• Create and protect value
• Be part of all processes
• Be part of decision making
• Be used to handle uncertainty
• Be systematic and timely
• Be based on the best data
• Be tailored to the environment
• Consider human factors
• Be transparent and inclusive
• Be responsive and iterative
• Support continual improvement
The ISO 31000 standard describes a risk management framework that becomes part of the management system of the organization. The process of creating this framework is described in Table 6.2.
Table 6.2
Creating a risk management framework
• Writing a risk management policy with indicators and objectives |
• Evaluating and describing the external environment and internal environment |
• Identifying risk owners within the organization with assigned accountability and responsibilities |
• Developing an organization-wide risk management plan |
• Allocating resources |
• Establishing internal communication mechanisms |
• Developing an external communication plan |
• Making the risk management process part of the organization’s management approach and culture |
Risk Management in Healthcare Organizations
Risk and patient safety are closely connected in healthcare organizations, and the disciplines of safety and risk management are therefore interrelated. While accreditation organizations such as The Joint Commission and DNV Healthcare have definite requirements related to patient safety and risk, most organizations go beyond these basic requirements and have adopted a business or quality management system incorporating risk analysis and patient safety as key elements [3]. This approach relies on the Donabedian model of healthcare delivery in which structure is created by the organization to ensure timely, efficient, and safe healthcare process delivery with favorable outcomes for the patients served [4]. The first step in assessing ERM is to identify where risk resides within the organization.
Identifying Risk
Risk can be categorized for any organization at the enterprise level, and commonly used risk domain s in healthcare are listed in Table 6.3. The domains are described with simple definitions and specific examples. The last column is devoted to key risk indicators (KRIs). A KRI is a metric for measuring how risky an organizational process or service line is and can be thought of as an early warning indicator of a potential event that may harm the process/organization/patient. Ideally the KRI is a leading indicator with a predictive value related to the particular risk identified. The ERM goal is to identify risks throughout the organization using risk domain s as a guide, and then to summarize the risks on a risk map/organizational dashboard or domain list as shown in Table 6.3. Measuring, quantifying, comparing, and prioritizing risks are the next steps.
Table 6.3
Sample risk domains
Risk domains | Description | Examples | Key risk indicators |
---|---|---|---|
Operational | • Risks resulting from failed processes or systems | • Failure to diagnose | • Number of active lawsuits |
• Insufficient discharge planning | • Readmission rate | ||
• Poor maintenance of equipment or facility | • Average age of plant/equipment | ||
Clinical/patient safety | • Risks associated with care delivery | • Inconsistent clinical appointment process | • Patient satisfaction with clinical appointments |
• Failure to monitor reappointment | • Reappointment failure rate | ||
• Failure to appropriately credential new technology procedures | • Complication rates associated with new technology | ||
• Failure to monitor patient complaints | • Patient survey—perception of safety within the hospital | ||
Strategic/external | • Risks associated with strategy and the direction of the organization | • Competition | • Market share of major service lines |
• Relationships with physicians | • Physician turnover | ||
• Regulatory changes | • Physician and staff satisfaction survey results | ||
Financial | • Risks and decisions associated with the financial stability of the organization | • Payment system changes | • Days cash on hand |
• Access to capital | • Expense per adjusted discharge | ||
• Revenue enhancement | • Long-term debt to capitalization | ||
• Operating and total margins | |||
Human capital | • Workforce-related risks | • Disruptive behavior | • Delinquent chart rate |
• Hiring and retention | • Employee turnover | ||
• Physician shortage | • % of RNs contracted through agencies | ||
• Organizational change | • State medical school retention rate for in-state residencies | ||
• Leadership change/year | |||
Legal/regulatory | • Risks associated with failing to understand and monitor legal and regulatory mandates and laws | • ACO issues | • Total cost of care |
• HIPAA, FTC issues | • Annual legal expenses | ||
• Conflicts of interest | |||
• ACA issues | |||
Technology | • Risks associated with monitoring, managing, and understanding all of the technology used by the organization | • IT/EHR issues | • EHR downtime episodes/month |
• Robotics and certification | • Robotic complication rate | ||
• Multiple vendors | • Number of vendors for specific service lines/implants/procedures | ||
Hazard | • Risks related to hazards causing business interruption or major catastrophe with effects upon patient care delivery and safety | • Natural disaster | • Monthly disaster plan review rate |
• Failure to plan for crisis contingencies | • Number of crisis mock exercises per quarter | ||
• Failure to provide redundancy and backup systems |
Measuring Risk
In Chapter 33 we provide several examples of surgical risk and describe the technique of measurement for individual risk parameters based on a failure mode effect analysis (FMEA) . A standard FMEA utilizes three parameters to calculate a risk priority number (RPN) for each risk identified. The three factors are frequency of occurrence, severity, and likelihood of detection. Although this rating system works well in the clinical setting, most organizations with formal ERM systems utilize a simpler version with only the parameters of frequency (likelihood) and severity (impact) to derive a Risk Score that typically is in the range of 1–100 (in the case of a scale of 1–5 rather than 1–10 for each factor, the range would be 1–25). Scales of 1–5 for each parameter are easier to use and make decisions while scales of 1–10 afford more precision and are preferred in engineering work (Figs. 6.1 and 6.2).
