MP91-2000 Healthcare Risk Management

MP912000
Dynamic approaches to
Healthcare risk management
Accessed by Clough Engineering on 07 Sep 2001
Selected proceedings from
Two International
H e a l t h c a re R i s k M a n a g e m e n t
Symposia
Apr il 1999
Fe br uar y 2000
S t a n d a r d s
A u s t r a l i a
Dynamic approaches
to healthcare
risk management
Selected proceedings from two symposia sponsored by
Standards Australia International
Sydney, April 1999 and Perth, February 2000 (in conjunction
with the Metropolitan Health Service, Western Australia and the National Health
Service, England
ISBN 0 7337 3352 2

Copyright Standards Australia International
All rights are reserved. No part of this work may be reproduced, copied, stored, distributed or
transmitted in any form, or by any means, including photocopying, scanning or other mechanical
or electronic methods without the prior written permission of the publisher.
Published by Standards Australia International, PO Box 1055, Strathfield NSW 2135
Design and typesetting by Write Result, 22 Firwood Trail, Woodvale WA 6026
email: write@iinet.net.au
Dynamic approaches to healthcare risk management
Contents
1 Introduction
Dr Maree Bellamy
3 Governance and risk management in the National

Health Service in England
And the application of the Australian Risk Management Standard
to risk management in healthcare
Colin Reeves, Neil McKay, Stuart Emslie
17 Personal accountability for clinical care in the British

NHS
Geoffrey Haynes
21 Assurance for the Board

Geoffrey Haynes
27 The introduction of clinical risk pooling and clinical

risk management standards within the National
Health Service
Steve Walker
31 The Bristol Paediatric Cardiac Surgery Inquiry

Dr Isabel Sanderson
35 Controls assurance
Involving the Board
Tim Crowley
43 Risk management
Kevin Knight
iii
69 The need for effective dynamic governance in

healthcare
Promoting accountability for quality
Dr Chris Brook
79 The responsibility of hospital boards for clinical

governance
Michael George, Tom Brennan and Dr Heather Wellington
83 Linking claims management with clinical risk

management
The NHS experience
E Jane Chapman
89 Early detection of major risk

Adopting a control self assessment methodology to identify risk
and opportunity and enhance learning
G Randolph Just
105 Risk management in the healthcare setting

Judith Napier
109 Role of clinical pathways and variance analysis in risk

management and quality improvement
Dr Elizabeth Mullins
113 Credentialling of hospital medical staff
Dr Lionel Wilson
121 A framework for managing the quality of health

services in NSW
Maureen Robinson
127 Iatrogenic injury in Australia

Dr Bill Runciman
133 Understanding clinical risk

Stephen McAndrew
iv
139 Clinical risk management

Dr Allan Wolff, Jo Bourke, Dr Rob Grenfell
141 Using radar logic to develop standards-based

management systems that work
Michael Paskavitz
147 Integrated risk management within the health

industry
Sue Williams
Introduction
Dr Maree Bellamy1
Healthcare is undergoing enormous change. On one hand, greater medical

knowledge and expertise accompanied by technical improvements are delivering
more sophisticated therapies to significant populations. On the other, we see
increased media and public attention to quality issues, with an unfortunate focus on
adverse events and unsatisfactory outcomes. This juxtaposition highlights the
potential problems and pitfalls for all stakeholders.
In many countries, a move toward integrated healthcare systems has resulted in a
change in emphasis for healthcare managers and providers. There is a greater
awareness of the need to provide care, which is acceptable and beneficial to the
broader community. Accompanying this is the task of coordinating care across
multiple entities and the challenge of developing a culture of system thinking.
Integrating medical practitioners within the totality of the scheme requires a change
in the approach of clinicians, with new roles for doctors charged with governance
responsibilities.
As an overarching principle, accountability has taken on a greater significance
accountability for multiple dimensions of performancefinancial, clinical,
management integration, quality, risk management, community satisfaction and
health outcomes.
The public demands improved patient safety. There is a concern that the financial
pressures and organizational change in healthcare will decrease doctors' expertise,
increase workload and reduce safety. The nature of training and certification of
practitioners and institutions have also become key issues.
According to James Reason2 the more safety researchers have looked at the sharp end,
the more they have realized that the real story behind accidents depends on the way
that resources, constraints, incentives, and demands produced by the blunt end shape
the environment and influence the behaviour of the people at the sharp end. Changes
in technology, procedures, and organizations, combine with economic pressures to
create new vulnerabilities and forms of failure at the same time that they create new
forms of economic and therapeutic success.
Managers and clinicians need tools and techniques to improve the quality of services
and to reduce risks to patients, staff and organizations. The wisdom of adopting an
integrated management approach, at both corporate and clinical levels, to achieve
continuous improvement and clinical effectiveness is receiving increasing
recognition.
In Britain, greater levels of accountability and a push for improved standards of quality
are being driven by a change in governance requirements. There is a similar emphasis
in the quality management framework released by NSW Health. That document
1. Director of Health, Standards Australia International.
2. James Reason 1997, Managing the risks of organizational accidents.
outlines the Departments wish to see accountability for budget and quality to be
viewed as equal performance indicators of health management. It acknowledges that
health services have a governance responsibility for the quality of care, and identifies
the need for a substantive change, involving redesign of processes and sub-systems to
improve health outcomes. The need for a comprehensive, healthcare risk
management strategy has, therefore, never been greater.
Of particular interest is the recent adoption of the Australian/New Zealand Standard
AS/NZS 4360 Risk management as a central component of the framework for corporate
and clinical governance in the National Health Service in England. The Standard will
initially formed the core of the proposed Non-Clinical, Non-Financial Controls
Assurance Standards. It provides a strategy and system for managing such risks as
infection control, medical equipment, information technology, professional and
product liability, security, waste management, health and safety, emergency
preparedness, environment, contractors, fire, human resources and transport.
The Standard is now being used to address the management of risk related to the
provision of clinical services. Comprehensive clinical risk management strategies have
been shown to deliver improved quality of care and patient satisfaction, more cost
effective use and allocation of resources and increased acceptance of clinical
effectiveness and evidence based practice. Clinical risk modification processes are
dynamic and have evolved in overseas markets, particularly in the USA, over the last
decade. One of the keys has been the early identification of new and emerging risks
through systematic collection and analysis of outcomes data, resulting in improved
clinical outcomes.
Corporate and clinical risk management formed the basis of a series of meetings held
in Australia in 1999 and 2000, where representatives from the United Kingdom, the
USA and New Zealand participated in discussions with local colleagues. Issues
addressed included clinical and corporate governance in healthcare and the links
between risk management, quality assurance and quality improvement. These
proceedings flow from those meetings, and from related projects work commissioned
over the last twelve months.
Risk management in healthcare is poised for growth and innovative development both
nationally and internationally. It gives Standards Australia International great pleasure
and satisfaction to play a pivotal role in improving the safety and standard of healthcare
provision at this time.
Governance and risk management in the

National Health Service in England
And the application of the Australian Risk Management
Standard to risk management in healthcare
Colin Reeves1, Neil McKay2, Stuart Emslie3
Part AGovernance and risk management in the NHS in

England
The NHS in England
The National Health Service (NHS) in England is one of the largest employers in the
world with around 1 million staff serving a population of some 50 million at a cost of
almost 40 billion (A$100 billion) per year. The NHS comprises an Executive HQ
with eight regional offices, 100 local health authorities, around 400 NHS Trusts (each
comprising one or a number of hospital facilities), and some 500 Primary Care
Groups (representing GP and other primary care services).
Development of governance in the NHS in England
The Cadbury Committee reported on the financial aspects of corporate governance in

1992.a In its report the committee defined corporate governance as the system by
which companies are directed and controlled and identified three fundamental
requirements for good corporate governance in organizations:
internal financial controls;
efficient and effective operations; and
compliance with applicable laws and regulations.
Subsequently, the Hampel and Greenbury Committees sought to improve upon the
Cadbury Code. The findings of these committees, together with the original
Cadbury findings, have been consolidated into one Combined Code of Principles of
Good Governance published by the London Stock Exchange. Fundamental to these
principles is the requirement that the board should maintain a sound system of internal control
to safeguard shareholders investment and the companys assets and that the directors should, at
least annually, conduct a review of the effectiveness of the groups system of internal control and
should.report to the shareholders that they have done so. The review should cover all controls,
including financial, operational and compliance controls, and risk management.
The NHS has embraced the principles of good governance through its
complementary Corporate and Clinical Governance initiatives.
1. Director of Finance and Performance, NHS, UK.
2. Executive Director, Trent Region, NHS, UK.
3. Reader, University of Strathclyde, Special Advisor to the NHS Executive, UK.
Corporate governance in the NHS has been a carefully managed three stage process,
which is on-going, involving:
development of a framework of corporate accountability;
improvements in the organization and staffing of internal audit; and
development of controls assurance, an innovative NHS Executive-conceived

approach to governance built on world-wide best practice relating to all
non-clinical internal controls (not just finance) and risk management.
Clinical Governance is the lynchpin of the UK Governments strategy for ensuring

that quality of care becomes the driving force for the development of health services
in England. It is defined as a framework through which NHS organizations are
accountable for continuously improving the quality of their services and safeguarding
high standards of care by creating an environment in which excellence in clinical care
will flourish.b It aims to deliver a new approach to quality through creation of a
systematic set of mechanisms, or controls, many of which echo the principles of
corporate governance. The task of implementing clinical governance is at this stage
primarily developmental and will require a fundamental shift in the culture of many
NHS organizations, a shift that may take several years to effect.
Controls assurance
Controls assurance is a holistic concept based on best governance practice. It is a key
component of the NHS Executives performance management programme. It is a
process designed to provide evidence that NHS organizations are doing their
reasonable best to manage, direct and control themselves so as to meet their
objectives and protect employees, patients, the public and stakeholders against risks of
all kinds. Fundamental to the process is the effective involvement of people and
functions within the organization through application of risk and control selfassessment techniques to ensure objectives are met and risks are properly controlled.
Chief Executives of NHS Trusts and Health Authorities are currently required to
sign, on behalf of the Board, a controls assurance statement in respect of the system of
internal financial control in their Annual Accounts. This requirement is now
extended to organizational controls covering inter alia aspects of non-financial,
non-clinical risk by the production of a suitable controls assurance statement to
accompany the Annual Report from 1999/2000.
At a time when many other management challenges face NHS organizations, one of
the key objectives of the NHS Executives Controls Assurance Team is to ensure that
the task is made less onerous through the development of a comprehensive and
comprehensible control framework comprising key risk management and controls
standards (see Table 1). This framework will be available by October 1999 and will
comprise detailed standards and assessment criteria supported by guidance, training
and benchmarking.
The standards and criteria contained in the control framework are being drawn from
existing statutory and mandatory requirements together with relevant best practice
guidance. The aim to is integrate the many and varied existing requirements within a
common standards framework. NHS organizations that currently meet existing
requirements will have little difficulty in meeting controls assurance demands. Others
who are less advanced will benefit from having the control framework to assist their
efforts in implementing risk management and organizational controls.
Governance and risk management in the National Health Service in England
Controls assurance and clinical governance

Clinical governance provides a framework within which local organizations can work
to improve and assure the quality of clinical services for patients. Implementing and
maintaining effective organizational controls is fundamental to ensuring the success
of clinical governance, providing a solid foundation upon which to build an
environment in which quality care can be provided and clinical excellence can flourish
(Figure 1). Getting the organization right will significantly increase the likelihood of
achieving the desired outcomes in relation to meeting the needs of patients.
Clinical care
The environment
of care
Financial
resources
Clinical
governance
Organizational
controls
Financial controls
Clinical assurances
(Clinical governance report/
Annual report)
Organizational assurances
(Annual report)
Financial assurances
(Annual accounts)
Figure 1
The development of risk management in the NHS in England
The development of risk management in the NHS in England is a relatively recent

phenomenon. Prior to the early 1990s very few hospitals had any form of risk
management program or system covering either clinical or non-clinical (including
financial) risk contexts. Risk management had not been seen as a priority principally
because the costs of clinical negligence were low and individual healthcare providers
did not, at the end of the day, fund the costs of poor risk management. These costs
were borne by the NHS at a higher level.
With the introduction of self-governing NHS Trusts as statutory bodies, combined
with an increase in litigation associated with clinical negligence, risk management has
in recent years become increasingly important. In 1993 the NHS Executive issued
detailed guidance encouraging NHS organizations to establish effective arrangements
for all aspects of risk management, clinical and non-clinical.d Within the guidance a
framework for risk management was given and is described in Figure 2. In 1994
dedicated software for health and safety risk management was issued to all NHS
Trusts.e This software was expanded to cover wider clinical and non-clinical risk
management issues in 1997.
The Department of Health also established a risk-pooling scheme called the Clinical
Negligence Scheme for Trusts (CNST) in which NHS providers share responsibility
for funding the costs of clinical negligence. More recently, new risk pooling
arrangements covering non-clinical negligence liabilities have been established.f In
addition, the widening of Controls Assurance beyond financial controls to cover risk
management and organizational controls, and the parallel developments in clinical
5
risk management to meet Clinical Governance requirements, will ultimately ensure

that risk management covering all contexts, clinical, non-clinical and financial, is a key
concern of the Boards of all NHS organizations.
Monitor
Monitor
Identify
Analyse/
evaluate
Avoid
Control
Prevent
Accept
Assume
Fund
Transfer
Figure 2: Risk management framework

(from Risk management in the NHS, 1993)
Risk management in the NHS as part of a wider quality

framework
Quality and risk are two sides of the same coin. Increasingly, and particularly in
response to the Government's quality agenda through clinical governance, NHS
organizations are turning to use of high level management models to provide a
framework for self-assessment against key quality objectives, and for identifying risks.
Perhaps one of the better quality models in use in the UK is the European Foundation
Quality Model (EFQM Figure 3). This model is strongly supported by the UK
Cabinet Office, is widely applied in the public sector, and is increasingly being used
by NHS organizations. Further information can be obtained from the European
Foundation for Quality Management (http://www.efqm.org).
The principal strength of the EFQM is its reliance not just on structural and process
elements, but also outcomes, i.e. results. With reference to Figure 1 it can be seen that
results, expressed as key performance results (clinical, organizational or financial),
staff satisfaction, patient/referrer/health commissioner satisfaction, and additional
impact on society, are delivered by effective and efficient processes driven by good
human and non-human resources management, suitable policies and strategies and,
above all, effective clinical and managerial leadership.
Using a model such as EFQM it is a straightforward process to self-assessment and
benchmark healthcare organizations against a range of key assessment criteria. In
addition, it is a straightforward process to map more technically detailed management
models (e.g. AS/NZS 4360:1999 Risk managementsee below) onto the wider EFQM
quality model.
Clinical and
managerial
leadership
Human
resources
Staff
satisfaction
Policy and
strategy
Patient/referrer/
Commissioner
satisfaction
Processes
Partnerships
and non-human
resources
Enablers
Improving the efficiency of health care delivery
Key performance
results
(Clinical,
organizational
and financial)
Additional
impact on
society
Results
Improving effectiveness
Figure 3: European Foundation Quality model

applied to healthcare
Part BThe application of AS/NZS 4360:1999 to risk

management in healthcare
Overview of AS/NZS 4360:1999
The Australian/New Zealand Standard on risk management is a world first
publication providing a generic and non-prescriptive framework for the assessment
and management of risk. Originally published in 1995, sets down a universal
language for risk management which enables any organization to implement a robust
risk management system based on the Standard. In consequence the Standard
facilitates risk management benchmarking within organizations and with other
organizations nationally and internationally as part of a continuous quality
improvement process.
The Standard defines risk management as:
the culture, processes and structures that are directed towards the effective
management of potential opportunities and adverse effects
and defines the risk management process as:

the systematic application of management policies, procedures and practices to
the tasks of establishing the context, identifying, analysing, evaluating, treating,
monitoring and communicating risk.
An overview of the risk management process, as defined in the Standard, is presented

in Figure 4. This framework is similar to that described in Figure 2, but is more
comprehensive.
The Standard contains the following key sections:
1) Scope, application and definitionsoutlines the scope and application of the Standard
plus definitions for key risk management terminology.
Identify risks
Analyse risks
M o ni t o r a nd revi ew
C o mmuni ca t e a nd co nsul t
Establish the context
Evaluate risks
Assess risks
Treat risks
Figure 4: Risk management overview

(from AS 4360:1999)
2) Risk management requirementssets out key requirements for a risk management

system comprising policy, planning and resourcing, implementation program and
management review.
3) Risk management overviewprovides an overview of the risk management process (Figure 2).
4) Risk management processgives a detailed account of the key risk management process elements of establishing the context, risk identification, risk analysis, risk evaluation,
risk treatment (avoid/reduce/transfer all or part/accept), monitoring and review, and
communication and consultation.
5) Documentationspecifies minimum requirements for maintaining documentation for
risk management.
The Standard also contains useful appendices giving illustrative information on the
applications of risk management; steps in developing and implementing a risk
management program; identification of potential stakeholders; sample generic sources
of risk and their areas of impact; examples of risk definition and classification;
examples of quantitative risk expressions; identifying options for risk treatment; and
risk management documentation.
Application of AS/NZS 4360:1999 to risk management in the

NHS
In view of its generic, non-prescriptive nature the Standard is ideally suited for
application in healthcare. In the NHS in England, the NHS Executive's Controls
Assurance team, assisted by a number of key NHS organizations, has embarked on a
process of mapping existing risk management activities to the generic requirements of
the Standard. This work is anticipated to be essentially complete by October 1999 and
will result in AS/NZS 4360:1999 forming the bones of the risk management
framework for the NHS in England. The meat of the risk management framework
will be contained in new guidelines for managing risk in the NHS which will largely
replace the existing risk management in the NHS publication.d The individual
elements of the risk management process identified in Figure 4 will now be
considered, briefly, in turn.
Context
Fundamental to this mapping process is the establishment of context. From a detailed
consideration of the overall context within which most NHS organizations operate,
three distinct sub-contexts of risk management can be identified:
Risk management system
Financial controls
Organizational controls
Clinical controls
Within each of these sub-contexts, a range of standards and supporting assessment

criteria are being development. The standards are outlined in Table 1. The financial
control standards are existing standards developed for financial controls assurance.
The clinical control standards reflect the existing Clinical Negligence Scheme for
Trusts (CNST) standards which have been in place since 1996. As part of the mapping
exercise both the financial and clinical standards are being expanded, updated and
improved.
Risk identification
A range of techniques are used by healthcare organizations to identify risks, from
informal brainstorming or interviews to more elaborate risk profiling or facilitated
control and risk self-assessment techniques, including self-assessment against the
key standards outlined in Table 1. A review of the various techniques is being writtenup for inclusion in the forthcoming guidelines for managing risk in the NHS due for
issue by October 1999.
Risk assessment
The analysis and evaluation and ranking of risks is also carded out using a range of
techniques, from simple single attribute rating scales, such as exemplified in AS/
NZS 4360:1999, to more rigorous multi-attribute risk ranking techniques (e.g. see
Figure 5, below). The concept of a risk register, again as exemplified in the Standard,
is promulgated and software has been developed to assist with generating and
maintaining such a register. Further details will be included in the forthcoming
guidelines for managing risk in the NHS.
Risk treatment
It is the treatment of risk that typically proves the most challenging aspect of risk
management in healthcare. Having carried out a full risk profiling exercise on, say, an
average acute NHS Trust with an annual income of A$250300 million, it is not
uncommon to identify many hundreds of required risk treatment options with a
cumulative cost from A$230 million depending on the age and condition of the
facility. Given that financial resources are inevitably scarce, it is usually the case that
robust, defensible investment priorities need to be set across the range of treatments
required. A case study involving the setting of priorities is given below.
Figure 1: Standards for risk management and control in the NHS
Risk management
10
1) Policy system
2)
3)
4)
5)
6)
7)
Planning and resourcing

Implementation
Incident recording, investigation and analysis
Complaints recording, investigation and analysis
Claims management and analysis
Management review
Financial controls
1)
2)
3)
4)
5)
Control environment
Identification and evaluation of business risk
Information and communication
Control processes
Monitoring
Organizational controls
1)
2)
3)
4)
5)
6)
7)
8)
9)
10)
11)
12)
13)
14)
15)
16)
17)
Buildings, land, plant and non-medical equipment

Contracts and contractor control
Emergency preparedness
Environmental management
Fire safety
Food safety and hygiene
Health and safety
Human resources
Infection control
Information management and technology
Medical equipment and devices
Medicines management
Professional and product liability
Records management
Security
Transport
Waste management
Clinical controls
(CNST standards)
1)
2)
3)
4)
5)
6)
7)
8)
9)
10)
11)
Board clinical risk management strategy

Executive director and clinical risk
Clinical risk manager/group
Clinical incident reporting system
Rapid follow-up of serious injury or death
Managing complaints
Risks/benefits of proposed treatment/investigation
Standards/use/storage/retrieval of medical records
Induction/orientation programmes
Clinical risk management system
Management and communication in maternity care
Monitoring, review, communication and consultation

It is crucially important that NHS organizations establish proper arrangements for the
monitoring and review of risks as well as communicating and consulting with relevant
stakeholders. Stakeholder will include, where appropriate, patients, employees,
contractors, visitors and other members of the public, the local community, health
purchasers/commissioners, referring General Practitioners, the NHS Executive and
politicians.
A practical exemplar of compliance with AS/NZS 4360:1999

Assessing and prioritizing risk treatment options
One of the many goals facing NHS organizations is demonstrable achievement of
high standards of risk management, funded by limited budgets. It is of the utmost
importance that resources are targeted towards the areas of need which are judged to
be key, and are used in a manner which ensures optimum effectiveness and value for
money. Where choice is exercised in the application of scare resources it is critical that
such choices are made in an informed, objective and methodical manner.
The following describes how existing risk management activity within the NHS has
been mapped to the requirements of the Standard. The exemplar considers a
methodical approach developed by the NHS to help set priorities for investing in risk
treatment options.
Clause 4.1.5 states that an organization should: Decide the criteria against which risk is to
be evaluated. Decisions concerning risk acceptability and risk treatment may be based on
operational, technical, financial, legal, social, humanitarian or other criteria.
Clause 4.5.2 states that: [Risk treatment] Options should be assessed on the basis of the extent
of risk reduction, and the extent of any additional benefits or opportunities created, taking into
account the criteria developed in Clause 4.1.5. Further, Clause 4.5.3 states that: Where the
cumulative cost of implementing all risk treatments exceeds the available budget, the [risk
treatment] plan should clearly identify the priority order in which individual risk treatments should
be implemented. Priority ordering can be established using various techniques, including risk
ranking and cost-benefit analysis.
In developing its own risk management methodologies since 1991, the NHS has paid
particular attention to the development of criteria for evaluating risks and benefits, and
has devised a decision methodology and associated computer software to aid the
setting of priorities for implementing risk treatment options based on risk ranking and
cost-benefit analysis.f, g, h, i
Numerous methods have been devised to assist with investment decision-making in
risk management (e.g. refer to endnotes j and k). The decision analysis method
employed in the NHSs PRIORITY module, forming part of the SAFECODE risk
management software, is based on the Simple Multi-Attribute Rating Technique
(SMART). Because of the simplicity of the responses required by the decision
maker(s) and the manner in which these responses are analysed, SMART has been
widely applied.l The analysis involved is transparent and the method usually results in
an enhanced understanding of the problem, leading to more robust decision making.
In the context of risk management it is desirable to optimize risk treatment options on
the basis of value for money or, expressed another way, cost-benefit. PRIORITY
utilizes a SMART model which trades off the costs and benefits of investing in
competing risk investment opportunities. With reference to Figure 4, costs are
defined in terms of capital and/or revenue expenditure, and principal benefits are
expressed in terms of risk reduction and additional benefits (e.g. quality
improvements). In the model, users can define a maximum of six risk and six
11
benefits attributes. Figure 4 shows the default attributes relating to use of the
model in a healthcare environment. Each attribute is weighted and assigned a value
function' (i.e. various options are defined, each with an associated value, or scoresee
Table 2) and the performance of the proposed risk treatment is measured (i.e. rated)
against each attribute, by selecting the relevant option, to determine the overall
benefit rating. Risk reduction is measured by rating the risk attributes (in terms of
most likely consequences and likelihood) both before and after making the
investment. The risk before minus the risk after is a measure of the risk reduction
potential offered by the investment. The overall benefit rating is calculated by adding
the risk reduction and additional benefits and is expressed as a number between 0 and
100, and the cost per unit benefit (cost/benefit) is calculated by dividing the
equivalent annual cost of the investment by the benefit rating to give a measure of
cost effectiveness.
Benefits
Costs
Capital
Revenue
Additional
benefits
Risk
reduction
Contract
volumes/
activity
Personal injury/ Civil claim/

ill health
compensation
Enforcement
action
Property
damage/loss
Clinical
care
Operational
delay
Physical
environment
Staff
requirements
Patient
requirements
Public/
political
perception
Loss of
reputation
Figure 5: SMART model for healthcare risk management

cost-benefit prioritization
Figure 6 shows an example of use of PRIORITY for ranking various risk treatment
options in a hospital. In this instance ranking is by risk rating (RR). Note that the
cumulative year 1 cost column helps identify which investments can be authorized
given budgetary constraints. Proposed investments may also be ranked by risk
reduction potential (RRP either in terms of units of risk reduction, or as a percentage
risk reduction where 100% is equivalent to elimination of the risk), cost per unit risk
reduction (CR a measure of cost effectiveness), or year 1 cost.
Figure 7 shows another example using the same spreadsheet but this time ranked on
cost per unit benefit (CB), where benefit is expresses as the weighted sum of the
risk reduction potential plus all the additional benefits (see Figure 5). Risk treatments
can also be ranked (prioritized) by benefit rating (BR), net present value (NPV),
equivalent annual cost (EAC), and timescale for implementation (TS expressed in
anticipated weeks to implement the risk treatment). The latter ranking option is useful
when approaching an end of year with money to spend!
In UK hospitals, the methodology outlined above is used not just for prioritising
general risk treatments, but for prioritising specific risk areas such as medical
equipment purchase, backlog maintenance plans, audit plans, infection control, etc.
12
Figure 2: Sample attributes and value functions

Value function
Consequence/outcome/option
Attribute (weight)
value
(score)
Injury/Ill health (100)
1)
2)
3)
4)
5)
6)
7)
8)
9)
None/not applicable
Minor injury/ailment one person
Minor injury/ailment 2 or more people
Serious injury/ailment one person
Serious injury/ailment 2 or more people
Major injury/disease one person
Major injury/disease 2 or more people
Single fatality
Multiple fatalities
0
5
10
40
60
75
85
95
100
Civil claim/compensation (30)
1)
2)
3)
4)
5)
6)
7)
None/not applicable
Less than 1000
1000 5000
5000 10000
10000 50000
50000 100000
More than 100000
0
17
33
50
67
83
100
Enforcement action (50)
1)
2)
3)
4)
5)
None/not applicable
Letter
Improvement notice
Prohibition notice
Legal action
0
25
50
75
100
Property damage/loss (20)
1)
2)
3)
4)
5)
6)
7)
None/not applicable
Less than 1000
1000 5000
5000 10000
10000 50000
50000 100000
More than 100000
0
17
33
50
67
83
100
None/not applicable
Minor (hours)
Moderate (days)
Significant (weeks)
Lengthy (more than 1 month)
0
25
50
75
100
Operational delay (20)
8)
9)
10)
11)
12)
Loss of reputation (30)
1)
2)
3)
4)
5)
None/not applicable
Minor
Moderate
Significant
Major
0
25
50
80
100
Contract volumes/activity (40)
1)
2)
3)
4)
5)
Not applicable
Minor improvement
Moderate improvement
Significant improvement
Major improvement
0
25
50
75
100
Clinical care (80)
1)
2)
3)
4)
5)
Not applicable
Minor improvement
Moderate improvement
Significant improvement
Major improvement
0
25
50
75
100
Staff requirements (50)
6)
7)
8)
9)
10)
Not applicable
Minor issue
Moderate issue
Significant issue
Major issue
0
25
50
75
100
Public/political perception (30)
11)
12)
13)
14)
15)
Not applicable
Minor issue
Moderate issue
Significant issue
Hot potato
0
25
50
75
100
13
Figure 6: Example PRIORITY spreadsheet (1)
Figure 7: Example PRIORITY spreadsheet (2)
14
Conclusions
This paper has summarized developments in corporate and clinical governance,
controls assurance and risk management in the NHS in England. The use of the
European Foundation Quality Model as an over-arching quality improvement model
has been briefly discussed. The latest revision to the Australian/New Zealand Risk
Management Standard, AS/NZS 4360:1999, has been described and some of the work
ongoing in the NHS to map existing risk management activities to the Standard has
been identified. Much work remains to be done to improve governance and risk
management in the NHS. It is planned that the core of the NHSs risk management
approach will be based on AS/NZS 4360:1999. Readers are encouraged to visit the
controls assurance website in http://www.doh.gov.uk.riskman.htm to keep abreast of
developments (NB. this website is currently under construction, but will increasingly
be developed as the focal point for governance, controls assurance and risk
management in the NHS in England).
References
a
Committee on the Financial Aspects of Corporate Governance 1992, Report on the

financial aspects of corporate governance, Gee Publishing.
Clinical Governance: Quality in the new NHS, HSC(99)65.

http://tap.ccta.gov.uk/doh/coin4.nsf
Corporate governance and controls assurance, HSC(98)70.

