

June 2011

IRM for Healthcare Organizations

Acknowledgements

This document was prepared, in part, with the input of a number of HIROC subscribers in various stages of IRM implementation. Their candid reflections and advice are greatly appreciated.

Comments

This document will be updated as new information and insights arise. We are very interested in receiving questions, suggestions and feedback regarding this work. Please direct your comments to:

Risk Management
Healthcare Insurance Reciprocal of Canada (HIROC)
4711 Yonge St. Suite 1600
Toronto, Ontario M2N 6K8
Tel: 1-800-465-7357
Email:

Overview of Version Changes

Originally published in May, 2011. This version includes an update to Appendix 4 (Top Ranked Risks from HIROC Claims Data), which clarifies some risk descriptors and incorporates additional analysis of surgical claims, resulting in some minor changes to the rankings and the elimination of one risk category, "Surgical: Inadequate performance / management".

2011 HIROC. For quality assurance purposes. For use by HIROC subscribers and members only.


Introduction ..... 2
The IRM Imperative ..... 3
    1. External Drivers ..... 3
    2. Internal Drivers ..... 3
IRM Implementation ..... 4
    1. Decide on a (Simple) Framework ..... 4
    2. Ensure Oversight and Coordination ..... 4
    3. Confirm Organizational Context ..... 5
    4. Assess Risks ..... 6
        Assessment Question 1: What can go wrong? ..... 7
        Assessment Question 2: How Bad? ..... 8
        Assessment Question 3: How Often? ..... 10
        Assessment Question 4: Is There a Need For Action? ..... 11
    5. Report Risks ..... 11
    6. Manage Risks ..... 12
Summary ..... 14
References ..... 15
Appendix 1: AS/NZS ISO 31000 Risk Management Framework ..... 16
Appendix 2: Sample Risk Categories by Function ..... 17
Appendix 3: Common Sources of Risk Information ..... 18
Appendix 4: Top Ranked Risks from HIROC Claims Data ..... 19
Appendix 5: Sample Consequence Domains and Risks ..... 20
Appendix 6: Sample Risk Assessment Matrix with Scale Definitions ..... 21
Appendix 7: Simple Risk Register Outline and Field Descriptions ..... 22


Introduction

Many organizations manage major risks independently of one another, as a patchwork of risk management activities within horizontal and vertical silos. The result is that one type of risk may receive excessive attention and resources at the expense of another, less well understood risk. Integrated risk management (IRM) [1] provides a common framework for understanding and prioritizing very different types of organizational risks, and for creating a concise list of the most significant risks facing the organization. Some helpful, published definitions of IRM include:

- "A continuous, proactive, systematic approach to identifying, assessing, understanding, acting on, and communicating risk from an organization-wide, aggregate perspective" (TBS, 2002);
- "A process for separating out the small, unlikely risks from the large, likely ones through a step-wise process which includes identification of context, and risk identification, evaluation, mitigation, monitoring, reporting, and assurance" (Decker, 2010);
- "An approach for identifying critical risks; quantifying their potential impact and likelihood, prioritizing, and identifying risk management strategies to bring risks to acceptable levels" (ECRI, 2009).

There are considerable challenges and costs associated with IRM implementation, and unfortunately the value of IRM has not always been realized. In a recent survey of large multinational businesses that had adopted IRM (enterprise risk management, ERM), only 26% of respondents said that IRM's influence on overall strategic planning was very significant or significant, with 64% saying it was partial or very little. When asked to identify barriers to successful IRM implementation, 40% said lack of tangible benefits; 34%, lack of skills and capability; 31%, lack of senior leadership support; and 30%, unclear ownership and responsibility for implementation (Aon, 2010).

Even in the National Health System (NHS) in the United Kingdom, a healthcare system with advanced IRM programs, it was found that there was considerable scope to improve the identification and specification of corporate risks, and to improve integration of risk management in the day-to-day running of organizations (Audit Commission, 2009). It has also been suggested that one of the biggest barriers to successful implementation of IRM is overly complicated structures and processes: "Why has it taken so long to get ERM up and running? There are a large number of common misconceptions about both the approach and the process that have become obstacles to successful implementation. Most of these stem from a common source: the failure to recognize that ERM is in fact an easier, simpler, and more logical undertaking than most people realize. The result has been needless complications that have in turn bred misunderstandings and frustration among implementers and senior management" (Fraser, 2007).

The purpose of this resource guide is to review the basic elements of IRM and, without prescribing an exact format or critiquing any particular approach, to offer sensible, efficient, and effective techniques and tips for IRM implementation, thereby reducing the effort and frustration that may be experienced by organizations starting down this road.

[1] The systematic application of risk management across an organization has many names. We view the terms "integrated" and "enterprise" as interchangeable. We have chosen to use IRM as it aligns with Accreditation Canada standards, it is used more frequently in the public sector, and it better reflects the bringing together of the many risk management processes already in place in most healthcare organizations.


The IRM Imperative

1. External Drivers
A number of external factors have provided impetus for implementation of IRM in healthcare, including:

Public accountability and reputation. Expectations for public accountability in healthcare are increasing. Assurances are required that public funds are being managed in a fiscally responsible manner. This is also an important factor for attracting competent staff, volunteers, board members and private and institutional donors. Given the high rate of medical errors in healthcare, assurances are also required that healthcare leaders and senior executives adopt patient safety and quality as a strategic imperative within their organizations.

Governance. A number of well publicized business scandals have resulted in a call for better corporate governance and improved oversight of risks. In the US, the Sarbanes-Oxley Act of 2002 was enacted, requiring increased involvement from the audit committee of the board of directors of public companies with regard to risk management (ECRI, 2006). In the health system, the movement towards improved governance practices has resulted in boards ensuring there are processes to identify and manage risk, particularly with respect to quality and patient safety (Health Governance Advisory Council, 2008).

Accreditation. Accreditation Canada's new Qmentum standards have articulated the need for leadership teams to implement an integrated risk management approach to identifying, reporting, assessing and managing risks, and for governing bodies to work with their chief executives to reduce these risks (Accreditation Canada, 2010). Other accrediting bodies also have requirements for addressing risk management in an integrated way.

Provincial governments. IRM has been adopted in Ministries of Health in British Columbia, Alberta, and Ontario.

2. Internal Drivers
It has been suggested that there are two main reasons for implementing IRM: to reduce the chances of surprises in the future and to allocate valuable resources according to risk priorities (Fraser, 2007). An expanded list of reasons is articulated in the International Organization for Standardization (ISO) 31000 guide to risk management (AS/NZS, 2009), including to:

- Increase the likelihood of achieving objectives;
- Encourage proactive management;
- Increase awareness of the need to identify and treat risk throughout the organization;
- Improve the identification of opportunities and threats;
- Comply with relevant legal and regulatory requirements and international norms;
- Improve financial reporting;
- Improve governance;
- Improve stakeholder confidence and trust;
- Establish a reliable basis for decision making and planning;
- Improve controls;
- Effectively allocate and use resources for risk treatment;
- Improve operational effectiveness and efficiency;
- Improve loss prevention and incident management;
- Minimize losses;
- Improve organizational learning; and
- Improve organizational resilience.


IRM Implementation
For those who have led IRM implementation efforts in healthcare organizations, the advice is consistent: keep it simple. The following are strategies and tips to help ensure IRM efforts are as effective and efficient as possible.

1. Decide on a (Simple) Framework

There are two prominent frameworks for implementing IRM: the ISO 31000 Risk Management Standards (2009; precursor standard AS/NZ 4360, 2004) and the Committee of Sponsoring Organizations of the Treadway Commission (COSO) ERM-Integrated Framework (2004). The ISO framework came out of a national and then international standards-setting body, and COSO originated in the accounting/auditing profession. While the two frameworks are related in that both promote an organization-wide approach to assessing and managing risks, COSO is the more prescriptive of the two and has a decidedly financial-sector slant. Some critics go so far as to say that it is poorly written and difficult to understand (Rasmussen, 2007). The ISO framework is intended to be more flexible in that it provides generic guidelines seen as adaptable for any sector. An overview of this model is included in Appendix 1.

An even more simplified framework for IRM, based on the strategies in this guide, is illustrated below. Enabled by clear oversight and dedicated resources for coordination, and taking into account organizational context, all significant organizational risks are assessed, reported and managed. This process continues in an iterative and ongoing manner.
Figure 1: Simplified IRM Framework. Oversight and coordination (above) and organizational context (below) enclose the ongoing cycle: Assess Risks, Report Risks, Manage Risks.

2. Ensure Oversight and Coordination

While there is no foolproof approach for IRM implementation, with each organization needing to define and customize it for itself (Sarnie, 2010), there is agreement on at least two elements: (1) getting senior leadership and board support up front; and (2) ensuring there is someone whose job it is to coordinate the overall program.

TIP: Appoint an executive lead

It has been suggested that the shortest, most reliable path to a successful implementation of IRM is to get executive management and board level buy-in; ensure their agreement on the broad concepts, then build the more detailed analysis and structures that must follow (Fraser, 2007). The executive lead is typically the chief executive/executive director, but may also be the executive responsible for risk or for finance. The executive lead is required to facilitate change, command the necessary resources for IRM implementation, and be the conduit for IRM communications with the board.

TIP: Appoint a coordinator

Someone in the organization needs to be appointed to coordinate the IRM program. IRM does not create itself. It takes work and, over time, concentrated effort. Therefore, treating it like a "corner of the desk" project will be a sure guarantee of its untimely death, underachievement or quiet disappearance (Graham, 2008). In healthcare, the director responsible for the risk portfolio has typically been the designated coordinator. Where available, the internal auditor may also participate in this function. The coordinator(s) may also elect to put together a small implementation team to carry out the initial round of data gathering and assessment, drawing on expertise from other parts of the organization at appropriate stages in the process.

TIP: Top-down to start

Organizations are cautioned against spending a lot of time and resources trying to engage their entire workforce in IRM efforts. IRM, initially, is an executive-owned, top-down exercise that requires a bird's-eye view of risk. IRM can be taken deeper into the organization as the program matures. It has been suggested that, in order to avoid the fear and loathing that may result from yet another management initiative, IRM implementers should avoid creating unrealistic expectations about what the program will deliver (Graham, 2008).

TIP: Don't try to overwrite established patient and staff safety cultures

Organizations may struggle with trying to advance an IRM/risk management culture, not appreciating that much staff activity is, in effect, risk management; this is particularly so in clinical care, although it may not be recognized as such (Audit Commission, 2009). In many organizations, the cultures of patient safety and staff safety (arguably the most important aspects of healthcare risk management) are already pervasive, and efforts to supplant or translate these into the language of IRM should be avoided.

3. Confirm Organizational Context

With IRM, organizational context is key. The nature of the industry will drive the nature of the risks and the risk management practices the organization adopts to manage those risks. For example, a pharmaceutical company will focus on managing its research and development pipeline because that is the lifeline to its future revenue streams. A utility will manage conformance risks in a nuclear power facility because that is the key to its reputation and future viability (Protiviti, 2006).

The classic approach for initiating IRM is to first describe an organization's strategic objectives and to identify risks that can prevent these from being achieved. This has been a stumbling block for some healthcare organizations, as strategic objectives may not be explicitly stated, or stated objectives may not address all significant aspects of organizational risk. It may be helpful in these cases to remember the primary reason why healthcare organizations exist: to provide high quality care. In healthcare, the biggest risks relate to core operations, specifically risks that result in patient harm, staff harm, loss of resources, service interruptions or closures, regulatory non-compliance, and loss of public confidence. It is operational events, such as a high profile death of a patient due to an adverse event or a fraud by a high profile employee, that can quickly escalate into strategic crises.

TIP: Start with operations

Whether they are explicitly or implicitly stated, in healthcare there is consistency around objectives as they relate to core operations, such as:

- To provide high quality care and to prevent harm due to preventable adverse events;
- To provide a safe environment for staff, and to retain a highly skilled and engaged workforce;
- To be fiscally responsible and use resources efficiently;
- To sustain or enhance programs and services;
- To preserve a favourable public reputation; and
- To comply with legal and regulatory requirements.

Depending on the organization and academic affiliations, objectives may also include: to provide an excellent learning experience for students; and, to conduct high quality, high impact research. Some organizations have strategic objectives not related to the above which should also be captured in an IRM program such as to grow a specific program, to build a new facility, or to engage in new ventures and partnerships.

4. Assess Risks
The process of attaining a clear understanding of an organization's risks can be lengthy, and in an effort to take the broadest view possible, some organizations turn their minds to the concepts of downside risks (i.e., an event that could give rise to a loss or injury in the future) and upside risks (i.e., a potential outcome that is better than expected). This may unnecessarily complicate the IRM process.

TIP: Focus on downside risks

Given their overwhelming prevalence in healthcare and the industry-wide focus on patient safety, downside risks must clearly be the focus in healthcare. "Much of the strategic risk literature that addresses upside risks gives the impression that everyone in the company should be constantly thinking of upside opportunities as well as downside risks. But if the concept of upside risk is useful and important in some circumstances, it is irrelevant and a distraction in others. The upside of risk should be dealt with only periodically, during periodic strategic planning exercises. Ongoing risk management activities clearly primarily focus on the downside risks" (Fraser, 2007).

There are many terms in the risk management literature which represent similar concepts: risk identification, risk evaluation, risk analysis, and risk assessment. Drawing on guidance documents from the NHS, a jurisdiction with advanced, system-wide IRM processes, we have chosen to go with "risk assessment", defined as a systematic and efficient process for identifying and understanding the range of risks an organization faces, their potential impacts, their likelihood of occurrence, and the level of ability to control those risks (NPSA, 2008). The process of risk assessment seeks to answer four simple questions, as illustrated below: what can go wrong; how bad; how often; and is there a need for action?

Figure 2: Risk Assessment Questions. NPSA, 2007.


Assessment Question 1: What can go wrong?

What can go wrong? And what types of consequences or losses can result? The process of answering these questions and cataloguing the seemingly endless number of risks in a healthcare organization can be quite overwhelming. For this reason, it is helpful to have a plan for systematic examination of the entire organization. One approach is to carry out a review of each department or program. Another is to assess risks within functional categories such as finance, legal and regulatory, and human resources. Healthcare examples of this approach are included in Appendix 2. Another prevailing view is that risks should be assessed from the perspective of an organization's core operational and strategic objectives. Using examples described earlier, this would include identification of risks that could negatively impact high quality care, such as hospital acquired infections, or risks that could lead to regulatory non-compliance, such as a major privacy breach.

TIP: Use internal and external information sources to identify risks

Most organizational risks are already described for healthcare organizations. Leadership teams do not need to start from scratch; rather, they can build their list of key risks starting with the wealth of information that is available from internal and external sources such as incident reports, published literature, claims, and accreditations. A risk identification exercise based solely on internal experience, intuition, and opinion would have considerable limitations. Common sources of internal and external risk information are included in Appendix 3.

HIROC claims data

One of the most valuable resources that HIROC can provide in support of IRM is its extensive claims database. The risks described by these events not only result in claims, but also impact on organizational reputation and morale. Not all organizational risks are represented in claims data, but they provide a reference for identification and assessment of risks associated with clinical care, property and contracts. See Appendix 4 for a rank-ordered list of the top acute care risks based on total claims costs. A sub-set of years was sampled to facilitate in-depth risk management coding and analysis. The years 2004, 2005, and 2006 were selected as they are not too recent (addressing issues of claims immaturity, particularly with obstetrical claims); not too old (generally reflective of current trends); and have a high proportion of closed claims (to ensure accurate cost information).

TIP: Aggregate similar types of risks

Comprehensive risk identification is critical, because a risk that is not identified at this stage will not be included in further analysis (AS/NZS, 2009). On the other hand, it will be difficult to operationalize a list with several hundred or more risks. The risk inventory should be at a relatively high level, providing a bird's-eye view of the organization. Whenever possible, aggregate similar types of risks (e.g. identify one risk called "hospital acquired infections" versus separate risks for MRSA, blood stream infections, C-diff, ...). The need for specificity may be dictated by differences in risk ownership or significant variances in mitigation categories. When a risk is identified, it is helpful to understand the consequences that could result if that risk were realized.

TIP: Articulate risk consequence domains

Understanding a risk entails understanding the losses, or consequences, that could result if that risk were to be realized. In healthcare these losses align closely with core objectives and commonly include patient harm, staff and visitor harm, financial losses, business interruption, reputational loss, and regulatory non-compliance. Specifying the type (or domain) of loss associated with a risk will provide the basis for the quantification and ranking of risks outlined in the sections that follow. Appendix 5 lists commonly described risk consequence domains and examples of risks related to each.

Note that some risks may result in more than one consequence, such as the death of a patient from an adverse event that results in significant and sustained negative publicity. In this case, the domain with the highest consequence level should be used. To promote ease of use and to ensure reliability of assessments, domains should be rationalized. For example, equipment/technology losses could have a separate domain, but it is the effects related to patient harm or service interruption that are most important. In another example, water damage from a burst pipe could be captured in a separate facility loss domain; however, it is the disruption of operations (e.g. the shutting down of a unit for clean-up and repairs) or the cost of clean-up (financial domain) that matters the most.

Use of consultants

While some organizations have chosen to engage external consultants to assist in identifying and prioritizing risks, others have been successful using internal resources and expertise only. The most commonly cited concerns with external consultants are costs, the application of a private sector, business-focused model of IRM with questionable clinical relevance, and lack of credibility with respect to knowledge of clinical risks and the unique operations of healthcare systems.

Assessment Question 2: How Bad?

Risk assessments are inherently subjective exercises. This is particularly true in healthcare, where there is a great deal of uncertainty about outcomes due to variations in human physiology, advanced and potentially hazardous treatments, and a diverse professional and non-professional workforce. Objective risk assessments usually entail combining estimates of the consequence (i.e., how bad; also described as severity or outcome) and likelihood (i.e., how often; also described as frequency or probability). Most commonly, the risk magnitude or rating is established using a two-dimensional grid or matrix, with consequence (from very low/negligible to very high/catastrophic) on one axis and likelihood (from very low/rare to very high/almost certain) on the other (NPSA, 2008). It is this score that allows for a relative ranking of different kinds of risks, and establishes a baseline from which to measure progress and trends over time (ECRI, 2006). The figure below depicts a 5 x 5 matrix. Colour coding has been added to help visualize increasing levels of risk; this is also commonly referred to as a heat map.
Figure 3: Risk Assessment Matrix (5 x 5). Consequence on one axis and likelihood on the other, each running V. Low, L, M, H, V. Hi; cells are colour coded from low to high risk (heat map).

TIP: Focus on residual risks

Risks are sometimes described as inherent risk, before taking into account controls or mitigation strategies (e.g. the risk of an adverse medication event without any controls such as unit dose systems and double-checking processes), or residual risk, the risk that remains with mitigation strategies in place. Sometimes significant effort is expended by IRM practitioners in assessing inherent risks. This is a theoretical exercise with limited utility, as it is residual risk that largely drives risk management activities (Audit Commission, 2009). In many cases, the concept of inherent risk is impossible to measure or even define. The idea of looking at risk absent all hard controls, soft controls, or mitigations provides little or no useful information in most cases (Fraser, 2007).

Consequences can be rated on a generically defined scale, applicable to all domains, such as very low, low, medium, high, and very high. However, further refinement may improve the effectiveness of the assessment process.

TIP: Establish domain-specific, incremental definitions for the consequence scale

Organizations can take steps to make risk assessments more objective and meaningful through the use of a domain-specific, clearly defined consequence scale. Staff are sometimes asked to decide whether given risks are high or low. To make an informed decision, however, participants need clear definitions of what is considered high versus low. One of the most effective ways of quantifying and gaining agreement on risk tolerances has been to establish definitions on a five-point (or similar) scale that can be discussed and agreed to by all parties in advance (Fraser, 2007). If this cross-domain calibration is not established, then financial, operational and clinical risks cannot be compared against each other and appropriately prioritized (NHS, 2008).

For instance, if an organization defines "very high" as death for the patient harm domain, it would then have to define "very high" for the financial loss domain as a loss that would truly be significant in terms of dollars. Ethically, no financial loss could compare to the loss of a human life; nevertheless, if a proxy for cross-domain equivalency is not achieved, risk prioritization efforts will be flawed. Appendix 6 provides an example of a risk scoring matrix from one healthcare organization with domain-specific, incremental definitions for the consequence scale. The NHS resource "A Risk Matrix for Risk Managers" (see references) provides another good example.

TIP: Beware of cognitive biases

IRM practitioners need to appreciate that people are prone to a number of errors in judgment when assessing risks. There are important psychological biases at play when people identify risks and their relative probability and importance. The availability heuristic means that risk assessments can be impacted by how easily events can be called to mind, with sensational and more recent events being over-estimated; the affect heuristic means that they can be impacted by how people feel (Graham, 2008; Crosby, 2011).

TIP: Beware of groupthink and defer to experts

A common approach to risk assessment is to assemble a group of leaders in a room to solicit their opinions on the identity, consequence, and likelihood of risks. There is a concern that there is a tendency in such large settings for individuals to gravitate towards a common view of the world without appropriate push-back or demand for evidence to support the identified risks (Graham, 2008). Treated, however, as a significant but not conclusive input into the process, this could be beneficial. Regardless of how accurate group-based risk assessments may or may not be, the discussions alone can be valuable, leading to an elevated understanding of risks and clarity around the process for risk prioritization (Aabo, 2005). In a group risk assessment setting, there will always be one or two individuals who know a great deal more about a risk than the others. Those closest to the risk may be best positioned to evaluate that risk. Effective assessment of the likelihood and impact of a potential future event is not necessarily the result of the total number of votes or responses (Protiviti, 2006).

Assessment Question 3: How Often?

As with consequence, when assessing likelihood it is important to take into consideration the controls already in place. Likelihood can be scored by considering frequency (i.e., how many times the adverse consequence will be realized) or probability (i.e., what the chance is that the adverse consequence will occur in a given reference period) (NPSA, 2008).

TIP: Establish incremental definitions for the risk likelihood scale
If risk probability assessments are faulty, the accuracy of risk prioritization will be affected, leading to a potential failure to focus on the most significant risks. This in turn could lead to the selection of inappropriate responses, with attention being paid to wrongly prioritized risks (Hillson, 2004). As with the consequence scale, it is preferable to articulate specific definitions for the likelihood scale, i.e., descriptions of how often the adverse consequence will be realized. A simple set of time-framed definitions for frequency is outlined in Appendix 4 and in the "A Risk Matrix for Risk Managers" reference.

Frequency, however, is not a useful way of scoring certain risks, especially those associated with the success of time-limited or one-off initiatives, such as achievement of a key objective or project. For these kinds of risks, the score cannot be based on how often the consequence will materialize. Instead, it must be based on the probability that it will occur at all in a given time period (NPSA, 2008).

TIP: Go with the highest combined consequence-likelihood score
Sometimes a single risk can be assigned different combinations of scores. For example, less serious patient falls may occur frequently, while serious falls may occur infrequently. The most conservative approach is to use the combination with the highest net rating. Note that consequence and likelihood scores can be added (see Figure 4 below) or multiplied (see Figure 5).
Figure 4: Risk Ratings with Scores Added (rows: consequence; columns: likelihood)

Consequence   V. Low    L     M     H   V. Hi
V. Hi            6      7     8     9    10
H                5      6     7     8     9
M                4      5     6     7     8
L                3      4     5     6     7
V. Low           2      3     4     5     6

Figure 5: Risk Ratings with Scores Multiplied (rows: consequence; columns: likelihood)

Consequence   V. Low    L     M     H   V. Hi
V. Hi            5     10    15    20    25
H                4      8    12    16    20
M                3      6     9    12    15
L                2      4     6     8    10
V. Low           1      2     3     4     5

TIP: Don't worry about mapping risks
A common step in IRM implementation is the creation of a risk map. This is the process whereby risks are graphed with consequence scores on the vertical axis and likelihood scores on the horizontal axis. Critical risks, deserving top priority and attention, are concentrated in the upper right. Low-priority risks are those found in the lower left (see Figure 6 below). For some this is a very useful exercise; for others it is a labour-intensive, painstaking exercise with limited utility. An appropriately formatted risk register (discussed later) may be easier to execute, more informative, and able to provide similar visual cues about the most important risks.

Figure 6: Risk Map Example. Treasury Board Secretariat, Canada

Assessment Question 4 Is There a Need For Action?
Once risks are identified and rated, current risk mitigation strategies should be evaluated for risks at unacceptably high levels. This could include an assessment of whether controls are still current and whether they are being consistently applied.

Risk tolerance
Risk tolerance is a term frequently used in IRM discussions; however, there is considerable confusion about the concept (Fraser, 2007). In practice, tolerance plays out in several ways: when establishing a consequence scale for risk assessment; when making informed decisions to accept (or not accept) the likelihood or consequence of a particular risk; and when establishing targets for key risk indicators, such as infection rates and wait times. These determinations will typically occur in meetings between risk experts/owners and the IRM coordinator, and during facilitated discussions around the senior management table.

5. Report Risks
The results of risk assessments should be documented to capture the valuable corporate intelligence and history that has been created. The most commonly used documentation tool is called the risk register.

TIP: Set up a risk register
A risk register is a document or database that summarizes the results of the risk assessment exercise. It is one of the most tangible outputs of an IRM program, providing a means to discuss, compare, and evaluate very different types of risks on the same page. It is a summarized list of all significant risks known to the organization, usually displaying them in rank order according to their risk rating score. Risks do not remain static, and a register is produced as an evergreen or living document, subject to review at scheduled intervals and as new information about new or existing risks comes to light.

Risk register software
Risk registers can be very elaborate, and specialized software packages can be purchased to manage them. A basic spreadsheet or database program, however, could be sufficient for most healthcare organizations, at least to start. Appendix 7 provides an outline and field descriptions for a simple risk register.

Reports to senior management and the board
The risk register, or more likely excerpts from it, will form the basis for IRM reporting to senior leaders and the board. This could entail a report including one or more of the following:
- The top 5, 10, or 20 ranked risks;
- All risks above a certain threshold rating;
- Risks specifically linked to stated strategic objectives;
- Highly rated risks requiring significant remedial action; and
- Changes made to the register between reporting cycles.
The format and contents of reports will likely evolve over time as the program matures and stakeholder fluency in IRM develops.

Link to strategic planning
Once a register is populated, it becomes a fertile tool for setting corporate priorities. It can flow into or out of an organization's strategic planning process.

6. Manage Risks
If an informed decision is made that a specific risk is not at a tolerable level and that existing mitigation strategies are not adequate, then plans for modifying the risk level should be developed and accountability for implementation and monitoring assigned. This is often referred to as risk mitigation or treatment. There are a number of risk treatment options, though not all will be appropriate in a particular circumstance. These include:
- Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
- Removing the risk source;
- Changing the likelihood;
- Changing the consequence;
- Sharing the risk with another party or parties (e.g., contracts and insurance); and
- Retaining the risk by informed decision (AS/NZS, 2009).
Realistically, decisions related to the allocation of resources to decrease specific risks will reflect resource and other constraints, opportunity costs, and tradeoffs across the entire risk portfolio. Not all risks can be eliminated in an affordable way. Organizations have to carefully weigh just how much time and effort they are prepared to put into risk mitigation (Graham, 2008). Risk mitigation plans could include strategies for improving compliance with already established risk control measures (e.g., hand hygiene practices or ventilator-associated pneumonia bundles), or new strategies can be adopted or developed. Look to established best practices to identify possible options, or consider implementing a quality improvement project to work towards a solution in an iterative way. As we have learned from the science of patient safety, publishing a new policy or procedure alone will likely not suffice. Audits of mitigation strategies for high-priority risks should be carried out on a periodic basis.

TIP: Recognize IRM limitations
In healthcare, events that have never happened before happen all of the time. Not all risks can be anticipated, nor is it always possible to accurately predict the consequence or likelihood of future events. IRM is not a panacea for all the uncertainties facing organizations; however, IRM should decrease the number of unexpected crises and increase overall capacity to manage them when they occur (Graham, 2008).


Program Evaluation and Improvement
An organization's IRM program can be evaluated by assessing progress against expected benefits (articulated previously under Internal Drivers), such as identification of key risks that would otherwise have been overlooked; improved resource allocation decisions; improved preparedness for crises; improved audit planning and assurance; and increased board and stakeholder confidence in risk monitoring and management processes. Changes in risk ratings over time can also be tracked. Increased use of IRM assessment tools and processes in everyday operations (e.g., project reporting) is another way to evaluate the effectiveness of the program (Behamdouni, 2010). Once an IRM program has been established, a risk management policy may be developed to formalize a statement of the organization's overall approach to managing risks, and its key accountabilities and processes. Based on the results of monitoring and reviews, decisions should be made on how the risk management framework, policy and plan can be improved. These decisions should lead to improvements in the organization's management of risk and its risk management culture (AS/NZS, 2009).

Transparency
Organizational leaders should determine how transparent they intend to be in sharing potentially sensitive risk assessments and management plans with internal and external stakeholders. They should anticipate and be prepared for intended or unintended public disclosures. In the NHS, many healthcare systems (trusts) post risk registers on their external websites.

Responding to internal and external drivers, many healthcare organizations have implemented or are contemplating implementation of an IRM program to provide assurance that all significant organizational risks have been assessed and managed. There are many challenges associated with IRM implementation, including the use of overly complicated structures and processes. This guide has provided an overview of basic IRM concepts and outlined strategies and tips for efficient and effective IRM implementation, including:
- Ensuring oversight and coordination;
- Confirming organizational context and key objectives;
- Assessing risks (what can go wrong, how bad, how often, is there a need for action) with clearly defined scales for scoring consequence and likelihood;
- Reporting risks using a risk register;
- Managing risks; and
- Evaluating the program.
A number of sample tools and lists were also provided. This guide will be updated as new information and insights arise, and as IRM experience in healthcare matures. With the participation of subscriber organizations, we hope to develop additional shared resources such as sample IRM policies and a master list of significant risks.

1. Aabo T, Fraser J, Simkins B. (2005). The rise and evolution of the chief risk officer: enterprise risk management at Hydro One. J App Corp Fin. 17(3):18-31.
2. Accreditation Canada. (2010). Effective organization standards. Qmentum program.
3. Aon. (2010). Global enterprise risk management survey.
4. Audit Commission. (2009). Taking it on trust: a review of how boards of NHS trusts and foundation trusts get their assurance.
5. Behamdouni G, Millar K. (2010). Implementation of an enterprise risk-management program in a community teaching hospital. Healthcare Quarterly. 13(1):72-78.
6. Crosby D. (2011). Risk management (and why you stink at it) pt. 1: the availability heuristic.
7. Crosby D. (2011). Risk management (and why you stink at it) pt. 2: the affect heuristic.
8. Decker A, Galer D. (2010). Getting the focus on enterprise risk management right. Risk and Insurance Management Society (RIMS), Inc.
9. ECRI. (2006). Enterprise risk management: an overview. Healthcare Risk Control Risk Analysis, Supplement A. Risk and Quality Management Strategies 22.
10. Fraser J, Simkins B. (2007). Ten common misconceptions about enterprise risk management. J App Corp Fin. 19(4):75-81.
11. Graham A. (2008). Integrated risk management implementation guide.
12. Health Governance Advisory Council. (2009). Final report. Department of Health. Prince Edward Island.
13. Hillson D, Hulett D. (2004). Assessing risk probability: alternative approaches. PMI Global Congress Proceedings.
14. National Patient Safety Agency (NPSA). (2007). Healthcare risk assessment made easy. NHS. UK.
15. National Patient Safety Agency (NPSA). (2008). A risk matrix for risk managers. NHS. UK.
16. Protiviti Inc. (2006). Guide to enterprise risk management; frequently asked questions.
17. Rasmussen M. (2007). AS/NZ 4360 a practical choice over COSO ERM. Forrester Research Inc.
18. Sarnie R. (2010). ERM: Do you know what it means? Risk and Insurance Management Society (RIMS), Inc.
19. Standards Australia/Standards New Zealand (AS/NZS). (2009). AS/NZS ISO 31000 Risk management principles and guidelines.
20. Treasury Board Secretariat (TBS). (2002). Integrated risk management implementation guide. Government of Canada.

Appendix 1 AS/NZS ISO 31000 Risk Management Framework

2009 Standards Australia/Standards New Zealand.

Appendix 2 Sample Risk Categories by Function

Risk category definitions:
Business Risk: risks that relate to the delivery of healthcare, including internal and external factors impacting on the operations.
Resource Risk: risks that relate to the resources used by the organization to accomplish its objectives.
Compliance Risk: risks that originate from the requirement to comply with a regulatory framework, policies, directives or legal agreements.

Functional areas and sample risk areas:
Quality Care And Patient Safety: Informed Consent, Care Plans, Consults, Referrals
Human Resources And Staff Relations: HR Planning, Competency And Staff Development, Performance Management, Labour Relations
Environment, Health And Safety: Hazardous Material Handling, Occupational Health And Safety, Infection Control
Corporate Governance: Strategic Goals And Objectives, Performance Reporting, Culture, Ethics, Org Structure, Partnerships And Alliances
Funding Allocation, Planning And Budgeting, Insurance, Financial Management And Reporting, Fraud
Legal And Regulatory: Medical Staff By-laws, Legislation And Regulations, Contracts And Agreements, Credentialing And Licensing
Operations And Business Support: Quality And Risk, Supply Chain, Health Information Management, Security, Disaster Management
Information, Systems And Technology: E Health Strategy, Infrastructure, Access Control, Data Integrity, User Support
Clinical Policies, Administrative Policies, Internal Guidelines And External Directives
Reputation And Public Image: Public Relations, Media Relations, Government Relations, Pt Relations
Physical Assets: Asset Management, Capital Construction, Equipment Acquisition, Replacement And Maintenance
CCHSA Accreditation Standards, Professional Regulatory Bodies And Standards Committees

2011 North York General Hospital, Toronto (with credit to D Rubel and M Cendou, Winnipeg Regional Health Authority). Used with permission.

Catalogued Areas of Risk
- Human Capital
- Operational
- Strategy
- Legal and Regulatory

2010 St. Joseph's Health Centre, Toronto. Used with permission.

Appendix 3 Common Sources of Risk Information

Organization-specific / internal sources of information include:
- Critical incident reviews and recommendations;
- Incident/hazard reports;
- Morbidity and mortality reviews;
- Medical legal and property insurance claims;
- Patient/client/resident/family complaints;
- Patient/client/resident satisfaction surveys;
- Proactive risk assessments and process analysis (e.g., HIROC RMSAM and FM Global (property) reviews; failure modes and effect analysis);
- Recommendations and reports from external agencies (e.g., Accreditation Canada road map and required organizational practices; accreditations of lab and educational programs);
- Recommendations and reports from internal and external auditors;
- Financial/business plans/IT reports;
- Key performance indicators;
- HR staffing reviews and plans; and
- Leadership discussions (e.g., what keeps you up at night?).

External sources of information include:
- Product/hazard alerts, recalls;
- Medication Safety Bulletins (ISMP Canada);
- Legislative/legal updates;
- Global patient safety alerts (CPSI);
- Coroners' reports, inquests;
- Communicable diseases surveillance reports;
- Professional regulatory bodies' communications;
- Insurance alerts, advice, and aggregate claims data;
- Audits/accreditations; and
- Benchmarking, literature.

Appendix 4 Top Ranked Risks from HIROC Claims Data

Rank  Risk (Allegation)
1.  Obstetrics: Failure to identify/respond to atypical and/or abnormal fetal status
2.  Diagnostics: Misinterpreted laboratory results
3.  Medical: Inadequate triage assessment and documentation
4.  Obstetrics: Mismanagement of oxytocin administration
5.  Diagnostics: Failure to communicate critical test results
6.  Obstetrics: Failure to monitor fetal status
7.  Falls: Visitor
8.  Obstetrics: Lack of communication regarding fetal status
9.  Property: Water damage
10. Medical / Surgical: Failure to appreciate status changes and/or deteriorating condition
11. Infection Control: Healthcare associated infections/inadequate infection prevention and control
12. Medication: Wrong medication/dose/preparation/regimen
13. Falls: Patient
14. Medical: Failure to identify and/or monitor hyperbilirubinemia
15. Medical: Inadequate quality checks for contracted nursing staff
16. Safety: Assault
17. Medical: Failure to provide discharge and/or follow-up instructions
18. Equipment malfunction
19. Medical: IV infiltration identification and documentation
20. Fiduciary: Employee fraud
21. Surgical / Medical: Wrong patient/site/treatment
22. Employment: Wrongful termination
23. Mental Health: Suicide of in-patient
24. Surgical: Unnecessary and/or obsolete surgery
25. Medical: Facility acquired pressure ulcers
26. Employment: Failure to pay benefits/overtime
27. Surgical: Retained foreign body
28. Property: Fire damage
29. Surgical: Inadequate sterility
30. Rights: Privacy breach

Source: HIROC claims data for acute care hospitals, 2004-06.

Appendix 5 Sample Consequence Domains and Risks

Common risk consequence domains (and risk examples) include:

Patient/client/resident harm
- Falls
- Adverse medication events
- Healthcare associated infections
- Facility acquired pressure ulcers
- Improper/inadequate monitoring
- Assault/altercation
- Wrong site surgery
- Critical equipment failure
- Compromised infant events
- Improper performance of sub-contracted care provider
- Lack of case management coordination
- Inadequate communication at transitions
- Infant abduction
- Unsafe sleep environment
- Entanglement/entrapment
- Delay in treatment
- Inadequate pain management
- Blood product mix-up
- Privacy breaches
- Healthcare provider practicing outside their scope

Staff and visitor harm
- Falls
- Muscular skeletal injuries
- Needlestick injuries
- Assault
- Stress

Financial loss
- Inability to meet budget commitments
- Accounting irregularities
- Employee fraud
- Improper administration of resident funds
- Loss/theft of resident property

Business interruption
- Inability to obtain needed supplies
- Flood; escaped liquids
- Fire
- Inadequate human resources

Standards/legislative non-compliance/loss of license
- Unfavourable accreditation decisions
- Unfavourable site inspections
- Inappropriate use of research grant money
- Human rights violations/discrimination
- Inappropriate IT systems access

Reputation
- Poor satisfaction survey results
- Poor community relations, lack of public confidence
- Government funding instability

Additional consequence categories include:

Business objectives / project failure
- Failed ventures, targets, or projects

Staff shortages
- Staff disengagement
- Loss of key medical staff
- Senior management turnover
- Aging workforce
- Minimal full-time complement

Patient/client/resident/family complaints
- Poor customer service
- Lack of coordination amongst service providers
- Long waits

Environmental loss
- Soil contamination

Appendix 6 Sample Risk Assessment Matrix with Scale Definitions

Impact / Loss Scale
Levels: 1. Very Low; 2. Low; 3. Medium; 4. High; 5. Very High. Each domain is described at each level below.

A Patient / Research Subject (harm from care, environment, others, e.g. assault)
1. Very Low: Mild injury or illness; no or minimal treatment; no increased length of stay
2. Low: Minor injury or illness; minor intervention; e.g. increase LOS by <3 days
3. Medium: Moderate injury requiring significant medical treatment; e.g. increase LOS by 4-14 days
4. High: Major injury requiring major medical care; semi-permanent disability; e.g. increase LOS by >14 days
5. Very High: Catastrophic injury leading to death or permanent disability

B Staff / Visitor (harm from environment, others, e.g. assault)
1. Very Low: Mild injury or illness; no first aid required
2. Low: Short term illness or injury; first aid required
3. Medium: Moderate injury or illness; not admitted to hospital
4. High: Major injury requiring major medical care / hospitalization; semi-permanent disability
5. Very High: Severe injury leading to death or permanent disability; multiple fatalities / permanent injuries

C Financial (increase in expenses or loss of revenue / assets)
1. Very Low: Insignificant financial loss; e.g. < $1m
2. Low: Minor financial loss; e.g. $1-5m
3. Medium: Minor financial loss; e.g. $5-15m; e.g. 1% budget
4. High: Major financial loss; e.g. $15-30m; e.g. 2.5-5% budget
5. Very High: Catastrophic financial loss; e.g. >$30M (liability limit); >5% budget

D Service / business interruption
1. Very Low: Loss / interruption of > 1 hour
2. Low: Loss / interruption of > 8 hours
3. Medium: Loss / interruption of > 1 day
4. High: Loss / interruption of > 1 week
5. Very High: Permanent loss of service or facility

E Standards Compliance (e.g. research standards, industry legislation / accreditations)
1. Very Low: Minor noncompliance
2. Low: Single failure to meet external standards or follow protocol; written recommendation to comply by an external agency
3. Medium: Repeated failures to meet external standards or follow protocols; report required to external agency; orders or tickets issued by external agency
4. High: Non-compliance with external standards; prolonged inspection with significant findings; prosecution initiated for non-compliance (charges against organization or individual); public inquiry
5. Very High: Gross failure to meet standards; maximum fines; Criminal Code violation; impact on affiliation agreements

F Organizational development / staffing
1. Very Low: Short-term low staffing level that temporarily reduces service quality (<1 day)
2. Low: Low staffing level that reduces the service quality
3. Medium: Unsafe staffing level or competence (>1 day); low staff morale
4. High: Unsafe staffing level or competence (>5 days); loss of key staff; very low staff morale
5. Very High: Ongoing unsafe staffing levels or competence; loss of several key staff; government involvement / supervisor

G Adverse publicity / reputation
1. Very Low: Rumors; potential for public concern
2. Low: Minor negative media coverage
3. Medium: Moderate negative media coverage; short-term reduction in public confidence
4. High: Sustained negative media coverage; medium-term reduction in public confidence; public inquiry
5. Very High: Sustained reduction in public confidence; CEO termination

Note: Loss in one domain may result in loss in another (e.g. negative publicity resulting from death of a patient); however, loss could occur in any domain independently.

Probability Scale
1. Very Low: Rare occurrence; e.g. once in 10 or more years
2. Low: Unlikely occurrence; e.g. every 5-10 years
3. Medium: Occasional occurrence; e.g. every 1-5 years
4. High: Likely occurrence; e.g. every six months to 1 year
5. Very High: Common occurrence; e.g. every one to six months

Risk Ranking (rating = impact score + probability score; rows: probability; columns: impact)

Probability     5. Very High   4. High   3. Medium   2. Low   1. Very Low
1. Very Low          6             5          4         3          2
2. Low               7             6          5         4          3
3. Medium            8             7          6         5          4
4. High              9             8          7         6          5
5. Very High        10             9          8         7          6

Risk Oversight and Reporting
9-10  Extreme risk   CEO oversight with reporting to the Board.
7-8   High risk      VP oversight with reporting to the CEO.
5-6   Moderate risk  Director oversight with reporting to VP.
2-4   Low risk       Manager oversight with reporting to Director.

2010 The Hospital for Sick Children, Toronto. Used with permission.

Appendix 7 Simple Risk Register Outline and Field Descriptions

Register layout (one row per risk; the second line gives the field type for each column):

Ref #   Risk   Owner   Consequence   Likelihood   Rating   Mitigations in Place   Additional Actions Required
#       Text   Int.    #             #            #        Text                   Text

Date of report: dd mmm yyyy

Common field descriptions (and tips) include:
- Reference #: a unique identifier for each risk to help keep track of changes and additions; risks will move around on the list as new information is assessed and the rankings change;
- Risk: a short description of the risk;
- Owner: usually a member of the executive (keep to initials to save space);
- Consequence: the score (e.g., 1-5);
- Likelihood: the score (e.g., 1-5);
- Rating: the combined score (e.g., 2-10 or 1-25); colour code the cell to help visualize relative magnitude; this is most likely the field that will be used to sort risks in the register from highest to lowest;
- Mitigations in place: a short description of mitigation strategies implemented; and
- Additional actions required: used when the risk rating is not acceptable; a short description of actions to be taken to lower the risk level.

Additional fields (and tips) include:
- Consequence domain: a letter or number denoting the relevant consequence domain (e.g., A for patient harm); it may also be helpful to note a secondary domain in some circumstances;
- Strategic objective: noting which strategic objective the risk relates to;
- Program or department: noting which program or department the risk relates to;
- Constraints: a short explanation where it is noted that risk levels cannot be lowered for functional or logistical reasons (such as an older building that is slated for demolition in a few years' time, so that it is not appropriate to retrofit with sprinklers to reduce the consequence or likelihood of fire);
- Trend: to note a change in the rating since the last reporting period;
- Date due: the date by which actions are expected to be completed;
- Indicators: if relevant to the particular risk; and
- Notes: a field, either visible on the report or for the eyes of the IRM coordinator only, to keep track of details such as the reason for a change.

Additional tips:
- Keep the register as simple as possible; keep paperwork to a minimum;
- When using a basic spreadsheet program, some helpful techniques include: using landscape page orientation to allow more space for describing risks, mitigations and actions required; using the sort function to list risks in the register by rating level, by owner, by domain, etc.; and using cell alignment/wrap text to keep longer descriptions within the set column width;
- The print range can be limited, such as when preparing reports for the board (e.g., top 10, or those ranked >7 on a 10-point scale);
- While they may not be reported up, low-priority risks could change quickly; keeping them on the list will ensure periodic review; and
- The coordinator should keep separate notes and evidence to support the risk scoring, progress on actions taken, notes for discussion, etc. These should be retained in a centralized, secure location to facilitate transfer of knowledge from one coordinator to the next.
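The scoring rules and register fields above are easy to get subtly wrong in a spreadsheet (a risk with two consequence/likelihood combinations scored on the milder one, or a board extract that silently drops a risk sitting exactly on the threshold). The following is an added example, not a HIROC tool or any subscriber's register: a small Python risk register that applies the Figure 4 / Figure 5 rating rules, the "go with the highest combined score" tip, the Appendix 6 oversight tiers for the additive 2-10 scale, and the Appendix 7 fields (reference number, owner initials, consequence domain, trend). The sample risks, owners and scores are constructed for illustration only; the class and function names are this example's own.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Escalation tiers for the additive 2-10 rating scale (Appendix 6, Risk Oversight and Reporting).
OVERSIGHT_TIERS = (
    (9, 10, "Extreme risk", "CEO oversight with reporting to the Board"),
    (7, 8, "High risk", "VP oversight with reporting to the CEO"),
    (5, 6, "Moderate risk", "Director oversight with reporting to VP"),
    (2, 4, "Low risk", "Manager oversight with reporting to Director"),
)


def rating(consequence: int, likelihood: int, method: str = "add") -> int:
    """Combine 1-5 consequence and likelihood scores: Figure 4 adds them, Figure 5 multiplies."""
    if not (1 <= consequence <= 5 and 1 <= likelihood <= 5):
        raise ValueError("consequence and likelihood must be scored 1-5")
    if method == "add":
        return consequence + likelihood
    if method == "multiply":
        return consequence * likelihood
    raise ValueError("method must be 'add' or 'multiply'")


def tier_for(score: int) -> Tuple[str, str]:
    """Map an additive (2-10) rating to its tier and oversight level (not defined for the 1-25 scale)."""
    for low, high, tier, oversight in OVERSIGHT_TIERS:
        if low <= score <= high:
            return tier, oversight
    raise ValueError(f"score {score} is outside the 2-10 additive scale")


@dataclass
class Risk:
    ref: int                            # unique reference; rank changes between reports, ref does not
    risk: str
    owner: str                          # initials of the executive owner
    domain: str                         # consequence domain letter from Appendix 6 (A = patient harm, ...)
    scenarios: List[Tuple[int, int]]    # (consequence, likelihood) pairs for the same risk
    mitigations: str = ""
    actions: str = ""
    previous_rating: Optional[int] = None   # rating at the last reporting cycle, for the trend field

    def rating(self, method: str = "add") -> int:
        # Guide's tip: when one risk has several consequence/likelihood combinations
        # (frequent minor falls vs. rare serious falls), keep the highest net rating.
        return max(rating(c, l, method) for c, l in self.scenarios)

    def trend(self, method: str = "add") -> str:
        if self.previous_rating is None:
            return "new"
        current = self.rating(method)
        if current > self.previous_rating:
            return "up"
        return "down" if current < self.previous_rating else "same"


def ranked(register: List[Risk], method: str = "add") -> List[Risk]:
    """Sort the register from highest to lowest rating; ties keep reference-number order."""
    return sorted(register, key=lambda r: (-r.rating(method), r.ref))


def board_report(register: List[Risk], threshold: int = 7, top_n: int = 10) -> List[Dict[str, object]]:
    """Rows for a senior management report: at most top_n risks rated at or above threshold (additive scale)."""
    rows = []
    for r in ranked(register, "add")[:top_n]:
        score = r.rating("add")
        if score < threshold:
            break  # the list is sorted, so every remaining risk is below the threshold too
        tier, oversight = tier_for(score)
        rows.append({"ref": r.ref, "risk": r.risk, "owner": r.owner, "domain": r.domain,
                     "rating": score, "tier": tier, "oversight": oversight,
                     "trend": r.trend(), "actions": r.actions})
    return rows


# Constructed sample register: illustrative scores only, not HIROC claims data.
SAMPLE_REGISTER = [
    Risk(1, "Patient falls", "JS", "A", [(2, 5), (5, 1)],
         "Falls risk screening on admission", "Audit compliance with bed-alarm policy", previous_rating=6),
    Risk(2, "Privacy breach of patient records", "MK", "E", [(4, 3)],
         "Role-based access control on the EHR", "Quarterly access-log review", previous_rating=7),
    Risk(3, "Water damage to plant", "RL", "D", [(3, 2)], "Annual roof inspection"),
    Risk(4, "Inadequate instrument sterility", "JS", "A", [(5, 3)],
         "Sterilizer biological indicator testing", "Retrain reprocessing staff", previous_rating=9),
    Risk(5, "Minor equipment outage", "RL", "D", [(1, 2)], "Spare units on site"),
]

if __name__ == "__main__":
    for row in board_report(SAMPLE_REGISTER):
        print(f"{row['ref']:>3}  {row['rating']:>2}  {row['tier']:<13} {row['trend']:<5} {row['risk']}")
```

Running the block prints the three risks rated 7 or higher in rank order (sterility at 8, then falls and the privacy breach at 7), with the trend column showing that the falls rating rose and the sterility rating fell since the last cycle. Because the oversight tiers in Appendix 6 are defined only for the additive scale, `board_report` always rates additively; `ranked` accepts either method so the same register can be compared under the Figure 5 multiplicative scale.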