Fig. 6.1
Calculation of Risk Score
Fig. 6.2
Rating scales for calculating Risk Scores
After the risks have been categorized and listed using a risk domain , a Risk Score is assigned to each specific risk identified. For example, the risk of failure to appropriately credential new technology procedures may be assigned a frequency score of 2 (since the credentialing is usually done correctly) and a severity score of 6 (because the patient safety risk and liability may be high if a mishap occurs involving a provider who has not been credentialed appropriately). The Risk Score in this case would be 12. Risks may be scored using this system and they can then be grouped and compared. The numbers assigned to each risk are estimates derived by the team performing the assessment, although various data sources may certainly be used to improve accuracy in making the estimates. Risks with higher Risk Scores, or those above a given threshold value, may then be carefully evaluated and monitored.
Culture
The culture of an organization is of immense importance, and developing a great culture focused on improving patient safety and quality is paramount to success. A major component of a just culture in healthcare is trust. Without trust among peers, subordinates, clinicians, providers, and administration, many healthcare organizations will merely go through the motions and never achieve true quality improvements. Healthcare organizations, and hospitals in particular, are often highly political with poor lines of communication among various departments, and may harbor tension between administration and those clinicians that serve the needs of the patient. Individuals at varying levels within the organization may have personal agendas that impact honest communication and limit the sharing of information that would enhance higher quality and patent outcomes. One noted hospital turnaround executive, when asked how he had been so successful with institutions that struggled to provide good results, stated, “It’s simple. When faced with any decision I always ask if this action will improve servicing the needs of the patient and improve quality. If the answer is no, then we don’t do it.”
Communication and trust must drive culture with an unwavering focus on the needs of the patient [5]. If a policy or procedure does not improve patient outcomes, then it shouldn’t be adopted. In many instances, the larger and more complex the organization, the more the tendency to focus on organizational rather than customer (i.e., patient) needs. As healthcare moves to increased transparency and disclosure of both quality and costs, patients will demand higher quality services at a lower cost in the new retail environment. The organizations that can make significant improvements in patient outcomes will have the upper hand in attracting and retaining patients. This will not be accomplished without breaking down the communication barriers and increasing trust through a broader enterprise-wide risk management structure.
Risk is inherent in every business, and organizations that embed risk management practices into business planning and performance management are more likely to achieve their strategic and operational objectives [6]. Healthcare is often characterized by the statement, “good people, bad system.” Frequently the “system” (administration, politics, bureaucracy, regulations) gets in the way of individuals doing their job or doing the right thing when it is needed. The ERM processes should include both identifying issues that get in the way of better quality and patient outcomes and documenting situations in which successful workarounds occurred to avoid a bad outcome. Due to incident reporting mandates, there is often a focus on bad outcomes with limited learning about what was done correctly [7]. The true learning that should be taking place to improve quality comes from the avoidance of a bad outcome or “near miss,” with appropriate recording of the events and subsequent follow-up using an organizational structure such as a morbidity and mortality conference. A number of organizations have utilized various programs supporting a culture of ERM, including Organizing for High Reliability (HRO), Crew Resource Management (CRM), and TeamSTEPPS (from AHRQ) [8].
Avoiding a Culture of Fear
One barrier to improved patient outcomes and quality has been the pervasive culture of fear in many organizations that usually stems from a combination of a strict clinical hierarchy and the threat of litigation. Unfortunately, this culture of fear has been fairly common in healthcare. Concerns over patient privacy, reputational risk, and cost of litigation in both settlement value and impact on medical malpractice premiums have stifled open communication and learning [9]. Such concerns also inhibit reporting of near misses, which are critical for an organization to study in order to learn and improve [10]. Tort reform and reduced frequency and severity of claims have improved the market conditions and availability of medical malpractice insurance over the past several years. Consequently, there is an opportunity to break this cycle of fear and communicate appropriate information in order to improve both patient experience and outcomes.