NHS Executive 1993, Risk management in the NHS.
SAFECODEA health and safety management tool for the NHSImminent issue to the
NHS in England, EPL(94)34, September 1994.
Insurance in the NHSemployers'/public liability and miscellaneous risk pooling,

HSC(99)21.
Emslie, S. V. & Lowe, R. F. 1995, SAFECODE and successful management of

health and safety risk in the National Health Service, Journal of Health Informatics,
vol. 1.
h Emslie, S. V. 1997, A cost-benefit methodology for setting effective investment priorities for
safety in health care facilities, keynote paper, Northern California Healthcare Safety
Association, 4th Annual Conference, Sacramento, California, 1011 September.
i
SAFECODE Ltd, University of Strathclyde, 141 St James Road, Glasgow,

Scotland, G40LT.
http://www.safecode.co.uk.
Rowe. G., Setting safety prioritiesa social and technical process, Journal of
Occupational Accidents, vol. 12, pp. 3140.
Risk ranking, Health and Safety Executive contract research report CRR131, 1997,
ISBN 0 7176 1344 5.
Goodwin, P. & Wright, G. 1991, Decision analysis for management judgment,

John Wiley.
15
Personal accountability for clinical care in

the British NHS
Geoffrey Haynes1
Introduction
The whole question of Governance begs the question of the difference it should make
to basic good management practice. I would suggest that Governance involves
management plus, certainly in the British public services, five other factors. They are
A structured environment
Governance requires a management agenda that provides for a structured assessment
of performance. This makes seat of the pants management less appropriate although
there always needs to be a level of intuitive reaction to circumstances that face the
service.
Defined responsibilities
With the need to be able to give account, comes the requirement for defined
responsibilities that can be audited. In my view this agenda can only be taken forward
successfully if individual officers are completely clear about what is expected of them.
Only then can they give the assurances that governance requires.
Systematic checks
There is the inherent need to provide for a regular scrutiny of the management
environment so that assurances are backed up by knowledge of specific performance
at the time the assurance is given.
Public scrutiny
Within the British and most probably Australian health system, the manager must
assume that any or all of his/her actions will be subjected to public scrutiny. This will
take the form of accountability at public meetings but may often come via media
interest in a particular issue.
Personal accountability
Linked to all the above is the personal accountability of the Chief Executive of the
health body for the overall performance of the organization. As discussed below, this
now extends to accountability for clinical services, even where the CEO is not a
clinician. The British system describes that role as the accountable officer.
1. Chief Executive, Hastings and Rother NHS Trust, UK.
17
The British healthcare system of accountability

Under the current arrangements for healthcare in Great Britain (particularly, as far as
the detail is concerned, the English model) the way health resources are allocated and
the process of accountability for their use are dissimilar. Government money is
distributed to Health Authorities whose responsibility is to commission healthcare
for their population. They are not, primarily, providers of care although General
Practitioners performance is monitored by the Health Authority. Their primary task
is to place contracts, or agreements, with health providers, mostly NHS Trusts. NHS
Trusts, in their turn are accountable for the spending of the money, not to the Health
Authority but directly to the Government Health Department. This can introduce
conflict where, for example, a Health Authority contracts for a certain level of activity
with the Trust which is then difficult to achieve at the cost agreed. The accountability
for the financial balance of the Trust is to the Government direct and therefore that
may become the overriding priority for the Trust Chief Executive at the expense of
the activity figures, which would be the Health Authoritys first concern.
UK Government
Department of Health
MONEY
Regional Offices
Health Authorities
ACCOUNTABILITY
NHS Trusts
Chief
Executive
primary care
direct services
direct services
The NHS Trust Chief Executive

Chief Executives (CEOs) are held personally accountable to Parliament for both the
financial performance and the governance of their organizations. This year the
Secretary of State has extended the governance duties to include clinical quality. In
effect therefore the CEO is accountable for all the functions and outputs of the
organizations they manage. Via the Chief Executive of the NHS, Sir Alan Langlands,
they are also accountable for the day to day operations of the Trust. The combination
of these duties means that a heavy personal burden falls on the CEO.
18
Personal accountability for clinical care in the British NHS
NHS Trusts employ all their staff directly, including all doctors. They agree
disciplinary procedures and set up local arrangements to monitor quality in all its
manifestations; they are responsible to take action when standards slip. They are
legally independent bodies within a national Government healthcare system and their
legal duty is to do four things:
1) to balance revenue income and expenditure;
2) to live within an External Financing Limit (EFL) for capital expenditure;
3) to make a 6% return on capital assets; and
4) to deliver the clinical quality and governance agendas.
Some dilemmas
Carrying these responsibilities introduces dilemmas for the individual. Some
examples would be:
1) Personal accountability is held for objectives that politicians could stop
happening. An example would be the need to close a facility to contain costs
which a local politician successfully campaigns to keep open leaving the CEO no
other options.
2) A manager attempting to monitor clinical performance can find his freedom to
influence practice obstructed by the argument that doctors must have the clinical
freedom to decide how they wish to treat individual patients.
3) Professional bodies exert pressure to adhere to certain standards without offering
any funding route to achieve those standards. Failure to attain to some standards
thus set could result in the removal of recognition for training and hence the
inability to recruit junior doctors.
4) Politicians priorities may not reflect health priorities, leading to effort and
resources unwisely directed.
5) Seeking someone to hold to account can introduce a name and shame culture.
Good managers need to be careful to resist passing that on within their own
organizations.
6) Most clinical items for which the CEO is held accountableall in many cases
are outside the direct personal competence of the individual. Most CEOs are not
doctors.
Living with personal accountability

The position of the CEO is not all one of overwhelming difficulty in this area. The
accountability adds a very useful mandate to the manager that can even the balances
in discussions with eminent physicians. It does encourage a climate of mutual trust
and respect between professionals and it aids the process of setting priorities. The
position of the CEO within the organization is therefore clarified beyond doubt and
this is of considerable benefit when difficult personal agendas are being confronted.
It also, of course, gives the odd sleepless night!
In conclusion
Other than in very high profile cases, the general principle of accountability has yet to
be seriously tested in the UK. Will an otherwise competent CEO be removed from
office because of a clinical blunder in a minor specialty that, optimally, should have
19
been prevented? What will be held to be reasonable in terms of mitigation? One of the
reasons I have taken a close personal interest in the Controls Assurance programme in
the UK is because I believe it offers people in my position a defence against an
allegation of incompetence. In any organization problems will occur; the question is
whether that organization can demonstrate that it has dealt responsibly with potential
risk and has taken pragmatic steps where it can to mitigate that risk. The Controls
Assurance agenda in the UK offers that kind of reassurance.
The question for most of us is not will it happen but when will it happen and then,
how well can I defend what I have done and how I have protected the patients under
our care.
That done, we wait and see what accountability will bring.
20
Assurance for the Board

Geoffrey Haynes1
Introduction
One of the key requirements of the modern health service Board is to be reassured
that systems of control are properly in place so that risk can be seen to be minimized.
Not only is this good management practice but in the British healthcare system it is a
statutory requirement, reference to which has to be made in the formal annual report
of the body concerned. This article describes how one NHS Trust has approached the
question of assuring the Board.
The key task

Over the last decade there have been a number of governance initiatives both within
industry generallyparticularly in the financial sectorand in the public services.
They have arisen as a result of dramatic breaches in company systems that have led to
serious losses. The names of Polly Peck, Barings and BCCI say it all.
In the UK health service this has led to three specific initiatives, all linked. The first is
the response to the Cadbury report on corporate governance ensuring that health
business is conducted in an open and defensible way. The second is the clinical
governance initiative, designed to bring the same principles into the clinical treatment
area. The third, and the main topic of this chapter, is the Controls Assurance (CA)
project which attempts to systematize the process of checking that appropriate action
in all these areas is being taken. It may come as somewhat of a surprise to hear that
clinical governance is part of the CA agenda but my contention is that it must be
integral to the whole control process. More of that later.
Pri
ANY
SYSTEM
ctic
nci
p
les
Any process can be challenged in three ways; you can examine and deal with the
principles that underpin it, you can change the practices within it or you can look at
the verification process to see whether it works. The CA process chooses the latter
path as, with health systems which tend to be complex, this is the most straightforward
route.
Pra
A way in to any system
Verification
1. Chief Executive, Hastings and Rother NHS Trust, UK.
21
The verification element

CA deals with verificationthe checking to see whether a health system can
demonstrate that its processes are protecting the organization against undue risk. No
system is totally risk free and in a health environment there are inbuilt risks that
cannot be averted. Nevertheless sensible measure can, and should, be taken.
Using CA as the way into risk management has a number of advantages in the UK:
a) The NHS Executive have placed a time limit on its introduction. This takes away
the shall we, shant we issue. We have to do it; and we have to do it by a given date.
b) That element of requirement, with the detail that sits behind it, gives every chief
executive a mandate to take action in his or her organization.
c) The other advantage that the CA programme has is that it has an inherent logic
to it that is difficult to deny. That always helps!
A little local colour

It sometimes helps to know who it is that is describing an initiative. Is their
organization so straightforward, so different from mine that the lessons are not
transferable? Here therefore is a brief pen picture of Hastings and Rother NHS Trust.
We are an integrated NHS Trustthat is one that provides the whole range of acute,
community-based services and mental healthcare in a given area. We spend around
A$190m every year on health provision and we employ around 2600 people, including
over 60 consultant medical staff. We are based on the south coast of England, 60 miles
south of London. We have a new acute hospital and serve just under 200 000 people.
As well as the acute hospital site we have 5 other hospitals, 4 community clinics, 4 day
hospitals and 2 mental health resource centres. We are the major employer in our area,
over twice the size of the next largest organization, in a socially mixed area with high
unemployment and social deprivation. There is a sharp contrast between poor urban
and rich rural areas.
Maybe you relate to some of that.
What have we done?
In 1995 we were asked to consider trialling a commercial product from, then, Coopers
and Lybrand (now PriceWaterhouseCoopers) called In-Controls (an abbreviation of
internal controls). This had been used in the commercial sector with some success
and the Department of Health wanted to see whether it had a health application. That
pilot ran for a couple of years and it led to us developing our own control methodology
around a database called CONFHRM. The name is simply an acronym of CONtrol
Framework for Hastings and Rother Management. We ran the project out across the
organization during 1998, and are now using it to monitor the whole risk environment
of the Trust. Its prime function, unsurprisingly, is to confirm to the Trust Board that
processes are in place and working. It has a management utility function also however,
that makes it a useful tool for operational people.
22
How do we feel about Controls Assurance?

Firstly, we take this as a real management opportunity rather than just a necessary
chore. It is a very good discipline for managers and should reassure the good ones that
their competence can be recognized in a systematic way. It helps the less good to
structure their management agenda.
Actually doing it is a stimulating process if it is introduced correctly, although we
recognize that the initial work is quite demanding and, in the UK environment, the
timetable was tight.
The steps needed to deal with the potentialas I write!Millennium Bug are a good
demonstration of why such a process is needed. Any method that needs to be
thoroughly checked needs some sort of structured system to handle that process,
otherwise chaos ensues. No one would dream of not having a project plan for the Bug,
yet other risk management issues can be relegated to a much more laissez faire
approach.
To give the project its proper emphasis, we made its implementation one of the
organizations key corporate objectives for three consecutive years. As the
achievement of those objectives touches the pay packet, this was a useful incentive!
Current completed work

We carried out a high level assessment, with Coopers help, which resulted in an
organizational risk map being drawn. This was done by myself and other Executive
team membersa feature of our approach. We believe there is much strength in
seeking the views of junior staff but that the process must flow from the whole-system
view of senior management.
Each individual manager undertook workshops with their own people in order to take
the risk map and expand it to fit the necessary level of detail required by the database.
The CONFHRM database was written in-house in standard computer format and it
has since gone through a number of revisions and updates to meet operational
requirements. We envisage that it will keep evolving permanently. If you wish to see
it, visit our web site at www.harnhst.demon.co.uk and download a demonstration
version.
We held three Trust Board seminars to seek from the members a view of what they
want to be shown in terms of evidence of compliance. That resulted in CA being a
standard agenda item on each of our Board meetings now, with a tenth of the
organization surveyed each monthwe do not meet in August and the December
meeting tends to concentrate on mince pies (a Christmas delicacy here!).
We carried out an extensive communications exercise to explain to all our people what
it was we were doing and why. That formed part of the normal communications
programme within the Trust and the issue sat alongside updates on performance, staff
changes and finance etc.
Now the system is in use live and there is a real buzz around the way it is helping to
structure our work.
We already do that
A comment often made is that health organizations already have systems to check on
things like audit, health and safety, clinical governance etc., so why is another one
needed? We too had such systems, and still do. The point of our CONFHRM
approach is that you can integrate existing systems by cross referencing to them in the
23
database. So significant duplicationand the sense of implying that perfectly good

work has been supersededis avoided.
The Hastings control framework

Our approach is based on a top-down review around three key areasoperational,
financial and compliance. The first covers anything that moves (as well as most things
that dont!), the second is obvious and the third pertains to any issue with a regulatory
requirement attached to it. That can range from the common law to health service
formal procedures implemented locally or nationally.
I make executive directors personally accountable for an area of the database. The
reason for that will be explained later. The process can cover all risk typesincluding
clinical governance which, in essence, is about avoiding clinical risk. The whole
system revolves around the use of a central database to which everyone has access via
the local network.
The thinking behind the system

We have chosen to take a very top down approach for a number of pragmatic reasons.
Firstly only senior managers have the whole-system view that is essential if this
process is to be comprehensive. Those of us in senior management positions
sometimes forget how limited in understanding of the organization most other
employees areeven very senior, distinguished and influential ones. That is not a
criticism. If you have spent your career becoming a world expert in oncology or
engineering you are not likely to have a broad understanding of how a complex health
system like the UK NHS works. You may not even be aware of the workings of your
own hospital outside your own area. And why should you? The people who do know
those things are those with system responsibility and we chose to use that knowledge
as the basis for our approach.
Senior managers are also ultimately accountable and must therefore control the
processthey are the only ones who can make sure that the whole agenda does not
get out of hand in scope, and they can deliver significant corporate messages to other
staff. It is also necessary to ensure that the database remains fundamentally as the high
level tool it was designed to bealbeit useable by those lower in the organization as
subsets of the main records.
When the time comes to mandate managers with responsibilities, it is the senior
manager who must make sure that tasks are do-able and acceptable to the individual
concerned. And finally in this section, it is the senior person who must produce
reports that are meaningful and used by their recipients.
CONFHRM
The database consists of simple fields to capture risk information. It is designed so that
failure to complete key fields will mean that the record is not accepted so
completeness is ensured. It offers the option of creating sub-risks so that managers can
delegate component parts of their own responsibility to subordinates, requiring of
them the same discipline in completing compliance records. Initially I asked that all
entries to the database be made by executive directors who are the accountable officers
for each area. This ensured familiarity with the software and commitment to the
system. Latterly this has been relaxed although a close watch is kept on entries and the
executives, as part of the Steering Group, monitor each other at Group meetings when
the database is projected on to the wall for common critique. The Group also checks
for consistency and in particular vets the priority fields in this regard. The software
24
contains an historic change record that ensures users do not attempt to subvert the
database if a task is not to their liking! It has the capacity to generate routine or bespoke
reports, and, most significantly for us, it is accessible on the Trusts intranet and is
therefore available in real time to all users.
Using the database

To use it, simply identify a risk area and decide on a level that covers the basic risk
principle. This means that the database will not contain thousands of individual risks,
merely high level principle areas. For example we would have as a risk principle the
risk of employing unqualified staff by accident. The action associated with it would be
to have in place a system of checking qualifications on appointment. The HR Director
would therefore not need to detail such systemsthe Board is not interested in that
level of detailjust give me an assurance that such systems exist and are functioning.
The relevant fields are then completed and a decision is made on the levels of
likelihood and significance. That is, how likely is it to happen and, if it does, how
serious would that be for the Trust? Those are rated on a simple scale.
Then it is necessary to decide on a control option. The drop down menu offers you
4 alternatives:
controlput a procedure in place;
acceptaccept that little or nothing can be done;
transfermove the risk to a third party e.g. a supplier or insurer; and
terminatestop the activity as it is too risky.
Names are then addedvery important. This needs to be an identifiable persons

problem, not the title of a post.
Then a check frequency and any notes and the system will then add the record to the
database. For most risks, you only need to do all this once.
Finally the accountable people allocate subordinates for their own tasks by using the
sub-risk option, and the process continues. When the check date arrives, the
responsible person enters the database and completes the compliance field. At the
predetermined intervals a report is prepared to go to the Trust Board, hopefully
assuring them that all is well.
What are we trying to do?

We have two main objectivesone is to reinforce a climate of accountability without
creating unnecessary stress on individuals and, secondly, we are trying to help staff to
understand that to be held to account for actions is a sign of approbation and
confidence, not the reverse.
In summary
for us, it has to be done;
it can be very constructive;
it needs Board level commitment;
the process can be straightforward;
it should be led by senior management who can control it; and
it will lead to better risk control.
25
The introduction of clinical risk pooling and

clinical risk management standards within
the National Health Service
Steve Walker1
The 1990s was a period of massive change in the management of the National Health
Service and in the way the National Health Service managed its clinical negligence
liabilities.
Prior to 31 December 1989 most claims were dealt with by the Medical Defence
Organizations, the professional bodies to which individual clinicians belong, funded
by membership subscriptions.
Risk management, as with most defence organizations at that time, was largely on an
ad hoc basis and claim volumes were relatively low, but rising towards the end of the
period.
Because of the growth in claim numbers, and the effect of inflation, judicial and
otherwise, on claim values, the funds available to the MDOs were under some
pressure, and a deal was struck with the Department of Health, whereby, in exchange
for a one-off payment for 70 million, the Department of Health would provide an
indemnity against all outstanding claims and all future claims made against the
employees of the National Health Service.
Interestingly, almost all claims prior to 1 January 1990 had been dealt with by two
firms of solicitors, one each being the practice of choice for the two principal Medical
Defence organizations.
With the introduction of NHS indemnity, delivered through Health Authorities and
Regional Health Authorities, the number of legal practices spread so that the
Litigation Authority eventually inherited about one hundred in England alone.
On the 1 April 1991, a further major development occurred with the creation of NHS
Trusts, bodies created expressly to manage individual hospitals or groups of hospitals
in geographical proximity. This was the creation of the so-called Internal Market.
Trusts had a degree of financial independence, which their Boards and management
welcomed, but, in addition, an exposure to financial liabilities, something with which
they were less comfortable.
They did not inherit Health Authority existing liabilities, even if the liabilities arose
from events at the same hospital. Those liabilities remained and remain with the
Health Authority.
For the first time in the history of the National Health Service, Trusts were allowed
to purchase commercial insurance policies. They did this as many trading
organizations do, but there was no market for clinical negligence liability cover.
1. Chief Executive, NHS Litigation Authority, UK.
27
Directors of Finance recognized the potential risk of exposure, even of insolvency, and
sought assistance and guidance from the centre in finding a solution.
Throughout 1993 and 1994 there was considerable debate and consultation under a
Clinical Negligence Working Group, which heard evidence from many and varied
sources, from within and without the public sector. The almost unanimous
conclusion was that a risk pooling arrangement was the optimum solution funded by
member Trusts on a pay-as-you-go basis. This became the Clinical Negligence
Scheme for Trusts (CNST), a voluntary membership scheme to which 98% of Trusts
belong at present.
It was at this point that ideas about risk management began to cohere, not least because
it was at this point that it was first realized that there was an ability to record, manage
and analyse a comprehensive claims database for the first time in the history of the
National Health Service.
Almost everyone who had been consulted about the risk pooling scheme considered
the incorporation of a risk management programme to be an essential component.
Even slowing down the growth in costs, much less reducing it, made risk management
critical.
Further, when invitations to quote for the management of the proposed pool were put
out to tender, all serious contenders came forward with risk management
programmes associated with their bids.
The winning bid was a joint effort, incorporating claims management by the Medical
Protection Society, one of the MDOs mentioned earlier and risk management by
Willis Corroon, now Willis, the insurance brokers.
Partly because the concept was so new to the NHS it was generally agreed that risk
management should begin with the lowest common denominator, that is to say it
should be process driven in respect of basic ancillary activities, rather than focussing
on clinical practice. No doubt there were political influences at play in this decision,
too.
It was, however, always perceived that the initial standards would be progressively
developed, expanded in the light of the accumulating claims database and eventually
move into clinical practice.
The initial standards against which Trusts are assessed by clinically qualified
personnel are:
Standard No. 1
The Board has a written risk management strategy that makes their commitment
to managing clinical risk explicit.
Standard No. 2
An Executive Director of the Board is charged with responsibility for clinical risk
management throughout the Trust
Standard No. 3
The responsibility for management and co-ordination of clinical risk is clear.
Standard No. 4
A Clinical Incident Reporting System is operated in all medical specialities and
clinical support departments.
Standard No. 5
There is a policy for rapid follow-up of major clinical incidents.
28
The introduction of clinical risk pooling and clinical risk management standards within the National Health Service
Standard No. 6
An agreed system of managing complaints is in place.
Standard No. 7
Appropriate information is provided to patients on the risks and benefits of the
proposed treatment or investigation, and the alternatives available, before a signature on a Consent Form is sought.
Standard No. 8
A comprehensive system for the completion, use, storage and retrieval of medical
records is in place. Record-keeping standards are monitored through the clinical
audit process.
Standard No. 9
There is an induction/orientation programme for all new clinical staff.
Standard No. 10
A clinical risk management system is in place.
Standard No. 11
There is a clear documented system for management and communication
throughout the key stages of maternity care.
And we are currently completing a trial of three additional standards.
Standard No. 12
Clinical Care: There are clear procedures for the management of general clinical
care
Standard No. 13
Mental Health and Learning Disabilities: Management of care in Trusts providing Mental Health and Learning Disability Services.
Standard No. 14
Ambulance Service: There are clear procedures for the management of clinical
risk in Trusts providing ambulance services.
Later this year we will be, as it were, getting closer to clinical practice and consulting
on standards relating to:
Oncology
Neonates/Paediatrics
Pathology
Incident Reporting
Training
Implementation of CHI and NICE recommendations
Discounts against contributions are allowed as an incentive to compliance at various

levels.
The final piece of this jigsaw is the incorporation of CNST standards into the
Corporate Governance Programme of the NHS.
29
The Bristol Paediatric Cardiac Surgery

Inquiry
Dr Isabel Sanderson1
The purpose of Clinical Risk Management is to identify, analyse and set up systems
to contain the consequences of errors and adverse outcomes in medical practice. In
reality it is not possible to eliminate every unintended consequence of professional
practice, but the aim of an effective clinical risk programme, is to prevent avoidable
incidents which may cause harm to patients both physically and emotionally and
which may also result in the payment of damages by the professional provider. When
major errors occur and are publicized by the media, there is an understandable public
and political concern about issues of patient safety and it is instructive to look at
specific examples to see how such disasters may be avoided.
In June 1998, The General Medical Council (the UKs registration body for medical
practitioners) completed the longest (eight months) and most expensive
(>2.2 million or approx or A$5.5 million) disciplinary enquiry ever undertaken. As a
result of the disciplinary enquiry three doctors, one of whom acted purely in a
management capacity, were found guilty of serious professional misconduct and two
were suspended from the medical register. The third doctor, although he did not lose
his registration, was subsequently dismissed from his consultant post. The case against
the doctors arose from a series of disquieting observations that the results of Paediatric
Cardiac Surgery at Bristol Royal Infirmary, a major University centre in the south
west of England, were significantly worse in terms of morbidity and mortality than the
results of other centres. Concerns wee first expressed in 1988 by an anaesthetist who,
new to the unit, noticed that operations took longer than in other centres where he
had worked. In that year the DHSS (Department of Health and social Security)
undertook an audit that was never published but the conclusion was that Bristol
results were significantly worse than elsewhere. There was no inquiry following this
audit but the funding of the unit was increased. The anaesthetist who had made the
original observations remained concerned and between October 1991 and July 1992,
with another colleague, undertook a systematic review of outcomes. In 1992 the Royal
College of Surgeons of England, after an external investigation, unsuccessfully called
for the unit to be dedesignated. In 1994 an expert Cardiac surgeon in a report for the
DOH (Department of Health, successor to the DHSS) recommended that a
particular operation, the switch operation should be stopped and in 1995 a further
report identified the senior of the two surgeons involved as a higher risk surgeon.
This report was rejected by the hospital, which commissioned an internal study. In
1996 the internal report confirmed that two particular operations did not compare
well with the results at other hospitals. By June 1996 a number of parents of children
who had died or suffered morbidity from cardiac surgery had become aware of the
general concerns about the quality of care pro iced to their children and petitioned the
GMC demanding an inquiry. The registration body acquiesced and the inquiry
commenced in October 1997.
1. Independent Medico Legal Services, London, UK.
31
The cases against the three doctors were restricted to a consideration of two particular
operations, the repair of atrio-ventricular septal defects, in which 9 out of 15 patients
died, and switch operations for the congenital defect of transposition of the aorta and
pulmonary arteries in which 20 patients out of 38 died. In all, out of 53 operations, 29
patients died and 4 were brain damaged. The senior surgeon, who was also the medical
director of the hospital, was found guilty of serious professional misconduct on the
basis that he continued to perform operations to correct A-V septal defects despite
concerns expressed by colleagues about his high mortality rate, that he did not seek
retraining or advice and that he acted against the best interests of patients by
permitting his more junior colleague to perform the switch operations, he was struck
off the register. His junior consultant surgical colleague was also found to have failed
to analyse his own performance and to have failed to pay sufficient regard to the
patients best interests. He was found guilty but his name was not removed from the
register. The third doctor, not a surgeon, who was employed as the chief executive of
the hospital was found not to have taken action to stop the operations despite
colleagues concerns. He too was struck off the register. This is believed to be the first
case of a doctor being disciplined by the GMC whose involvement in patient care was
purely in a management capacity.
The case before the GMC was of great interest and concern to a wide range of opinion,
not only the involved witnesses but also the wider public, the profession, the media
and politicians. The GMC recognized the importance of the case by formally revising
its advice to doctors in its booklet Good medical practice. The most important changes in
its advice were to identify the importance of the individual doctors need to recognize
the limit of his own professional competence, the need to keep up to date with
advances in medical practice, the importance of working in teams and, in a complete
about turn of the classical advice not to disparage other doctors, to recognize the need
to protect the interests of patients by reporting concerns about a colleagues conduct
or practice to the employing or regulatory body.
The then Secretary of State for Health in a statement to parliament following the
result of the GMC deliberations announced his intention to hold a public inquiry and
intimated the governments plans:
a) to set up an Institute of Clinical Excellence to set national standards of clinical
care;
b) to require hospital doctors to participate in national external audit; and
c) to enable patients and general practitioners to obtain information on the treatment success rates of local hospitals. He expressed the hope that nothing like it
happens again.
Professor Ian Kennedy, Professor of Health Law, Ethics and Policy in the School of
Public Policy at University College, London was appointed Chairman of the Inquiry
with a supporting committee of experts and an advisory group of relevant clinical
experts who have reviewed a proportion of the clinical cases. The remit of the public
inquiry is far wider ranging than the GMCs. The terms of reference state the purpose
to be to inquire into the management of the care of children receiving complex
cardiac surgical services between 1984 and 1995 and relevant related issues, to make
findings as to the adequacy of the services provided, to establish what action was taken
both within and outside the hospital, to deal with concerns raised about the surgery
and to identify any failure to take appropriate action promptly, to reach conclusions
about the events and to make recommendations which could help secure high quality
care across the NHS.
32
The Bristol Paediatric Cardiac Surgery Inquiry
The first phase of the inquiry was completed at the end of 1999 and the preliminary
report is expected later in the Spring of 2000 with the final report due in the Autumn
2000. The inquiry is currently in the second phase of a series of seminars on such
topics as performance and leadership with the involvement of a wide range of
distinguished participants from the private and public sectors.
For a full appraisal of the extensive witness and expert evidence it will be necessary to
await the publication of the full report but already some disquieting information is
available which extends the concerns about the cases to matters other than the
individual competence of the doctors involved. Although the remit of the GMC
disciplinary committee is to establish the responsibility and culpability of individual
doctors the findings of the expert panel advising the public inquiry, who were asked
to undertake a detailed analysis of a selection of the nearly 2000 cases being
considered, shows that there were important factors at play other than the individual
competence of two doctors. The panels findings remind us of the importance of a full
root-cause analysis of major mishaps and the need to avoid the appearance of a witchhunt against individuals.
The inquiry panel commissioned clinical experts who worked in multi-disciplinary
teams, to review the cases of 80 children covering a total of 100 procedures of cardiac
surgery selected at random from the nearly 2000 cases undertaken between 1984 and
1995. The sample was deliberately weighted towards younger children undergoing
open-heart surgery and towards those who died.
Initial analysis showed that 50% of the children in the sample received adequate care.
A further 20% received care that was less than adequate but different management
would have made no difference to the outcome. In the remaining 24 cases (30% of the
total) it was concluded that different management might have made or could
reasonably be expected to have made a difference to outcome. In only 9 of the 100
procedures assessed was it considered that different conduct of the surgical procedure
might have or would probably have made a difference to outcome.
While it is important not to ignore the effect of less than optimal competence on the
part of the surgeons it is equally important to recognize the other factors involved
which the experts identified. Aspects of pre-operative care, surgical care and postoperative care were all mentioned as well as problems of communication and
difficulties arising from the way the Bristol service was organize.
All those of us working in the field of risk management would share the Secretary of
States wish that such a disaster would not be repeated but a recent statement of intent
from the President of the United States of America reminds us how difficult it is to
make effective systematic arrangements to ensure the prevention of harm to patients.
The USA has had about a twenty-year head start over the UK and Australasia in the
development of Clinical Risk programmes and yet in a recent New York Times report
an Administration official announced the Presidents intention shortly to order all
hospitals in the Unites States to take steps to reduce medical errors that kill tens of
thousands of people each year andto urge states to require the reporting of such
errors. The announcement follows a report on medical errors by the US National
Academy of Sciences.
Could Bristol have been avoided? Probably, if existing systems had worked well. Will
it happen again? Sadly, in spite of the best efforts of many well-intentioned people,
something similar possibly may occur again but probably not at Bristol where the
details of the distressing events and the complexities and raw emotions of the GMC
and public inquiries are likely to linger long in the memories of the professional and
management staff.
33
References
General Medical Council 1998, Good medical practice, London.
The New York Times, February 22, 2000.
Bristol Inquiry website: www.bristol-inquiry.org.uk.
34
Controls assurance
Involving the Board
Tim Crowley1
Background
The National Health Service is at the forefront of good governance in the public
sector. On the firm foundations of Audit Committees, Codes of Conduct, Model
Standing Orders etc., the principle of Boards making public statements on risk and
control has been set in train. Since 1997/98 statements have been made on internal
financial control; the recently issued HSC(99)123 outlines the wider organizational
control statements that take effect from 1999/2000; and the prospect of convergence
with the clinical governance agenda, resulting in an all controls statement has been
signposted.
The overarching initiative behind this work is the Controls Assurance Project which
can be defined as follows: With existing resources, used to best effect, what assurance
can be gained? This is supported by the following project principles:
involving people;
integrating functions;
consolidating and rationalizing frameworks.
At its simplest, controls assurance is a process designed to provide evidence that NHS
organizations are doing their reasonable best to manage themselves so as to meet
their objectives and protect patients, staff, the public and other stakeholders against
risks of all kinds. It is a basis for Chief Executives, as accountable officers, to discharge
their responsibilities. Similarly, it will support Sir Alan Langlands, as Accounting
Officer, in the provision of assurances to Parliament and the public.
Essentially, the Project is founded on the principle that assurance is built upon
systems and cultures that involve people. To that end much of the pilot work and
guidance has centred upon techniques to engage wider groups of NHS staff in
understanding and reporting upon risk within their areas of responsibility. Also, there
has been an emphasis on ensuring that there is top down commitment, which should
be initiated through a Board level consideration of key risks.
This chapter sets out one example of that pilot site work. It has been undertaken by
Mersey Internal Audit Agency and provides a practical insight into securing Board
level involvement.
1. Director of Audit Services, Merseyside Internal Audit Agency, NHS, UK.
35
An overall approach
Before focusing in upon a specific approach at Board level it may be helpful to step
back and consider the overall assurance cycle. The diagram below seeks to establish
the steps in such a process together with the range of tasks that an organization might
consider to move forward.
Communicate and discuss
assurance reporting
Conduct top level review linked
to objectives
Identify key risks on the basis of
probability and impact
Utilize risk checklists and other
guidance
Take stock and evaluate the
adequacy and effectiveness of
existing controls
Set out actions to manage risk
Conduct self assessment
workshops as part of risk
management
Board assessment
of key risks
and controls
Wider organizational
assessment of
risk and culture
Assurance
statement
Formally consider
output at Board and
Audit Committee
Cross reference to clinical
governance assurances
Monitoring
Establish sub-committee to
monitor the overall process
Define the role of Audit
Utilize model
documentation
Utilize survey tools

Link wider assessment to
board conclusions
Identification of
actions and
responsibilities
The Assurance cycle: An integrated approach

The steps contained within the above diagram can be described briefly as follows:
1) Board assessment of key risks and controls
If such a process is not already in place a top down diagnosis of key risks and
controls should be conducted. This can be structured in a number of ways
depending on the culture of the organization. An important feature is that results
focus on major risks across the full range of the Trusts/Authoritys objectives
and that consensus is reached. Also, this stage represents an opportunity to take
stock of all existing initiatives and controls to determine where there are gaps
and/or overlaps. Another common element of the process is the profiling of risk
following debate on potential impact and probability of occurrence. This can
then be linked to issues of accountability and monitoring. In overall terms the
process establishes an assurance action plan, which frames up any future work.
All these outputs will usually be generated through a facilitated session that may
use different emphases to arrive at the same outcome.
2) Wider organizational assessment of risk and culture
It is often useful to conduct a wider review of risk and attitudes by targeting lower
levels within the organization. In many Trusts and authorities there is not always
a matching of the Boards perception of risks and the opinions of different groups
of employees. This lack of congruence can be the root cause of subsequent control failures, which go on to take the Board by surprise. Also, certain risks in isolation may seem relatively insignificant but when they are attached to individuals
who feel very negative about the organization, perhaps because of poor training
or inadequate support, those risks become far more critical. Various tools, primarily survey based, have been developed to collect this information.
36
Controls assurance
3) Identification of actions and responsibilities

The results of the above establish a sensible and informed point from which to
attach action and responsibility to risks that require management attention. A
range of self assessment workshops may well be linked to issues where a multidisciplinary approach is needed and the relevant employees operate in a culture
that encourages openness. Not all issues match these circumstances.
4) Monitoring
Unless a framework is in place to monitor the progress and effectiveness of
planned actions then efforts will have been largely wasted. This reinforces the
principle of monitoring and corrective action set out earlier in this guidance under control elements.
5) Assurance statement
This stepped approach will contribute to a Trust or Authority making an assurance statement based on risk management principles that can be described simply
and sensibly to the public. The emphasis is upon reasonable assurance not absolute assurance and reflects the spirit of the Controls Assurance Project:
With existing resources, used to best effect, what assurance can be gained?
Such a process requires some form of underpinning software and documentation to

ensure that a record is maintained of risk and control decisions. If such records are not
maintained the process will become unmanageable and will not generate sufficient
information for the Board to conclude on assurance and accountability issues. Other
chapters provide detail on this aspect of the Project.
Top level risk assessment
The Mersey Internal Audit Agency (MIAA) approach follows the principles set out in
the generic process cycle. A range of techniques, that can translate the processes
described, into practical delivery and subsequent action have been developed.
However, for the purposes of this chapter emphasis is being given to the undertaking
of top level self assessment workshops utilizing a quality model (The Business
Excellence Model) rather than explanation of the more routine processes associated
with traditional self assessment workshops.
An important first element of much of MIAAs Controls Assurance work has been the
undertaking of a Top Level Review. The objective of this exercise is to facilitate senior
management in the production of a prioritized risk list that also maps out current
processes to mitigate risk. In summary, this is achieved through a workshop that
utilizes interactive technology. It provides an organization with a top down framing
up of risk that can act as a platform and focus for subsequent work. A key element of
the output is an action plan linking risk to accountability.
The background to developing such an approach has been driven by a range of debates
with Chief Executives, Directors and Audit Committees. The consistent message
from each of these groups has been that any process to address the assurance agenda
must:
recognize and build upon existing risk management and quality activities;
assess the current position;
be delivered within existing resources;
add value;
not be another initiative.

