and trust between teams and leaders enable transparency and a more complete evaluation of those corrective actions.

Perform Compliance Reporting: Documentation, coding, and reporting of events such as medication errors, device malfunctions, or injuries to state and federal governing bodies to maintain compliance and avoid fines.

Catch Near-Misses/Learn from Mistakes: Identifying risks by chance or catching “near-misses,” mistakes that could have led to an adverse event. Providers should encourage reporting of these instances, as the information gleaned helps guide best practices and prevent future risk events.

Use Analysis Models: Applying proven models for error and accident analysis. Analysis models like Failure Mode and Effects Analysis (FMEA) or Root Cause Analysis help improve efficiency and effectiveness of a risk management plan by helping uncover the causes and effects of mistakes in a healthcare practice.

Invest in a Risk Management Information System (RMIS): These aid risk management efforts by providing a platform and tools for documenting incidents, reporting trends, and collecting and comparing data. Information systems generate reports for incidents, injuries, claims, and other statistics. They also keep costs down by automating processes.

Find a Balance: Financing risk, applying methods to fund losses, and transferring risk through an insurance policy or risk retention (self-insurance or captive insurance).

ProAssurance Risk Management
The ProAssurance Risk Management department is here to help you promote patient safety, minimize risk, and improve defensibility of claims by providing comprehensive assessment and training resources that are relevant and easy to share. If you have a question you would like to discuss with a risk consultant, email RiskAdvisor@ProAssurance.com or call 844-223-9648.