Some healthcare organizations avoid any discussions involving errors or mistakes that take place in the hospital setting for fear of discovery in a litigated matter [11]. As a result, they may not always be forthright with patients and relatives regarding the specifics of the event that occurred. Communicating, studying, and understanding what went wrong benefit everyone and lead to higher patient quality in the future [12]. Effective apologies, experts tell us, are those that are made as quickly as possible after the event, and should occur within 24 h to be effective [13]. There has been interest in such programs as “Sorry as a strategy,” and related “I’m sorry” legislation that has evolved over the last 10 years. These strategies have created progress towards breaking the culture of fear, but only if implemented on an enterprise-wide basis, since they will not be as effective and could potentially be more damaging when applied inconsistently [14, 15].
Investing in an enterprise-wide risk management strategy can be time consuming and involves a significant investment for many organizations. A comprehensive risk program is a wise investment for an organization interested in improving quality, lowering costs, and reducing risks for the patients it serves.
Defining a Culture of Prevention
Much has been written about the complexities of understanding and establishing a culture of safety. This concept is illustrated by the onion model of Schein adapted as the Helsinki Onion and the Culture of Prevention [16]. One can immediately appreciate the complexity surrounding the path to building a culture that moves “from risk to a zero incident organization.” A safety culture is defined as “the ways in which safety is managed in the workplace, and often reflects the attitudes, beliefs, perceptions and values that employees share in relation to safety” [17]. The first step in establishing a culture of safety is to study the current state of an organization utilizing a risk assessment. If an organization is indeed defined by its culture, harnessing that culture requires understanding the culture through two lenses: vertical alignment and horizontal alignment. That means evaluating leadership all the way from the CEO down to the managerial level, and then performing a horizontal examination of each through a common framework.
The following case study uses a four-dimension framework: just culture, organizational structure, engagement, and alignment measures. Nested within the four dimensions are 21 analysis measures, including measures from just culture, ethics, leadership, and staff attitudes and behaviors. The analysis measures provide an assessment of how well the staff feel they are delivering high-quality and safe care to the patients. Figure 6.3 illustrates the important cultural measures of this hospital study. The findings of our survey suggest that a fundamental set of behaviors must exist before operational actions will have any significant impact in implementing a culture of safety and prevention .
Fig. 6.3
The employee survey and four-dimension framework: just culture, organizational structure, engagement, and alignment measures
- 1.
A Culture of Prevention is more easily established when leadership first creates a culture of “continuous improvement.”
The question which was asked in the study: “Compared to last year, we have made improvements in serving our patients and in patient safety.”
35 % of respondents answered: “A Great Deal”
36 % of respondents answered: “Somewhat”
17 % of respondents answered: “Not Really/No change”
Continuous improvement could be an important strategic objective in developing a culture of patient safety. The following two figures illustrate the tangible impact on employee perceptions, culture, and patient safety performance when people perceive that there has been “A Great Deal” of improvement or “Not Really/No Change” (Figs. 6.4 and 6.5). The 103 respondents that voted “A Great Deal” of improvement showed remarkable scoring results (80 and above is green) against all 21 culture measures (Fig. 6.4). Contrast that to the findings illustrated in Fig. 6.5 where 49 respondents voted “Not Really/No Change” to the same question. Scores of 55 and below are red, and it is worth noting the low scores on Patient Care and Patient Safety in the just culture dimension.
Fig. 6.4
Respondents that voted “A Great Deal” of improvement (n = 103)
Fig. 6.5
Respondents that voted “Not Really/No Change” in response to question of making improvements (n = 49)
- 2.
A culture of prevention is enhanced when there is a caring culture.
The question asked in the study: “My immediate supervisor cares about my personal growth and development.”
57 % of respondents answered: “Yes”
25 % of respondents answered: “Not Sure”
10 % of respondents answered: “No”
Table 6.4 lists the top ten scores in the study of people who perceive that their managers care about their growth and development. The behavior scores that are core to patient care and safety rank at the top, and pride of employment has the strongest score. Managers who care about their workgroups have workgroups who are proud to work for the organization (Figs. 6.6 and 6.7).
Table 6.4
Top scores of employees who feel that managers care about their growth and development
No.
Factor
Item
Score
1
Employee behavior
Nurses should always question decisions made by an attending if they perceive a problem with patient care or safety
93
2
Pride in the organization
I am proud to work for this facility
93
3
Employee behavior
I would report at-risk patient safety behavior from any of my coworkers to my immediate supervisor
92
4
My immediate supervisor
My immediate supervisor values me
92
5
My immediate supervisor
My immediate supervisor cares for me
92Stay updated, free articles. Join our Telegram channel
Full access? Get Clinical Tree
Get Clinical Tree app for offline access