37
From that position a process was designed to secure top level commitment through
the conduct of a self assessment exercise with the following characteristics:
structured quality model approach;
takes stock of existing strengths;
produces consensus over risk profile;
low input/high output.
The decision to use the Business Excellence Model as a focus stemmed from the
recognition that the terms risk management, controls assurance and control self
assessment were not the common currency of NHS professionals and were unlikely
to engage interest. Quality has been a consistent premise for all healthcare workers and
support staff. Consequently the delivery of assurance through self assessment could
sensibly be presented as integral to the wider quality agenda. In many respects risk and
quality are two sides of the same coin. Quality measures and risk consequences
parallel each other but the focus on quality brings the added dimension of continuous
improvement. This is a very important point because there is a real concern that self
assessment which is centred upon risk generation and prioritization can lead an
organization into risk inertia. Individuals and groups of staff direct their energies to
logging and calibrating risk to the exclusion of the very necessary process of seeing and
taking opportunities. Quality unlocks the tendency to becoming submerged in the
bureaucracy of risk aversion.
Business excellence model

The model forms an ideal framework for assessing any organization. It consists of nine
criteria divided between Enablers (What we do) and Results (What we achieve).
Clinical and
managerial
leadership
Human
resources
Staff
satisfaction
Policy and
strategy
Patient/referrer/
Commissioner
satisfaction
Processes
Partnerships
and non-human
resources
Enablers
Improving the efficiency of health care delivery
Key performance
results
(Clinical,
organizational
and financial)
Additional
impact on
society
Results
Improving effectiveness
The nine criteria of the model are linked by the principle that Customer Satisfaction,
People (employee) Satisfaction and Impact on Society are achieved through
Leadership driving Policy & Strategy, People Management, Resources and Processes
leading ultimately to excellence in Business Results.
38
Controls assurance
The process
A top level workshop is conducted usually with 68 Executive Directors and Senior
Managers. The Board and Audit Committee are advised of the process but, generally,
non executives do not participate. The workshop takes 45 hours and prior to
attendance each attendee completes a Controls Assurance Resource Pack. The Pack
asks a series of questions under each of the Business Excellence Model criteria. An
extract from People Management is shown below:
PEOPLE MANAGEMENT
Questions
Examples of evidence and

potential risk
A.
Are the skills and abilities needed by your Trust known, recorded,
regularly updated and aligned to the business needs?
0
1
2
3
4
5
You keep and regularly review the skills and resources

needed to meet your objectives and plans. When
changes are made they are measured for effectiveness.
Undue pressure on management costs. Increasingly
complex personnel legislation.
B.
Are appraisal schemes employed to match the objectives and

aspirations of your Trust and the individual?
0
1
2
3
4
Manager/employee reviews or appraisals are a feature

of your Trust and are clearly and simply linked to its
objectives and plans. Inadequate time or funding for
training requirements
C. Do managers coach and support employees through realistically set

improvement targets, aligned to the business plan with progress
regularly reviewed?
0
1
2
3
4
5
Managers encourage teamwork, spend time developing

individuals, encourage and become involved in
improvement activity.
D. Is the full potential of all people being realised to achieve the Trusts
strategic direction?
0
1
2
3
4
5
You are aware of both the skills and aspirations of all

your staff and actively seek to utilise these to achieve
the Trusts goals.
E.
Does the Trust provide sufficient support and protection to

employees in relation to violence and other staff health matters?
0
1
2
3
4
5
F.
Is the Trust in a position to meet its recruitment needs now and in

the future?
0
1
2
3
4
5
Required numbers of staff, staff with required

qualifications and experience, appropriate medical
staff. Consider impact upon waiting list initiative
targets, delayed treatment, poor quality treatment,
costs of locums (with added risk of errors).
G. Is the Trust sufficiently protected from employing an individual who

might act fraudulently or negligently resulting in financial or
reputation loss?
0
1
2
3
4
5
Key:
0 : No - not on any occasion at any level.

1:
2:
3:
4:
5 : Yes - this happens on all occasions at all levels.
39
Following completion of the questions notes are then made under each section as
follows:
Notes on People Management:-
Strengths Identified
Evidence:-
Risks/Opportunities for improvement
The completed Resource Packs are then individually and anonymously returned to
MIAA and a consolidated report is prepared which becomes the agenda for the
workshop. The report is structured across each of the Business Excellence criteria and
sets out a graphical response of the group to each of the questions and summarizes the
views on strengths, weaknesses and risks. The facilitator presents the data back to the
group and a structured debate then ensues around diversity and consensus of
attitudes, existence and robustness of evidence etc. Because the Excellence Model
separates the debate into compartments it helps to focus direction. The facilitators
task is to arrive at an agreed list of key risks and then to vote on probability and impact.
Optionfinder technology is used to speed up the voting process. An example of one of
the graphs fed back to the workshop is as follows. The number above the bars
represents the number voting and the horizontal axis reflects 0 = poor and 5 = good
(this was a workshop with a small number in attendance).
40
Controls assurance
A A - Does the Executive team act as a team in taking and

communicating decisions?
Frequency
bus-ex
The facilitator would allow the group to explore the reasons for such voting to
determine whether risk issues were triggered. Once risks have been defined
probability and impact is polled resulting in a graph similar to that below. Each of the
letters represent a risk agreed by the group.
All list items
A
D
FCB
4
1
Average
Likelihood
Impact
So, in summary this process takes these steps:
executive briefing;
commitment to proceed;
completion of controls assurance resource pack;
results collated;
half-day session to review collated results and arrive at consensus;
risk profile report produced;
41
which leads to:
assessment of overlaps and gaps in control;
consensus on risk profile and related action;
analysis including probability and impact evaluation;
targeted investment of time to reach a sensible view on controls assurance.
Conclusion
Once the top level work has been delivered the results can then inform and direct
future assurance strategy. One outcome is that it can target workshops that engage a
wider range of staff. MIAA have conducted an extensive range of risk workshops with
multi-disciplinary groups of staff. These have been selected as a result of the top level
assessment. Examples of the work performed and in progress are: communication at
ward level; utilization of agency/bank nursing; staff mix; payroll; non pay expenditure.
All of this work has engaged front line staff in considering risks with substantial
results. The important distinction from other self assessment workshops, however, is
that they connect with a Board led framework and the results can, therefore, be linked
to any assurance statements provided by a Board of Directors. If workshops operate in
a vacuum, tackling isolated issues, they may well produce worthy results but they will
have little value in terms of an assurance agenda or in delivering sustained cultural
change.
42
Risk management
A journey, not a destination
Kevin Knight1
What are we up against?

Risk is an unsavoury topiclike incontinence, sewerage farms and colostomieswe
dont want to talk about it.
The following quotes come to mind:
People dont want the truth, they just want comforting.
Machiavelli
And beyond the hospital gate?, Mole asked Ratty.
Ratty replied, Beyond the hospital gate comes the wide world, and thats
something that doesnt matter either to you or to me. Dont ever refer to it again
please.
with apologies to The Wind in the Willows
We only think when we are confronted with a problem.
John Dewey
One little slip, Laura, thats all
Said right, meant left
One little word
John Cleese as Mr Stimpson in Clockwise
Evidently, part of the situation we need to deal with is common toall peoplethe
desire to avoid unpleasantnessif necessary, by burying our heads in the sand.
To laugh is to risk
To laugh is to risk appearing the fool
To weep is to risk appearing sentimental
To expose feelings is to risk exposing your true self
To reach out to another is to risk involvement
To place your ideas, your dreams before a crowd is to risk their loss
To love is to risk not being loved in return
To live is to risk dying
To hope is to risk despair
To try is to risk failure.
But risks must be taken because the greatest hazard in life is to risk nothing
The person who risks nothing, does nothing, has nothing, and is nothing.
1. Chairman of the ISO Working Group on Risk Management Terminology; Member of the Standards Australia Risk
Management Committee and Risk Management Coordinator of Education Queensland.
43
They may avoid suffering and sorrow but they cannot learn, feel, change, grow,
love, live.
Chained in by their attitudes, they are a slave, they have forfeited their freedom
Only the person who risks is free.
Anonymous
The risk management process
Identify risks
Analyse risks
Monitor and review
Communicate and consul t
Evaluate risks
Assess risks
Treat risks
Figure 1: Overview of the risk management process

(AS/NZS 4360:1999)
44
Risk management

strategic context
The organisational context
The risk management context
Develop criteria
Decide the structure
The
Identify risks
What
can happen?
How can it happen?
Determine existing controls

Determine
likelihood
Determine
consequences
Estimate level of risk
Monitor and review
Communicate and consult
Analyse risks
Evaluate risks
Compare against criteria
Set risk priorities
Accept
risks
Assess risks
Yes
No
Treat risks
Identify treatment options
Evaluate treatment options
Select treatment options
Prepare treatment plans
Implement plans
Figure 2: Details of the risk management process

(AS/NZS 4360:1999)
45
The risk management process within the corporate context

Governance
Accountability
Supervision
Potential greater
future role of
risk management
Traditional and current

risk management
application
Strategic
Strategic
management
management
Executive
management
Decision and control
operational management
Management
Boyd (1997) illustrates the relationship between management, risk management and
corporate governance above. Corporate Governance activities are represented as four
principal components: direction, executive action, supervision and accountability.
The need for risk management to be undertaken at the strategic level of an
organization is highlighted.2
This illustrates the current, and traditional, situation where risk management
techniques are more highly evolved at the operational and tactical levels of an
organization.
An integrated management system to ensure progress in

strategy implementation
Business strategies/plans
Review effectiveness
Board review
Management review
Individual team performance
(review and reward)
External audit
Risk management
Action
Underpinned by:
AS/NZS ISO 14000 Environmental management
AS/NZS ISO 9000 Quality management
AS/NZS 4360 Risk management
AS/NZS 3806 Compliance program
AS/NZS 4269 Compliance handling
Change management
Continuous improvement
Service development
Systems development
Risk management
Measurement
Audit
Client feedback
Benchmarking
Management information
Risk management
Implementation
People
Information technology
Process and infrastructure
Policies and procedures
Change and project management
Risk management
2. Boyd, J. 1997, Risk managements role in corporate governance, Corporate Risk, vol. 4, no. 8.
46
Risk management
Develop and implement an infrastructure or arrangements to ensure that

management of risk becomes an integral part of the planning and management
processes and general culture of the organization.
Responsibility and leadership
Policy
Management commitment
Stakeholder analysis and communication
Plan
Review and improve

External audit
Board review
Risk management
Communication
Measurement
Quality
Safety
Environment
Other risks
Monitoring
Audit
Client feedback
Benchmarking
Performance measurement
Risk management
Communication
Risk management
Identify needs
Objectives and targets
Define resources
Define strategies
Communication
Implementation
Risk management
Systems development
Define and implement procedures
Define performance measures
Documentation
Communication
Board of directors
Approves policy
Approves risk limits
Approves risk tolerance
Provides oversight
Risk management committee

Monitor
Coordinate
Teach
Measure
Benchmark
Report to board
Enforce
Line managers
Identify risk
Propose risk limits
Control
Report
Executive management
Establishes policy
Establishes risk limits
Establishes risk tolerances
Reports to board
Enforces
47
AS/NZS 4360:1999
2.3 Planning and resourcing

2.3.1 Management commitment
The organization should ensure that:

a) a risk management system is established, implemented and maintained in accordance with
this Standard; and
b) the performance of the risk management system is reported to the organizations
management for review and as a basis for improvement.
2.3.2 Responsibility and authority
The responsibility, authority and the interrelationship of personnel who perform and verify
work affecting risk management shall be defined and documented, particularly for people who
need the organizational freedom and authority to do one or more of the following a) initiate action to prevent or reduce the adverse effects of risk;
b) control further treatment of risks until the level of risk becomes acceptable;
c) identify and record any problems relating to the management of risk;
d) initiate, recommend or provide solutions through designated channels; and
e) verify the implementation of solutions.
2.3.3 Resources
The organization shall identify resource requirements and provide adequate resources,
including the assignment of trained personnel for management, performance of work and
verification activities including internal review.
Stakeholder identification
AS/NZS 4360:1999
4.1.2
Identify the internal and external stakeholders, and consider their objectives, take into
account their perceptions, and establish communication policies with these parties.
At the earliest opportunity, it is essential to identify the stakeholders involved in a

proposed risk management study. Stakeholders can include:
48
decision-makers;
individuals who are, or perceive themselves to be, directly affected by a decision

or activity;
individuals inside the organization, such as employees, management,
senior management, contractors, and volunteers;
union and/or staff representative groups;
partners in the decision, such as financial institutions and insurance agencies;
regulators and other government organizations that have authority over activities;
politicians (at all levels of government) who may have an electoral or portfolio
interest;
non-government organizations such as environment groups and public interest

groups;
customers;
suppliers and service providers;
the media, who are likely stakeholders as well as conduits of information to other
stakeholders; and
individuals or groups who are interested in issues related to the proposal.
Risk management
Throughout the study, the mix of stakeholders may change. New stakeholders may
join and wish to be included in any considerations, while others may drop out,
through no longer being involved in the process. (e.g. when the decision has been
taken to avoid an activity.) Consequently, the stakeholder consultation process should
be continuous and, as such, should be included as an integral part of the risk
management process.
Note that the level of stakeholder concern may change in response to new
information, either because the stakeholder's needs and concerns have been
addressed, or because new information has given rise to new needs, issues and/or
concerns. Note also that it is valid for different stakeholders to have different opinions
and different levels of knowledge regarding a particular issue. Care must be taken to
balance these legitimate interests while avoiding involvement of those who would use
the process as a forum for other purposes.
The purpose of a stakeholder analysis is to provide decision-makers with a
documented profile of stakeholders so as to better understand their needs, issues and/
or concerns. The stakeholder analysis also provides the basis for the development of
messages that decision-makers may wish to deliver to other stakeholders as part of the
communication and consultation process. Note that information captured through
stakeholder analysis may or may not be shared with other stakeholders, depending on
such issues as the uncertainty of the information at the time and/or the need to keep
certain information confidential for the time being.
Understanding stakeholders will assist in the development of marketing and
communication strategies.
Communication and consultation

Risk communication and consultation with stakeholders is an important
consideration at each step in the risk management process. This is illustrated in
Figure 2.
Risk communication and consultation can be defined as any two-way dialogue

between stakeholders about the existence, nature, form, severity, or acceptability of
risks.
At the earliest stages in the risk management process, it is important to develop a risk
communication strategy. Communication efforts must be focussed on consultation,
rather than a one-way flow of information from decision-makers to stakeholders,
especially those outside the immediate organization. To initiate the consultative
process, those responsible for developing the risk management proposal should
identify key stakeholders and where practicable institute a communication
programme.
Consultation between experts and lay-persons can be difficult for a number of
reasons. Experts and lay-persons will often have vastly different levels of knowledge
related to specific issues. There are often large uncertainties associated with estimating
future likelihoods or consequences, and concerns that technical experts may overlook
or fail to acknowledge legitimate community fears. When technical experts disagree
amongst themselves, they decrease the acceptability of the analysis in the eyes of the
lay-person.
Consequently, communication and consultation are critical to ensure that
stakeholders have access to relevant information. It is also critical that this information
be presented in a manner that the recipients understand.
49
Perceptions of risk
Perceptions of risk can vary significantly between technical experts, project team
members, decision-makers and stakeholders. For this reason, the need to effectively
communicate the level of risk involved in a treatment plan is essential if an informed,
valid decision is to be made.
Technical experts tend to emphasize factors in terms of the probability of an
occurrence or its likelihood and consequences, while a lay-person tends to emphasize
factors such as:
the degree of personal control that can be exercised over the activity;
the potential of an event to result in catastrophic consequences;
whether the consequences are dreaded;
the distribution of the risks and benefits;
the degree to which exposure to the risk is voluntary; and
the degree of familiarity with the activity.
Note that lay-persons are less accepting of risks over which they have little or no
control (e.g. public transport versus driving one's own car), where the consequences
are dreaded, or the activity is unfamiliar.
Stakeholder perception of risks may vary due to differences in assumptions,
conceptions, and the needs, issues and/or concerns as they relate to the risk or issue
under discussion. Stakeholders are likely therefore to make judgements of the
acceptability of a risk based on their perception of the risk. Since stakeholders have the
most impact on the decision-making process, it is important that their perceptions of
risks, as well as their perceptions of benefits, be identified, documented and the
underlying reasons for them understood.
Identify risks
AS/NZS 4360:1999
4.2 Risk identification

4.2.1 General
This step seeks to identify the risks to be managed. Comprehensive identification using a wellstructured systematic process is critical, because a potential risk not identified at this stage is
excluded from further analysis. Identification should include all risks whether or not they are
under the control of the organization.
This step requires identification of risks which arise from all aspects of the
environment identified in the previous step. Unidentified risks can pose a major
threat to the organization. It is important to ensure that the widest range of risks are
identified.
Risk identification involves examining all sources of risk and the perspective of all
stakeholders, both internal and external. It is important to identify each source so that
the analysis can consider the contribution each makes to the likelihood and the
consequences of the risk. A risk assessment may concentrate on one or many possible
areas of impact relevant to the organization or activity, but a standard methodology
should be applied across all functions.
Valid information is important in identifying risks and in understanding the
likelihood and the consequences of the risk. Although it is not always possible to have
the best, or all information, it should be as relevant, comprehensive, accurate and
50
Risk management
timely as resources will permit.

Existing information sources need to be accessed and, where necessary, new data
sources developed. Some risks will not lend themselves to objective analysis or
observation, and the cost of collecting all data might be too great for the benefits
provided.
It is essential that staff undertaking this step are knowledgeable about the policy,
program, process, or activity being reviewed. Where it is complex, there may be very
few people who understand all of its elements and it may be best to work with a group.
Possible methods of identifying risks
interview/focus group discussion;
personal experience or past organizational experience;
audits or physical inspections;
brainstorming;
survey, questionnaire, Delphi technique;
examination of local or overseas experience;
judgmental - consensus, speculative/conjectural, intuitive;
history, failure analysis;
scenario analysis;
decision trees;
strengths, weaknesses, opportunities and threats (swot) analysis;
flow charting, system design review, systems analysis, systems engineering techniques, e.g. Hazard and Operability (hazop) studies;
work breakdown structure analysis; and
operational modelling.
Checklist of the types of exposures managers may have to

manage
The purpose of this list is to provide a list of potential exposures that managers might
face. The list is not exhaustive, but it should give managers an indication of exposures
which may effect their business and therefore have to be managed.
Human resource management problems with own staff:
inadequate/inappropriate training;
inappropriate skills mixes;
insufficient technical skills;
cultural/religious conflicts;
criminal activity;
language difficulties;
Equal employment opportunity/anti-discrimination
disputes/litigation;
claims of sexual harassment;
occupational health and safety disputes;
loss of key staff;
industrial disputes;
unfair dismissals/litigation;
badly designed workplaces;
problems with outside contractors;
51
enterprise bargaining disputes;

over-reliance on a small number of staff;
Personnel loss of key personnel;

succession planning;
theft, misappropriation;
poor industrial relations;
skills, training;
wrongful acts;
Operational superseded equipment;
equipment:
breakdown;
unavailability of parts;
supply delays;
inexperienced personnel;
planning and scheduling conflicts;
contaminated raw materials;
contaminated or unsafe products;
poorly maintained equipment and/or infrastructure;
poor service leading to angry customers;
badly designed product;
breaches of Trade Practices and Fair Trading Acts;
Financial asset/liability management;

inadequate insurance;
business interruption:
interruption of supply;
record losses;
machine breakdown;
industrial action;
utilities interruption;
fraud;
inaccurate accounting and/or reporting systems;
poor cashflow;
cash/fund management shortfall;
inadequate costing systems (leading to unsustainable
pricing);
exchange rate movements;
bad debts;
over-reliance on a small number of customers
/suppliers;
audit risk;
inventory risk:
obsolescence;
stock losses;
negligence;
fines/judgement orders;
Disasters which affect accidents (e.g. vehicle, aeroplane, train);
senior and key staff key individual losses;
Natural and man-made disaster sabotage/vandalism;
power cuts;
electrical spikes;
water cuts;
flooding;
lightning strikes;
fire;
sabotage;
espionage;
52
Risk management
industrial accidents;
arson;
staff exposure to long-term hazards and pollution;
community exposure to pollution;
attack by deranged persons;
epidemic among staff;
Political changes in government;

legislative changes;
community expectations;
Technological change materials may be supplanted:
aluminium in warships replaced by high-grade
steel;
ceramics may supplant steel in car engines;
fibreglass and aluminium supplanted wood in small
boats;
processes may be made obsolete:
computer-aided manufacture supplanted;
conventional manufacturing;
whole industry might be wiped out:
artificially-produced wine may replace conventional
wine;
competitors may innovate successfully;
exogenous:
change in tariffs or levels of protection;
cheap PCs make word-processors and typewriters
almost obsolete;
synthetics affected wool and other natural fibres;
the oil shock of 1973 increased demand for small,
fuel-efficient cars;
Economic cycle/marketing limited range of products:

broaden product range, include some products
which are counter-cyclical;
undetected changes in market/customer demands;
loss of distribution rights or marketing channels;
defective/dangerous products;
import competition;
Contractual/legal breach of contract;
product liability;
public liability;
statutory breaches;
limitation of liability;
errors and omissions;
directors and officers liability;
Business activity by-products client service;
computer breakdown;
contingency planning/business resumption;
occupational injury, illness, physical security, property
loss;
Possible sources of risk
commercial/legal relationships;
socio-economic;
political/legal;
personnel/human behaviour;
53
financial/market;
management activities and controls;
technology/technical;
the activity itself/operational;
business interruption;
occupational health and safety;
property/assets;
security;
natural events;
public/professional/product liability; and
custody of information including the duty to provide and to withhold access.
Possible areas of risk effect
asset and resource base cost: both direct and indirect;
people;
community;
performance of activities: how well the activity is performed;
timeliness of activities: including start time, downstream or follow-up impacts;
organizational behaviour;
natural environment; and
intangibles.
Key questions in identifying risks
When, where, why, how are the risks likely to occur, and who might be involved?
What is the source of each risk?
What are the consequences of each risk?
What is the potential cost of each risk?
What controls presently exist to mitigate this risk?
What are the accountability mechanisms - internal and external?
What is the need for research into specific risks?
What is the scope of this research?
What resources are needed to carry out the research?
What is the reliability of the information?
What are the stakeholders expectations of the organizations performance?
Documentation of this step
54
For a small process this step may be documented by a simple tabulation.
More complex documentation may be required for a larger process.
List each risk, identify its source and consequences.
Risk management
Classify risks under functional groups if appropriate.
Identify each control process.
Identify areas of research if appropriate.
Analyse risk
AS/NZS 4360:1999
4.3.3 Likelihood and consequences
The likelihood of events occurring and the magnitude of their consequences, are assessed in
the context of the existing controls. Likelihood and consequences are combined to produce a
level of risk.
The level of risk is defined by the relationship between likelihood and consequence
applicable to the area of risk or program under review.
Qualitative analysis may be used where the level of risk does not justify the time and
resources needed to do a numerical analysis, where the numerical data are inadequate
for a more quantitative analysis, or to perform an initial screening of risks prior to
further, more detailed analysis.
The value of qualitative analysis is enhanced when the determination of risk is shared
across a range of people with varying backgrounds and interests. One person's view
may be different from another's and the contribution of many ideas may improve the
usefulness of the outcome.
A semi-quantitative approach allocates numbers to qualitative word rankings such as
high, medium and low, or to more detailed descriptions for likelihood and
consequence. These rankings are shown against an appropriate numerical scale for
calculating the level of risk. Information can then be processed for analysis using
arithmetic methods.
If using a semi-quantitative approach, it is important not to interpret the results to a
finer level of precision than is actually contained in the initial word rankings. Do not
use the numbers to give an appearance of precision where it does not exist.
The level of risk can be calculated using a quantitative method in situations where the
likelihood of occurrence and the consequences can be quantified. For example, fraud
risk assessments tend to be quantitative. This method is particularly valuable in
providing a ranking of residual risks to identify a prioritized list of action areas.
In many instances relatively straightforward methods are used effectively, although

some of the case studies indicate the use of more refined techniques, or the intention
to pursue these refined techniques in the future.
However, even sophisticated quantitative techniques may have their weaknesses and
these need to be kept in mind. (See AS/NZS 3931:1998).
Example of tables to determine the level of risk from the likelihood and consequences
is shown below.
55
Likelihood
Example 1
Almost certain
The event is expected to occur in most circumstances

The event will probably occur in most circumstances
Likely
Moderate
The event should occur at some time
Unlikely
The event could occur at some time

The event may occur only in exceptional circumstances
Rare
Example 2
Almost certain
The event will occur on an annual basis
Will occur once a year/or more

frequently
Likely
The event has occurred several times or

more in your career
Will occur once every three

years
Possible
The event could occur once in your

career or could occur at any time
Will occur once every ten years
Moderate
The event has not yet occurred but could

occur at some time
Will occur once every 30 years
Rare
Heard of something like this occurring

elsewhere
Will occur once every 100 years
Very rare
Have never heard of this happening
One in 300 years
Almost
incredible
One off event in exceptional

circumstances
One in 1000 years
Very rare and almost incredible are generally used as risk descriptors in engineering
risk assessment, i.e. flood mitigation or other similar disciplines
Consequences
Example
56
Extreme
The consequences would threaten the survival of not only the programme,
but also the Organization, possibly causing major problems for clients, the
administration of the programme or for a large part of the Public Sector.
Revenue loss greater than x% of total revenue being managed would have
extreme consequences for the Organization both financially and politically.
Very High
The consequences would threaten the survival or continued effective

function of the programme, or require the intervention of top level
management or by the Elected Representatives. Revenue loss greater than
y% of total revenue being managed would have very high consequences for
the Organization both financially and politically.
Medium
The consequences would not threaten the programme, but would mean
that the administration of the programme could be subject to significant
review or changed ways of operating. Revenue loss greater than z% of total
revenue being managed would have medium consequences for the
Organization both financially and politically.
Risk management
Low
The consequences would threaten the efficiency or effectiveness of some

aspects of the programme, but would be dealt with internally. A loss of
revenue below the tolerance level of 5% (Audit materiality) applied to
clients would be of low consequence.
Negligible
The consequences are dealt with by routine operations. A loss of revenue

below the programme tolerance level of w% (less than Audit materiality)
applied to clients would be of negligible consequence.
Table to determine the level of risk

The following table illustrates the descriptors that may be used combining example 1
from likelihood and the example from consequences.
Consequences
Likelihood
Neglibible
Low
Medium
Very high
Extreme
Almost certain
significant
major
high
severe
severe
Likely
moderate
significant
major
high
severe
Moderate
low
moderate
significant
major
high
Unlikely
trivial
low
moderate
significant
major
Rare
trivial
trivial
low
moderate
significant
Level of risk
Example 1
Severe risk
Almost certain to threaten the survival of the programme, its

administration and the Organization either financially or politically
High risk
Likely to threaten the survival or continued effective function of the

programme or the Organization financially or politically
Major risk
Likely to cause some damage, disruption or breach of controls
Significant
risk
Unlikely to cause much damage and/or threaten the efficiency and

effectiveness of the programme
Moderate risk
Unlikely to be a threat to the efficiency and effectiveness of the

programme
Low risk
Unlikely to threaten some aspects of the programme
Trivial risk
Risks have negligible impact on the programme
57
Example 2
Extreme risk
Must be managed by senior management with a detailed plan
Severe risk
Detailed research and management planning required at senior level
High risk
Senior management attention is required and management

responsibility specified
Moderate risk
Manage by specific monitoring or response procedures
Low risk
Manage by routine procedures
Trivial risk
Unlikely to need specific application of resources
Recognizing and exploiting opportunities

Many risk analyses are directed to the negative consequences of risks, and the
consequence scales reflect the losses or undesired outcomes that might arise.
However, the risk management approach can be used to identify and prioritize
opportunities (or positive risks) with little change to the process.
When considering opportunities, the likelihood scale need not change, as this reflects
the chance that a beneficial outcome will arise, but the consequence scale must be
adjusted. This can be done in two ways.
The simplest approach, when opportunities are being considered by themselves

(without negative impacts), is to use a consequence scale similar to that for risk
analysis, but with only positive outcomes. An example is shown in the table below, corresponding to Table E2 in the standard; as with Table E2, the measures
used should reflect the needs and nature of the organization and activity under
study.
Level
Descriptor
Example of detailed description for

positive consequences
Insignificant
Small benefit, low financial gain
Minor
Moderate
Major
Outstanding
Minor improvement to image, some financial gain

Some enhancement to reputation, high financial gain
Enhanced reputation, major financial gain
Significantly enhanced reputation, huge financial gain
A qualitative opportunity analysis matrix like that in Table E3 of the standard can be
used to determine the level of opportunity. All that need change is the legend, with
the focus of action being on capturing and exploiting the opportunity rather than
avoiding or mitigating the problems.
H = high opportunity; detailed planning required at senior levels to prepare for and
capture the opportunity;
S = significant opportunity; senior management attention needed;
M = moderate opportunity; management responsibility must be specified;
L = low opportunity; manage by routine procedures.
58
Risk management
When risks and opportunities are being considered together, a two-directional

scale of consequences may be appropriate, with 5 representing a catastrophic
risk and + 5 representing an outstanding opportunity. The analysis matrix must
be adjusted too. The matrix below shows an example, based on Table E3 of the
standard.
-H
-S
-S
A
Almost
certain
-H
-H
-S
-S
-M
B
Likely
-H
-H
-S
-M
-L
C
Moderate
-H
-S
-M
-L
-L
D
Unlikely
-S
-S
-M
-L
-L
E
Rare
-5
-4
-3
-2
-1
Likelihood
+1
+2
+3
+4
+5
Minor
Insignificant
Insignificant
Minor
Major
Outstanding
Moderate
-H
Catastrophic
-H
Moderate
POSITIVE CONSEQUENCES
Major
NEGATIVE CONSEQUENCES
If semi-quantitative or quantitative scales are used, individual risks and opportunities

can be plotted on the same graph to show their relative levels. The diagram shows an
example in which the horizontal consequence scale ranges from 5 (catastrophic
negative outcome) to + 5 (outstanding beneficial outcome), and the likelihoods are
shown on a vertical probability scale from 0 to 1.
1
Outstanding
Region
Likelihood
Catastrophic
Region
Low risks and opportunities

