INTEGRATED RISK MANAGEMENT (IRM) FOR HEALTHCARE ORGANIZATIONS Risk Management Resource Guide

June 2011

Page 2: Hiroc Irm Guide June 2011

IRM for Healthcare Organizations

© 2011 HIROC. For quality assurance purposes. For use by HIROC subscribers and members only.

Acknowledgements

This document was prepared, in part, with the input of a number of HIROC subscribers in various stages of IRM implementation. Their candid reflections and advice are greatly appreciated.

Comments

This document will be updated as new information and insights arise. We are very interested in receiving questions, suggestions and feedback regarding this work. Please direct your comments to: Risk Management, Healthcare Insurance Reciprocal of Canada (HIROC), 4711 Yonge St. Suite 1600, Toronto, Ontario M2N 6K8. Tel: 1-800-465-7357. Email: [email protected]

Overview of Version Changes

Originally published in May, 2011. This version includes an update to Appendix 4 – Top Ranked Risks from HIROC Claims Data, which clarifies some risk descriptors and incorporates additional analysis of surgical claims, resulting in some minor changes to the rankings and the elimination of one risk category, “Surgical – Inadequate performance / management.”


Contents

Introduction .................................................................................................................................................. 2

The IRM Imperative ...................................................................................................................................... 3

1. External Drivers ................................................................................................................................. 3

2. Internal Drivers ................................................................................................................................. 3

IRM Implementation ..................................................................................................................................... 4

1. Decide on a (Simple) Framework ...................................................................................................... 4

2. Ensure Oversight and Coordination .................................................................................................. 4

3. Confirm Organizational Context ....................................................................................................... 5

4. Assess Risks ....................................................................................................................................... 6

Assessment Question 1 – What can go wrong? .................................................................................... 7

Assessment Question 2 – How Bad? ..................................................................................................... 8

Assessment Question 3 – How Often?................................................................................................ 10

Assessment Question 4 – Is There a Need For Action? ...................................................................... 11

5. Report Risks..................................................................................................................................... 11

6. Manage Risks .................................................................................................................................. 12

Summary ..................................................................................................................................................... 14

References .................................................................................................................................................. 15

Appendix 1 – AS/NZS ISO 31000 Risk Management Framework ................................................................ 16

Appendix 2 – Sample Risk Categories by Function ..................................................................................... 17

Appendix 3 – Common Sources of Risk Information .................................................................................. 18

Appendix 4 – Top Ranked Risks from HIROC Claims Data .......................................................................... 19

Appendix 5 – Sample Consequence Domains and Risks ............................................................................. 20

Appendix 6 – Sample Risk Assessment Matrix with Scale Definitions ........................................................ 21

Appendix 7 – Simple Risk Register Outline and Field Descriptions............................................................. 22


Introduction

Many organizations manage major risks independently of one another as a patchwork of risk management activities within horizontal and vertical silos. The result is that one type of risk may receive excessive attention and resources at the expense of another, less well understood risk. Integrated risk management (IRM)¹ provides a common framework for understanding and prioritizing very different types of organizational risks, and for creating a concise list of the most significant risks facing the organization. Some helpful, published definitions of IRM include:

• A continuous, proactive, systematic approach to identifying, assessing, understanding, acting on, and communicating risk from an organization-wide, aggregate perspective (TBS, 2002);

• A process for separating out the small, unlikely risks from the large, likely ones through a step wise process which includes identification of context, and risk identification, evaluation, mitigation, monitoring, reporting, and assurance (Decker, 2010);

• An approach for identifying critical risks; quantifying their potential impact and likelihood, prioritizing, and identifying risk management strategies to bring risks to acceptable levels (ECRI, 2009).

There are considerable challenges and costs associated with IRM implementation and unfortunately the value of IRM has not always been realized. In a recent survey of large multinational businesses that had adopted IRM (enterprise risk management, ERM), only 26% of respondents said that IRM’s influence on overall strategic planning was very significant or significant, with 64% saying it was partial or very little. When asked to identify barriers to successful IRM implementation, 40% said lack of tangible benefits; 34% - lack of skills and capability; 31% - lack of senior leadership support; and 30% - unclear ownership and responsibility for implementation (Aon, 2010). Even in the National Health System (NHS) in the United Kingdom, a healthcare system with advanced IRM programs, it was found that there was considerable scope to improve the identification and specification of corporate risks, and to improve integration of risk management in the day-to-day running of organizations (Audit Commission, 2009).

It has also been suggested that one of the biggest barriers to successful implementation of IRM is overly complicated structures and processes. “Why has it taken so long to get ERM up and running? There are a large number of common misconceptions about both the approach and the process that have become obstacles to successful implementation… Most of these stem from a common source: the failure to recognize that ERM is in fact an easier, simpler, and more logical undertaking than most people realize. The result has been needless complications that have in turn bred misunderstandings and frustration among implementers and senior management” (Fraser, 2007).
The purpose of this resource guide is to review the basic elements of IRM and, without prescribing an exact format or critiquing any particular approach, to offer sensible, efficient, and effective techniques and tips for IRM implementation, therefore reducing the effort and frustration that may be experienced by organizations starting down this road.

¹ The systematic application of risk management across an organization has many names. We view the terms “integrated” and “enterprise” as interchangeable. We have chosen to use “IRM” as it aligns with Accreditation Canada standards, it is used more frequently in the public sector, and it better reflects the bringing together of the many risk management processes already in place in most healthcare organizations.


The IRM Imperative

1. External Drivers

A number of external factors have provided impetus for implementation of IRM in healthcare, including:

• Public accountability and reputation – Expectations for public accountability in healthcare are increasing. Assurances are required that public funds are being managed in a fiscally responsible manner. This is also an important factor for attracting competent staff, volunteers, board members and private and institutional donors. Given the high rate of medical errors in healthcare, assurances are also required that healthcare leaders and senior executives adopt patient safety and quality as a strategic imperative within their organizations.

• Governance – A number of well publicized business scandals have resulted in a call for better corporate governance and improved oversight of risks. In the US, the Sarbanes-Oxley Act of 2002 was enacted, requiring increased involvement from the audit committee of the board of directors of public companies with regard to risk management (ECRI, 2006). In the health system, the movement towards improved governance practices has resulted in boards ensuring there are processes to identify and manage risk, particularly with respect to quality and patient safety (Health Governance Advisory Council, 2008).

• Accreditation – Accreditation Canada’s new Qmentum standards have articulated the need for leadership teams to implement an integrated risk management approach to identifying, reporting, assessing and managing risks, and for governing bodies to work with their chief executives to reduce these risks (Accreditation Canada, 2010). Other accrediting bodies also have requirements for addressing risk management in an integrated way.

• Provincial governments – IRM has been adopted in Ministries of Health in British Columbia, Alberta, and Ontario.

2. Internal Drivers

It has been suggested that there are two main reasons for implementing IRM: to reduce the chances of surprises in the future and to allocate valuable resources according to risk priorities (Fraser, 2007). An expanded list of reasons is articulated in the International Organization for Standardization (ISO) 31000 guide to risk management (AS/NZS, 2009), including to:

• Increase the likelihood of achieving objectives;

• Encourage proactive management;

• Increase awareness of the need to identify and treat risk throughout the organization;

• Improve the identification of opportunities and threats;

• Comply with relevant legal and regulatory requirements and international norms;

• Improve financial reporting;

• Improve governance;

• Improve stakeholder confidence and trust;

• Establish a reliable basis for decision making and planning;

• Improve controls;

• Effectively allocate and use resources for risk treatment;

• Improve operational effectiveness and efficiency;

• Improve loss prevention and incident management;

• Minimize losses;

• Improve organizational learning; and

• Improve organizational resilience.


IRM Implementation

For those that have led IRM implementation efforts in healthcare organizations, their advice is consistent – keep it simple. The following are strategies and tips to help ensure IRM efforts are as effective and efficient as possible.

1. Decide on a (Simple) Framework

There are two prominent frameworks for implementing IRM: the ISO 31000 Risk Management Standards (2009; precursor standard AS/NZ 4360, 2004) and the Committee of Sponsoring Organizations of the Treadway Commission (COSO) ERM-Integrated Framework (2004). The ISO framework came out of a national and then international standards setting body, and COSO originated in the accounting/auditing profession. While the two frameworks are related in that they promote an organization-wide approach to assessing and managing risks, COSO is the more prescriptive of the two and has a decidedly financial sector slant. Some critics go so far as to say that “it is poorly written and difficult to understand” (Rasmussen, 2007). The ISO framework is intended to be more flexible in that it provides generic guidelines seen as adaptable for any sector. An overview of this model is included in Appendix 1.

An even more simplified framework for IRM, based on the strategies in this guide, is illustrated below. Enabled by clear oversight and dedicated resources for coordination, and taking into account organizational context, all significant organizational risks are assessed, reported and managed. This process continues in an iterative and ongoing manner.

Figure 1: Simplified IRM Framework (figure elements: Oversight and Coordination; Organizational Context; Assess Risks; Report Risks; Manage Risks)

2. Ensure Oversight and Coordination

While there is no foolproof approach for IRM implementation, with each organization needing to define and customize it for themselves (Sarnie, 2010), there is agreement on at least two elements: (1) getting senior leadership and board support up front; and (2) ensuring there is someone whose job it is to coordinate the overall program.

TIP Appoint an executive lead – It has been suggested that the shortest, most reliable path to a successful implementation of IRM is to get executive management and board level buy-in; ensure their agreement on the broad concepts, then build the more detailed analysis and structures that must follow (Fraser, 2007). The executive lead is typically the chief executive/executive director, but may also be the executive responsible for risk or for finance. The executive lead is required to facilitate change, command the necessary resources for IRM implementation, and be the conduit for IRM communications with the board.

TIP Appoint a coordinator – Someone in the organization needs to be appointed to coordinate the IRM program. “IRM does not create itself. It takes work and, over time, concentrated effort. Therefore, treating it like a corner of the desk project will be a sure guarantee of its untimely death, underachievement or quiet disappearance” (Graham, 2008). In healthcare, the director responsible for the risk portfolio has typically been the designated coordinator. Where available, the internal auditor may also participate in this function. The coordinator(s) may also elect to put together a small implementation team to carry out the initial round of data gathering and assessment, drawing on expertise from other parts of the organization at appropriate stages in the process.

TIP Top-down to start – Organizations are cautioned against spending a lot of time and resources trying to engage their entire workforce in IRM efforts. IRM, initially, is an executive-owned, top-down exercise that requires a bird’s eye view of risk. IRM can be taken deeper into the organization as the program matures. It has been suggested that, in order to avoid the “fear and loathing” that may result from yet another management initiative, IRM implementers should avoid creating unrealistic expectations about what the program will deliver (Graham, 2008).

TIP Don’t try to “overwrite” established patient and staff safety cultures – Organizations may struggle with trying to advance an IRM/risk management culture, not appreciating that much staff activity is, in effect, risk management; this is particularly so in clinical care, although it may not be recognized as such (Audit Commission, 2009). In many organizations, the cultures of patient safety and staff safety (arguably the most important aspects of healthcare risk management) are already pervasive, and efforts to supplant or translate these into the language of IRM should be avoided.

3. Confirm Organizational Context

With IRM, organizational context is key. “The nature of the industry will drive the nature of the risks and the risk management practices the organization adopts to manage those risks. For example, a pharmaceutical company will focus on managing its research and development pipeline because that is the lifeline to its future revenue streams. A utility will manage conformance risks in a nuclear power facility because that is the key to its reputation and future viability” (Protiviti, 2006). The classic approach for initiating IRM is to first describe an organization’s strategic objectives and to identify risks that can prevent these from being achieved. This has been a stumbling block for some healthcare organizations as strategic objectives may not be explicitly stated, or stated objectives may not address all significant aspects of organizational risk. It may be helpful in these cases to remember the primary reason why healthcare organizations exist – to provide high quality care. In healthcare, the biggest risks relate to core operations, specifically risks that result in patient harm, staff harm, loss of resources, service interruptions or closures, regulatory non-compliance, and loss of public confidence. It is operational events, such as a high profile death of a patient due to an adverse event or a fraud by a high profile employee, that can quickly escalate into strategic crises.

TIP Start with operations – Whether they are explicitly or implicitly stated, in healthcare there is consistency around objectives as they relate to core operations, such as:


• To provide high quality care and prevent harm due to preventable adverse events;

• To provide a safe environment for staff, to retain a highly skilled and engaged workforce;

• To be fiscally responsible and use resources efficiently;

• To sustain or enhance programs and services;

• To preserve a favourable public reputation; and

• To comply with legal and regulatory requirements.

Depending on the organization and academic affiliations, objectives may also include: to provide an excellent learning experience for students; and, to conduct high quality, high impact research. Some organizations have strategic objectives not related to the above which should also be captured in an IRM program, such as to grow a specific program, to build a new facility, or to engage in new ventures and partnerships.

4. Assess Risks

The process of attaining a clear understanding of an organization’s risks can be lengthy and in an effort to take the broadest view possible, some organizations turn their minds to the concepts of downside risks (i.e., an event that could give rise to a loss or injury in the future) and upside risks (i.e., a potential outcome that is better than expected). This may unnecessarily complicate the IRM process.

TIP Focus on downside risks – Given their overwhelming prevalence in healthcare and the industry-wide focus on patient safety, downside risks must clearly be the focus in healthcare. “Much of the strategic risk literature that addresses upside risks gives the impression that everyone in the company should be constantly thinking of upside opportunities as well as downside risks. But if the concept of upside risk is useful and important in some circumstances, it is irrelevant and a distraction in others… The upside of risk should be dealt with only periodically, during periodic strategic planning exercises. Ongoing risk management activities clearly primarily focus on the downside risks” (Fraser, 2007).

There are many terms in the risk management literature which represent similar concepts – risk identification, risk evaluation, risk analysis, and risk assessment. Drawing on guidance documents from the NHS, a jurisdiction with advanced, system-wide IRM processes, we have chosen to go with risk assessment – defined as a systematic, and efficient process for identifying and understanding the range of risks an organization faces, their potential impacts, their likelihood of occurrence, and the level of ability to control those risks (NPSA, 2008). The process of risk assessment seeks to answer four simple questions as illustrated below: what can go wrong; how bad; how often; and is there a need for action?

Figure 2: Risk Assessment Questions. NPSA, 2007.


Assessment Question 1 – What can go wrong?

What can go wrong? And what types of consequence or losses can result? The process of answering these questions and cataloging the seemingly endless number of risks in a healthcare organization can be quite overwhelming. For this reason, it is helpful to have a plan for systematic examination of the entire organization. One approach is to carry out a review of each department or program. Another is to assess risks within functional categories such as finance, legal and regulatory, and human resources. Healthcare examples of this approach are included in Appendix 2. Another prevailing view is that risks should be assessed from the perspective of an organization’s core operational and strategic objectives. Using examples described earlier, this would include identification of risks that could negatively impact high quality care, such as hospital acquired infections, or risks that could lead to regulatory non-compliance, such as a major privacy breach.

TIP Use internal and external information sources to identify risks – Most organizational risks are already described for healthcare organizations. Leadership teams do not need to start from scratch; rather, they can build their list of key risks starting with the wealth of information that is available from internal and external sources such as incident reports, published literature, claims, and accreditations. A risk identification exercise based solely on internal experience, intuition, and opinion would have considerable limitations. Common sources of internal and external risk information are included in Appendix 3.

HIROC claims data

One of the most valuable resources that HIROC can provide in support of IRM is its extensive claims database. The risks described by these events not only result in claims, but also impact on organizational reputation and morale. Not all organizational risks are represented in claims data, but they provide a reference for identification and assessment of risks associated with clinical care, property and contracts. See Appendix 4 for a rank ordered list of the top acute care risks based on total claims costs. A sub-set of years was sampled to facilitate in-depth risk management coding and analysis. The years 2004, 2005, and 2006 were selected as they are not too recent (addressing issues of claims immaturity, particularly with obstetrical claims); not too old (generally reflective of current trends); and have a high proportion of closed claims (to ensure accurate cost information).

TIP Aggregate similar types of risks – Comprehensive risk identification is critical, because a risk that is not identified at this stage will not be included in further analysis (AS/NZS, 2009). On the other hand, it will be difficult to operationalize a list with several hundred or more risks. The risk inventory should be at a relatively high level, providing a bird’s eye view of the organization. Whenever possible, aggregate similar types of risks (e.g. identify one risk called “hospital acquired infections” versus separate risks for “MRSA,” “blood stream infections,” and “C-diff”). The need for specificity may be dictated by differences in risk ownership or significant variances in mitigation categories. When a risk is identified it is helpful to understand the consequences that could result if that risk were realized.

TIP Articulate risk consequence domains – Understanding a risk entails understanding the losses, or consequences, that could result if that risk were to be realized. In healthcare these losses align closely with core objectives and commonly include patient harm, staff and visitor harm, financial losses, business interruption, reputational loss, and regulatory non-compliance. Specifying the type (or domain) of loss associated with a risk will provide the basis for the quantification and ranking of risks that will be outlined in the sections that follow. Appendix 5 lists commonly described risk consequence domains and examples of risks related to each. Note that some risks may result in more than one consequence, such as the death of a patient from an adverse event that results in significant and sustained negative publicity. In this case, the domain with the highest consequence level should be used. To promote ease of use and to ensure reliability of assessments, domains should be rationalized. For example, equipment/technology losses could have a separate domain, but it is the effects related to patient harm or service interruption that are most important. In another example, water damage from a burst pipe could be captured in a separate facility loss domain; however, it is the disruption of operations (e.g. the shutting down of a unit for clean up and repairs) or the cost of cleanup (financial domain) that matters the most.

Use of consultants

While some organizations have chosen to engage external consultants to assist in identifying and prioritizing risks, others have been successful using internal resources and expertise only. The most commonly cited concerns with external consultants are costs, the application of a private sector, business-focused model of IRM with questionable clinical relevance, and lack of credibility with respect to knowledge of clinical risks and the unique operations of healthcare systems.

Assessment Question 2 – How Bad?

Risk assessments are inherently subjective exercises. This is particularly true in healthcare, where there is a great deal of uncertainty about outcomes due to variations in human physiology, advanced and potentially hazardous treatments, and a diverse professional and non-professional workforce. Objective risk assessments usually entail combining estimates of the consequence (i.e., “how bad,” also described as severity or outcome) and likelihood (i.e., “how often,” also described as frequency or probability). Most commonly, the risk magnitude or rating is established using a two-dimensional grid or matrix, with consequence (from very low/negligible to very high/catastrophic) on one axis and likelihood (from very low/rare to very high/almost certain) on the other (NPSA, 2008). It is this score that allows for a relative ranking of different kinds of risks, and establishes a baseline from which to measure progress and trends over time (ECRI, 2006). The figure below depicts a 5 x 5 matrix. Color coding has been added to help visualize increasing levels of risk. This is also commonly referred to as a “heat map.”

Figure 3: Risk Assessment Matrix (5 x 5) (figure: Consequence on the vertical axis and Likelihood on the horizontal axis, each scaled V. Low, L, M, H, V. Hi)

TIP Focus on residual risks – Risks are sometimes described as inherent – risk before taking into account controls or mitigation strategies (e.g. the risk of an adverse medication event without any controls such as unit dose systems and double-checking processes) or residual – risk that remains with mitigation strategies in place. Sometimes significant effort is expended by IRM practitioners in assessing inherent risks. This is a theoretical exercise with limited utility, as it is residual risk that largely drives risk management activities (Audit Commission, 2009). “In many cases, the concept of ‘inherent risk’ is impossible to measure or even define. The idea of looking at risk absent all hard controls, soft controls, or mitigations, provides little or no useful information in most cases” (Fraser, 2007).

Consequences can be rated on a generically defined scale, applicable to all domains, such as ‘very low,’ ‘low,’ ‘medium,’ ‘high,’ and ‘very high.’ However, further refinement may improve the effectiveness of the assessment process.

TIP Establish domain-specific, incremental definitions for the consequence scale – Organizations can take steps to make risk assessments more objective and meaningful through the use of a domain specific, clearly defined consequence scale. “Staff are sometimes asked to decide whether given risks are ‘high’ or ‘low.’ To make an informed decision, however, participants need clear definitions of what is considered ‘high’ versus ‘low.’ One of the most effective ways of quantifying and gaining agreement on risk tolerances has been to establish definitions on a five-point (or similar) scale that can be discussed and agreed to by all parties in advance” (Fraser, 2007). If this cross-domain calibration is not established then financial, operational and clinical risks cannot be compared against each other and appropriately prioritized (NHS, 2008). For instance, if an organization defines ‘very high’ as being death for the ‘patient harm’ domain, they would then have to define ‘very high’ for the ‘financial loss’ domain as a loss that would truly be significant in terms of dollars. Recognizing, ethically, that there is no financial loss that could compare to the loss of a human life, if a proxy for cross domain equivalency is not achieved, then risk prioritization efforts would be flawed. Appendix 6 provides an example of a risk scoring matrix from one healthcare organization with domain specific, incremental definitions for the consequence scale. The NHS resource “A Risk Matrix for Risk Managers” (see references) provides another good example.

TIP Beware of cognitive biases – IRM practitioners need to appreciate that people are prone to a number of errors in judgment when assessing risks. There are important psychological biases at play when people identify risks and their relative probability and importance. The “availability heuristic” means that risk assessments can be impacted by how easily events can be called to mind, with sensational and more recent events being overestimated; the “affect heuristic” means that they can be impacted by how people feel (Graham, 2008; Crosby, 2011).

TIP Beware of “groupthink” and defer to experts – A common approach to risk assessment is to assemble a group of leaders in a room to solicit their opinions on the identity, consequence, and likelihood of risks. There is a concern that there is a tendency in such large settings for individuals to gravitate towards a common view of the world without appropriate push-back or demand for evidence to support the identified risks (Graham, 2008). Treated, however, as a significant but not conclusive input into the process, this could be beneficial. Regardless of how accurate group based risk assessments may or may not be, the discussions alone can be valuable, leading to an elevated understanding of risks and clarity around the process for risk prioritization (Aabo, 2005). “In a group risk assessment setting, there will always be one or two individuals who know a great deal more about a risk than the others. Those closest to the risk may be best positioned to evaluate that risk. Effective assessment of the likelihood and impact of a potential future event is not necessarily the result of the total number of votes or responses” (Protiviti, 2006).

Assessment Question 3 – How Often?

As with consequence, when assessing likelihood, it is important to take into consideration the controls already in place. Likelihood can be scored by considering: frequency (i.e., how many times will the adverse consequence be realized) or probability (i.e., what is the chance the adverse consequence will occur in a given reference period) (NPSA, 2008).

TIP Establish incremental definitions for the risk likelihood scale – “If risk probability assessments are faulty, the accuracy of risk prioritization will be affected, leading to a potential failure to focus on the most significant risks. This in turn could lead to selection of inappropriate responses, with attention being paid to wrongly-prioritized risks” (Hillson, 2004). As with the consequence scale, it is preferable to articulate specific definitions for the likelihood scale – descriptions of how often the adverse consequence will be realized. A simple set of time-framed definitions for frequency is outlined in Appendix 4 and in the “A Risk Matrix for Risk Managers” reference. Frequency, however, is not a useful way of scoring certain risks, especially those associated with the success of time-limited or one-off initiatives, such as achievement of a key objective or project. For these kinds of risks, the score cannot be based on how often the consequence will materialize. Instead, it must be based on the probability that it will occur at all in a given time period (NPSA, 2008).

TIP Go with the highest combined consequence-likelihood score – Sometimes risks can be assigned different combinations of scores. For example, less serious patient falls may occur frequently, while serious falls may occur infrequently. The most conservative approach would suggest that the scores with the highest net rating be used. Note that consequence and likelihood scores can be added (see figure 4 below) or multiplied (see figure 5).

Figure 4: Risk Ratings with Scores Added

Consequence \ Likelihood   V. Low    L    M    H   V. Hi
V. Hi                         6      7    8    9    10
H                             5      6    7    8     9
M                             4      5    6    7     8
L                             3      4    5    6     7
V. Low                        2      3    4    5     6

Figure 5: Risk Ratings with Scores Multiplied

Consequence \ Likelihood   V. Low    L    M    H   V. Hi
V. Hi                         5     10   15   20    25
H                             4      8   12   16    20
M                             3      6    9   12    15
L                             2      4    6    8    10
V. Low                        1      2    3    4     5

TIP Don’t worry about “mapping” risks – A common step in IRM implementation is the creation of a risk map. This is the process whereby risks are graphed with consequence scores on the vertical axis and likelihood scores on the horizontal axis. Critical risks, deserving top priority and attention, are concentrated in the upper right. Low-priority risks are those found in the lower left (see figure below). For some this is a very useful exercise; for others it is a labour-intensive, painstaking exercise with limited utility. An appropriately formatted risk register (discussed later) may be easier to execute, more informative, and able to provide similar visual cues related to the most important risks.



Figure 6: Risk Map Example. Treasury Board Secretariat, Canada

Assessment Question 4 – Is There a Need For Action?

Once risks are identified and rated, current risk mitigation strategies should be evaluated for risks at unacceptably high levels. This could include an assessment of whether controls are still current and whether they are being consistently applied.

Risk tolerance

Risk “tolerance” is a term frequently used in IRM discussions; however, there is considerable confusion about the concept (Fraser, 2007). In practice, tolerance plays out in several ways: when establishing a consequence scale for risk assessment; when making informed decisions to accept (or not accept) the likelihood or consequence of a particular risk; and when establishing targets for key risk indicators, such as infection rates and wait times. These determinations will typically occur in meetings between risk experts/owners and the IRM coordinator, and during facilitated discussions around the senior management table.

5. Report Risks

The results of risk assessments should be documented to capture the valuable corporate intelligence and history that has been created. The most commonly used documentation tool is called the risk register.

TIP Set up a risk register – A risk register is a document or database that summarizes the results of the risk assessment exercise. It is one of the most tangible outputs of an IRM program, providing a means to discuss, compare, and evaluate very different types of risks on the same page. It is a summarized list of all significant risks known to the organization, usually displaying them in rank order according to their risk rating score. Risks do not remain static, and a register is produced as an ‘evergreen’ or ‘living’ document, subject to frequent review at scheduled intervals and as new information about new or existing risks comes to light.

Risk register software

Risk registers can be very elaborate, and specialized software packages can be purchased to manage them. A basic spreadsheet or database program, however, could be sufficient for most healthcare organizations, at least to start. Appendix 7 provides an outline and field descriptions for a simple risk register.


Reports to senior management and the board

The risk register, or most likely excerpts from it, will form the basis for IRM reporting to senior leaders and the board. This could entail a report including one or more of the following:

• The top 5, 10, or 20 ranked risks;
• All risks above a certain threshold rating;
• Risks specifically linked to stated strategic objectives;
• Highly rated risks requiring significant remedial action; and
• Changes made to the register between reporting cycles.

The format and contents of reports will likely evolve over time as the program matures and stakeholder fluency in IRM develops.

Link to strategic planning

Once a register is populated, it becomes a fertile tool for setting corporate priorities. It can flow into or out of an organization’s strategic planning process.

6. Manage Risks

If an informed decision is made that a specific risk is not at a tolerable level and that existing mitigation strategies are not adequate, then plans for modifying the risk level should be developed and accountability for implementation and monitoring assigned. This is often referred to as risk mitigation or treatment. There are a number of risk treatment options, though not all will be appropriate in a particular circumstance. These include:

• Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
• Removing the risk source;
• Changing the likelihood;
• Changing the consequence;
• Sharing the risk with another party or parties (e.g., contracts and insurance); and
• Retaining the risk by informed decision (AS/NZS, 2009).

Realistically, decisions related to allocation of resources to decrease specific risks will reflect resource and other constraints, opportunity costs, and tradeoffs across the entire risk portfolio. “Not all risks can be eliminated in an affordable way. Organizations have to carefully weigh just how much time and effort they are prepared to put into risk mitigation” (Graham, 2008). Risk mitigation plans could include strategies for improving compliance with already established risk control measures (e.g., hand hygiene practices or ventilator-associated pneumonia bundles), or new strategies can be adopted or developed. Look to established best practices to identify possible options, or consider implementing a quality improvement project to work towards a solution in an iterative way. And as we have learned from the science of patient safety, publishing a new policy or procedure will likely not suffice. Audits of mitigation strategies for high-priority risks should be carried out on a periodic basis.

TIP Recognize IRM limitations – In healthcare, events that have never happened before happen all of the time. Not all risks can be anticipated, nor is it always possible to accurately predict the consequence or likelihood of future events. IRM is not a panacea for all the uncertainties facing organizations; however, IRM should decrease the number of unexpected crises and increase overall capacity to manage them when they occur (Graham, 2008).

Program Evaluation and Improvement

An organization’s IRM program can be evaluated by assessing progress against expected benefits (articulated previously under “Internal drivers”) such as identification of key risks that would otherwise have been overlooked; improved resource allocation decisions; improved preparedness for crises; improved audit planning and assurance; and increased board and stakeholder confidence in risk monitoring and management processes. Changes in risk ratings over time can also be tracked. Increased use of IRM assessment tools and processes in everyday operations (e.g., project reporting) is another way to evaluate the effectiveness of the program (Behamdouni, 2010). Once an IRM program has been established, a risk management policy may be developed to formalize a statement of the organization’s overall approach to managing risks, and key accountabilities and processes. “Based on results of monitoring and reviews, decisions should be made on how the risk management framework, policy and plan can be improved. These decisions should lead to improvements in the organization's management of risk and its risk management culture” (AS/NZS, 2009).

Transparency

Organizational leaders should determine how transparent they intend to be in terms of sharing potentially sensitive risk assessments and management plans with internal and external stakeholders. They should anticipate and be prepared for intended or unintended public disclosures. In the NHS, many healthcare systems (trusts) post risk registers on their external websites.


Summary

Responding to internal and external drivers, many healthcare organizations have implemented or are contemplating implementation of an IRM program to provide assurance that all significant organizational risks have been assessed and managed. There are many challenges associated with IRM implementation, including the use of overly complicated structures and processes. This guide has provided an overview of basic IRM concepts and outlined strategies and tips for efficient and effective IRM implementation, including:

• Ensuring oversight and coordination;
• Confirming organizational context and key objectives;
• Assessing risks (what can go wrong, how bad, how often, is there a need for action) with clearly defined scales for scoring consequence and likelihood;
• Reporting risks using a risk register;
• Managing risks; and
• Evaluating the program.

A number of sample tools and lists were also provided. This guide will be updated as new information and insights arise, and as IRM experience in healthcare matures. With participation of subscriber organizations, we hope to develop additional shared resources such as sample IRM policies and a master list of significant risks.


References

1. Aabo T, Fraser J, Simkins B. (2005). The rise and evolution of the chief risk officer: enterprise risk management at Hydro One. J App Corp Fin. 17(3):18-31.

2. Accreditation Canada. (2010). Effective organization standards. Qmentum program.

3. Aon. (2010). Global enterprise risk management survey. http://www.rims.org/ERM/Pages/default2.aspx

4. Audit Commission. (2009). Taking it on trust: a review of how boards of NHS trusts and foundation trusts get their assurance. http://www.audit-commission.gov.uk/nationalstudies/health/financialmanagement/Pages/takingitontrust29april2009.aspx.

5. Behamdouni G, Millar K. (2010). Implementation of an enterprise risk-management program in a community teaching hospital. Healthcare Quarterly. 13(1): 72-78.

6. Crosby D. (2011). Risk management (and why you stink at it) – pt. 1 – the availability heuristic. http://www.bullishbrain.com.

7. Crosby D. (2011). Risk management (and why you stink at it) – pt. 2 – the affect heuristic. http://www.bullishbrain.com.

8. Decker A, Galer D. (2010). Getting the focus on enterprise risk management right. Risk and Insurance Management Society (RIMS), Inc. http://www.rims.org/ERM/Pages/default2.aspx.

9. ECRI. (2006). Enterprise risk management: an overview. Healthcare Risk Control Risk Analysis, Supplement A. Risk and Quality Management Strategies 22. http://www.ecri.org.

10. Fraser J, Simkins B. (2007). Ten common misconceptions about enterprise risk management. J App Corp Fin. 19(4):75-81.

11. Graham A. (2008). Integrated risk management implementation guide. http://post.queensu.ca/~grahama/.

12. Health Governance Advisory Council. (2009). Final report. Department of Health. Prince Edward Island. http://www.gov.pe.ca/photos/original/health_adv_09.pdf.

13. Hillson D, Hulett D. (2004). Assessing risk probability: alternative approaches. PMI Global Congress Proceedings. http://www.risk-doctor.com/pdf-files/hha0404.pdf.

14. National Patient Safety Agency (NPSA). (2007). Healthcare risk assessment made easy. NHS. UK. http://www.nrls.npsa.nhs.uk/resources/?entryid45=59825&q=0%c2%acrisk%c2%ac&p=3

15. National Patient Safety Agency (NPSA). (2008). A risk matrix for risk managers. NHS. UK. http://www.nrls.npsa.nhs.uk/resources/?entryid45=59833&q=0%c2%acrisk%c2%ac&p=1

16. Protiviti Inc. (2006). Guide to enterprise risk management; frequently asked questions.

17. Rasmussen M. (2007). AS/NZ 4360 – a practical choice over COSO ERM. Forrester Research Inc.

18. Sarnie R. (2010). ERM: Do you know what it means? Risk and Insurance Management Society (RIMS), Inc.

19. Standards Australia/Standards New Zealand (AS/NZS). (2009). AS/NZS ISO 31000 – Risk management principles and guidelines.

20. Treasury Board Secretariat (TBS). (2002). Integrated risk management implementation guide. Government of Canada. http://www.tbs-sct.gc.ca/pubs_pol/dcgpubs/riskmanagement/guide-eng.asp.


Appendix 1 – AS/NZS ISO 31000 Risk Management Framework

© 2009 Standards Australia/Standards New Zealand.


Appendix 2 – Sample Risk Categories by Function

Risk functions:

Business Risk – Risks that relate to the delivery of healthcare that include internal and external factors impacting on the operations.
Resource Risk – Risks that relate to the resources used by the organization to accomplish its objectives.
Compliance Risk – Risks that originate from the requirement to comply with a regulatory framework, policies, directives or legal agreements.

Risk categories and sub-categories:

Quality Care And Patient Safety: Informed Consent, Care Plans, Consults, Referrals
Human Resources And Staff Relations: HR Planning, Competency And Staff Development, Performance Management, Labour Relations
Environment, Health And Safety: Hazardous Material Handling, Occupational Health And Safety, Infection Control
Corporate Governance: Strategic Goals And Objectives, Performance Reporting, Culture, Ethics, Org Structure, Partnerships And Alliances
Financial: Funding Allocation, Planning And Budgeting, Insurance, Financial Management And Reporting, Fraud
Legal And Regulatory: Medical Staff By-laws, Legislation And Regulations, Contracts And Agreements, Credentialing And Licensing
Operations And Business Support: Quality And Risk, Supply Chain, Health Information Management, Security, Disaster Management
Information, Systems And Technology: E Health Strategy, Infrastructure, Access Control, Data Integrity, User Support
Policies: Clinical Policies, Administrative Policies, Internal Guidelines And External Directives
Reputation And Public Image: Public Relations, Media Relations, Government Relations, Pt Relations
Physical Assets: Asset Management, Capital Construction, Equipment Acquisition, Replacement And Maintenance
Standards: CCHSA Accreditation Standards, Professional Regulatory Bodies And Standards Committees

© 2011 North York General Hospital, Toronto (with credit to D Rubel and M Cendou, Winnipeg Regional Health Authority). Used with permission.

© 2010 St. Joseph’s Health Centre, Toronto. Used with permission.

Catalogued Areas of Risk

Legal and Regulatory

Operational

Finance

Human Capital

Technology

Strategy

Patient


Appendix 3 – Common Sources of Risk Information

Organizational specific / internal sources of information include:

• Critical incident reviews and recommendations;
• Incident/hazard reports;
• Morbidity and mortality reviews;
• Medical legal and property insurance claims;
• Patient/client/resident/family complaints;
• Patient/client/resident satisfaction surveys;
• Proactive risk assessments and process analysis (e.g., HIROC RMSAM™ and FM Global (property) reviews; failure modes and effect analysis);
• Recommendations and reports from external agencies (e.g., Accreditation Canada road map and required organizational practices; accreditations of lab and educational programs);
• Recommendations and reports from internal and external auditors;
• Financial/business plans/IT reports;
• Key performance indicators;
• HR staffing reviews and plans; and
• Leadership discussions (e.g., “what keeps you up at night?”).

External sources of information include:

• Product/hazard alerts, recalls;
• Medication Safety Bulletins (ISMP Canada);
• Legislative/legal updates;
• Global patient safety alerts (CPSI);
• Coroners reports, inquests;
• Communicable diseases surveillance reports;
• Professional regulatory bodies’ communications;
• Insurance alerts, advice, and aggregate claims data;
• Audits/accreditations; and
• Benchmarking, literature.


Appendix 4 – Top Ranked Risks from HIROC Claims Data

Risk (Allegation) Rank

Obstetrics – Failure to identify/respond to atypical and/or abnormal fetal status 1

Diagnostics – Misinterpreted laboratory results 2

Medical – Inadequate triage assessment and documentation 3

Obstetrics – Mismanagement of oxytocin administration 4

Diagnostics – Failure to communicate critical test results 5

Obstetrics – Failure to monitor fetal status 6

Falls – Visitor 7

Obstetrics – Lack of communication regarding fetal status 8

Property – Water damage 9

Medical / Surgical – Failure to appreciate status changes and/or deteriorating condition 10

Infection Control – Healthcare associated infections/inadequate infection prevention and control 11

Medication – Wrong medication/dose/preparation/regimen 12

Falls – Patient 13

Medical – Failure to identify and/or monitor hyperbilirubinemia 14

Medical – Inadequate quality checks for contracted nursing staff 15

Safety – Assault 16

Medical – Failure to provide discharge and/or follow-up instructions 17

Equipment malfunction 18

Medical – IV infiltration identification and documentation 19

Fiduciary – Employee fraud 20

Surgical / Medical - Wrong patient/site/treatment 21

Employment – Wrongful termination 22

Mental Health – Suicide of in-patient 23

Surgical – Unnecessary and/or obsolete surgery 24

Medical – Facility acquired pressure ulcers 25

Employment – Failure to pay benefits/overtime 26

Surgical – Retained foreign body 27

Property – Fire damage 28

Surgical – Inadequate sterility 29

Rights – Privacy breach 30

Source: HIROC claims data for acute care hospitals, 2004-06.


Appendix 5 – Sample Consequence Domains and Risks

Common risk consequence domains (and risk examples) include:

• Patient/client/resident harm
  o Falls
  o Adverse medication events
  o Healthcare associated infections
  o Facility acquired pressure ulcers
  o Improper/inadequate monitoring
  o Assault/altercation
  o Wrong site surgery
  o Critical equipment failure
  o Compromised infant events
  o Improper performance of sub-contracted care provider
  o Lack of case management coordination
  o Inadequate communication at transitions
  o Infant abduction
  o Unsafe sleep environment
  o Entanglement/entrapment
  o Delay in treatment
  o Inadequate pain management
  o Blood product mix-up
• Staff and visitor harm
  o Falls
  o Musculoskeletal injuries
  o Needlestick injuries
  o Assault
  o Stress
• Financial loss
  o Government funding instability
  o Inability to meet budget commitments
  o Accounting irregularities
  o Employee fraud
  o Improper administration of resident funds
  o Loss/theft of resident property
• Business interruption
  o Inability to obtain needed supplies
  o Flood; escaped liquids
  o Fire
  o Inadequate human resources
• Standards/legislative non-compliance/loss of license
  o Unfavourable accreditation decisions
  o Unfavourable site inspections
  o Inappropriate use of research grant money
  o Human rights violations/discrimination
  o Inappropriate IT systems access
  o Privacy breaches
  o Healthcare provider practicing outside their scope
• Reputation
  o Poor satisfaction survey results
  o Poor community relations, lack of public confidence

Additional consequence categories include:

• Business objectives / project failure
  o Failed ventures, targets, or projects
• Staff shortages
  o Staff disengagement
  o Loss of key medical staff
  o Senior management turnover
  o Aging workforce
  o Minimal full-time complement
• Patient/client/resident/family complaints
  o Poor customer service
  o Lack of coordination amongst service providers
  o Long waits
• Environmental loss
  o Soil contamination


Appendix 6 – Sample Risk Assessment Matrix with Scale Definitions

Impact / Loss Scale

Domains, with descriptors for each level from 1. Very Low to 5. Very High:

A Patient / Research Subject – Harm from care, environment, others (e.g. assault)
1. Very Low: Mild injury or illness; no or minimal treatment; no increased length of stay
2. Low: Minor injury or illness; minor intervention; e.g. increase LOS by <3 days
3. Medium: Moderate injury requiring significant medical treatment; e.g. increase LOS by 4-14 days
4. High: Major injury requiring major medical care; semi-permanent disability; e.g. increase LOS by >14 days
5. Very High: Catastrophic injury leading to death or permanent disability

B Staff / Visitor – Harm from environment, others (e.g. assault)
1. Very Low: Mild injury or illness; no first aid required
2. Low: Short term illness or injury; first aid required
3. Medium: Moderate injury or illness; not admitted to hospital
4. High: Major injury requiring major medical care / hospitalization; semi-permanent disability
5. Very High: Severe injury leading to death or permanent disability; multiple fatalities / permanent injuries

C Financial – Increase in expenses or loss of revenue / assets
1. Very Low: Insignificant financial loss; e.g. < $1m
2. Low: Minor financial loss; e.g. $1 – 5m
3. Medium: Minor financial loss; e.g. $5-15m; e.g. 1% budget
4. High: Major financial loss; e.g. $15-30m; e.g. 2.5-5% budget
5. Very High: Catastrophic financial loss; e.g. >$30M (liability limit); >5% budget

D Service / business interruption
1. Very Low: Loss / interruption of > 1 hour
2. Low: Loss / interruption of > 8 hours
3. Medium: Loss / interruption of > 1 day
4. High: Loss / interruption of > 1 week
5. Very High: Permanent loss of service or facility

E Standards Compliance (e.g. research standards, industry legislation / accreditations) – descriptors in ascending order of severity (the level boundaries for this domain are not recoverable from the source layout):
- Minor noncompliance; single failure to meet external standards or follow protocol
- Written recommendation to comply by an external agency
- Repeated failures to meet external standards or follow protocols
- Report required to external agency
- Orders or tickets issued by external agency
- Non-compliance with external standards
- Prolonged inspection with significant findings
- Prosecution initiated for non compliance (charges against organization or individual)
- Public inquiry
- Gross failure to meet standards
- Maximum fines; criminal code violation; impact on affiliation agreements

F Organizational development / staffing
1. Very Low: Short-term low staffing level that temporarily reduces service quality (<1 day)
2. Low: Low staffing level that reduces the service quality
3. Medium: Unsafe staffing level or competence (>1 day); low staff morale
4. High: Unsafe staffing level or competence (>5 days); loss of key staff; very low staff morale
5. Very High: Ongoing unsafe staffing levels or competence; loss of several key staff

G Adverse publicity / reputation
1. Very Low: Rumors; potential for public concern
2. Low: Minor negative media coverage
3. Medium: Moderate negative media coverage; short-term reduction in public confidence
4. High: Sustained negative media coverage; medium-term reduction in public confidence
5. Very High: Public inquiry; government involvement / supervisor; sustained reduction in public confidence; CEO termination

Note: Loss in one domain may result in loss in another (e.g. negative publicity resulting from death of a patient); however, loss could occur in any domain independently.

Probability Scale

1. Very Low: Rare occurrence; e.g. once in 10 or more years
2. Low: Unlikely occurrence; e.g. every 5-10 years
3. Medium: Occasional occurrence; e.g. every 1 - 5 years
4. High: Likely occurrence; e.g. every six months – 1 year
5. Very High: Common occurrence; e.g. every one – six months

Risk Ranking (impact score plus probability score)

Impact \ Probability   1. Very Low   2. Low   3. Medium   4. High   5. Very High
5. Very High                6           7          8          9           10
4. High                     5           6          7          8            9
3. Medium                   4           5          6          7            8
2. Low                      3           4          5          6            7
1. Very Low                 2           3          4          5            6

Risk Oversight and Reporting

9 – 10  Extreme risk: CEO oversight with reporting to the Board.
7 – 8   High risk: VP oversight with reporting to the CEO.
5 – 6   Moderate risk: Director oversight with reporting to VP.
2 – 4   Low risk: Manager oversight with reporting to Director.

© 2010 The Hospital for Sick Children, Toronto. Used with permission.


Appendix 7 – Simple Risk Register Outline and Field Descriptions

Ref # | Risk | Owner | Consequence | Likelihood | Rating | Mitigations in Place | Additional Actions Required
#     | Text | Int.  | #           | #          | #      | Text                 | Text
#     | Text | Int.  | #           | #          | #      | Text                 | Text
#     | Text | Int.  | #           | #          | #      | Text                 | Text
#     | Text | Int.  | #           | #          | #      | Text                 | Text
#     | Text | Int.  | #           | #          | #      | Text                 | Text
#     | Text | Int.  | #           | #          | #      | Text                 | Text
#     | Text | Int.  | #           | #          | #      | Text                 | Text
#     | Text | Int.  | #           | #          | #      | Text                 | Text

Date of report: dd mmm yyyy

Common field descriptions (and tips) include:

• Reference # – a unique identifier for each risk to help keep track of changes and additions; risks will move around on the list as new information is assessed and the rankings change;
• Risk – a short description of the risk;
• Owner – usually a member of the executive (keep to initials to save space);
• Consequence – the score (e.g., 1-5);
• Likelihood – the score (e.g., 1-5);
• Rating – the combined score (e.g., 2-10 or 1-25); colour code the cell to help visualize relative magnitude; this is most likely the field that will be used to sort risks in the register, from highest to lowest;
• Mitigations in place – a short description of mitigation strategies implemented; and
• Additional actions required – used when the risk rating is not acceptable; a short description of actions to be taken to lower the risk level.

Additional fields (and tips) include:

• Consequence domain – a letter or number denoting the relevant consequence domain (e.g., “A” for patient harm); it may also be helpful to note a secondary domain in some circumstances;
• Strategic objective – noting which strategic objective the risk relates to;
• Program or department – noting which program or department the risk relates to;
• Constraints – a short explanation where it is noted that risk levels cannot be lowered due to functional or logistical reasons (such as an older building that is slated for demolition in a few years’ time and is therefore not appropriate to retrofit with sprinklers to reduce the consequence or likelihood of fire);
• Trend – to note a change in the rating since the last reporting period (e.g., ↑, ↓, ↔);
• Date due – the date actions are expected to be completed by;
• Indicators – if relevant to the particular risk; and
• Notes – a field, either visible on the report or for the eyes of the IRM coordinator only, to keep track of details, such as the reason for a change.
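The register outline above, the scoring figures (scores added as in figure 4 or multiplied as in figure 5), the “go with the highest combined consequence-likelihood score” tip and the oversight bands in Appendix 6 can be exercised together in a few lines of code. The following is an added illustration written for this guide’s readers; it is not HIROC’s tool or any subscriber’s register. The sample risks, owners, previous ratings and the names of the functions and fields are constructed for the example; the 1-5 scales, the 2-10 and 1-25 rating ranges and the oversight bands are taken from the guide.

```python
"""Minimal risk register in the shape of Appendix 7 (added illustration, not HIROC's tool).

The 1-5 scales, the additive (2-10) and multiplicative (1-25) ratings, the
"highest combined score" rule and the Appendix 6 oversight bands follow the guide;
the sample risks, owners, ratings and field names below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Appendix 6 oversight bands for the additive 2-10 rating: (lowest rating in band, label).
OVERSIGHT_TIERS = (
    (9, "Extreme risk: CEO oversight with reporting to the Board"),
    (7, "High risk: VP oversight with reporting to the CEO"),
    (5, "Moderate risk: Director oversight with reporting to VP"),
    (2, "Low risk: Manager oversight with reporting to Director"),
)


def score_scenario(consequence: int, likelihood: int, method: str = "add") -> int:
    """Combine 1-5 consequence and likelihood scores: figure 4 adds, figure 5 multiplies."""
    for name, value in (("consequence", consequence), ("likelihood", likelihood)):
        if not 1 <= value <= 5:
            raise ValueError(f"{name} score {value} is outside the 1-5 scale")
    if method == "add":
        return consequence + likelihood
    if method == "multiply":
        return consequence * likelihood
    raise ValueError(f"unknown scoring method {method!r}")


@dataclass
class Risk:
    """One register row. A risk may carry several (consequence, likelihood)
    scenarios, e.g. frequent minor falls and rare serious falls."""
    ref: int
    description: str
    owner: str                               # initials, to save space
    domain: str                              # consequence domain letter, e.g. "A"
    scenarios: List[Tuple[int, int]]         # [(consequence, likelihood), ...]
    mitigations: str = ""
    actions: str = ""
    previous_rating: Optional[int] = None    # rating from the last reporting cycle

    def worst_scenario(self, method: str = "add") -> Tuple[int, int]:
        # "Go with the highest combined score": the scenario with the highest rating wins.
        return max(self.scenarios, key=lambda s: score_scenario(s[0], s[1], method))

    def rating(self, method: str = "add") -> int:
        c, l = self.worst_scenario(method)
        return score_scenario(c, l, method)

    def trend(self, method: str = "add") -> str:
        """Trend arrow against the previous reporting period (register field tip)."""
        if self.previous_rating is None:
            return "new"
        now = self.rating(method)
        if now > self.previous_rating:
            return "↑"
        if now < self.previous_rating:
            return "↓"
        return "↔"


def oversight(rating: int) -> str:
    """Map an additive (2-10) rating to its Appendix 6 oversight and reporting band."""
    for floor, label in OVERSIGHT_TIERS:
        if rating >= floor:
            return label
    raise ValueError(f"rating {rating} is below the 2-10 additive scale")


def ranked(register: List[Risk], method: str = "add") -> List[Risk]:
    """Sort from highest to lowest rating; ties keep reference-number order."""
    return sorted(register, key=lambda r: (-r.rating(method), r.ref))


def board_report(register: List[Risk], threshold: int, method: str = "add") -> List[Risk]:
    """Rows at or above a threshold (threshold=8 means 'ranked >7 on a 10-point scale')."""
    return [r for r in ranked(register, method) if r.rating(method) >= threshold]


def report_rows(register: List[Risk], method: str = "add") -> List[dict]:
    """Register columns as dicts in rank order, ready for a spreadsheet export."""
    rows = []
    for r in ranked(register, method):
        c, l = r.worst_scenario(method)
        rows.append({
            "ref": r.ref, "risk": r.description, "owner": r.owner, "domain": r.domain,
            "consequence": c, "likelihood": l, "rating": r.rating(method),
            "trend": r.trend(method),
            "oversight": oversight(r.rating(method)) if method == "add" else "",
            "mitigations": r.mitigations, "actions": r.actions,
        })
    return rows


# Constructed sample register (not claims data; owners are made-up initials).
SAMPLE_REGISTER = [
    Risk(1, "Patient falls on inpatient units", "JD", "A",
         scenarios=[(2, 5), (4, 2)],  # frequent minor falls; rare serious falls
         mitigations="Falls screening on admission", previous_rating=6),
    Risk(2, "Water damage to health records storage", "MS", "D",
         scenarios=[(3, 3)], mitigations="Leak sensors in storage area", previous_rating=7),
    Risk(3, "Privacy breach of patient records", "AL", "E",
         scenarios=[(5, 3)], actions="Periodic audit of record access logs"),
    Risk(4, "Employee fraud in purchasing", "RK", "C",
         scenarios=[(3, 2)], mitigations="Dual authorization of payments", previous_rating=5),
]

if __name__ == "__main__":
    for row in report_rows(SAMPLE_REGISTER):
        print(f"{row['ref']:>3} {row['rating']:>2} {row['trend']:<3} {row['risk']:<40} {row['oversight']}")
```

With the constructed register the falls risk rates 7 (the frequent-minor-falls scenario scores 2 + 5, above the rare-serious-falls 4 + 2), so the additive ranking is refs 3, 1, 2 and 4 and a board report with threshold 8 contains only the privacy breach; switching `method="multiply"` changes the numbers (the falls risk becomes 10) but not the order here.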


Additional tips:

• Keep the register as simple as possible; keep paperwork to a minimum;
• When using a basic spreadsheet program some helpful techniques include: using landscape page orientation to allow more space for describing risks, mitigations and actions required; using the sort function to list risks in the register by rating level, by owner, by domain, etc.; using cell alignment/wrap text to keep longer descriptions within the set column width;

• The print range can be limited, such as when preparing reports for the board (e.g., top 10, those ranked >7 on a 10 point scale);

• While they may not be reported up, low priority risks could change quickly; keeping them on the list will ensure periodic review; and

• The coordinator should keep separate notes and evidence to support the risk scoring, progress on actions taken, notes for discussion, etc. These should be retained in a centralized, secure location to facilitate transfer of knowledge from one coordinator to the next.