-5
+5
Consequences
59
Key questions in analysing risk
What are the current controls which mayprevent, detect or lower the consequences of potential or undesirable risks/events?
What is the potential likelihood of the risks happening?
What are the potential consequences of the risks if they do occur?
Rationale for initial screening of very low risks.
For all other risks:
existing control;
likelihood of occurrence (with or without the control);
severity of consequences (with or without the control); and
resulting level of risk.
Explanation of the method used, and the definitions of the terms used to analyse
the likelihood and consequences of each risk.
Documentation should fit the need for records in relation to the level of risk.
Evaluate risks
AS/NZS 4360:1999
4.4 Risk evaluation

Risk evaluation involves comparing the level of risk found during analysis with previously
established criteria. Risk analysis and the criteria against which risks are compared in risk
evaluation should be considered on the same basis. Thus qualitative evaluation involves
comparison of a qualitative level of risk against qualitative criteria, and quantitative evaluation
involves comparison of numerical level of risk against criteria which may be expressed as a
specific number, such as fatality, frequency or monetary value.
The output of a risk evaluation is a prioritised list of risks for further action.
This step is about deciding whether risks are acceptable or unacceptable. A risk is
called acceptable if it is not going to be treated in step 5. Defining a risk as acceptable
does not imply that the risk is insignificant.
The evaluation should take account of the degree of control over each risk and the cost
impact, benefits and opportunities presented by the risks. Also, the risks borne by
other stakeholders that benefit from the risk should be considered.
The significance of the risk and the importance of the policy, program, process or
activity need to be considered in deciding if a risk is acceptable.
Reasons why a risk may be accepted
60
The level of the risk is so low that specific treatment is not appropriate within
available resources.
The risk is such that there is no treatment available. For example, the risk that a
project might be terminated following a change of government is not within the
control of an organization.
The cost of treatment, including insurance costs, is so manifestly excessive compared to the benefit that acceptance is the only option. This applies particularly
to lower ranked risks.
The opportunities presented outweigh the threats to such a degree that the risk
is justified.
Risk management
One approach is to compare the level of each risk, from the analysis step, against the
level of acceptable risk assessed from Step 1 (Establishing the Context). A review of
the risk criteria from Step 1 may be needed to ensure that criteria have been identified
for all significant risks.
The risks not considered acceptable are those which will be treated in some way.
These are prioritized for subsequent management action as a component of the
organizations action plans.
As low as reasonably practicable

The as low as reasonably practical (alarp) concept is illustrated in Figure 3.
The width of the cone indicates the size of risk. In general two criteria can be defined.
A level where risk is negligible and can be accepted without specific treatment other
than monitoring and a level where risk is intolerable and the activity must cease,
except in exceptional circumstances, unless risk can be reduced. Between these levels
is a region where costs and benefits are taken into account. When risk is close to the
intolerable level the expectation is that risk will be reduced unless the cost of reducing
the risk is grossly disproportionate to the benefits gained. Where risks are close to the
negligible level then action may only be taken to reduce risk where benefits exceed
the costs of reduction.
Risk magnitude
Risk cannot be justified
in any circumstances
Interolerable
region
LEVEL
OF
RISK
Tolerable only if risk reduction

is impracticable or if its cost is
greatly disproportionate to the
improvement gained
As
Low
As
Reasonably
Practicable
Tolerable if cost of reduction would

exceed the improvements gained
Broadly acceptable region

de minimis risk
As
Low
As
Reasonably
Achievable
Necessary to maintain assurance

that the risk remains at this level
Figure 3: The ALARP Principle
61
Management response to the level of risk

The following table is an example to guide decisions on the allocation of
responsibilities for the treatment of risk
Severe Risk
must be managed by senior management with a detailed plan.
High Risk
detailed research and management planning required at senior levels.
Major Risk
senior management attention is needed.
Significant
Risk
management responsibility must be specified.
Moderate Risk
manage by specific monitoring or response procedures.
Low Risk
manage by routine procedures.
Trivial Risk
unlikely to need specific application of resources.
Key questions in assessing and ranking
What is the acceptable level of risk?
What is the priority of the risks (e.g. high, medium, low)?
62
Consideration of acceptability criteria if not done previously.
List acceptable risks with the reasons they are considered acceptable.
List unacceptable risks in priority order.
Risk management
Treat risks
AS/NZS 4360:1999
4.5 Risk treatment

Risk treatment involves identifying the range of options for treating risk, assessing those
options, preparing risk treatment plans and implementing them.
This step is about considering options for treating risks which were considered not
acceptable at the previous step. A combination of options may be appropriate in
treating risks:
Evaluated and ranked risk
Risk
acceptable
Yes
Accept
No
Reduce
likelihood
Reduce
consequences
Transfer in full
or in part
Avoid
Monitor and review (clause 4.6)
Identify
treatment
options
Consider feasibilty costs and benefits

Assess
treatment
options
Recommend treatment strategies
Select treatment strategy
Prepare
treatment
plans
Implement
treatment
plans
Prepare treatment plans
Reduce
likelihood
Reduce
consequences
Transfer in full
or in part
Part retained
Risk
acceptable
Yes
Avoid
Part transferred
Retain
No
Figure 4: Details of the risk tresatment process

(AS/NZS 4360:1999)
63
Identifying options for risk treatment

The criteria affecting the level of funding for treating risks should be established at the
outset of the risk management process within the framework of the strategic,
organizational and risk management context. (Section 4.1 of the standard).
From the assessed ranked risk priorities, the various treatment options available
should be identified. (Section 4.5.1 of the standard).
These may include:
Accepting the risk if the likelihood and consequence of that risk is consistent
with the established criteria. (Acceptance, in many instances, may follow the risk
reduction measures identified in Appendix H of the standard.) These criteria
should have established the threshold of what, for the organization, would constitute an unacceptable exposure. The ability of the organization to absorb an incident will, to a large degree, depend on the size and "financial health" of that
organization.
Avoiding the risk by deciding either not to proceed with the activity that contains an unacceptable risk, choosing an alternative more acceptable activity which
meets the objectives and goals of the organization, or choosing an alternative less
risky methodology or process within the activity.
The option of adopting an alternative work practice of lower risk reduces the
consequences and/or likelihood of harm or loss and therefore, is a treatment and
not necessarily avoidance of risk. Avoiding the risk is equivalent to refusing to accept the risk.
Reducing the likelihood or the consequences of the risk, or both. Note that
there is a trade off between the level of risk and the cost of reducing those risks
to an acceptable level. As already stated, the acceptable level should be consistent
with the established risk criteria. (The relationship between risk and the cost to
reduce a particular risk is shown in Figure 5).
Any one of several decision points may be chosen. These include:
a satisfactory (but not optimum) solution;
the most cost-effective solution;
the accepted practice (industrial norm, good business practice);
the best achievable result (given current technology); and
the absolute minimum.
Which criterion is considered to be the most acceptable, depends on the circumstances and the established risk context within which the decision has to be made.
With the right scenario, a valid argument can be made for any of the above options.
Where risk reduction is considered both feasible and cost effective, the required
funding will need to be budgeted, with the responsible person ensuring that the
risk reduction measures are carried out to the level determined.
64
Transferring the risk, in full or in part, to another party. From a Public Sector
perspective, this may mean transferring it to the public at large and, in many instances, this may be unacceptable for political, moral or constitutional reasons.
Again, the risk criteria should establish the level of acceptability of risk transfer
in each instance. For example, where goods and/or services are being acquired
from a contractor, and the contractor is in the best position to manage that particular risk, risk transfer would be acceptable.
Risk management
Retention of either residual risks, following completion of risk reduction measures, or of those risks which, for political, moral or constitutional reasons are required to be retained by Public Sector organizations.
Level of risk (Risk value)
Satisfactory
Most cost
effective
Accepted
practice
Best
achievable
Absolute
minimum
Cost of reducing risk ($)
Figure 5: The trade-off between level of risk and cost of reducing risk
Continually monitor and review
AS/NZS 4360:1999
4.6 Monitoring and review

It is necessary to monitor risks, the effectiveness of the risk treatment plan, strategies and the
management system which is set up to control implementation. Risks and the effectiveness of
control measures need to be monitored to ensure changing circumstances do not alter risk
priorities. Few risks remain static.
Ongoing review is essential to ensure that the management plan remains relevant. Factors
which may affect the likelihood and consequences of an outcome may change, as may the
factors which affect the suitability or cost of the various treatment options. It is therefore
necessary to regularly repeat the risk management cycle. Review is an integral part of the risk
management treatment plan.
Monitoring and review is an essential and integral step in the process for managing
risk. It is necessary to monitor risks, the effectiveness of the plan, strategies and
management system that have been set up to control implementation of the risk
treatments.
Risks need to be monitored periodically to ensure changing circumstances do not alter
the risk priorities. Few risks remain static.
Programs and processes change, as can the political, social and legal environment and
goals of an organization. Accordingly, it is necessary to re-examine the risk context to
ensure the way in which risks are managed remain valid.
65
The principles of risk management are quite general in nature, but their application
depends upon the context and environment from time to time. The process of review
and monitoring ensures that risk management strategies continue to be a vital part of
the organizations business processes. The presence of regular performance
information can assist with identifying likely trends, trouble spots and other changes
which have arisen.
Possible methods of review
internal check program;
internal audit;
external auditAuditor General, independent audit;
external scrutinyOmbudsman, parliamentary or council committee, appeal

tribunals; courts; commissions of inquiry;
physical inspections;
program evaluation; and
reviews of organizational policies, strategies and processes.
Key questions
Do the performance indicators address the key success elements?
Are the assumptions, including those made in relation to the environment, technology and resources, still valid?
Are the risk treatments effective in minimizing the risks?
Are risk treatments comparatively efficient/cost effective in minimizing risks?
Are the management and accounting controls adequate?
Do the risk treatments comply with legal requirements, government and organizational policies, including access, equity, ethics, accountability?
How can improvements be made?
66
Implementation review plan.
Review and evaluation plan.
Risk management
Further reading
Standards Australia/Standards New Zealand 1999, AS/NZS 4360:1999 Risk
Management, Standards Australia, Homebush NSW.
Standards Australia 1999, HB 1411999 Risk financing guidelines, Standards Australia,
Homebush NSW.
Standards Australia 1999, HB 1421999 A basic introduction to managing risk using the
Australian and New Zealand Risk Management Standard AS/NZS4360:1999,
Standards Australia, Homebush NSW.
Standards Australia/Standards New Zealand 1999, HB1431999 Guidelines for
managing risk in the Australian and New Zealand Public Sector, Standards
Australia, Homebush NSW.
Canadian Standards Association 1997, CAN/CSA-Q850-1997 Risk management:
guideline for decision-makers.
Japanese Standards Association 1997, JIS/TR-Z0001 Draft Risk Management System
Standard.
British Standards Institute, 99/402 000DC Draft guide to the management of business related
project risks
Institute of Chartered Accountants in England & Wales 1998, Financial reporting of risk
Proposals for a statement of business risk.
Canadian Institute of Chartered Accountants 1995, Guidance for directorsGovernance
processes for control
1998, Guidance for directorsThe Millennium Bug.
1998, Learning about risk: Choices, connections and competencies.
Bannister, J. 1997, How to manage risk, LLP London, 2nd edn, ISBN 1 85978 060 1.
Bernstein, P. L. 1997, Against the gods: The remarkable story of risk, ISBN 0-471-12104-5.
Boyd, J. 1997, Risk managements role in corporate governance, Corporate Risk,
vol. 4, no. 8.
Department of Administrative Services/Purchasing Australia 1996, Managing risk in
procurementA handbook.
1997, Applying risk management techniques to complex procurement.
Emergency Management Australia 1997, Non-stop service Continuity management

guidelines for Public Sector agencies, AGPS, Canberra.
McNamee, D. & Selim, G. 1998, Risk management: Changing the internal auditors
paradigm, The Institute of Internal Auditors Research Foundation, USA.
67
Professional associations
The Association of Risk and Insurance Managers of Australasia
PO Box 1263
CROWS NEST NSW 2065
Internet address: http://www.arima.com.au
E-mail address: arima@s054.aone.net.au
The Australian Institute of Risk Management
PO Box 6079
NORTH SYDNEY NSW 2060
Internet address: http://www/airm.org.au
E-mail address: airm@BlueSky.com.au
Risk Engineering Society

The Institute of Engineers, Australia
11 National Circuit
BARTON ACT 2600
68
The need for effective dynamic governance

in healthcare
Promoting accountability for quality
Dr Chris Brook1
Corporate governance issues include the way an organization is structured, operated

and controlled in order to achieve long term strategic goals and good customer and
employee relations. In the public sector, corporate governance is also about how the
Parliament, Government and boards relate to one another in stewardship matters.
Performance audit report: Corporate governance (1997)
Introduction
Today I am talking to you about the need for effective, dynamic governance in
healthcare: what is good governance and why we need it. It is not a speech about
Clinical Risk Management (CRM). However, the two are inherently related. For
CRM to truly work one must start with the right framework. Good governance sets
the right framework for good CRM.
Governance is an issue of increasing importance across all aspects of the public sector,
not just health. It will become even more significant as competition between public
and private providers proceeds. We must ask ourselves what is the optimum
governance for public agencies. Work in this area is occurring in all jurisdictions.
Both the question of governance and the expectations of Government have been paid
relatively little attention over recent years, particularly as we have emphasized the
arms-length nature of relations between the Victorian Department of Human
Services and public providers. It is now time to take a more mature approach and,
while clearly defining respective roles and responsibilities, move to a more
constructive strategic partnership approach. This involves recognizing that networks
and other public hospitals are public businesses. We must ensure that our expectations
are clear.
As the purchaser of public hospital services, and as the representative of the owner of
those services (the community), the Government encourages Boards to constantly
seek to improve their performance. This is essential if Boards are to ensure that the
corporate body for which they have ultimate responsibility is successful in meeting its
objectives.
1. Director, Acute Health Division, Department of Human Services, Victoria.
69
Duties of directors
What is the function of a Board of directors of a public hospital? In general terms, each
Board is responsible for overseeing the operations of the services which it governs.
Section 40D of the Victorian Health Services Act 1988 outlines the functions of the
Boards of metropolitan healthcare networks in more detail. The following details
were included in the Act in 1995, when the networks were established:
establishing the objects of the network;
overseeing the management of the network by the chief executive officer;
developing a business plan for the network;
developing plans, strategies and budgets to ensure the provision of health services
and long term financial viability of the network; and
monitoring the performance of the network and the chief executive officer.
Boards must be independent in the exercise of their functions. They operate in a

largely autonomous manner, subject to some statutory controls. With this
independence comes accountability. There are a number of levels to this. First, Board
members are individually accountable to the courts for the lawfulness with which they
carry out their duties as directors. Obligations of this nature apply to the directors of
all other corporations.
The general law requires directors of public hospitals, amongst other things, to:
act honestly and with reasonable care and diligence;
act in good faith to meet the objectives of the hospital in accordance with the
powers of the Board and the hospital;
give adequate consideration to matters for decision and be independent in judgement;
declare and avoid conflicts of interest; and
only exercise powers for proper purposes.
There are two other levels of accountability that also apply to Boards of public
hospitals. These stem from the peculiar nature of such hospitals as bodies which are
created under statute to carry out public purposes, and which are also funded by
Government. As such, directors of Boards of public hospitals are:
first, as the holders of a public office, accountable for the overall performance of
the hospital to the Government, which is in turn answerable to the community
for the performance of the public healthcare system;
second, responsible to the Parliament, through the annual reporting process.

This involves accounting for the financial aspects of the hospital and for the carrying out of its functions.
These forms of accountability are analogous to the accountability of the directors of

public companies to shareholders. We as the community need to be assured that our
public facilities are being well managed and meeting their objectives.
70
The need for effective dynamic governance in healthcare
What are the roles and responsibilities of Boards?

Whether a body is established for public or private purposes, the directors of a Board
must oversee the direction of the corporation.
For directors of Boards of public hospitals to do their jobs properly, a crucial element
is identifying the key responsibilities of their public hospital. These can be divined
from the Act, the objects of the hospital, and from the terms of health service
agreements between the Department and each hospital. They can be distilled down to
two main areas.
The first and primary task is to be clear about the purposes of the organization. In the
case of a private for profit body, this will be to maximise profits for shareholders. For
public bodies, the situation is far more complex.
In the case of a public hospital, the reason for its existence, its purpose,
unambiguously, is to provide quality care to patients. To achieve this it is necessary to
focus on patients, and to ensure the health of the corporation.
Focus on patients
A Board should therefore concentrate upon improving the health outcomes of the
consumers of the services of the hospital. The hospital must be responsive to the
needs of its customers. This will include striving to deliver health services in a timely
manner which are:
based upon informed decision making by the consumer;
accessible;
co-ordinated;
of a high quality; and
medically appropriate.
A Board should adopt strategies to ensure that the hospital achieves this set of
objectives.
State of the corporation

The second key responsibility of the Board relates to the state of the body corporate.
A hospital will only be able to effectively meet the needs of the community if the
organization as a whole is in a sound position. A healthy organization is a necessary
pre-condition for achieving the corporate purpose. This includes the following
aspects.
First, the financial viability of the organization and the prudent use of public
funds is essential. This includes the cost efficient delivery of care.
Second, as a public body and corporate citizen, the public hospital must act in
accordance with all relevant laws, and its by laws and objects.
Third, the Board must ensure that the public hospital functions well as an
organization. This includes effectively using the skills, commitment and other
strengths of its staff, and recognizing the fundamental importance of preserving
morale. It also includes fostering a climate within the organization that is
conducive to innovation and is responsive to consumers.
These subsidiary goals provide a more comprehensive measure of the health of the
corporation.
71
In summary, the directors of the Board of a public hospital must oversee the direction
of the hospital to ensure that the public hospital is able to, and does, fulfil its purpose
effectively. How can Boards best carry out this role?
What are the strategies for sound corporate governance?

Strategic planning and assessing performance
There has been discussion world-wide about the need to better educate directors
about their duties, particularly following the activities in the boom and bust period
of the 1980s. In Australia there have been a number of publications addressing the
nature of directors duties. For instance, the paper Corporate Practices and Conduct
published by a group of organizations known as the Bosch Committee, which
included the Australian Stock Exchange, the Business Council of Australia, and the
Australian Institute of Company Directors. The principles outlined in the paper are
designed to create an accountable corporate environment by encouraging the highest
standards of behaviour by directors and companies. The paper spells out the roles of
Boards, chief executive officers, and auditors. It outlines directors legal duties, and the
duty of Boards to meet their obligations to the company and shareholders to maximize
the performance of the company. It recommends that Boards do the following:
first, adopt and monitor progress of a strategic plan; and
second, institute adequate systems of internal controls, together with appropriate

monitoring of compliance activities.
Strategic planning and the use of a balanced scorecard

The literature generally supports the use of strategic planning to enhance the ability
of Boards to be responsible for overall direction of a corporation. This is especially
important in areas where a body is not operating successfully, or where there is room
for improvement. There are various reasons why Boards may experience difficulties
in satisfactorily addressing problem areas. In addition, a management teams primary
focus is usually by necessity on day to day management. It may not have adequate time
to assist the Board to focus on reviewing the ongoing appropriateness of corporate
strategies.
Whilst managers will be concerned with implementing a corporate plan, it is the task
of the Board to periodically review the strategic direction of the body, and to compare
its performance as against other possible strategies.
As l have already indicated, the Health Services Act currently provides for Boards of
metropolitan healthcare networks to engage in corporate planning, by providing that
the functions of the Board of such a hospital include:
developing a business plan; and
developing plans, strategies and budgets to ensure the provision of health services
by the hospital and the long term financial viability of the hospital.
A corporate planning process involves medium to long term planning. To be effective

the planning process must be based upon a sound understanding of the bodys
capabilities and will start from the premise of addressing those areas which are
necessary to enable the organization to achieve its objectives. Traditionally this
consists of two components: a business plan and a strategic plan.
72
The business plan covers financial and operational planning for a 12 month period. It
can only be prepared in the context of the strategic plan. The development of the
strategic component of the plan is where public hospitals can make great gains in the
future.
A recent innovation is the development of the balanced scorecard approach which is
propounded by Kaplan and Norton. It involves focusing on steps that are necessary to
achieve the corporate purpose. This will be those measures which will influence the
entire management process and organizational behaviour and enable the delivery of
high quality care to patients. It involves identifying and setting priorities, and then
aligning the activities of the organization. This can include the setting of targets and
other indicators to monitor performance.
Assessing performance
Much of the benefit of strategic planning is lost, if the extent to which the organization
has performed is not evaluated. There are various ways to conduct such an evaluation.
For instance, the introduction of annual strategic audits could be considered by
Boards to assess the performance of the organization. Independence is the key aspect
of audits.
Such a process would be analogous to a financial audit; it is a systematic review of the
effectiveness of the public hospital when measured against the purposes, targets and
other measures contained in the plan. For instance, if the plan contains valid and
reliable quality measures, then the extent to which treatment provided at the hospital
is of an adequate standard can be better assessed.
The balanced budget is replaced with the balanced scorecard. The Board is then in
a position to assess the performance of the hospital across the various performance
indicators, both financial and non-financial. This should give the Board the
information necessary for it to alter or maintain strategies and ensure continual
improvement.
This will also give the community, Government and Parliament a much better basis
for considering both the extent to which, and how well, a hospital is fulfilling its
purpose.
Where are we?
Currently the two major bodies of work on governance in healthcare are:

a) Best Practice Governance Booklet: Key players from the Victorian Healthcare
Association (VHA) and The Australian College of Health Service Executives
developed the framework for the Booklet which was then written up by Terry
Kilmister from Boardworks International.
b) NSW Corporate Governance in Health, Better Practice Guide (in final draft stage): The
Guide was a collaborative effort between the New South Wales Health
Department and the Health Services Association of New South Wales. The
development of the Guide was managed by a Steering Committee of experienced
health service personnel, including representation from Area Health Boards,
from management, and from within the NSW Health Department.
Limited progress has been achieved to date in identifying and reporting on indicators
of quality at the national level, despite funding for a number of resource intensive
projects and programs at the Commonwealth level. Some jurisdictions are currently
in progress of identifying and developing indicators for reporting at the state level.
Within Victoria, indicator development and implementation is a mainstay of current
73
quality policy within the acute sector.

A further body of work should be commissioned and co-ordinated by the
Commonwealth to advance progress in this area, either through existing structures
such as the National Health Ministers Benchmarking Working Group, or a reference
group with specific understanding and expertise in healthcare quality indicators.
Initially, a scoping exercise is required with the co-operation of the States as to what
information is currently being collected across the nation, for what purposes and use.
This would then inform the development of some system wide indicators for
reporting at different levels. It is envisaged that a framework for national indicators
would provide descriptors of the area of interest, a rationale or purpose for monitoring
the aspect of care or service delivery and identify consistent definitions. The
information could be utilized for a national system of reporting, against key priorities,
whilst being sufficiently flexible to enable adaptation and implementation at the state
or local levels to account for differing needs and infrastructures.
Defining the respective roles of the Board and the senior

management of a corporation
One theme that has emerged is the necessity for clarifying the respective roles of the
Board and the senior management of a corporation. The Board ought to focus upon
setting the overall strategic framework for operations. The CEO is to be responsible
to the Board for the day to day management of the corporation. A common mistake is
for Boards to become too involved in day to day management. Ideally the Board
should have its arms around the organization rather than its fingers in it (Carver,
1997). One way in which public companies attempt to ensure that Boards benefit
from the knowledge and expertise of the CEO, but still operate independently from
management, is to have the CEO on the Board, but not as the Chairperson. This is
the system that applies in relation to Victorian metropolitan healthcare networks.
Carver guides
There is much to be learnt from the very practical approaches adopted in the Carver
guides (1997). The Strategies for Board Leadership focus on the Boards role in
representing owners, developing group responsibility, nurturing diversity, investing
in Board capability, being proactive, obsessing about ends, controlling enough but not
too much, using words wisely, escaping conventional wisdom, and continually
improving the quality of governance.
The 10 strategies for Board leadership outlined in the Carver guides are as follows:
Strategy one: Represent the ownership

In particular, emphasis is given to the need for a Board to represent the ownership of
the organization. For a public hospital, the owner is described as the whole
community. However the obligation to the community is not simply to maximize
financial returns. Sound financial management is important, but it is not enough.
Public hospitals must meet the health needs of the community.
Strategy two: Developing group responsibility
The Board as a body has both the right and obligation to govern, but its constituent
members have none. The Board speaks as a group or not at all.
Strategy three: Seize and nurture diversity
Speaking with one voice does not require unanimous votesquite the contrary. The
Board must value, even crave, disagreement within its ranks if it expects to be
comfortable with the lively dissent outside. Strategic leadership is big enough to
embrace diversity and wise enough to be enriched by it.
74
Strategy four: Invest in your human capital

People make the difference. The Board should give greater priority to finding the right
people rather than filling vacancies. Indeed Boards would do well to tolerate a few
empty seats rather than rush to fill them. Five essential qualifications for Board
members include:
commitment to the ownership;
propensity to think in terms of systems and context;
ability and eagerness to deal with values, visions, and the long term;
ability to participate assertively and intelligently in deliberation; and
willingness to delegate, to allow others to make decisions.
Strategy five: Lead from the front of the parade

Boards have long seen them selves as the final authority. Policy governance
encourages them instead to be the initial authority. Instead of waiting until others have
studied and planned and then reacting, the Board should begin the process, lead from
the front of the parade and be masters of their own fate. For too long, most Board
meetings have been driven by agendas provided by the CEOs. Board meetings should
be the Boards meetings, not the CEOs meetings for the Board. In an entire
organization, no one waits for his or her subordinates to, in effect, design and manage
their supervisors job.
Strategy six: Be obsessed with effects for consumers
Be obsessed unapologetically! No Board meeting should go by without a debate or
presentation on some facet of the ends development process (ENDS: The Board
defines which human needs are to be met, for whom, and at what cost. Written with
a long term perspective, these mission-related policies embody the Boards long range
vision.)
Strategy seven: Control all you should, not all you can
The Board should clearly be in charge. The organization should definitely be Boarddriven, not management-driven. The Board bears the burden of owners trust, and
that trust demands that the Board fulfil its role of power. There is no choice; the Board
must control the organization. Yet controlling the organization need not mean
controlling every single aspect of it. The Board should control only as much as it needs
to control to fulfil its obligation to its trust.
Strategy eight: Use words wisely
When a Boards verbal product is voluminous, there is no way Board members can
fully embrace it. It is far better that a Board generate few words after much thought
than many words after little thought. Avoid duplication.
Strategy nine: Dont be shackled by convention
A Board must continually overcome regressive pressures from the expectations people
generally have of Boards, the requirements fostered by funders and authorities, and
even the well-intended advice of experts. The challenge to Boards is to take advantage
of accumulated knowledge yet reframe the wisdom so that it contributes to better
governance within a conceptually useful model.
Strategy ten: Perpetually redefine governance quality
The definition of quality never stands still. What constitutes quality governance grows
as we do, yet always remains a little beyond our grasp. All members must participate
in the discipline and productivity of the group. All members must be willing to
challenge and urge each other on to big dreams, lucid values and fidelity to their
75
trusteeship. All members must cherish diversity as well as an unambiguous, single

Board position derived from diversity. All members must strive for accountability in
the Boards job, confident that if quality dwells in the boardroom, the rest of the
organization will take care of itself.
Of all 10 strategies, I would like to return to the first and emphasize the need for a
Board to represent the ownership of the organization. For a public hospital, the
owner is the whole community. In the case of our healthcare system, the Boards
obligation is not simply to maximize financial returns, but to meet the health needs of
the community. To date a major focus has been on the financial performance of
hospitals. Boards should now also turn their attention to other ways to address
measures to improve the health of their corporations.
Australia, the UK and the USA have all revised their health policies in an attempt to
achieve a balance between the financial and non-financial imperatives. The intention
of all these nations is to adopt strategies to influence activity at all levels of the
organization so as to enable the corporate purpose to best be achieved.
Taking responsibility for quality of care

Much needs to be done to better manage quality of care throughout an organization.
In its April 1998 interim report on Commitment to quality enhancement, the National
Expert Advisory Group on Safety and Quality in Australian Health Care indicated that
Boards and senior management of healthcare organizations should take greater
responsibility for the quality and safety of care in their organizations. This
recommendation has been accepted by the State and the Commonwealth.
Governments must improve their frameworks for purchasing and promoting quality
and safety.
Boards have a separate obligation to look at their organizations and address these
issues. To quote from the report:
The parallel in other industries is of interest. It would be unheard of in many
industries to leave quality to professional groups and for the Board to not have a
direct role in the quality of the organizational product.
All people working in healthcare have a responsibility for quality and to practice in a
safe and ethical way. However, in recognition that safety and quality are systems
issues, Boards of Management should be accountable for performance. The
monitoring of safety and quality should not be intended to identify individuals and
apportion blame. The adoption of a systemic approach with top level accountability
should provide for freer exchange of information and learning through experience.
Mechanisms for ownership of quality and safety need to be actively pursued and
agreed indicators of performance regularly monitored and reported. The effectiveness
of such approaches will be dependant upon the preparedness of Boards of
Management and Administrators to adapt to change, which needs to be promoted and
facilitated through appropriate education strategies.
The UK
Leading by example, the UK, in the pursuit of quality, have completely overhauled the
NHS internal market to develop a framework for delivering a first class service.
76
The consultation document A first class service: Quality in the new NHS, sets out a
formidable agenda for change. An agenda which concentrates on what really
mattersimproving quality standards, efficiency, openness and accountability. The
UK Government has set out a 10 year modernization programme which will help the
NHS meet the challenges of the next century.
The US
The US has also moved to address the need for greater quality in healthcare.
In September 1996, the President created the Advisory Commission on Consumer
Protection and Quality in the Healthcare Industry. Its mission was to advise the
President on changes occurring in the healthcare system and recommend such
measures as may be necessary to promote and assure healthcare quality and value, and
protect consumers and workers in the healthcare system. The Commission issued its
final report in March 1998, entitled Quality first: Better healthcare for all Americans,
recommending steps to provide a national commitment to improving healthcare
quality.
Conclusion
In conclusion, directors who fully appreciate their role and adopt techniques designed
to improve the performance of the Board will be able to provide the best service to the
community. They will be better placed to make sound decisions and to put strategies
in place to ensure the viability of the hospital and to maintain and improve its
consumer focus. From the Departments perspective, clarification and ongoing
education about the roles and responsibilities of Board members is therefore of great
significance.
However, Boards do not develop strategies in a vacuum. Government is accountable
to the community for the operation of the public healthcare system and therefore
plays a crucial role in the planning to ensure that services are accessible.
Sustained improvement in the quality of healthcare requires recognition of the

current barriers to systemic approaches to quality and the necessity for cultural
change. The achievement of system wide improvements necessitates that
accountability for safety and quality rests with Boards of Management. Mechanisms
are therefore required which promote ownership of safety and quality issues and allow
for assessment and greater transparency of performance against pre-determined
indicators.
For in the long run, as surely as excellence ends with clients, patients, students,
or other customers, it begins with governance.
Carver (1997)
References
Audit Office of New South Wales 1997, Performance audit report: corporate governance.
Carver, J. 1997, Carver guide: Strategies for board leadership, Jossey-Bass Publishers,
San Francisco.
National Expert Advisory Group on Safety and Quality in Australian Health Care
1998, Commitment to quality enhancement: Interim report, Commonwealth Department of
Health and Aged Care, Australia.
77
Presidents Advisory Commission on Consumer Protection and Quality in the

Health Care Industry 1998, Quality first: Better health care for all Americans, USA.
(Internet site: http://www.hcqualitycommission.gov/final/)
National Health Service 1997, A first class service: Quality in the new NHS, White Paper,
UK. (Internet site: http://www.doh.gov.uk/newnhs/quality.htm)
78
The responsibility of hospital boards for

clinical governance
Michael George1, Tom Brennan2 and Dr Heather Wellington3
Clinical governance
Hospital Boards have traditionally concentrated on the higher level administration
and finance aspects of governance. They have not had systematic control of clinical
governance, a term used to describe:
The framework through which health organizations are accountable for
continuously improving the quality of their services and safeguarding high
standards of care by creating an environment in which excellence in clinical care
will flourish.4
This is the description which the New South Wales Health Department has adopted
in its recently released framework for health delivery Framework for managing the quality
of health services in NSW one part of an approach by the New South Wales Health
Department which embraces systems of both corporate and clinical governance. The
framework establishes a system intended to enable the monitoring, managing and
continual improvement of quality in the provision of health services. It imposes a great
deal of additional responsibility on CEOs of area health services, however, the
ultimate accountability will now lie with Area Health Boards.
The framework defines key elements of clinical governance as:
A recognition and acceptance by Boards and health service management that they
have a responsibility for the quality of care delivered by the service and that this
accountability is shared with the clinicians providing this care:
Action by Boards to ensure that an effective system is in place that:
provides an environment that fosters quality;
monitors the quality of care;
provides a regular report to the Board on the quality of care;
minimizes the risk of and identifies deficiencies in the quality of care;
effectively addresses these deficiencies and the quality of care; and
effectively addresses these deficiencies.5
The framework also mandates the components for clinical governance in area health
services. It establishes Area Quality Councils which are Board committees whose role
includes the provision of formal linkages and reporting lines to stakeholders including
1.
2.
3.
4.
5.
Corrs Chambers Westgarth.

Partner, Corrs Chambers Westgarth.
Corrs Chambers Westgarth.
New South Wales Health Department 1999, Framework for managing the quality of health services in NSW, p. 45.
Ibid. p. 47.
79
the Department, consumer groups, divisions of general practice and, of course,

Boards.
The trend to clinical governance

The New South Wales approach to clinical governance is comprehensive. Similar
approaches are evident throughout Australia, reflecting an increasingly explicit trend
towards the accountability of healthcare Boards for clinical governance. At a national
level, the National Expert Advisory Group on Safety and Quality in Australian Health
Care has provided leadership in this approach through its recommendations that:
health ministers take steps to specify performance standards in safety and quality
for Boards of management and senior managers of healthcare organizations; and
work be undertaken in all jurisdictions on adopting and applying systematic

organization-wide approaches to quality improvement within healthcare
organizations supported by appropriate information technology developments
including patient record linkages and privacy safeguards.
The Advisory Group further indicated that accreditation and certification of

healthcare organizations should be strongly encouraged with incentives or made
mandatory.
The rationale for these recommendations was that:
governments could begin by specifying what they expect of Boards and their
senior managers in relation to safety and quality enhancement A written
schedule of performance expectations in these areas with an accompanying
manual review process would be welcomed by many Boards.6
In other states, requirements for involvement by Boards in clinical quality vary, but
increasingly there is a mandated level of involvement in clinical governance systems
that carries the potential for liability on the part of hospital Boards and their members
as a result of litigation arising from adverse events. Issues such as safety, effectiveness
and appropriateness of care, competence of providers of care and even access to
services are all areas in which hospital Board members could, in certain circumstances,
be held to be among those liable for an adverse event.
Standard of corporate governance

In Australia, standards of corporate governance have dramatically improved following

the events of the 1980s. Contemporary approaches to directors duties are illustrated
in the recent decision of Daniels v. AWA Limited7 in which the New South Wales
Court of Appeal held that:
directors must place themselves in a position to guide and monitor the

management of a company;
a Board should meet as often as it deems necessary to carry out its functions
properly;
a director may not rely on the judgment of others where there is notice of
mismanagement or if the director knows or should know of facts which would
place a prudent person on guard; and
6. National Expert Advisory Group on Safety and Quality in Australian Health Care 1998, Commitment to quality
enhancement, p. 11.
7. Daniels (trading as Deloitte Haskins & Sells) v. AWA Ltd (1995) 16 ASCR 607.
80
The responsibility of hospital boards for clinical governance
directors owe a continuing obligation to keep themselves informed about the

activities of the corporation.
Public healthcare services in Victoria, New South Wales and Queensland are not
subject to the Corporations Law so that the improved standards of corporate
governance now imposed on company directors conceivably do not apply. Instead, the
responsibilities of hospital Board members are established by common law.
There are very few recent cases concerning directors duties of entities which are
exempt from the Corporations Law, therefore, older cases must be relied upon when
interpreting the common law. It is tempting to conclude from those older cases that
the duty of care imposed on hospital Board members is significantly less than that
currently imposed by the courts on company directors under the Corporations Law
as in Daniels v. AWA Limited. Yet, these duties are entirely consistent with the
expectations expressed in the various healthcare quality frameworks and because the
common law is a dynamic instrument, which is continually reinterpreted in the light
of contemporary attitudes and values, judges could reinterpret the common law to
impose standards on hospital Board members which reflect contemporary approaches
to directors duties.
Furthermore, if the duty of hospital Board members is less than that of company
directors, governments may decide to change the law to ensure that the administration
of public hospitals is on a par with the management of companies.
Standard of clinical governance
Clinical governance programs require health services to meet a standard of care and
responsibility which is analogous to that of company Boards. It is therefore
appropriate that health services consider the following issues:
training and development programs for Board members on quality issues;
composition of Boards to ensure adequate representation of clinical quality

professionals;
inclusion of clinical quality measures in CEO performance agreements and

appraisals;
reconsideration of the role of medical superintendents and directors of nursing

by analogy with the role of chief financial officers in corporations;
implementation, maintenance and audit of appropriate quality systems;
actively attend to the data generated by reporting systems; and
ascertain what directors and officers liability insurance is applicable or available.
In addition, Board members should be prepared to ask questions and be prepared to

resign if put in an untenable position by a Boards action or inaction.
81
Linking claims management with clinical risk

management
The NHS experience
E Jane Chapman1
Introduction
This paper will consider the impact of clinical claims and their management on the
development of arrangements for risk management in the NHS. It will describe, in
brief, the management of litigation within the NHS dealing with the role and function
of the NHS Litigation Authority and the impact on risk management of the Clinical
Negligence Scheme for Trusts. The paper will also reflect on recent changes in Civil
Law in England which have lead to greater opportunity for partnership between
clinical claims and clinical risk management through the development and
implementation of a Pre-Action protocol for the Management of Clinical Disputes.
Arrangement for the management of clinical claims
The NHS like other developed health care providers is experiencing unprecedented
growth with the number and range of claims of clinical negligence brought against it.
The rise of consumerism, and its associated patient empowerment, whilst of huge
value to many patients, through putting them in charge of their health and choice of
treatment has for the service providers brought with it a much greater chance of
patients questioning care and seeking answers and explanations. In the NHS we are
experiencing greatly increased numbers of both formal complaints and patients who
begin the process of litigation.
Since the introduction of Crown Indemnity in 1990 under NHS arrangements it is
the NHS Trusts and Health Authorities that are vicariously responsible for the acts
and omissions of their staff. The cost of defending and settling is a direct cost to the
NHS budget, taping both Trust and Health Authority budgets and central pooled
funds held by the NHS Litigation Authority (see below). Medical defence
organization protection is only relevant to clinical staff working in the private sector,
i.e. consultants and others who work in NHS hospitals and have their own private
practice and all general practitioners in the NHS who work in a self employed
capacity
As a move to manage the increasing legal burden on the hospital and ambulance
services in 1995 the NHS Litigation Authority (NHSLA) was established as a special
health authority. The NHSLA is charged with the overall management of clinical
claims against Trusts. It established two schemes: the Existing Liabilities Scheme
(ELS) covered all cases with a date of incident prior to 1 April 95 and a second optional
pay as you go scheme the Clinical Negligence Scheme for Trusts (CNST) which
1. Clinical Risk and Medico Legal Manager, North West London Hospitals NHS Trust, Northwick Park and St Marks
Hospitals, UK; Chairman ALARM (Association of Litigation and Risk Management), UK.
83
provided financial pooling for claims with an incident date after 1 April 1995. The
CNST operates as a mutual in-year pooling scheme, Trusts pay agreed annual
contributions calculated on size and case mix and in return the direct financial
exposure above the Trusts chosen excess is reduced, the scheme contributing 80% of
the costs, from the pool, the Trust being liable for 20% of costs above excess, to a
current maximum of 108 000. With cases involving permanent brain damage
(e.g. anaesthetic accidents, and brain damaged babies) settling for upwards of
2-3 million there are obvious financial advantages of scheme membership.
Rapid development of local clinical risk management

arrangements
Membership of the CNST is optional, however by 1999 almost all Trusts (i.e. all
health care sectors including Ambulance Service but excluding the Ambulance
Service had elected to join.
The CNST is made up of two separate but interrelated arms. The claims management
function is managed centrally by the NHSLA, and a separate risk management
function is managed by commercial insurers on behalf of the Authority. The CNST
risk managers published a range of risk management standards each with a series of
incremental criteria for assessment. Trusts are assessed for their compliance to the
standards by an on site visit from CNST risk assessors. The scheme currently offers
three levels of compliance and each level attracts with it a level of discount in respect
of contributions to the pooling scheme. The objective being to recognize the
contribution of good risk management systems can make towards managing and
reducing a Trusts exposure to clinical claims.
The CNST standards are currently being modified and updated to fully reflect the
NHSEs plans for governance assessment. It is intended that the CNST standard form
the core of risk assessment of clinical care delivery. The current standards are
reproduced in figure 1 below. It can be seen that in their current form the standards
are largely process in content, with only one clinical area, obstetrics, being singled out
for specific attention. This of course represent the specialty at highest risk of high
value claims.
Development of risk management arrangements in Trusts
A recent national survey of risk management arrangements in Trusts concluded that

the CNST has had a major impact on the Trust wide introduction of systems for
clinical risk management with heavy investment taking place within Trusts in the
establishment of posts for risk managers and the formulation of Trust wide strategies
and policies around clinical risk management.2
Prior to 1995 few Trusts had formal clinical risk management arrangements, risk
management investment being largely restricted to aspects of health and safety risk
management. Adverse incident reporting was largely limited to slips, trips and falls,
drug incidents and equipment failure. It was uncommon to have formalized
Trust-wide arrangements for the reporting and full investigation of adverse clinical
events. There were at the time however many examples of local arrangements built
around clinical audit and other routine speciality arrangements, particularly in
anaesthetics, and in some places maternity.
2. K. Walshe & M. Dineen 1998, Clinical risk management: Making a difference? NHS Confederation.
84
Linking claims management with clinical risk management
Figure 1: CNST risk management standards

1) The board has a written risk management strategy and makes their commitment to
risk management explicit.
2) An executive director of the board is charged with responsibility for clinical risk
management.
3) The responsibility for management and co-ordination of risk management is clear.
4) A clinical incident reporting system is operated in all medical specialities and clinical
support departments.
5) There is a policy for the rapid follow up of major incidents.
6) An agreed system of managing complaints is in place.
7) Appropriate information is provided to patients on the risks and benefits of the
proposed treatment or investigation, and alternatives, before signature on a consent
form is sought.
8) A comprehensive system for the completion, use, storage and retrieval of medical
records is on place; record keeping standards are monitored through the clinical audit
process.
9) There is an induction/orientation programme for all new clinical staff.
10) A clinical risk management system is in place.
11) (Obstetric units only) There is a clear documented system for the management and
communication throughout the key stages of maternity care.
The survey, which was NHS wide was conducted between January and May 1998.
The researchers found by 1998 of those Trusts responding (44% of all NHS Trusts):
99% responding had a named member of the Trust Board with lead responsibility for
risk issues; 75% had explicitly mentioned risk plans in their current annual business
plan, and 96% had some form of risk management committee. 85% of Trusts had
someone with day-to-day responsibility for risk management issues, and these
Clinical Risk Managers came from a variety of backgrounds with wide ranging
previous experiences. This survey revealed that that when a risk manager was in post
in most cases (89%) the role was combined with other responsibilities (e.g. claim
management, complaints management, or health and safety management). Many post
holders (72%) hold a clinical qualification (nurse or paramedic), but just (10%) hold
any qualification in risk management. This largely reflects the newness of the
speciality within the health service and the still very limited health care related training
or qualifications. One can hope that this will change markedly in the next few years.
The researchers concluded that whilst the NHS had seen a rapid growth in the
establishment of systems and post holders with risk responsibilities to date little
evidence is available as to the effectiveness of this effort, and resource allocation. With
the emergence of a more co-ordinated approach to governance there will hopefully be
an increase in evidence of effectiveness.
85
Contribution of changes in the civil law landscape

Alongside emerging clinical governance agendas within the NHS England has seen
the most radical changes to its legal landscape in more than one hundred. In 1995 Lord
Woolf was charged with reviewing the then current arrangements for Civil Litigation
in England and proposing alterations. In the early stages of his review, medical
negligence now styled clinical negligence was singled out for special attention and a
multi-disciplinary group of lawyers, claims managers, patient group representatives
and medico-legal experts worked together to draw up proposals for change.
Lord Woolf published his report Access to Justice in 1996 and in respect of clinical
negligence claims he found major delays and high costs, particularly at the pre-action
stage, i.e. before the issue of the statement of claim. He also criticized the parties for
taking an adversarial stance at the early stages, which was considered to be unhelpful,
and indeed disadvantageous to potentially injured patients, many of whom were not
only seeking compensation but also an explanation of what had occurred, an apology
and reassurance that lessons had been learned to prevent a recurrence. Lord Woolf
recommended changes that would encourage a closer working together of health
providers and damaged patients and their advisers.
In his conclusions to his report Access to Justice Lord Woolf proposed the development
of more streamlined systems for the conduct of legal cases and for cases where
litigation took place Court led timetables rather than party led timetables. Clinical
negligence along with Personal Injury were singled out for the development of
protocols to encourage the avoidance of litigation wherever possible. The Pre-Action
Protocol for clinical negligence was first launched in July 1998 and formally adopted
with the launch of the new Court rules on 26 April 1999 (as it happened, coinciding
with the Standards Australia Conference on Clinical Governance.)
The formulation of the protocol broke new ground in bringing together previous
opposing parties around a table to discuss together the most effective way to encourage
the early resolution of disputes. A small team comprising a plaintiff lawyer, a
defendant lawyer, a claims manager, a patient representative and a representative of
medical protection societies were steered by the Secretary of the Civil Litigation
Committee of the Law Society of England and Wales. Through a process of
positioning debate, negotiation and final consensus the Protocol was drafted and
following a period of very wide consultation amongst all recognized interested parties
the protocol was adopted by the Lord Chancellors department and became part of the
revised arrangements for Civil Law from April 1999. The author of this paper had the
privilege of representing the views of claim managers on this working group.
Following the Protocol at the pre-action stage is now a requirement for all new clinical
negligence claims. The detail of the legal process is not of direct relevance to this paper
however the introductory section of the Protocol has very clear relevance in this
context. The Protocol sets out good practice commitments both for claimants and
defendants these are reproduced in figures 2 and 3.
If one looks at these good practice commitments for defendants then one will see that
for the English Trust not only do we have directives from the NHSE, under their
requirements for Governance but in addition there are now clear expectations
damaged patients thorough their legal advisors and indeed from the Judiciary that
efforts will be made by health care providers to establish incident reporting systems,
to learn from clinical mistakes and that a climate openness and sharing both within the
organization and with patients and advisors will be created such that effective risk
management will operate in tandem with effective and just claims management. In
time the effect of these changes should be the reduction in repeat claims which so
characterises the claims profile both of individual institutions and indeed across the
NHS.
86
Linking claims management with clinical risk management
Figure 2: Good practice commitments: Health care providers
train key staff in civil litigation practice and procedure
develop an approach to clinical governance
set up adverse incident reporting systems
use results of adverse incidents and complaints positively as a guide to improve

services
ensure patients receive clear and comprehensible information on how to raise

complaints or concerns
establish efficient and effective methods for recording and storing patient records
advise patients of serious adverse outcomes and provide explanation, apology and
compensation of appropriate
source: Pre-action protocol for the resolution of clinical disputes, Lord Chancellors Department, April 1999
Figure 3: Good practice commitments: Patients and their advisers
report any concerns and dissatisfactions to health care provider as early as possible
consider full range of options available for resolving the concern
inform the healthcare provider when the patient is satisfied
source: Pre-action protocol for the resolution of clinical disputes, Lord Chancellors Department, April 1999
Conclusion
The NHS has seen unprecedented changes in arrangements for the management of
clinical claims in the past four years, both through the establishment of a Special
Health Authority, the NHSLA with responsibility for management of claims and
through the climate of change and the new protocols and court rules that have been
brought in as part of a radical shake up of legal management of civil actions following
Lord Woolfs report. With the frameworks that these changes offer individual health
institutions the climate is not set for effective governance in respect of poor clinical
outcomes and claims arising from these.
Under effective governance health care institutions need not only to react to
individual claims but to examine the reasons behind the claim, the full circumstance
of the event s leading up to the alleged damage and to risk manage or treat those
elements of process that require change, be it resources, training, changes in protocols
or the realization that protocols and custom and practice do not match.
The impact in time will it is hoped be a greater openness between health care
institutions and damaged patients, offering swift resolution to disputes, both in
financial terms and with reassurances of steps being taken to prevent recurrence. The
new approach will in time bring in more and more health professionals, hopefully
spreading the word about being risk aware in practice and ultimately one can hope
for a reduction in the number of adverse events that could give rise to claims.
Drawing together claims and risk management in the ways described above one step
towards a health care system that through governance offers patients safety and
reassurance and staff a more safe and secure environment in which to exercise their
skills.
87
Early detection of major risk

Adopting a control self assessment methodology to identify
risk and opportunity and enhance learning
G Randolph Just1
Based on material originally presented by Paul G. Makosz, President/CEO of PDK

Control Consulting International, Ltd to the National Health Service in Belfast,
Ireland, July 1998 and in part adapting descriptive materials available on
PDKs website at www.csa-pdk.com.
Control Self Assessment (CSA) is a dynamic, sustainable process that helps an

organization systematically engage the knowledge, expertise and awareness of its
personnel at all levels. Variously called control self assessment, control and risk self
assessment, or simply self assessment, the process aids in the identification of both risk
and opportunity, in the development of practical action plans to resolve issues,
mitigate risk and build upon organizational strengths, and in creating and maintaining
healthy organizational control.
Self assessment, in its various forms, is at the heart of the Controls Assurance project
currently being implemented by the National Health Service in England. Self
assessment unites the tools available to NHS entities accountable for carrying out and
complying with the Controls Assurance initiatives. This paper will discuss a specific
type of self assessment, which one might historically call classical or workteam-based
control self assessment. This is the self assessment method originated by Paul Makosz
and his colleagues at Gulf Canada Resources, Ltd, in the 1980s that has as its core
process interactive workshops with natural work teams.
Classical Control Self Assessment

We can define classical or workteam-based CSA as follows:
Teams getting together with the managers and a pair of expert facilitators to
analyze, within a chosen framework, the obstacles and strengths which affect
their ability to achieve the key objectives of the team and the organization, and to
decide upon appropriate action.
We will briefly examine each part of the CSA definition, the steps in the workshop
process, and the analysis and reporting of workshop results. First it may be helpful to
look at the concept of organizational control and its dynamic relationship to risk,
opportunity and learning.
1. Vice President, Healthcare Services, PDK Control Consulting International Ltd, Calgary, Canada.
89
Risks
Successes
Opportunity
Strengths
CHAOS
PARALYSIS
PDK Consulting International Ltd
Figure 1: A constant balancing act
Staying in control is a constant balancing act. Identifying and seizing opportunities,

setting and achieving objectives, building upon strengths, identifying and mitigating
risks that threaten the achievement of those objectives require continuing vigilance.
Control is a term that, unfortunately, evokes negative connotations. People may
think of control as something rigid, inflexible, manipulative or as something negative
that people do to each other.
However, in the context of an organization, control can be defined holistically and
constructively as:
those elements of an organization (including its resources, systems, culture, structure
and tasks) that, taken together, support people in the achievement of the
organizations objectives.
from Guidance on Control, Criteria of Control Committee, Canadian Institute of
Chartered Accountants.
Control, risk and opportunity

Control is a continual, dynamic process that encompasses both risk and opportunity:
An organization that is in a strong position to seize opportunity and manage risk

is in control.
Risk and opportunity are closely related:
an organizations failure to maintain the capacity to identify and exploit opportunities may be a fundamental risk to its success;
failure to identify a significant opportunity may become a risk if it results in existing objectives not being met or changed; and
pursuit of a new opportunity will carry with it some new risks.

both quotations from Learning about risk: Choices, Connections and Competencies, Criteria of
Control Board, Canadian Institute of Chartered Accountants.
Graphically we might portray the relationships among control, risk and opportunity
by adapting Abraham Maslows pyramid. On the individual level, the below the line
90
concerns for food, shelter and physical safety represent risks to be managed. The
above the line levels of association, self-esteem, and the process of self-actualization
represent opportunities to be seized. Control encompasses all levels of the pyramid,
from the more fearful, foundational concerns for physical safety to the higher
opportunities that can be seized when fundamental concerns are met.
In the relationship between the individual and the organization, it is worthwhile to
note that employees may be less likely or able to help an organization seize its
opportunities when they lack job security, i.e., when the employees fundamental risks
are not being well managed. Here individual risk is a factor in organizational risk, and
the individual is less likely to help the organization, seen as a living organism, in
adapting Maslows words againthe process of actualizing ones potentialities
SA
ort
un
ity
Self
asteem
Association
pp
ko
Ris
C
O
N
T
R
O
L
the best you can be
Physical safety
Food, shelter
Figure 2: Control and Maslow: Risk and opportunity
On the organizational level, CSA workshops address both risk and opportunity, and
the level of assessment and action may be individual, departmental, divisional or
corporate. It becomes helpful to think of organizations and living entities that are
capable of learning, identifying risk, and responding to challenges by engaging its cells
and organs intelligently.
Living organizations and change

Arie de Geus, in his work The Living Company, noted four characteristics common to
long-lived companies:
sensitivity to the environment (the ability to learn and adapt);
cohesion and identity (corporate persona and community);
tolerance and decentralization (understanding, valuing diversity); and
fiscal conservatism (frugality + careful spending = freedom).

91
The CSA process directly supports de Geus first three characteristics (and indirectly
supports the fourth through its overall support of risk and opportunity management).
In a control self-assessment methodology, we are focusing on the living interaction
within natural work-teams. In a sense, we are treating the organization as a living
organism that can grow, learn, and adaptthe sensitivity to the environment
capabilities emphasized by de Geus first characteristic of long-lived companies. CSA
provides a communication mechanism that the living organization can use to
identify and mitigate risks and to recognize and build upon strengths.
A system of CSA workshops at multiple levels of the organization functions as part of
a living organizations nervous system. Workshops conducted systematically
throughout the organization, and repeated periodically over time, with results rolled
up from local or departmental to divisional to corporate levels, allow communication,
analysis and action to take place broadly or with an in-depth focus as in appropriate in
each case. These workshops serve not only as a mechanism to enhance learning and
adaptation but, at the same time, as a vehicle to improve communication throughout
the organization.
Enhanced communication throughout the organizationwhen carried out in a
positive, constructive manner according to the foundational principles of CSA
(discussed below)can augment cohesion and identity throughout the organization,
thereby strengthening the corporate persona and the sense of community.
Extending the biological metaphor further, the workshops also serve as part of the
living organizations immune system. Internal detection of risk is like an immune
system function in that issues that would become critical matters can be early
identified and mitigated. But the immune system analogy is not complete. CSA
provides a highly effective and interactive tool for not only identifying and mitigating
risk but also for tapping into the knowledge present at every cell of the organization
and enlisting that knowledge and expertise, in a team setting, in identifying new
opportunities, building upon strengths, and perceiving opportunity within issues and
risks for creative problem solving.
Control self-assessment is inclusive, not intrusive. Rather than beating the patients
immune system into submission with drugs until it accepts the donor organ, Starzl
realized, the trick is to convince both the bodys defense mechanism and the new
organ that the intruder is really SELF, a recognized member of the host body. (Dr.
Thomas Starzl, first liver transplant surgeon, quoted in Time magazine). New ideas,
surfaced in CSA, are regarded as self, not things to be squashed or stifled as may
occur in corporations who do not subscribe to the type of affirming, supportive
foundational principles upon which CSA rests.
CSA supports tolerance and decentralization by strengthening understanding within

teams and among levels of the organization. CSA also supports the valuing of
diversity. One of its foundational principles is respect for the opinions and ideas of
everyone, and it provides a communication channel to bring forward diverse ideas that
might otherwise remain unidentified and unleveraged.
CSA is a mechanism for evolution, growth and adaptation of the living organization.
It is more than am aide to for survivalthough it certainly is that in a competitive
environment. It is a tool that helps to foster optimal performance by an organization.
It is not magic nor a panacea. It is simply an effective way to tap into and build upon
an organizations greatest resourcethe knowledge, expertise, discerning perception,
desire to achieve and creativity of its people.
92
His work was foundational to the development of the principles of the learning
organization, later articulated by Peter Senge. Senge, author of The Learning
Organisation, has observed that:
It is no longer sufficient to have one person learning for the organization, a Ford,
a Sloan or a Watson. Its just not possible any longer to figure it out from the top,
and have everyone following the orders of the grand strategist. The
organizations that will truly excel in the future will be the organizations that
discover how to tap peoples commitment and capacity to learn at all levels of an
organization.
Key events in CSA and organizational control models

The development of the comprehensive organizational control models used in CSA
traces its origin back to the post-Watergate investigation in the United States. Those
investigations disclosed that certain corporations had engaged in foreign bribes, and
that finding led ultimately to the passage of the Foreign Corrupt Practices Act in the
US in 1977. Then, in the 1980s, significant financial failures among US corporations,
including Savings and Loan Institutions, led to the appointment of the Treadway
Commission on Fraudulent Financial Reporting. The Treadway Commission,
reporting in 1987, noted that many of the corporations that suffered financial failures,
had unqualified external audit opinions. The external audit did not disclose major
weaknesses in the control environments of the firms. Treadway called for the
development of a comprehensive model of business controls, one that would
encompass all aspects of control and risk, not just those traditional accounting controls
directly bearing on financial statement preparation, and for a common language with
which to discuss business controls.
Internal ControlIntegrated Framework was issued in the US in 1992. Commonly

called COSO (after the Committee Of Sponsoring Organisations of the Treadway
Commission, which sponsored the frameworks development), the model was
heralded as the first comprehensive, practical framework for internal control and was
adopted by many US corporations. COSO especially emphasized what came to be
called the informal or soft controls present in the control environment, seen as the
foundation to the COSO control structure. These controls include the people
focused aspects of communication, vision, understanding of information, trust,
integrity, ethics, tone at the top, corporate culture etc., so important to a companys
success and yet generally outside the realm of the formal controls of a companys
accounting system.
Assessing these informal controls can be of critical importance in early detection of
major risk. In many cases, a clear assessment of the soft controls would have provided
warning of conditions that led to many of the corporate failures addressed by
Treadway. CSA was immediately seen as an effective tool to assess informal controls
systems and, among the other benefits CSA can provide, enhance a companys early
warning system:
CSA measures the fuzzy stuff that traditional audit techniques cannot: trust,
morale, corporate culture. Research for Treadway and COSO has shown that
these somewhat amorphous elements lie at the heart of so many control failures.
Paul Makosz
Following COSO, the Cadbury report was issued in the United Kingdom, drawing
reference to the COSO framework and highlighting the importance of a broader
understanding of business controls for UK corporations. The Cadbury report has
been further modified by Hampel (1997) and in particular by Turnbull (1999), which
93
emphasized the importance of a risk management function to a companys system of

controls and assurance. Control Criteria are currently under development in
Australia, an exposure draft having been issued in 1998.
The Canadian Institute of Chartered Accounts (CICA) Criteria of Control
Committee, chaired by Paul Makosz, used COSO as a starting point to develop
Guidance on Control, commonly called CoCo (after the committees name). CoCo
took the concepts present in COSO, built upon them to emphasize more of risk
assessment and change management, and translated the framework into a cycle, which
can be applied to any level of activity.
Purpose
knowing what to do
Learning
Commitment
to do it better
wanting to do it
Action
Commitment
wanting to do it
Figure 3: CoCo
The CICA Criteria of Control Board, as noted above, defines organizational control
as: those elements of an organization (including its resources, systems, culture,
structure and tasks) that, taken together, support people in the achievement of the
organizations objectives. Within the CoCo model, control is seen as a cycle
comprised of four major groups of interrelated elements:
Purpose (knowing what to do)

Vision, planning, objectives, leadership, expectation, goal congruence, risk assessment.
Commitment (wanting to do it)

Ethics, tone at the top, future expectations, fun, rewards, recognition, open communication, trust.
Capability (being able to do it)

Skilled people, enough people, information, tools, funds, work processes, teamwork, control activities.
94
Learning (to do it better)

Tracking results, measuring, benchmarking, constantly improving, new ideas,
self assessment, changes.
At the time Treadway was issued in 1987, Paul Makosz and his colleagues at Gulf
Canada Resources Ltd in Calgary, Alberta, were conducting the first CSA sessions,
using limited organizational control models existing before COSO.
Bruce McCuaig, my predecessor at Gulf Canada Resources, originated the CSA
idea. He had been studying Watergate-related issues at the parent company, Gulf
Corp. About the same time, a serious management fraud had been discovered in
a Gulf Canada subsidiary, although the internal auditors had been there only
recently. Bruce kept asking, Whats the point of auditing the little things if the
culture is wrong-headed? Gulf was going through some team productivity
exercises at the time, so Bruce wanted to teach teams about internal control and
have them self-assess their position. The rest is history.
Paul Makosz
Paul and his colleagues soon moved away from teaching employees about internal
control to learning from them what real control and risk were. When the first
exposure draft of CoCo was issued in the early 1990s, Paul and his colleagues
immediately adopted its almost biological cycle approach into the CSA workshops.
Monitoring and awareness

How can one seriously expect to assess a massive organization with the limited
resources of a risk management or other department? How can one do more with less?
By knowing when we need help and enlisting the help of the organization through
self-assessment teams.
Do you seriously expect to assess

this
with
Organisation
this?
Department
Figure 4: Doing more with lessknowing when you need help
95
Figure 5: Self assessmentenlisting the help of the organization
What happens in a Control Self Assessment workshop?

In team or corporate self-assessment workshops, work teams of 10 to 12 people openly
discuss the strengths and the obstacles which help or hinder them in achieving team
objectives. They also identify and discuss the actions that can be taken to mitigate the
obstacles and enhance achievement of objectives. Results are discussed openly to
facilitate a clear and shared understanding of the issues by everyone in the room.
CSA workshop principles

The workshops are founded upon several principles:
96
trust;
open communication;
respect;
the person performing a task understands it better than anyone else;
everyones input is regarded as important; and
group comments may be shared externally but individual anonymity is

preserved.
CSA beliefs
Several concomitant beliefs also inform and underpin the workshop process:
people are seen as more important than systems;
they can make bad systems work;
they can make good systems fail; and
people make the difference in the midst of change;
shared information in the team workshops leads to:
better change management;
lower risk;
faster improvement;
all through greater identification and utilization of opportunities and
resources.
The series of figures 69 illustrate the general approach of how one may use a series
of workshops conducted across a company to identify major corporate issues and
risks, assess their impact, and then drill down with other activities (which could
include focused workshops) to address the issues in detail.
Figure 6: First a broad surveyworkshops
Figure 7: Identify major corporate issues
97
Figure 8: Assess the extent of the impact
Figure 9: Then focus appropriate action in depths
In many ways the ideal approach is to apply CSA workshops across the company with
every work team, or at least with representative teams from each department. Short of
that goal, however, CSA may be effectively used with a smaller number of top down
workshops of management teams to assess key issues from the management level.
Also, one may conduct a series of workshops with functional teams representing key
transdepartmental processes that cross several company levels or departments.
Workshop structure
Workshops are conducted with teams of 8 to 12 people and two facilitators. Each
workshop lasts for five to seven hours and includes three parts.
In the first part, a local situation analysis, participants individually identify the major
obstacles and the major assets their team has in attempting to accomplish their
objectives. This identification is done through an interactive brainstorming session
using post-it notes. Team members vote on the relative significance of the issues and
define the consequences and any necessary remedial action. Voting is conducted
anonymously through either manual or electronic voting technology. Discussion is
captured on a computer and projected onto a large screen so all participants can see
and validate the workshop document as it is developed live by the team.
98
In the second part, the team members answer a series of specific questions. The
questions are generally drawn from CoCo or COSO and cover all aspects of what a
team needs to address in attempting to achieve objectives at any level. Other models
like Baldridge or the European Foundation for Quality Model (EFQM) may be used,
and the EFQM is gaining recognition in the NHS. The team assess itself on each of
the points using anonymous voting technology (manual or electronic), and then
discusses what is working well, what is not working well, and what they can do to
improve the situation.
The wording of each question has been developed and tested over many years and
hundreds of workshops and is adaptable to different cultural, corporate and industry
environments. When electronic voting technology is used, the results of the voting
appear instantaneously on screen, revealing the teams self assessment on each point
and serving to launch the discussion. (See figures 10 and 11.) (Use of the electronic
keypads is also genuinely fun for the participants.) Discussion in the second part is
integrated with issues raised in the opening brainstorming session.
Strongly agree
7
4
1
Strongly disagree
Figure 10: The information I need to do my job is easily

accessible to me
Votes 6
5
4
3
2
1
0
3
Disagree
Agree
Figure 11: A specific problem is knownto a few
99
Groups of questions specific to a teams specialty or function can be appended to the

models questions to add additional value to the workshop. This is especially
important in drilling down into detail in certain key areas or in addressing specific
regulatory requirements. Our client in the UKs National Health Service has
developed specific questions beyond the CoCo model to assess specific aspects of the
Controls Assurance project.
The third and shortest of the three parts addresses ethics and ethical awareness. In
periods of organizational turmoil and societal change, peoples values are often
threatened and a survival ethic may emerge. The risk to an organization from this
situation is immense because it can permeate the whole structure. Most people avoid
discussing their own ethics for the same reason that they avoid discussions of religion
and politics.
Unfortunately, in times of stress, deterioration of ethics can happen very quickly. If
no one talks about ethical issues, major problems can develop latently and then
emerge to impair the quality of the organizations products or service for years to
come. This phase of the workshop challenges the participants to confront dilemmas
and the risks associated with ethical diversity. Situations discussed are hypothetical to
allow participants to engage freely in the exploratory discussion. (This discussion is
intended to increase understanding of the complexity of ethical dilemmas before they
are encountered and is not captured on the computer.)
Reporting and analysis

The workshop document, containing the group discussion as typed on-screen during
the workshop, histograms (figure 11) showing the distribution of votes on each
questions, line graphs (figures 12 and 13) showing the average votes on each question,
and all the information presented on post-it notes during the brainstorming session.
The document opens with an executive summary that includes a radial graph
(figure 14, which is actually a composite graph for a whole company but can
summarize from one to any number of teams) showing the teams overall pattern of
strength and challenges plus an analysis of the results cast in light of the objectives the
team is trying to achieve.
In the workshops, team members take accountability for developing action plans and
improving the operations for which they are responsible. Areas can be compared
graphically across teams (figures 12 and 13) so that best practices are readily
identifiable and sharing of those practices across teams is encouraged. In figure 12 we
see a team that has outperformed the organization in all areas except in resources. This
team, an actual case, was a very successful team, critical to the organization. However,
their success had led to arrogance, or a perception of arrogance, that interfered with
their receiving help from other teams in the company. CSA workshops identified the
risk and rectified this situation, preventing the deterioration or loss of a critical team.
In figure 13 we also see several instances one team falling below or rising above other
teams in the company. Here they may be practices that can be shared with a lower
assessing team to help them rise, and a team rising above all others may have identified
a best practice that can be communicated to the rest of the organization. A team can
also compare against itself over time, using both the line and radial graphs, noting
areas of change as action plans are carried out and the team develops.
A global picture emerges when workshops are conducted and aggregated across an
organization. Top management can see in one graph (figure 13 or 14) the current
strengths and weaknesses of the organization. Some may be the result of recent events,
others are deeply rooted cultural issues. A few are solitary issues. For example, in
figures 13 and 14 we see teams across the company noting disaster recovery as a major
100
Team objectives
Resolve conflict
Vision
Acceptable risk
Risk assessment
Benchmarks
Planning/risk
Overall capability
Quality
Job fits
Congruent objective
Figure 12: Impact on a team
Skills
Meet objectives
Resource planning
Adequate resources
Effective structure
Effective structure
Estimate resources
Resources
Enough resources
101
Figure 13: Same organism, different genes
Aligned objective
Accurate info
Recovery plans
Setting objective
Helpful systems
Secure info
Common object
Accessible info
nd
sio
iti
bl e
pta r isk
e
c
f
Ac el o
lev
mp
on
sure
Vi
Re
co
so
al
l ve
rn
Mea
ts
co
nf
ge
te
Co
TM
lic
an
e ch
Co
m
ob pat
j e c i bl
tiv e
es
Purpose
A
obj ligne
ect d
i ve s
ctiv
Ex
ge ns
en
all ptio
Ch sum
as
Se
o b je c t t in g
t iv e s
E f fe
C o nt in uo us t
im p rove m en
Learning
Co m m on
ob jec tiv es
are
valu
pr
ac
tic
es
asse
Risk
ssm
ent
ce
r man
Pe r f o t a r g e t s
R es ul ts an al
ys is
M ee t ob jec tiv es
7
Effe ctiv e tea m
Eff ect ive

str uct ure
Te a m sk
il ls
ate
Adequ ces
resour
r e s p oR o le s a n d
n s ib il
it ie s
Emp
owe
E f fe
red
cts
on
oth
er s
En
j oy
wo
M
rk
Te
an
am
ag
n
em
ew
en
s
tn
ew
s
ills
sk
te
in
te
Ac ces sib le
inf orm ati on
io n
H e lp fu
in fo r m l
at
Sa
i n f fe g u
or ard
ma
tio
n
Sec
info ure
rm
atio
n
Accu
infor r ate
mati
on
Ad
eq
ua
Jo
e
Va l u
th e
E q u it y in la c e
wo r k p
Val ues and eth ics
ar ticu late d
Capability
ip
sh le
er p
ad xam
ce
Le e
an s
d
r m ar
rfo nd
y
Pe s t a
tar
ne ion
Mo at
s
en
n
mp
itio
co
ogn
Rec
liefs
d be
s an
n
M is s io
r- r
el
at
rk
wo
nt s
e
i
c
y
E f fi c e s s e
ilit
pro
ab
p
a
ll c
ty
er a
ali
Ov
qu
e
at
qu
e
Ad
es
ate
E s t i mu r c e
o
s
e
r
Commitment
Figure 14: ControlA birds eye view
102
risk. In this instance, everyone knew that the company, highly dependent on
computer mainframes, had not taken appropriate steps to develop a business
contingency plan. As a result of the CSA workshops, this issue that everybody knew
about was finally addressed and disaster recovery was outsourced.
Most issues, however, are interrelated and often we find that a narrow emphasis on
preferred cultural strengths has led to the emergence of symptomatic weaknesses
elsewhere.
The results
The results of any workshop are immediately visible. The team and their management
have undergone a comprehensive discovery of their own effectiveness. For most
teams this leads to immediate team actions taken to address specific issues which are
within their sphere of influence. For most teams and managers, the effect is uplifting
and enjoyable because, although problems are revealed, at last the issues have been
acknowledged and the team discovers it does have resources and help to deal with
them.
The best time to get commitment to address these problems is at the moment when
their significance is first recognized. When management and grass roots discover the
problem simultaneously in a workshop through their own observations (not those of
a third party), action tends to be taken immediately.
An organizational picture
In addition to immediate action by the team participating in the workshop, however,
there can also be results of long-term significance for the entire organization. When
workshops are conducted across an organization, the numerical and analytical data
from the workshops can be accumulated in a database based on the comprehensive
organizational model. This can be used to develop a global analysis of team
effectiveness at multiple levels throughout the entire organization.
Areas where teams are consistently more effective can be researched to identify and
provide answers to other areas. Major organizational risks surface very quickly and can
be addressed by management before the problems become widespread and critical.
Teams and managers have benchmarks to compare with their own previous ratings as
well as those of other teams. Experience shows that no team is at the top or bottom in
every category, and the best usage of the data is in finding enlightened approaches to
problem solving and identification of opportunities.
Conclusion
CSA gets at the essence of managing risks, at what gets in the way of getting the job
done (Makosz). By applying a comprehensive organizational model and tapping the
knowledge of the people doing the work, it can assess both strengths and obstacles/
risks across an organization and aid in early detection of major risk. When the CSA
principles are followed and the beliefs are honoured, the CSA workshop process itself
can enhance team empowerment, communication and accountability and can serve as
a learning mechanism and a self-repairing mechanism for teams and companies, and
a potent tool to help achieve future goals.
103
References
CICA Criteria of Control Board 1995, Guidance on control, Canadian Institute of
Chartered Accountants, Toronto.
CICA Criteria of Control Board 1998, Learning about risk: Choices, connections and
competencies, Canadian Institute of Chartered Accountants, Toronto.
De Geus, Arie 1997, The living company: Habits for survival in a turbulent business
environment, Longview Publishing Limited and Harvard Business School Press,
Boston.
Makosz, Paul 1997, Serious about CSA, CSA Sentinel, The Institute of Internal
Auditors, Florida, no. 1.
Maslow, Abraham 1971, The farther reaches of human nature, Viking Press, New York.
Senge, Peter 1990, The fifth discipline: The art and practice of the learning organization,
Currency Doubleday, New York.
104
Risk management in the healthcare setting

Judith Napier1
A proactive, ongoing process of identifying and assessing risk, with the objective of
improved prevention, control and containment of all types of risk.
Risk management definition
Most industries, whether it be aviation, shipping or car manufacturing, are deeply

committed to the active practice of risk managementinvesting considerable time,
money and resources. Aviation risk management typically focuses on clear and
defined proactive checks of personnel and equipment, and in-depth review of adverse
events and even near misses. In most other industries a similar importance is now
placed on learning from mistakes.
While some countries have now developed equally sophisticated approaches to the
management of risk in healthcare, the disciplined management of healthcare risk
remains uncommon.
Clinical risk management is the systematic approach to developing strategies that
enable healthcare organizations to learn from past events in order to minimize future
risk.
The proactive application of lessons learned occurs in a somewhat ad hoc manner in

most healthcare organizations. While complaints are investigated, reports written and
individuals soothed, and incident forms are completed and often rigorously
investigated, do we really learn from our past mistakes? Are we able to look at the
information from a near miss and ask ourselves how we can avoid this situation in the
future?
In the US, and more recently in the UK, clinical risk management as a formalized
process has become part of the healthcare landscape. Recent reforms in the UK have
mandated the presence of a risk management program within the NHS Trusts. These
evolved out of the Resource Management initiatives of the early 90s and the medical
audit/clinical audit activities supported by NHS Management Executive in the
mid-90s. A recent report reveals how new clinical risk management initiatives have
made progress in improving quality and patient safety within the NHS. (reference)
While clinical risk management is not incorporated into an overall organizational
strategy, many of the components of a formal program exist within Australian
healthcare organizationspaving the way for development of a true, proactive clinical
risk management program.
The diagram below illustrates the relationships between some of the key components
of a clinical risk management program. The elements sitting above the care delivery
process influence how care is delivered (inputs). All these components will have an
1. Executive Director of HRRI, Australia and Senior Vice President of MMI Companies Inc., USA. This article is
reprinted from the HRRI Newsletter, April 1999. This article reprinted with the permission of HRRI.
105
effect on the risk to the patient undertaking care. For example, the quality of staff
employed, the availability and efficacy of resources, and the standards and policies by
which care is given will all affect the overall risk picture.
Doctors, nurses, allied health ancilliary
Evidence-based
practice
Improvements
in practice
Care paths
PATIENT
Credentialling/
privileging
OHS
Policies/procedures/
standards
Contracts
management
Resources
PATIENT
CONTINUUM OF CARE
Variances
Outcomes
Adverse
elements
Risk
indicators
Complaints
Medical record
review
What can we learn?

How can we do it better/safer?
Risk management
in a
healthcare setting
HRRI
The results of care delivery (outputs)sit below the continuum of careoutcomes,

care path variances, incidents or adverse events, complaints, risk or clinical indicators.
These are equally important components of a clinical risk management program.
Regular review of data generated through analysis of variances and outcomes fed back
to staff for comment and review, can assist in the development of a culture where data
is translated into information that is valued and utilized by staff.
As shown in the diagram, this data can assist in completing a feedback loop by
prompting discussions about lessons that can be learned, which can trigger ideas for
improving the delivery of care.
A clinical risk management program considers both the inputs and outputs of care in
a systematic way. Most importantly, it seeks to implement system-based changes to
improve practice.
This process links clinical risk management to quality improvement. In fact, risk
management is a key component of any quality improvement program.
Risk management is definable, measurable and tangible to staff, which assists them in
learning from their own clinical experience how they can improve the quality of care
they seek to deliver.
A clinical risk management program not only assists in the reduction of clinical risk,
improved patient outcomes and improved safety, but also minimizes the financial,
business and insurable risk within a healthcare organization.
106
Risk management in the healthcare setting
Too many errors, too many claims, untoward publicity or costly legal battles can be
disastrous to the financial well-being of an organization. The cost of re-work,
unplanned returns to the operating room or unplanned time spent in ICU can create
undesirable business risks for an organization that a well-planned risk management
program may have prevented.
Reference
Walshe, K. & Dineen, M. 1998, Clinical risk management: Making a difference?, NHS
Confederation.
107
Role of clinical pathways and variance

analysis in risk management and quality
improvement
Dr Elizabeth Mullins1
Introduction
Process, not people, make a system breakdown is one of the foundations of contemporary
Japanese car industry management theory.
Evidence in health care suggests that this maxim may be valid in health care, too. We
know that when serious events in health care are reviewed, the causes are due to one
of; system, people or equipment.
In a presentation to the European Healthcare Management Association Conference in
Dublin in 1998, Professor John Ovretveit noted that error in health care was due to
system failure, equipment failure or human failure.2
By far the most common of these is system failure or breakdown.
If we accept this premise, as we look to ways of improving quality and managing risk
in health care, then we need to consider a system-based approach rather than the
traditional method of finding the bad apple. In his paper, Professor Ovretveit further
demonstrated that, while system based errors are cited as contributing to 85% of
overall adverse events, only 2% of resources are actually expended in dealing with
those system issues. In contrast, the more typical 98% of resources spent in dealing
with people based issues, which account for less than 15% of errors. This mismatch of
investigative resources with probable cause may help to explain why significant
inroads into preventing or reducing adverse events and improved patient outcomes
has not been more successful.
The Medical Director of HRRIs US parent company, MMI Companies Inc., USA,
Dr Eric Knox, wrote recently,
the paradox that administrators try to cut costs but clinicians make the decisions
which incur most costs in the system, at the same time, clinicians try to improve
quality, most of which is determined by the systems and organizational structures
put in place by administrators.3
1. Risk Management Consultant, HRRI, Melbourne, Australia. This article reprinted with the permission of HRRI.
2. J. Ovretveit 1998, proceedings from European Healthcare Management Association, Dublin.
3. MMI Companies Inc., 1999, Market-driven healthcare systems: Creating solutions to the challenges of transformation, USA.
109
Clinical pathways
Clinical pathways are an effective risk management tool as they support a planned,
systematic, controlled environment of care. They are a tool to decrease variability in
outcomes, provide reproducible results and contribute to quality management.
Clinical pathways also contribute to overall quality and risk management because
they:
establish the intended plan of care;
clarify roles and responsibilities of staff;
clarify and consider resource use; and
are a framework for evidence based practice.
Variances from the intended plan of care highlight risk potential and assist in
identifying practices that may contribute to untoward events. Importantly, variances
reflect an individuals response to care. They also reflect an individual clinicians
response to a patients needs. Variances are a useful prompt to ensure that potential adverse
events are recognizid early and managed effectively.
Variances reflect the reality of care delivered. Unfortunately, many facilities that utilizi
clinical pathways do not review the variances that are recorded. This is disappointing.
Particularly because facilities are missing such an opportunity if they do not review
their variance and consider the patterns that emerge.
Just as the Quality Improvement cycle is effective because it is a cycle (figure 1)
Figure 1: Quality improvement cycle
Plan
Act
Do
Check
so, too, the pathways paradigm can be similarly described (figure 2).
Figure 2: Pathways cycle
Pathway
Writing
Change in
Practice
Collecting
Cases
Variance
Analysis
The optimal value of clinical pathways comes in completing the quality cycle, learning
the lessons and making the change.
110
Role of clinical pathways and variance analysis in risk management and quality improvement
Reviewing variances and outcomes from care assist in:
valuable feedback to staff about the care delivery system;
improved quality of documentation;
recognizing good work done by staff;
targeting areas for additional review; and
understanding some system-based problems in delivering efficient health care.
Consumers and purchasers of care can also benefit from better understanding of
quality of care that a health care facility can provide when a limited amount of variance
data is shared with them.
For example, the percentage of patients comfortable on the evening of their operation,
mobility expectations following a total hip joint replacement and other important
outcome targets.
Variance analysis
Variance analysis needs to be done promptly to maintain the momentum of clinical
pathway development. Much good work done in developing pathways is often lost
when projects run out of steam. One of the most common reasons for this loss of
momentum is a lack of variance data that feeds back to staff about how they have
achieved against their stated aims.
Variance analysis considers the factors behind outcomes and variances. In this way,
staff are encouraged to be more thoughtful around local factors and also to consider
what system-based factors may be at play in the overall care delivery system. For
example: What are the reasons for delay in discharge? What might be the cause of low
HO in a certain group? What assessments were not done to acute mental health
patients on admission?
At this time, additional data can be considered. This might include incident,
complaint or clinical indicator data pertinent to the clinical area. This data plus the
variance can then be discussed in a learning environment so that staff see this as an
opportunity to see what it is telling the clinicians in a broader way about the
effectiveness of their care. In this way, the process becomes a powerful clinical risk
management tool.
Variance analysis assists in making clinical risk management and quality improvement
more meaningful and relevant to staff. Staff can then go and review areas of particular
interest and broaden its relevance beyond the clinical area.
Benefits of variance analysis do not simply apply to clinical staff. Management can
start to understand and measure the effect of their policies and decisions on patient
care and outcomes. Staff can be assured that when LOS targets are defined or reduced,
it will be the regular review of variance that will ensure that quality is not lost because
of potentially conflicting financial or non-clinical targets.
Planning and development of care can be more fine-tuned to reflect a known risk than
a theoretical notion of reality. Resources such as education can be more accurately
targeted to areas known to be common or known to be of concern as a result of review
of variances. Contracts can be written with improved knowledge of what a facility can
actually deliver and progressive dialogue can take place between the facility and payer
to optimizi care for the patient. Effective quality improvement and risk management
comes from a process of clarifying the care to be delivered and a process of reviewing
and learning from the outcomes and results of that care.
111
Credentialling of hospital medical staff

Dr Lionel Wilson1
Summary
This article is a brief account of what is meant by credentialling and what hospitals
have to do to make credentialling and effective rather than a token exercise.
Credentialling as a key element in reducing the risk of litigation for hospitals and the
doctors who work in them is stressed. The article provides a history of this initiative
in Australia and describes the context in which many hospitals find themselves from
time to time. The relationship between appointing doctors and credentialling them is
discussed and emphasis is placed on the structured process that is essential if
difficulties, including legal difficulties are to be avoided. A brief account of the various
methods used in credentialling is given.
Introduction and background
In common with their colleagues in other industrialized countries, doctors in

Australia have been increasingly concerned about the risk of medical malpractice
litigation. Similarly, hospitals as corporate bodies have faced an unrelenting assault in
recent years in terms of malpractice litigation. Neither hospitals nor doctors have done
very much to alleviate this situation, although doctors through their medical
insurance bodies have made attempts at educating their colleagues how to avoid some
of the risk. Also, doctors through their various organizations, have made strenuous
efforts to have changes made to the legal system in a somewhat misguided attempt to
mitigate the problem.
Credentialling of medical staff of hospitals is not only a key element of quality
management (QM), but also is one of the most effective risk management initiatives
that doctors or hospitals can undertake to minimize the risk of malpractice litigation.
Quality management and credentialling have a back to back relationship. QM cannot
be effective without credentialling and credentialling cannot be appropriately applied
without an effective QM program.
History
The New South Wales Branch of the Australian Medical Association developed,
de novo, a system for credentialling hospital medical staff in the early 1970s. This was
in response to a series of events involving medical practitioners undertaking work in
hospitals that was far beyond their training, experience and competence. The
outcomes were disastrous and led to wide public outrage. The AMA found to its
surprise that credentialling of medical staff had been an intrinsic part of hospital
practice in North America for most of this Century. For a range of reasons,
credentialling of medical staff, as designed by the AMA, was never implemented
1. Lecturer in Quality Management, Member of Faculty School of Health System Sciences, La Trobe University,
Melbourne, Australia.
113
although many hospitals claim that they do conduct credentialling.
Definition
Credentialling or the delineation of clinical privileges is the process whereby the
medical staff itself, on behalf of the Board, determines precisely what any individual
medical practitioner can or cannot do in the hospital at any one point in time.
The nature of credentialling

The credentialling concept is an extremely flexible tool by which a hospital through
its medical staff, is able to match medical staff's clinical competence with the hospital's
mission and resources. Credentialling may also be appropriate for other professionals
such as independent nurse midwives and nurses working in intensive care units. Any
mechanism for credentialling or delineating of privileges for medical staff, must also
include mechanisms to ensure that adherence to privileges granted is assured
prospectively, if possible, and that appropriate sanctions are brought to bear in cases
where practitioners deliberately undertake practices for which they have not been
granted privileges.
Credentialling may be categorized into three types based on the stage of its
implementation as follows:
in association with the initial or new appointment;
annual (routine), including the circumstances of a reappointment;
non routine, which in turn can be described as:
locums (including emergencies);
upgrading (when new training has been completed during the yearly cycle);
and
downgrading e.g. as a result of an investigation into a complaint or problem of

patient care.
Contrary to the usual practice in Australia, credentialling is a process that should be

distinct from the appointment process, and should occur annually, as a routine for all
medical staff. The process should allow for emergency credentialling, for example
when, an unannounced locum appears and requires authority to work in the hospital.
Context
All too commonly in Australian hospitals, particularly, but by no means exclusively,

in the private sector, the hospital or its medical staff attempt to curtail a member of the
visiting medical staff from conducting a specific clinical activity. This action comes
out of the blue, usually in response to a situation of incompetence, mishap or illness.
More often than not, no precise method of delineating clinical privileges exists. The
practitioner in question immediately defends himself or herself by making a charge of
bias. You haven't dealt with any of my colleagues like this, why all of a sudden pick
on me? It is then very easy for him or her to justify in their own mind that bias exists
by a competitor in a powerful position and the next step is the threat if not the actuality
of legal action against the hospital, and some of its medical staff, or both.
Often in such cases, while members of the medical staff have been talking about the
situation informally, sometimes among a wide circle of people, perhaps for weeks or
months, the first time that the affected practitioner learns about the concern is when
he/she is suddenly, without warning, prohibited. Inadvertently, therefore, not only
may the doctor have been defamed but also natural justice has been denied. In the end,
114
because a proper process was not followed, the practitioner wins the ensuing legal
battle even though a curtailment of some of his/her clinical activities would have been
in the best interests of patient care. The hospital is, as a result, left with a worse
situation than the one in which it started. A properly conducted credentialling process
can avoid such problems.
While most doctors determine their own capacity to conduct procedures and other
clinical activity with great responsibility, a small number, like any other member of
the community may become psychotic, alcoholic, or suffer any number of disabling
diseases. The doctor under such circumstances who was perfectly competent some
months previously, may suddenly become quite dangerous, without in any way
recognizing this fact.
A very much smaller percentage of medical staff, it seems, has an inborn inability to
recognize their own lack of competence. In the absence of an effective credentialling
program, dealing with this group in any hospital, public or private can probably be a
hospital administration's greatest nightmare.
Relationship between credentialling and appointing

The interface between the appointment process and credentialling is usually not well
understood in Australia. There is a common misunderstanding that credentialling
merely refers to the sighting of a doctor's qualifications during the process of
appointment. This means in practice, that the possession of a higher qualification,
together with a doctor's claim to be proficient in a speciality or subspeciality will result
in privileges being granted automatically for whatever the doctor wishes to do within
that speciality.
Credentialling is the formal matching of what the doctor wishes to do in the hospital
at any one time and his or her competence to do it. While certain aspects of a
practitioners suitability for appointment may remain unchanged from the time of
first appointment, their competence to undertake certain clinical activity may not.
Good-for-life qualifications are no longer an adequate measure of competence.
Credentialling and appointing functions should be seen as separate functions. The
credentialling process comes first followed by the appointment process, but both
processes should be managed as a functional whole.
A systematic process
The credentialling and appointment processes must be formal and carefully
structured. Legal protection for all concerned depends on a routine process that is
formalized and carefully documented. Such a process for appointments already exists
in most large hospitals, but in many small public hospitals and many private hospitals
it does not. Given the traditional open nature of many private hospitals where medical
staff establishments generally do not apply, it becomes of even greater importance to
ensure that the appointment process is successful in fulfilling its proper function of
carefully screening those practitioners permitted to work in the hospital.
Credentialling of medical staff depends heavily on other key elements of a quality
management program if it is to be effective, successful and, above all, credible. The
administrative process to ensure a smooth and efficient operation must be in place
before any effort is made to commence credentialling. This administrative process is
part of the organizational structure so essential for a quality management program.2
2. L. L. Wilson & P. G. Goldschmidt 1995, Quality management in healthcare, McGraw-Hill, Sydney, pp. 457535.
115
Further, the capacity to reduce or limit a provider's privileges depends, in turn, on the
capacity to measure a provider's performance. Assessing the quality of a provider's care
and being able to measure the provider's performance is an essential prerequisite to
effective credentialling. To be able to fairly, and, in a way that can withstand legal
challenge, reduce a doctor's privileges, demands an objective measure of his/her
performance. The process of structured quality review or its manual equivalent must
be in place. Failure to have these other elements of a quality management program in
places will mean that the credentialling process, often established only after
considerable negotiation and discussion with medical staff, becomes discredited
before it even commences.3
Need for policies

Every hospital will have attitudes and rules which have developed over time in relation
to appointments and which impinge on the question of delineation of clinical
privileges. Such matters should not be passed on by word of mouth but should be
carefully developed and agreed upon, documented policies. Examples of such policies
are the frequency of credentialling and appointments, those pertaining to such
questions as an appeal mechanism, and the appointment of medical practitioners who
have reached the age of 65 years and over. Further, hospitals need to develop policies
regarding both the enhancement and reduction of clinical privileges; the situation
regarding locums; and the question of emergencies. Many other issues warrant an
explicit policy; we have included some of these issues in this paper.
Whatever policies are finally developed, they should be clearly documented and
available so that all concerned understand what the rules are under a range of
circumstances. Policies should not be communicated by word of mouth. Policies
regarding the credentialling and appointment of medical staff should be included in
the hospital by-laws, and even in terms and conditions of appointment. Medical staff
must be informed at the earliest possible stage concerning the hospital's policies on
credentialling and all the issues related thereto. The medical staff are not the only ones
to be kept informed about aspects of credentialling. In the case of surgical or obstetric
procedures, theatre staff must also be informed about any member of the staff whose
privileges have been downgraded or upgraded.
From time to time, a need to change, amend or develop new policies, will become
necessary. Such changes can originate from the Medical Staff Council, the Credentials
Committee, the Medical Appointments Advisory Committee or the Board of
Directors. In all cases, however, the Board of Directors must approve any policy
change.
Need to establish and follow procedures

Effective credentialling requires the existence of:
A parallel medical staff appointment system
A properly organized medical staff, which assumes a medical staff association,

and an executive appointed by the medical staff with authority to act on behalf of
the medical staff.
3. L. L. Wilson & P. G. Goldschmidt 1995, Quality management in healthcare, McGraw-Hill, Sydney, pp. 589-631.
116
To be effective and to prevent or at least minimize the possibility of a successful legal

action against medical staff or the hospital as a result of the credentialling program,
certain basic rules and proper process must be adhered to. The following summarizes
the rules and process of a successful credentialling program:
1) A properly constituted committee must be established and this should be in
addition to a medical appointments advisory committee;
2) This committee, known as a credentials committee, must have carefully prepared
terms of reference that must be strictly observed;
3) ;The minutes of this committee must be carefully prepared. It is the responsibility of hospital administration to ensure that the person responsible for the minutes fully understands how to undertake this task. In some hospitals the minutes
are checked prior to distribution by a second person to ensure that potentially defamatory statements have not been inadvertently made;
4) The members of this committee must observe absolute confidentiality;
5) The process followed must observe the rules of natural justice;
6) The application for privileges, the decisions of the committee and the advice to
doctors must be done with a carefully designed and structured formality;
7) All medical staff using the hospital must be subjected to the same process;
8) All decisions of the committee must be in the form of recommendations to the
Board of the hospital or to the appropriate appointments committee, which
would need to see any recommendations regarding privileges, before reaching
their conclusions in relation to their recommendations concerning an
appointment.
Managing credentialling and appointments
Significant management support is required for credentialling and appointing. A

structured turnkey process will not only minimize this load, but will also add to the
protection for both hospital and medical staff against legal actions by aggrieved
practitioners. The quality management department (QMD), or its equivalent, should
provide the administrative support required. Such support includes:
Checking qualifications of medical staff
Checking insurance status of medical staff
Checking registration of medical staff
Keeping profiles on medical staff
Tracking any malpractice claims history
Supporting the credentials committee
The quality manager is responsible for administering the credentialling and

appointment system. In a moderate to large sized hospital, coping with this load
annually is a considerable task and the QMD should develop a systematized approach
to it.
Many Australian hospitals do check the qualifications of medical staff prior to
appointments, and some may even check the registration. Registration of hospital
medical staff should be checked annually, as should the insurance status of medical
staff. In the case of registration, the hospital should check with the Medical Board in
each State to ensure that the registration is valid and current. At very least, the hospital
should require each applicant to produce a valid current receipt for registration and
legal indemnity insurance.
117
Timing of credentialling
Credentialling aims to ensure that all activity in the hospital is carried out within limits
of the doctor's training, competence and experience. For most medical practitioners
an annual credentialling process is purely perfunctory, in that most doctors limit their
practices instinctively. However, for legal and other reasons it is essential that all staff
are routinely submitted to the same formal process annually.
Where complaints arise, or evidence of incompetence appears, or unsuitable
procedures are carried out, and documented, objective evidence of a less than
acceptable standard of care can be demonstrated, a special review of privileges may be
considered necessary.
All medical practitioners wishing to practice at the hospital shall make application to
the manager, setting out their qualifications, training and experience. In addition they
must define the details of the clinical activity which they wish to perform.
This application for granting of clinical privileges will be made annually, and will as
described above be combined, initially, with an application for appointment and every
three years with the application for reappointment.
Emergencies
In cases of life threatening emergencies and no other medical assistance is available,
regardless of privileges granted, any medical practitioner is expected to do whatever he
or she considers to be necessary to save life. In such a situation, however, the
practitioner involved must be able to demonstrate subsequently that no other more
qualified medical practitioner could have been called upon under the circumstances.
The credentials committee's role and function

The credentials committee is the instrument for determining the privileges of
members of the medical staff. The role of the credentials committee is to ascertain and
certify that the medical practitioner is, at any one time, competent to carry out the
requested services in the hospital. It is the role of the credentials committee to evaluate
any matter relating to the privileges of a medical practitioner referred to it by the
manager or the medical staff association. The credentials committee is responsible to
the hospital manager and through the manager to the Board.
Methods of delineating privileges

There are a number of methods for delineating a doctor's clinical privileges, however,
in the case of procedures, one method has clear advantages over the others. This
method consists of the granting of privileges for the precise procedures any doctor
wishes to perform and all procedures should be included in this process.
For all procedural disciplines, quintessentially surgeons, and for those procedural
activities carried out by the cognitive disciplines, a detailed listing of those procedures
which the practitioner wishes to be permitted to carry out in the hospital is the only
effective method of delineating clinical privileges. When appropriate, applicants
should be prepared to demonstrate competence to a designated member of the
medical staff.
118
Credentialling cognitive disciplines

To an increasing degree, the cognitive domains, such as internal medicine, paediatrics,
psychiatry, and dermatology are carrying out their own range of procedures, thus
lending themselves to the system of precise delineation described here. Nevertheless,
much of the work of these domains remains cognitive and not procedural and is not
amenable to this mechanism of credentialling. The credentialling of such disciplines
is assisted by means of well defined practice policies, which would state, in general,
when a consultation is required; how speciality specific the care of certain clinical
conditions should be, etc. These policies should be determined by the medical staff
and adopted by the Board.
Credentialling general practitioners

Transgressions by medical staff, when they occur, are not limited by speciality, and
moreover, transgressions when they are committed by specialists tend to be more
serious because their activity involves more complex procedures. Accordingly,
limiting general practitioners to a specified list of procedures while no restriction is
placed on specialists, is an inadequate response to the problem.
General practitioners should be subjected to exactly the same provisions as their
specialist colleagues. In general, blanket provisions concerning general practitioners is
highly discriminatory and each applicant for privileges should be treated individually
with regard to his training, experience and if need be demonstrated competence.
When any policy matter that is likely to affect general practitioners is under
consideration, general practitioner representatives should be included in the
discussions.
Early efforts to determine what procedures should be undertaken by general
practitioners, in the absence of effective credentialling, saw the grouping of clinical
activity, particularly procedures, into major and minor groupings. This approach
merely begged the question as to the definition of what was major and what was
minor. Quite frequently it became merely the perception of the medical practitioner
involved. With such systems, an arrangement for dispute resolution becomes
necessary to adjudicate the arguments that result from such a system, and it rarely
satisfies either party.
Conclusion
Effective credentialling of medical staff is a large and complex issue that can be dealt
with only superficially in an article such as this. Increasingly, it is becoming realized,
some 20 years after the Australian Medical Association first developed the concept,
that credentialling of medical staff is one of the key elements necessary to minimize
hospitals and hospital doctors risk of litigation. Even in North America, where
credentialling of medical staff has been an intrinsic element in hospital practice for
most of this Century, there is a recognized need to render credentialling more robust.4
4. S. Weagly 1996, Making the case for robust provider credentialling, Health Care Innovations, May/June, pp. 2939.
119
A framework for managing the quality of

health services in NSW
Maureen Robinson1
Introduction
The quality of care provided in the NSW health system is of vital interest to many
groups and individuals, including consumers, policy makers, clinicians, and
managers. In recent times, there has been an increasing recognition both of the
progress made in system-wide quality improvement, and of the concerted effort
needed to improve quality of care further.
The development of an overarching, coherent framework for managing the quality of
healthcare in a systematic way in New South Wales was recommended by the NSW
Ministerial Advisory Committee on Quality in Health Care in the committees first
report to the NSW Minister for Health in 1997. The framework described in this
document was developed following wide consultation and has been endorsed for state
wide implementation by NSW Health. The Framework consists of an Area Health
Service wide committee structure, a performance frame and reporting frame, the
development and operation of which are supported by a robust set of principles for
monitoring and managing the quality of health services, as represented in Figure 1.
Clinical governance
The Framework for Managing the Quality of Health Services in NSW is the means
by which clinical governance is to be introduced in NSW. The key elements of clinical
governance are:
recognition and acceptance by Boards and Health Service management that they
have a responsibility for the quality of care delivered by the service and that this
accountability is shared with the clinicians providing this care;
action by Boards to ensure that an effective system is in place that:
provides an environment that fosters quality;
monitors the quality of care;
provides a regular report to the Board on the quality of care;
minimizes the risk of and identifies deficiencies in the quality of care;
effectively addresses these deficiencies.
Area Health Services will have the discretion to implement the Framework in the
manner most suited to the environment, people and needs identified in that Area.
However, to enable coordination and consistency of the Framework, certain elements
1. Project Manager, Private Health Care Branch, NSW Health Department.
121
will be common across all Area Health Services.
The framework
The Framework for Managing the Quality of Health Services in NSW:
focuses on the quality of clinical care;
provides explicit accountability for the quality of healthcare with a systemic orientation;
provides the principles for managing the quality of health services;
provides an organizational focus for quality activities and reporting, while recognizing the essential role played by healthcare professionals and healthcare teams
in quality improvement;
is aimed at the level of the NSW Area Health Services but is applicable also at the
facility or service level and in the private sector;
describes the infrastructure needed to facilitate the state wide coordination,

monitoring, evaluation, reporting and feedback on healthcare quality and which
builds on and supports local health service quality processes;
establishes a means by which lessons learned can be shared with other parts of
the health system;
provides a stable framework for the necessary ongoing development and maturing of quality indicators and processes;
recognizes the essential cultural requirement of continuous quality

improvement;
The Framework consists of an Area Health Service wide committee structure, a

performance frame and a reporting frame, the development and operation of which
are supported by a robust set of principles for monitoring and managing the quality o
Principles for managing the quality of

health services
f health services, as represented in Figure 1.
Performance
frame
Committee
structure
Reporting
frame
Figure 1
122
Quality health
services
A framework for managing the quality of health services in NSW
The principles
As a quality healthcare service the NSW health system embraces the following
principles:
the health consumer as the primary focus of any model of healthcare quality
management;
consumers being enabled and encouraged to participate effectively both in their

own care and treatment, and in the planning, delivery and evaluation of health
services;
consumers having ready access to effective systems of complaint and compliment;
the Area Health Service Board accepting responsibility for the quality of the
healthcare provided to the consumers of its services;
an Area Health Service Executive taking responsibility for creating and maintaining a structure and policies for managing the quality of healthcare;
those practising within the system taking responsibility for the standard of their
own practice and sharing responsibility for creating and maintaining a system
which provides safe, high quality healthcare;
health treatment and care being based on the best available evidence with Area
Health Services facilitating and monitoring the application and evaluation of best
practice;
a systematic and system-wide approach to continuous improvement of the quality of care delivered;
a robust advisory and reporting structure designed to promote the quality improvement of health services and to provide regular information to the Area
Health Service Board on the quality of services provided;
an emphasis on preventing adverse outcomes through simplifying and improving the processes of care;
the quality of healthcare being measured systematically with a focus on the minimization of inappropriate variation in practice;
a system driven by performance in the six primary dimensions of quality of

healthcare;
useful information relating to the above mentioned performance areas being

readily available to all those who want it;
all healthcare providers having access to systems which produce information

about the outcomes of the care they provide;
quality information being used in planning and resource allocation decisions

within health services;
an emphasis on the development of partnerships of care most especially with

health workers in the community including general practitioners;
the quality framework being supported by high quality organizational structures

that have been evaluated by a recognized external accrediting body.
123
The performance frame

The performance frame is the measurement arm of the quality framework. It
describes the six dimensions of quality, and the five issues which cross those
dimensions, and how performance is measured and therefore able to be managed in
each of these eleven areas.
The six dimensions of quality are:
SAFETY of healthcare: A major objective of any healthcare system should be the

safe progress of consumers through all parts of the system. Harm from their care,
by omission or commission, as well as from the environment in which it is carried out, must be avoided and risk minimized in care delivery processes.
EFFECTIVENESS of healthcare: Consumers of health services should be able to

expect that the treatment they receive will produce measurable benefit. The effectiveness of healthcare relates to the extent to which a treatment, intervention
or service achieves the desired outcome.
APPROPRIATENESS of care: It is essential that the interventions that are performed for the treatment of a particular condition are selected based on the likelihood that the intervention will produce the desired outcome. Appropriateness
of healthcare is about using evidence to do the right thing to the right person,
in a timely fashion.
CONSUMER PARTICIPATION in healthcare: Not only do consumers have a

fundamental right to participate in healthcare delivery, but such input will also
have considerable benefit.
Opportunities must be provided for health consumers to participate collaboratively with health organizations and service providers in health service planning,
delivery, monitoring and evaluation at all levels in a dynamic and responsive way.
Consumer participation will enhance the level of acceptability of services, that is
the degree to which a service meets or exceeds the expectations of informed consumers.
ACCESS to services: Area Health Services should offer equitable access to health
services on the basis of patient need, irrespective of geography, socio-economic
group, ethnicity, age or sex.
EFFICIENCY of service provision: Health services must ensure that resources are
utilized to gain value for money. This can be achieved both by focussing on
minimizing the cost of production of services and by the allocation of resources
to provide the greatest benefit to consumers.
The five cross-dimensional issues related to the quality of healthcare are:
124
competence of providers, multidisciplinary teams and healthcare organizations;
continuity of care;
information management to support effective decision-making;
education and training for quality;
accreditation of health services.
A framework for managing the quality of health services in NSW
The committee structure and reporting frame

An essential component of the Quality Framework is an appropriate committee
structure to monitor and manage the quality of healthcare being delivered in an Area
Health Service. The committee structure includes an Area level, peak quality
committee (henceforth referred to as the Area Quality Council or the Council) and
the various quality committees within the health services in that Area. The health
service quality committees will inform and support the function and purpose of the
Area Quality Council. The Framework recommends objectives, activities and
membership for the Quality Council and linkages with consumer groups, the
Divisions of General Practice and all health services within the Area.
The way in which performance data are reported and disseminated plays a major role
in the way in which the information is used (or not used) to effect change. As part of
the Quality Framework, effective reporting strategies should be established in each
Area to enable quality improvement to occur. Each Area should adopt a consistent
approach for reporting across the Area which will address the specific needs of the
Area.
The committee structure for the Area Health Service and the reporting lines which
should be adopted by the Area Health Services are represented in Figure 2.
Minister
Area
Health Service
Board
Area
Quality
Council
Consumer
groups
Divisions of
General
Practice
Health
service 1
QHCC
Health
service 2
QHCC
Health
service 3
QHCC
Health
service 4
QHCC
Health
service 4
QHCC
Clinicians
and
Managers
Clinicians
and
Managers
Clinicians
and
Managers
Clinicians
and
Managers
Clinicians
and
Managers
QHCC is the peak Quality Health Care Committee for that

health service
Health Services may include hospitals, polyclinics, community health
services, arewa wide radiology and pathology services
and rehabilitation services
direct reporting lines
opportunity for comparisons
Figure 2
125
A change in culture
The development of structures for managing the quality of care in NSW is not a
difficult task. However, if the governance of clinical care in NSW is to result in
improved outcomes for health consumers, far more than structural change is
required. A change in the culture of healthcare delivery and management is essential.
Such a culture change will mean:
viewing quality and budget performance as equal partners in health;
a genuine commitment to quality from senior management;
leadership for quality being developed at all levels of healthcare organizations;
a commitment to multi-disciplinary care teams;
the development of an encouraging climate for clinical review;
transparent mechanisms of accountability;
a commitment by all clinicians to examine the validity of their practice and to be

involved in life-long learning;
improved communication;
the development of partnerships between clinicians and managers;
a commitment by managers to act upon the reasonable suggestions of clinicians

for change;
a population as well as an individual approach to health;
valuing the input of consumers and general practitioners;
local and system-wide quality initiatives.
The essence of clinical practice is continually striving to provide the best care so as to
improve the health of individual consumers and the population. Clinicians, both
through their decisions regarding the care to be provided and the provision of that
care, are essential participants in ensuring the quality of healthcare.
The Framework for Managing the Quality of Health Services in NSW provides an
overarching, coherent framework for managing the quality of healthcare in NSW.
The application of the framework at the clinical level cannot succeed without the
active involvement of clinicians.
This framework provides the opportunity for cliniciansboth internal and external
to health facilitiesto inform and to become involved in shaping the system in which
their patients are treated. It identifies a valuable, practical starting point in a process
which will be continually evaluated and, with the benefit of experience and continued
consultation, will be further developed and improved.
Quality is everyones responsibility.
Quality in health is doing the right thing, the first time, in the right way, at the right
time.
126
Iatrogenic injury in Australia

Dr Bill Runciman1
It has long been recognized that medical care itself has the potential to cause harm.
However, general acknowledgement that much iatrogenic injury may be due to
preventable human error or system failure appears to have been slow in coming.
Factors contributing to this late recognition include difficulties in accessing medical
records (compounded by the tort system and fear of litigation), difficulties in
attributing problems to healthcare management rather than disease processes, and a
general reluctance to openly acknowledge and record system failures and human
errors when patients have been harmed. Objective information about the relative risks
and benefits of diagnostic and therapeutic options is often not available, and, where it
is, ways of conveying this to patients, so that they can make properly informed
decisions, are not well developed.
Healthcare is a risky business. Simply being a patient in an acute care hospital in
Australia carries, on average, a 200-fold greater risk of dying from the care process than
being in traffic, and a 2000-fold greater risk than working in the chemical industry.
Iatrogenic injury is costly; at least 10% of admissions to acute-care hospitals in

Australia are associated with a potentially preventable adverse event. It may be
estimated that the total direct medical costs of these events exceeds $2 billion per year
and that the total life-time cost of such preventable injury exceeds $6 billion per year;
there is also a heavy toll in human costs on both those who are harmed and those who
care for them. Furthermore, medical misadventure consumes over half the amount
spent on compensation and insurance by State Treasury Departments.
There are ethical, humanitarian and financial imperatives to find out what is going
wrong, collate and analyse the information and devise and implement strategies to
better detect, manage and prevent these problems. Evidence from the literature
suggests that as much as half of this burden to society may be removed within 510
years if the necessary investments are made in a systematic approach to this problem.
Failure to do this will result in escalating costs, as the factors contributing to iatrogenic
injury will become more prevalent, not less, in the coming years.
It is also necessary to treat healthcare as the complex system it is, to apply
classifications and approaches to system failure and human error which have been
developed and used in other complex human endeavours (eg nuclear power stations,
off-shore drilling rigs, aviation) and to avail ourselves of the considerable expertise
that has accrued in these areas in other disciplines.
Patient safety is an essential component of risk management, quality improvement
and clinical governance. The new Risk Management Standard (AS/NZS 4360)
provides an explicit framework for addressing iatrogenic injury (see Figure 1).
First, this requires that the context be understood. This involves an understanding of
1. President, Australian Patient Safety Foundation; Head, Department of Anaethesia and Intensive Care, Royal
Adelaide Hospital and University of South Australia.
127
healthcare as a complex system, of human error and system failure, of issues such as
privacy, consent, litigation, risk-benefit ratios and evidence-based medicine, and of
the human and economic costs of things that go wrong.
Second, the risks need to be identified. There are only three ways in which we can find
out what happened when things go wrong: those that are involved either in delivering
or receiving healthcare can report details; trained reviewers can extract information
from medical and other records; and teams of people can be employed to undertake
additional observations or measurements. This last option is too expensive to be used
"across the board", and must be reserved for studying specific problems identified by
one of the first two more generally applicable methods.
Identify risks
Analyse risks
Monitor and review
Communicate and consult
Evaluate risks
Assess risks
Treat risks
Figure 1: The framework for the new Risk Management Standard

AS/NZS 4360
Incident monitoring is one tried and tested way of finding out what is going wrong. A
standardized reporting system has been developed for the Australian Incident
Monitoring Study (AIMS), which is suitable for use throughout the Australian
healthcare system. It is currently in use in all South Australian public hospitals, in four
networks in Victoria, and the Northern Territory; plans are underway for its
introduction to the ACT and parts of New South Wales, Queensland and Western
Australia. It is being used, or has been trialed, by twelve medical specialties. A new,
simpler, more comprehensive version, with the option of reporting electronically via
the web, AIMS+, is to be trialed and introduced in the year 2000.
The second way of finding out what has gone wrong is to extract information from
128
medical and other records. The Australian Institute of Health and Welfare collates
information about morbidity and mortality from the various State collections of ICD
(International Classification of Disease) codes generated at the time of patient
separation, and from the Australian Bureau of Statistics Register of Deaths, and may,
in the near future, be able to link these with PBS and MBS data. However, the primary
emphasis in these collections has been on the underlying disease rather than
complications and co-morbidities, and they are currently not reliable or effective for
collecting information about most types of iatrogenic injury. It is proposed to
progressively improve the capture of iatrogenic injury information using these
established processes.
Standard methods for extracting information specifically about iatrogenic injury using
retrospective medical record review were developed in the Californian medical
litigation crisis in the early 1970s, were used for the Harvard Medical Practice study
in the 1980s and, in the 1990s, for the Quality in Australian Healthcare (QAHCS) and
Utah-Colorado studies. Re-analysis of the data in the latter two studies has indicated
that at least 10% of admissions are associated with a potentially preventable adverse
event, and that such adverse events are associated with as many as 50 000 permanent
disabilities and 14 000 deaths each year in Australia.
A collaborative project is underway with the Harvard School of Public Health to
refine the definitions and methodology used and a new streamlined software-based
process has been developedthe Australian Medical Record Analysis System
(AMRAS). It is proposed that a randomized sample of all hospitals be studied each
year and that strata of hospitals in each state be compared between jurisdictions and
over time with respect to a composite indicator, representing a basket of adverse
events, analogous to the consumer price index.
Third, it is necessary to collate and analyse the risks. Up until 1995, none of the
available systems had the capacity to do this. A Generic Occurrence Classification
(GOC) was therefore developed specifically for things that go wrong in healthcare. It
comprises a multi-axial framework into which all iatrogenic events may be classified
and is designed to elicit their salient features, place them in context and record their
contributing factors, be these system- or human-based. The GOC can be used to
classify incidents or events identified by incident reporting, medical record review,
complaints, morbidity and mortality studies, medico-legal files and coronial
recommendations. An expanded version of the GOC (GOC+) will have been
completed by the year 2000; this will have been built from over 50 000 incidents and
events from all of these sources. It will be made up of over 20 000 categories in a new
structure designed to facilitate flexible, comprehensive, cost-efficient reporting and
data analysis.
The mechanisms exist, therefore, to have a single repository for all things which go
wrong in healthcare in Australia. Data from the QAHCS has already shown why State
and national databases are necessary; first, even in large teaching hospitals most types
of adverse events occur so infrequently that they cannot be prospectively tracked or
sufficiently characterized at a local level to devise remedial strategies; and second,
having data from all available sources in a common repository allows the strengths of
each data source to be exploited. AMRAS will provide information about the
frequency and, with further work, the costs of adverse events, allowing evidencebased priorities to be set and progress to be tracked. AIMS provides vital
complementary information, as it elicits the underlying human-error and systembased causes of incidents which are not provided in the medical record. These details
are essential to obtain the information necessary for devising effective corrective
strategies. AIMS+ is being set up so as to provide both an easy-to-use tool to manage
129
risk and improve quality and safety at a local level, as well as to capture details about
the nature and underlying causes of the majority of events which, individually, occur
too infrequently to be characterized at a local level. AIMS+ also has built-in quality
assurance mechanisms so as to allow comparisons of patterns over time and between
healthcare units and jurisdictions.
Fourth, once problems have been identified and characterized, they must be
addressed - this involves coming up with cost- and risk-effective corrective strategies
which can be implemented in the context of Australian healthcare. The ways of
identifying problems and the types of responses at personal, local, and national levels
must be understood, together with the roles of the various existing means for effecting
change such as regulatory mechanisms for drugs, devices and procedures and
accreditation, recertification, credentialing, informed consent and registration.
However, as the manner in which these currently operate has been shown to be
associated with the current rate of adverse events and rapidly escalating litigation costs
(a one thousand-fold increase over 20 years for some specialties), it is clear that a new,
integrated more effective and responsive approach is required for dealing with these
problems.
The discipline of anaesthesia has taken such an approach and has demonstrated that,
once problems have been properly characterized, system-wide changes can be devised
and implemented which can be shown to be effective. AIMS-Anaesthesia was started
in 1988, ten national think-tanks and consensus conferences have been held, some
50 discussion papers have been produced, and major changes have been instituted and
supported by the profession. The mortality attributable to anaesthesia fell five-fold
between the mid-1980s, before comprehensive national data were available about
what was going wrong, and the mid-1990s, by when a number of corrective strategies
had been put into place across both the public and private systems.
The scope and cost of the problem of iatrogenic injury across the whole of the
healthcare system was revealed by the QAHCS in 1995. It has taken 4 years and
$2 million to develop and trial the tools for characterizing the adverse events making
up this problem; this process is now nearly complete.
By the end of the year 2000 the top 1000 events will have been identified by
combining data from medical record review, incident monitoring and other sources
of information. The new integrated approach which is proposed comprises
characterizing the nature of these problems, estimating their prevalence and cost
Australia-wide, identifying and choosing corrective strategies, evaluating them and
proving their worth in the Australian context, and, finally, implementing them
throughout the system. This will require substantial investment and a concerted,
nationally co-ordinated effort.
A start has been made with two national meetings addressing issues which have been
shown to be important across the whole spectrum of healthcarenosocomial
infection, adverse drug events, thromboembolism, informed consent and falls.
National multi-disciplinary working parties have been set up to develop proposals for
multi-centre studies to be undertaken. It is vital, although the work will have to be
carried out at a local level, that there be both State and National co-ordination of
research in this area, as, to date, many small, often poorly designed projects have
consumed the available resources without producing results which are sufficiently
convincing to be applied across the system.
The establishment of a National Council for Safety and Quality in Health Care and
of a National Institute for Clinical Studies provides the opportunity for these activities
to be co-ordinated. It is proposed that a National Iatrogenic Injury Surveillance Unit,
analogous to the National Injury Surveillance Unit, be established as a Collaborating
130
Unit of the Australian Institute of Health and Welfare, to co-ordinate the ongoing
collation and analysis of information at a national level.
Healthcare is undergoing enormous change and as new systems and procedures
evolve, new problems will emerge and will need to be dealt with. Mechanisms must
be put into place to rapidly identify and characterize these problems, and processes
must be refined for identifying corrective strategies, demonstrating their cost- and
risk-effectiveness in the context of Australian healthcare, and then implementing
them.
It is vital that all stakeholders (including government, the professions, healthcare
administrators, industry and consumers) be involved at all stages of these processes
and that mechanisms for ongoing, effective consultation and communication be
provided at local, State and Commonwealth levels.
Australia is the first country in the world to be able to set evidence-based priorities for
addressing the very substantial problem of preventable iatrogenic injury. Appropriate
tools, suitable for application at a national level, have been developed to allow
benchmarking and to fund the necessary systemic changes. National bodies have been
established for co-ordinating the efforts of all with interest and expertise in this area.
A pro-active approach of investing in long term gains, such as has been taken in areas
such as road and industrial safety, must replace the current ineffective local reactions
to individual problems.
The challenge now is to apply what we have learnt and developed both to the existing
problems that have been identified and to the new ones which are emerging all the
time.
Debate can continue indefinitely about the theoretical relative merits and demerits of
various approaches. The fact is that the methods that have been used to identify and
deal with the problems that cause deaths in road accidents and in anaesthesia are not
perfect. However, by applying them death rates have been dramatically reduced in
both of these areas. The overall impact of iatrogenic injury in human and economic
terms is too great to address only selected areas which are amenable to traditional
research methods. We must act now using existing data and methods, whilst
continuing to strive to develop new scientifically rigorous population-based research
methods with the aim of ensuring that iatrogenic injury will not be allowed to exact
in the future as great a toll on society as it has so far.
131
Understanding clinical risk

In the absence of appropriate, local data what can we learn
from a single incident?
Stephen McAndrew1
Despite the best efforts of many healthcare organizations the historic information
poverty of healthcare systems outside the US means that our efforts to manage clinical
risk are hampered by a lack of reliable, robust, local clinical risk data to support
decision making and priority setting. Proxy data from the US or other non-native
sources is of considerable value and in many cases supports the first hand experience
of clinicians and risk managers.
However it lacks the authority of locally collected data without which local support
for the conclusions drawn is difficult to win. Where good data exists it is often in
isolated islands within organizations, only rarely across whole organizations and
hardly at all shared between organizations to provide reliable benchmarks. Regulatory
issues concerning data protection in many territories limit the scope of data sharing
and the relative newness of many dedicated risk information systems means that
databases are often small and lack the vital longitudinal (time) component.
Accepting that we will have to work within these limitations, at least for the time
being, how can we capitalize on the learning opportunity provided by single clinical
incidents while ensuring the best possible outcome for all the directly affected parties
(patient, relatives, staff, etc.) and the wider group of stakeholders (all patients, all staff,
management, Trustees/Board members, funders/insurers)?
Before looking at the issues we need to be clear as to what we mean by incident, in

particular that it refers to an unplanned occurrence whether or not it resulted in an
adverse outcome for the patient (or others) or not. An incident without an adverse
outcome is referred to as a near miss.
A model to facilitate the analysis of accidents and incidents

A tool exists for precisely this purpose and has been successfully applied to a variety of
clinical incidents with different healthcare organizations in the UK and Europe by the
HRRI professional team and other healthcare risk managers. Based on the work of
Professor James Reason of the University of Manchester, UK, the organizational
accident causation model can be applied forensically to an incident whether or not a
bad outcome has occurred and whether or not the incident related to a single event or
series or general concern regarding performance or outcomes.
1. Managing Director, HRRI, London, UK. This article reprinted with the permission of HRRI.
133
Corporate
culture
Management
decisions and
organizational
processes
Local
climate
Situation
task
Error-producing
conditions
Errors
Violation-producing
conditions
Violations
Defence
barriers
Statisitical
failures in
defences
Accidents
Incidents
Latent failures in defences
Figure 1: Organizational Accident Causation Model
(After J Reason, 1994)
The model is best understood if read right to left starting with the incident in question
and a recognition that most incident investigations focus on the event, the time, the
place, the people, the technology and the outcome without enough emphasis on the
situation and rarely any consideration of climatic and cultural issues.
Defences
If we are to see beyond these narrow considerations we have to start with the fact that
there are many more incidents than there are bad outcomes and many near misses go
unrecognized or at least unreported. The difference is accounted for by the existence
of multiple defences, formal and informal, which tend to prevent bad outcomes.
Formal defences include procedures and protocols designed to pro-actively manage
risk.
Examples include drug administration policies, which require a second member of

staff to check and sign off the dosage prepared by a colleague or privileging by
procedure for doctors. Informal defences are often reactions to risks which are not
otherwise managed, such as the insightful manager who rosters staff to compensate
for any deficiencies in the skill-set or experience of one team member with the skills
and experience of another.
Sometimes defences fail as a result of accidental co-incidence. This is particularly the
case with informal defences which are not subject to formal controls or oversight and
often rely on one individual who knows the problem but in whos absence the
defence is ineffective. Formal defences may also fail, although more commonly as
unintended consequences of apparently unrelated decisions made elsewhere in the
organization. An example would be any defence which depended on redundancy
such as two people checking a drug dosagewhere high level decisions about staffing
budgets (e.g. approving a pay increase without providing additional budget to fund it)
may impact on staffing levels and make this defence impractical. This puts the
clinician in the uncomfortable position of deciding between delivering timely care to
the patient or breaking the rules for lack of an available colleague to do the check. For
many, rule breaking in these circumstances will seem to be an acceptable risk and of
course it usually will be, unless a dosage error has actually occurred.
134
The task and situation

Having identified which defences should have applied and how they failed (or how
some did and others could have failed if we are investigating a near miss) we can turn
again to the task which precipitated the incident. The easy part is to characterize the
actions of those involved as errors or rule breaking and a number of taxonomies exist
describing various types of error but a more fruitful question to ask is:
What was it about the circumstances or situation in which the task was carried out
which precipitated, facilitated or caused the error or violation to occur?
From this question we can describe the local climatic factors which are a precondition of erroneous or rule breaking behaviour.
The culture and the climate

From an understanding of the local climate of risk we can work backward to identify
the underlying corporate and cultural issues which create, or at least permit, a climate
of risk to prevail. Here we also find the factors which have undermined the defences
which may otherwise have avoided an adverse outcome.
Applying the model in a healthcare environment

One criticism of a generic model such as that developed by Professor Reason is that it
is too general for specific contexts such as clinical medicine. It can also be argued that
it cannot be properly applied by those without first hand knowledge of clinical
medicine. A plausible counter-argument is that healthcare is much like any other
complex, high-risk system while the very generality of the model.
Its successful application in a wide variety of non-healthcare contexts makes it
universally applicable. By the same token, first hand experience of clinical medicine
may hinder as much as it helps the process, being equally likely to speed things up as
it is to blinker the investigator with pre-conceptions. An ideal compliment may be
relevant experience combined with an ability to think laterally, and well beyond the
frame of reference of the parties to the incident.
With these issues in mind HRRI felt that it was important to validate the Reason
model for healthcare application and in 1998 and 1999 Dr Sally Taylor-Adams, HRRI
Lecturer in Clinical Risk at the Clinical Risk Unit (CRU) of the Department of
Psychology, University College London, undertook such a project. The findings were
that the specifics of healthcare actually allow the model to be somewhat streamlined.
In conjunction with the UKs Association of Litigation and Risk Managers the CRU
have produced a general purpose toolkit for clinical incident investigation A Protocol
for the Investigation and Analysis of Clinical Incidents, Royal Society of Medicine Press,
September 1999. This has been successfully applied to several specific incidents and
enhanced with the development of templates for high-risk clinical specialities.
Training in the application of the toolkit can be provided by HRRI.
Dr Taylor-Adams approach focuses on four issues which are key to the incidents
investigated:
active failures
latent failures
performance influencing factors
failures of defences
135
Recognizing and cataloguing these factors at each step of the model gives us a rigorous
and repeatable method, the results of which can be compared from incident to
incident, within or between organizations. While this obviously has the potential to
produce a body of knowledge over time, we have to hope that, for any one
organization, the relative infrequency of adverse outcomes warranting investigation
would make this too inefficient as a means of collecting risk data. It would also mean
that our risk database would be biased towards incidents with adverse outcomes, to the
exclusion of near misses, which are a plentiful source of learning opportunities.
The nature of the findings is also significant and the pilots undertaken by Dr TaylorAdams and subsequent applications by HRRI have strongly affirmed that individual
error or rule breaking constitutes 15% or less of the causal factors while 85% are
organizational factors. The most common of these organizational factors are:
communication
documentation
education and training
responsibility and accountability/chain of command
policies and procedures (existence, appropriateness and compliance)
appropriateness of staffing and resources
openness of culture
management and monitoring of clinical performance
supervision and scope of practice
human resources policies and support for professionals
Extending what we learn beyond a single incident

The great difficulty with any findings from a single incident investigation is the
earnest desire that any incident resulting in an adverse outcome is a one-off
happenstance, which will never recur. In many cases this view is not unreasonable, as,
although the causal factors may be common, the specifics of an adverse income may
appear to be unrelated. For example, if communication is at the root of the problem,
apparently unrelated incidents and accidents can ensue across the organization. If we
dont look too deeply we could lull ourselves into a false sense of security, believing
that specific incidents are random accidents or Acts of God beyond our control.
The solution is to use the findings of the incident investigation to create a template to
help us take that deeper look. Using the summary findings of the incident review and
a statistically appropriate, random sample of clinical notes, can we find evidence of the
same causal factors in the care of other patients, whether or not it lead to an adverse
outcome?
The selection of notes within or beyond the clinical speciality of the original incident
is a matter of judgement, but should be guided by:
136
the breadth of the causal factors (which are unlikely to be narrowly confined to
the clinical speciality)
the remit of the investigator
the readiness of the organization to take a broad look at clinical risk
A detailed report on the prevalence (or otherwise) of the factors and the number of
potential incidents and unrecognized near misses, supported with appropriate
statistical analysis, is key to setting the right priorities and securing the necessary
resources to make a real difference.
Incident report
Investigation
Active failures
Specify
Latent failures
person
Performance
task
influencing factors
speciality
Failures in defences
department
organization
Individual factors
Organizational failures
Incident
Risk management
report
Incidence and co-incidence of:
Active failures
Latent failures
Performance influencing factors
Failures in defences
Proposals regarding:
Critical defences
Potential for further incidents
Statistical predictions and cost
consequences
Priorities and action plan
Resource requirements and budget
Design
Sample
Chart review
Chart
review
template
Clinical
records
Figure 2: Systematic risk management analysis based on

a single incident report
Through maximizing the learning opportunity provided by a single incident we are

not only averting the likelihood of a repeat of incident but also addressing the
fundamental issues which potentially undermine the safety and effectiveness of the
whole organization. Most of all we are answering the plea of every victim (patient,
relative or staff member) who asks us, if we do nothing else, to at least learn the lesson.
137
Clinical risk management

A model for hospitals and divisions of general practice
Dr Allan Wolff1, Jo Bourke2, Dr Rob Grenfell3
The Wimmera clinical risk management program began at the Wimmera Base
Hospital in June 1989 and in 1994, the West Victorian Division of General Practices
Inter Hospital Peer Review Program commenced. Both programs began with a
modified version of adverse event screening developed in the United States. The
model involved retrospective screening of medical records using eight general patient
outcome criteria and subsequent medical review if records are screened positive.
Active and passive methods are used to monitor the quality of clinical activity on a
daily basis. Methods included: inpatient and emergency department adverse
occurrence screening and review, clinical incident reporting, general practitioner
adverse occurrence reporting and clinical indicator monitoring. Each organization
utilizes a combination of methods which is dependant on local need and resource
availability.
Data from these sources are reviewed and analysed to determine if an adverse event
has occurred. Adverse events detected are then analysed to determine if the event was
caused by healthcare management or was a natural consequence of the patients
condition or disease process. The possible causes of adverse events are determined and
recommended actions to improve clinical care are made to both clinicians and
administrative staff. The effect of actions taken is automatically evaluated by
continuously monitoring ongoing clinical activity.
In addition, adverse events occurring at other hospitals that have been highlighted by
coronial inquests, insurers, statutory bodies and media are analysed using the same
process.
The programs based in the Wimmera have developed effective and efficient methods
of managing clinical risk and created a valuable source of data about organizational and
regional adverse events.
Clinical risk management strategies have previously focused on litigation
management. This model offers a unique opportunity to proactively manage clinical
risk within a quality system as part of day to day hospital activity.
The model is patient focused and based on continuous improvement in the delivery
of safe service. It assumes that an organization that is highly educated in professional
practice, technical skills and system management, will maximize opportunities to
learn from errors and that the focus of quality of activities will be on systems analysis
and improvement rather than individual deficiencies. The conceptual framework of
the model is transferable to other hospitals.
1. Director, Medical Services, Wimmera Healthcare Group.

2. Clinical Risk Manager, Wimmera Healthcare Group.
3. Chair, General Practice Division, Wimmera Healthcare Group.
139
Clinical activity
Active
In-patient program
Emergency Department APO program
Screening/reporting
Passive
Clinical incident monitoring
General practitioner APO feedback
Clinical pathway/variance analysis
Clinical review
Adverse event
Issues raised by
Individual patient risk assessment
Empirical analysis
Coroner reports
Media reports
Consultative committees
Patient satisfaction/complaints
Clinical indicators
APSF National database
Medical/nursing journals
Insurers
Detect risk
Analyse risk
probability
consequences
rate risk
Prioritise risk
Accept risk
(Aim to eliminate
or reduce risk)
Minor changes
(monitor)
System changes
Evaluate/monitor
1999 Wimmera Health Care Group
Wimmera clinical risk management system
140
Using radar logic to develop standards-based

management systems that work
Michael Paskavitz1
Depending on where you sit, healthcare standards are either at their height or the
depth of their popularity. On one hand, healthcare leaders everywhere recognize that
agreed standards are essential to consistent, systematic, and measurable performance.
On the other hand, the healthcare community has absolutely no tolerance for
ill-conceived, unrealistic standards that waste time and money and deliver no evidence
of anything.
The most significant healthcare standards in the United States are those required by
the Joint Commission on Accreditation of Healthcare Organizations (JCAHO) to
achieve accreditation, which is critical for receiving reimbursement from the federal
Medicare program. Starting in 1994, the JCAHO introduced new standards and a new
audit verification process that intended to transform accreditation from a reactive,
one-off, punitive, tick-box exercise that took place once every three years to a process
of continuous improvement in which the standards influenced organizational
behaviour, improved quality, reduced risk, and performance against the standards was
measured over time.
Unfortunately, most hospital executives still saw, and see, the JCAHO process as an
event they just need to get through to ensure that 5070% of their income stream is
intact; they have no desire for accreditation to dictate their organization's daily life.
However, many of their line managers began treating the JCAHO process as the
single event that validated their professional existence. Therein lies a problem.
For example, one of the largest healthcare organizations in the U.S. found that many
of their hospitals who scored the highest against the standards (e.g. 95% or higher) also
had the highest levels of adverse patient incidents, complaints, and claims. When the
corporate office went in to sort out the problem, the managers believed they had
already been validated by the JCAHO and simply would not deal with real-life risk
management problems. As a result, that organization's corporate leaders now perceive
accreditation to be a barrier to successfully protecting patients.
Where did this go wrong? Did the standards fail to deliver? Was it the healthcare
organizations fault? Their managers? The JCAHOs? Or was it a combination of
factors that produced the perception that accreditation had failed this particular
organization? Although anecdotal, hindsight being 20/20, it was likely that all of the
components of accreditation, not just the standards, had some sort of design flaw.
1. President, the Health Care Safety Institute, Boston, Massachusetts, USA.
141
What is radar logic?

Given the increased pressure placed on standards to deliver tangible results, radar logic
is merely the notion of building a standards-based initiative backwards by starting at
the desired outcome(s) and determining what it will take to get there.
The standards which underpin the new Controls Assurance Project of the National
Health Service (NHS) in England were designed using radar logic. The Project began
in earnest last June, when the NHS Executive officially took on board the Australia/
New Zealand Risk Management Standard AS/NZS 4360:1999 as their core standard,
and began to produce internal control standards that represented areas of significant
risk in healthcare, ranging from health & safety to infection control to equipment
management. These are systems which underpin the safe delivery of patient care.
To ensure that the whole of Controls Assurance was constructed properly and hung
together, the NHS Corporate Governance Group was asked what they ultimately
wanted Controls Assurance to deliver. The desire was first stated to be providing
assurance to the public that risk was being managed in the NHS. But in reality,
Controls Assurance is also expected to ensure proper governance by boards, facilitate
compliance with laws and regulations, provide a methodology for allocating resources
based on risk, help set priorities, measure and benchmark performance nationally,
change organizational behaviour, improve safety and quality, enhance public
confidence, and so on. That is a tall order.
Each desired outcome related to a standards-based initiative raises the stakes for how
carefully and expertly the components of the initiative must be constructed. For
example, standards which must deliver improved safety will be written one way, but
if you also want them to be cost-effective, they must be written another way. The
longer the list of desired outcomes the more narrow the margin for error becomes for
the entire initiative, starting with the standards.
Embrace a management theory

Whether it's total quality management, risk management, business process reengineering, or robust design, standards must be embedded with a management
theory. In the case of NHS Controls Assurance, that theory is risk management, as
defined by AS/NZS 4360.
The NHS views Controls Assurance and risk management as a proactive system of
management to protect the assets of the organization. Those assets are patients, staff,
technology, physical infrastructure, finances, and reputation. Thus, the Controls
Assurance standards had to be written to help reveal risk for those who assess against
them. If the standards fail to highlight potential risks to their users, they will have
failed in their purpose.
For example, an assessment against a health and safety standard may have found that
an organization was 80% compliance with a given requirement. Quality would care
about that 80%, while risk cares about the 20% because it represents a potential risk.
It's not about compliance, its about what non-compliance represents: risk.
Had the NHS embraced quality or BPR as its management theory, the standards
would have been written, and the initiative constructed, in a different way.
142
Using radar logic to develop standards-based management systems that work
Develop a management model

Healthcare people love acronyms. If you cannot recognize what an acronym is, you
are not considered credible, one of the brethren. For standards to achieve their desired
outcome, they should be cast within a management model, whether that's ISO, the
European Foundation for Quality Model (EFQM), PDCA (Plan-Do-Check-Act),
the Canadian CoCo model, the JCAHOs PDMAI (Plan-Design-Measure-AssessImprove) framework or a customized model.
For NHS Controls Assurance, that overarching model is Accountability Structures
(leadership, people, policies, committees), Process (the work processes in that risk
area), Capability (knowledge, information, resources), and Outcomes (performance
measurement, benchmarking). Each of the 17 control standards were written within
the framework of this model.
One of the reasons why Controls Assurance developed its own model, as opposed to
embracing ISO or EFQM or CoCo, is because there is an ultimate desire to apply
Controls Assurance to clinical medicine in the NHS, and this model is conducive to
doing so within the NHS culture.
Determine a compliance assessment process

The factor that may have more to do with how standards are written than any other is
how they will be assessed and enforced. Historically and in reality, most standards are
written for their auditors and inspectorsnot for the users or implementersbecause
the auditor must ultimately assess against them and make clear judgements of
compliance.
But there is new thinking about auditing and enforcement. Most auditors are not
technical experts in the areas they audit, so their ability to drill down into substantive
areas and make credible judgements is limited. In addition, there typically are not
enough auditors to do more than a periodic, retrospective review of past performance.
For instance, it would take the U.S. Occupational Safety and Health Administration
(OSHA) 75 years to inspect every American workplace just once.
More contemporary thinking is that the best way to ensure continuous attention is
paid to standards, and that credible judgements of compliance are made, is to convert
to a self-assessment model. This is happening in various parts of the world, such as in
U.S. regulatory schemes and in the NHS Controls Assurance Project.
By stating that self-assessment is the primary means of auditing compliance, the role
of auditors (internal or external) will change dramatically, as will the relationship
between the organization that is self-assessing and the auditors who are verifying that
the self-assessment was done accurately, properly, and honestly. In the NHS, it was
critical that the standards be written for self-assessors, not auditors.
There are issues related to a self-assessment model. For instance, auditing and
enforcement has always been a cat-and-mouse game, so many users ignore standards
because their likelihood of getting caught was low. Thus, many users of standards
believe that self-assessment means self-incrimination, and poor results from a selfassessment could get them fired.
If the airline industry serves as any barometer, their pilots and staff are given immunity
and are actually rewarded for not identifying problems, and they can be fired for not
reporting problems. Similar comfort and measures must be given to self-assessors
who are being asked to disclose shortcomings.
143
Beware of psycholinguistics
One of the more interesting new fields of study is psycholinguistics, which looks at
the power of words and how they influence behaviour based on the psychology of
perception. As we transition from the Information Age to the Knowledge Age, united
by the Internet, the ability of words to positively or negatively influence perception
and behaviour will be profound. Standards are a good example of this.
Any group writing standards must appreciate that the users of the standards should
have little confusion over what the standards is asking for, especially if self-assessment
is being utilized. Again, poorly strung together words could send users down the
wrong path altogether, and they'll lose faith in the standards.
In addition, it must be decided whether and to what extent standards should be
prescriptive. In theory, the best way for a standard-setter, such as the NHS, to get what
they want is to be very prescriptivetell users exactly what you want and set targets.
But in practice, users ultimately reject prescriptive standards because they are too
confining, considered not universally applicable, and become outdated fairly quickly
as practice changes in the field.
For Controls Assurance, it was decided that the requirements (individual criterion
within the 17 standards) should be non-prescriptive but very clear in what they are
asking self-assessors to make a judgement against. The substance needed to help make
judgements is captured in the guidance. That is, if you make standards or criterion
non-prescriptive, you must provide users with substantive guidance to help them
make good judgements. Conversely, if you provide prescriptive standards, the
guidance is not as important.
The other point of consideration is whether standards should be input or output
standards. An input standard is something like Suitable arrangements are in place for
the proper disposal of waste, according to policy. This is an input standard because it
is concerned with the arrangements to dispose of waste, not the actual disposal of
waste. This standard would be very difficult to self-assess against and verify through
audit, and it doesn't appear to have anything to do with risk.
An output standard would be All waste is disposed of properly, according to policy.

This requirement is concerned with waste itself, and can be self-assessed and audited
without much debate. The self-assessor may find that only 65% of the waste stream is
properly disposed of. That's important because the other 35% represents a risk of
some magnitude. Thus, the standard has revealed risk through self-assessment, and
the self-assessor is now prepared to manage risk.
Provide the components to make it work

There are more to good standards than nicely constructed words. Standard setters
must also provide an infrastructure in which the standards can achieve their desired
benefits.
For example:
144
If one desired benefit of the standards is measured performance against them, especially through self-assessment, provide an information platform (e.g. software)
when the standards are launched.
If standards are expected to change practice and behaviour, be prepared to invest

significantly in proper training.
Using radar logic to develop standards-based management systems that work
If standards are expected to remain relevant, ensure that there is a dedicated entity to monitor and modify them as needed to reflect changing practice.
If standards are expected to help users make decisions, be prepared to provide

decision-support tools.
If standards are expected to address real issues and not lofty processes, be sure to
have indicators which are directly related to the standards.
If standards are expected to slowly reduce risk and improve quality over time, as
in the NHS, be sure there is a reactive mechanism to acute problems to ensure
that stakeholders aren't seen as fiddling with lofty standards as Rome burns.
In summary, the proliferation of standards in healthcare has a great deal to offer the
industry at a time when it greatly needs help, providing the standards are done the
right way for the right reasons at the right time. If not, they could be an expensive and
potentially harmful distraction for busy healthcare providers.
145
Integrated risk management within the

health industry
Sue Williams1
Introduction
In August 1998, the Metropolitan Health Service Board appointed a risk management
coordinator to develop a strategic risk management plan for the Metropolitan Health
Service in Western Australia. In the first instance, research was undertaken to identify
existing risk management systems within the Australian health industry. As no
strategic risk management plan was identified, a project was therefore initiated to
develop a comprehensive plan to assist the Metropolitan Health Service to achieve its
objectives. This paper briefly discusses some of the key learnings from the risk
management project.
The catalysts for change

The legal requirement
A systematic and inclusive risk management process that is fully integrated into
all phases of program design, implementation and evaluation is not only a means
of maximizing program effectiveness but also a very good defence against public
and parliamentary censures.
Les Scott, MHR, 1995
The legal requirement to implement risk management in Western Australia is driven

by the Financial Administration and Audit Act, specifically Treasurers Instruction
109 (TI109). This Instruction states that the risk management process is designed to
protect both the government and the community from unnecessary costs and losses
and that accountable officers are to ensure that risk management policies and practices
are established. TI109 prescribes no set methodology to implement a risk
management system and refers to the AS/NZS 4360:1999 Risk Management Standard
as an implementation guide. The Office of Auditor General (OAG) audits
government agencies to determine compliance with TI109. OAG have stated that
audits will take a whole of business approach by assessing risk management systems
to determine the effectiveness of controls. Audits will also assess whether risk
management has been integrated into the organizational culture.
1. Health Department of Western Australia.
147
Strategic risk management

A growing volume of research reveals that people yield to inconsistencies, myopia
and other forms of distortion throughout the process of decision makingthe
evidence indicates that these flaws are even more apparent in areas where the
consequences are more serious.
Bernstein, P. L. 1997, Against the gods: The remarkable story of risk
Strategic risk management is a key component of corporate and clinical governance.

Boards and mangers have a duty of care to protect their organizations, staff, patients
and visitors. Risk management must be integrated into strategic plans and business
activities to enhance the longer-term financial viability of health services. Some of the
most significant governance risks facing the health industry include that the health
services:
do not meet public expectations;
have not developed the capacity to learn from failures;
waste resources by developing mutually exclusive programs;
have not systematically responded to medicolegal and workers compensation

claims that have adversely impacted upon medium and long term operational
budgets;
have no corporate or clinical standards to pursue performance and resource management;
have no assurance that clinical consultants or visiting medical practitioners consistently meet clinical policies, guidelines or pathways, where they exist;
have accumulated extensive maintenance exposures to facilities, amenities and

equipment;
do not methodically establish or review contracts to ensure that only reasonable

risks are accepted and that those risks are transferred to and accepted by insurance
underwriters;
Adverse events and medicolegal claims
The Quality in Australian Health Care Study (QAHCS), published in 1995, found
that 16.6% of hospital admissions were associated with an adverse event and that 51%
of these were potentially preventable. The National adverse event rate (based on 3.6M
separations) may be estimated at 304 776 per year, 5 861 per week or 837 per day
(13.7% of which result in permanent disability and 4.9% in death). Although the
QAHCS has been criticized, even if adverse events were halved, the findings should
prompt immediate risk management treatment.
Comparisons between the number of claims being filed and the number of
preventable adverse events depict that the current claims lodged represent less than
one half of one percent of the potential medico/legal exposure. The Medical Defence
Union (MDU) Report (1998) stated that in NSW the average cost of settling claims
increased by 250% between 1992 and 1997 and there had been an increase of 200% in
the number of indemnity files opened at their offices between 19901997. The
Australian Patient Safety Foundation (APSF) has established that the direct medical
costs of adverse events exceed 2 billion dollars annually and that current medicolegal
exposures directly cost a further 400 million dollars annually (or 5% and 1%
respectively of health budgets). An upward trend in medicolegal claims would
severely impact upon the capacity of the health services to provide core services and
may increase by up to 500% within the next six years.
148
Integrated risk management within the health industry
Systemic failures
Risk is inherent in everything we do whether it is riding a bicycle, managing a
project, dealing with clients, determining work priorities, purchasing new
systems and equipment, taking decisions about the future or deciding not to take
any action at all. We manage risks continuously, sometimes consciously and
sometimes without realizing it, but rarely systematically. The need to manage risk
systemically applies to all organizations and to all functions and activities within
an organization. It should be recognized as being of fundamental importance by
all public sector managers and staff.
Guidelines for managing risk in the Australian and New Zealand public sector HB143: 1999
Systemic failures are repeated within the government health industry without
modification to practices and procedures. Systems must be designed to reduce the
likelihood of failures occurring. The aim of developing an integrated management
system is to provide a comprehensive response to AS/NZS 4360:1999 that adds value
to health services and hospitals and is not an administrative liability. The Interim
Report of the National Expert Advisory Group on Safety and Quality in Australian
Health Care (28 April 1998) recommended That further work be undertaken within
all jurisdictions on adapting and applying systematic, organization-wide approaches to
quality improvement within Australian healthcare organizations. The Implementing
Safety and Quality Enhancement in Health Care Report (July 1999) from the
National Expert Advisory Group recommended that health services in Australia seek
to improve the development and implementation of risk management strategies
within their organization.
The risk management strategy

Risk indicators
Substantial resources are leached daily from operational budgets by exposures that
disrupt the working environment, increase operating costs and reduce efficiency.
Typically resources are allocated to reactive indicators with little commitment or
attention afforded to proactive management. This focus must shift to achieve longterm sustainable improvement as shown below:
Proactive Indicators
Reactive Indicators
Near miss reporting

Case and file reviews
Informed consent
Preventive maintenance
Self-assessments/benchmarking
Patient satisfaction
Controls assurance
Observation/consultation
Mishap Investigations
Workers Compensation
Adverse events
Medicolegal claims
Equipment failure
Investigative audits
Complaints
Public outrage/ministerials
Process failure
Systemic failure
149
An integrated management system

A management system can be defined as the organizational structure, procedures,
processes and resources needed to implement objectives and monitor performance.
The aim of developing a management system is to ensure that strategic and
organizational objectives are achieved by providing the baseline for performance and
resource management. The fundamental features of risk management, occupational
health and safety and quality improvement overlap in many key processes. Rather than
developing three separate systems, it is more productive (and cost efficient) to develop
a seamless integrated management system. Many large corporations invested millions
of dollars to develop quality assurance, environmental and safety systems throughout
the 1990s. They are now investing funds to integrate these systems. Integration
releases the considerable resources required to maintain separate systems, thus
increasing productivity and reducing waste. A seamless system enhances performance
and resource management. An Integrated Health Industry Management Model
(Annex One) was developed to show that integration is a viable option where
processes share common features such as incident management, contract
management and change management. Currently Risk Management is the best placed
discipline to provide a basis for integrating a seamless approach to corporate and
clinical governance.
Risk management plan

The Metropolitan Health Service Risk Management Plan is a five-year strategy with
many milestones and tasks. The aim and objectives of the Plan are as follows:
Aim
Develop and implement an integrated management system to assist the Metropolitan
Health Service to meet its objectives.
Objectives
150
develop a seamless approach to corporate and clinical governance;
develop and implement a controls assurance program;
develop the capacity to learn from failures;
ensure that risk management is an integral part of the organizational culture;
ensure that management and employees are accountable for risk management
through individual and team based performance management objectives;
develop and implement integrated health industry risk management standards;
re-engineer and improve processes through client focused patient care;
foster an environment of continuous improvement through self-assessment;
develop the capacity to identify and prioritize risks, as well as implement

treatments in a decisive and timely manner;
encourage employee involvement and team building;
identify, acknowledge and harness pockets of excellence;
mobilize existing risk management resources.
Risk management policy

The Risk Management Policy (model attached as Annex Two) is a one-page
document signed by the most senior executive. This is a concise document that
contains 10 managing principles that directly interface with the 10 Risk Management
Standards. The Policy is a vision statement, the pre-determined organizational
destination. The Policy alone is not enough to complete the journey. Management
standards are required to provide organizations with a verifiable road map.
Risk management standards

The most visible component of the Risk Management System is the integrated Risk
Management Standards. The framework for Standards was developed by reviewing
AS/NZS 4360:1999 Risk management, AS/NZS ISO 9001:1994 Quality systems, the
Australian Council on Health Care Standards, the National Mental Health Standards,
the Community Health Accreditation and Standards Program (CHASP) and the Aged
Care Accreditation Agency and Standards. The development of the Standards will
facilitate a review of existing policies, operational instructions and guidelines. New
standards will only be developed where high-risk processes or environments do not
have existing procedures. The review process will be undertaken by the users, for the
users. This will recognize, network and acknowledge pockets of excellence and
enhance employee consultation. Education workshops will be conducted to assist
organizations to meet the Standards, which will become the baseline for performance
management and will be accessible on the Intranet.
National Health Service

Clinical Governance is a framework through which NHS organizations are
accountable for continuously improving the quality of their services and
safeguarding high standards of care by creating an environment in which
excellence in clinical care will flourish.
National Health Service Executive
The National Health Service (NHSUK) recently embarked on a five-year risk

management strategy entitled Controls Assurance which focuses on both corporate
and clinical governance. The NHS developed 15 Organizational Risk Management
Standards, which closely match the 10 Risk Management Standards being developed
by the Metropolitan Health Service (comparison attached as Annex Three). This
concordance became more clearly understood when it was discovered that both Risk
Management Strategies had been based on the risk process outlined in
AS/NZS 4360:1999.
Australian Council on Healthcare Standards (ACHS)

The Australian Council on Healthcare Standards has provided significant input into
the development of the Risk Management Standards. The Standards have been
designed to interface with the EQuIP Action Plan so those surveyors can accredit
hospitals using the Risk Register/Action Plan. This will secure resource savings and
enhance management oversight at the organizational level. Risk, quality and
occupational health safety exposures and opportunities can now be integrated for
review at regular management meetings.
Baselines checklists and risk registers

Baseline reviews and internal checklists have been developed for International and
Australian/New Zealand Standards that effect disciplines which are intrinsic
throughout health services such as Risk Management, Occupational Health and
Safety, Quality and Environmental Management. An Integrated Risk Register/Action
151
Plan has been developed to provide an efficient and simplified resource management
tool for boards and managers.
The Register integrates hazard registers, business continuity plans, continuous
improvement action plans, complaints and can track corrective actions from audits,
surveys, incidents, adverse events and claims (diagrammatic representation attached as
Annex Four). The Register provides substantial resource savings by collating all risks
and opportunities for improvement on a prioritized and cost benefited oversight tool.
Incident management
A meaningful facilitywide system that identifies and initiates response to adverse
patient occurrences is the backbone of an effective risk management program. It
is essential that the risk manager work on the design and implementation of an
effective data-gathering system.
Risk management handbook for healthcare organizations, 2nd edn.
Management standards and information management are the structural building

blocks for risk management. A critical component of information management is
incident reporting. Incident management systems should identify corporate and
clinical risks and categorize incidents by their potential consequences. Health services
should investigate incidents using root cause analysis to determine system failures,
without assigning blame. Confidentiality is a mandatory requirement of a health
industry incident system, as clinicians will not report adverse events if legal retribution
is a consequence. The following risk selection criterion was developed to evaluate
existing incident management systems:
Gazetted as a Commonwealth Quality Activity to ensure that information provided by clinicians can not be used in litigation against organizations or clinicians
and to encourage participation.
Largest possible (preferably national) database to collate contributing factors and

provide evidence based treatments (corrective actions).
Quality testing to ensure validity and reliability of data.
Based on accepted industry models for complex system failures and human error.
User friendly and flexible reporting mechanisms.
Integration potential for all non-conformances.
Capable of linking treatments with the Risk Register/Action Plan.
Proven track record in the health industry.
Available for implementation within a reasonable timeframe.
Minimal design costs for organizations.
Australian Incident Monitoring System (AIMS)

The Australian Incident Monitoring System (AIMS) was developed by the Australian
Patient Safety Foundation (APSF) for the health industry, as a Commonwealth
quality improvement initiative. The AIMS is gazetted as a Commonwealth quality
assurance activity and is the only national database that provides protection against
FOI litigation. The System is currently being reviewed to incorporate all nonconformances and to assist organizations to convert incident data into information
that can be readily assessed.
152
Cost benefits
An integrated management system is a cost effective, long-term investment that will
provide recurrent savings in efficiency as well as mitigate future medico/legal and
workers compensation exposures. The Foley Report of 1987 (Commonwealth
Review of Quality within Australian Industry), concluded that up to 25% of
operational budgets within the manufacturing industry were absorbed by waste. The
service industry revealed that up to 40% of budgets were absorbed by waste, 85% of
which could be attributed to system failures. More recent surveys show that
corporations that have implemented comprehensive management systems have
minimized the types of waste identified within the Foley Report.
The QAHCS showed that 16.6% of admissions were associated with adverse events
and that 51% of these were deemed potentially preventable. Comparisons between the
number of preventable adverse events and the number of claims filed show that health
services are experiencing less than one half of one percent of their potential medico/
legal exposure. Insurance costs are increasing in line with the alarming rise in both
workers compensation and medicolegal claims. The latter of which, if left untreated,
may increase by up to 500% within the next 6 years. The APSF has estimated that over
6% of the health budgets ($2.4 billion of $43 billion each year) is wasted on direct
medical and medico/legal costs of adverse events. The cost to resource the five-year
Risk Management Plan represents a small percentage of annual health budgets (less
than one tenth of 1% of a single budget). Risk Management provides objective and
evidence based recommendations which, if applied systematically can maximize
opportunities and minimize exposures within the health industry.
Conclusions
Systemic failure can only be minimized by allocating resources to achieve long-term

sustainable improvements. The Risk Management Plan has been linked with the
National Health Service Controls Assurance Project to ensure that health services are
doing their reasonable best to achieve their objectives. The Risk Management
Standards will provide the baseline for measuring strategic and organizational
performance. The Integrated Risk Register/Action Plan is a streamlined resource
management oversight tool that prioritizes both risks and opportunities to provide
cost effective corrective actions. AS/NZS 4360: 1999 defines risk management as the
culture, processes and structure which come together to optimize the management of
potential opportunities and adverse effects. Health services should embrace risk
management to address the foreseeable systemic failures that are facing the industry,
preferably before these exposures decrease operational budgets to the extent that core
services have to be redefined.
Note:
Additional information in regards to the Metropolitan Health Service Risk Strategy
can be obtained on the following website address: http://www/health.wa.gov.au/warm
153
Professional colleges and associations

Clinical outcomes and indicators
Clinical practice guidelines
Adverse events and medicolegal
Patient support services
Medical records
Ethics and research
Peer review
Professional development
Annex One
Leadership and commitment

Management oversight
Management standards
Incident management
Contract management
Information management
Change management
Influencing behaviour
Employee development
Clinical governance
This model is underpinned by controls assurance and continuous improvement.
Business plans and public accountability

Performance objectives and indicators
Business policies and work instructions
Workers' compensation and
rehabilitation
Financial and asset management
Information technology management
Organizational development and review
Recruitment selection and performance
review
Training needs analysis and inductions
Integration opportunities
Integrated management system health industry model
154
Corporate governance
Annex Two
Model health industry risk management policy

Risk management policy
The Board/Health Service/Hospital is dedicated to establishing an organizational
philosophy that ensures risk management is an integral part of corporate objectives,
plans and management systems. Compliance with legislative requirements is only a
minimum standard. The core function of risk management is to assist organizations
to meet their objectives. The following ten key principles are considered essential for
the successful implementation of the Risk Management Strategy:
1) Management commitment to, and leadership of, the total risk management
function.
2) The establishment of a Clinical Governance framework to include the formal application of the risk management process to clinical practices.
3) Employee participation and consultation in risk management processes.
4) Formal mechanisms to measure the effectiveness of risk management strategies,
plans and processes against industry best practice.
5) A mechanism should be in place for all incidents to be immediately reported, categorized by their potential consequences and investigated to determine system
failures, without assigning blame.
6) Preventive maintenance risk management processes must be applied to the management of facilities, amenities and equipment.
7) Management systems must be in place that provide safe practices, premises and
equipment in the working environment. Systems of work must be designed to
reduce the likelihood of human error occurring.
8) Risk Management processes must be applied to contract management especially
when acquiring, expanding or outsourcing services, equipment or facilities.
Contracts must be reviewed and written to ensure that only reasonable risks are
accepted and that those risks are transferred to and accepted by the insurance underwriter
9) Safe systems of work must be in place to protect patients, visitors and staff.
10) The establishment and implementation of emergency preparedness, emergency
response and contingency plans.
155
Annex Three
Comparison of management standards between the

Metropolitan Health Service and National Health Service
Metropolitan Health Service (10)
National Health Service (18)
1) Management Commitment
Professional, Public, Product Liability
Human Resources
1) Professional & Product Liability

2) Human Resources
2) Clinical Management
Medicines Management
3) Medicines Management
3) Employee Participation
4) Incident and Information Management
Records Management
4) Information Management &Technology

5) Records Management
5) Improvement Action Strategies

6) Facilities, Amenities & Equipment
Medical Equipment
7) Working Environment
Infection Control
Catering and Food Hygiene
Transport and Travel
Environmental Management
Waste Management
(note 2)
8)
9)
10)
11)
12)
13)
8) Contract Management
14) Contracts and Contractor Control
9) Security
15) Security
10) Emergency Management

Emergency Preparedness
Fire and Evacuation Plans
(note 2)
6) Buildings, Land, Plant, NonMedical

Equipment
7) Medical Equipment and Devices
Infection Control
Catering and Food Hygiene
Transport
Environmental Management
Waste Management
Health & Safety
16) Emergency Preparedness

17) Fire Safety
18) Risk Management
Notes:
1) The National Health Service (NHS) has developed financial and clinical
standards. The Standards listed above are the NHS Organizational Risk
Management Standards.
2) The Metropolitan Health Service Management System is integrated therefore
Risk Management, Occupational Safety and Health and Quality Improvement
are seamless throughout all of the 10 Standards and 61 Elements.
156
Annex Four
Diagrammatic representation of a health industry integrated

risk management register/action plan
Incident and non-conformance reports
Task/process analysis
Consultation and observation
Confined spaces
Hazardous substances
Ministerials/complaints
Hazards
Surveys, inspections,
assessments and audits
Mishap investigations
Integrated Health Industry

Risk Register/Action Plan
Contingency plans
and disaster recovery
Equipment purchase/
modification
Critical processes
and critical equipment
Adverse events
Coronial inquiries
Medical record
and file reviews
Risk assessment
cost benefit analysis
Project management
Medicolegal claims
Workers compensation claims
157
Annex Five
Draft risk management plan

Report to the Metropolitan Health Service Board
The risk management process is objective because it brings a scientific approach to the
making of risk management decisions, requiring the compilation and analysis of data
as the basis for decisions reached.
The risk management handbook for healthcare organisations, 2nd edn.
This Risk Management Plan has been developed to address the deficiencies and risks
facing the Board, which were highlighted in the above references. A five-year
implementation Gantt chart was developed in January 1999 and lists milestones, tasks,
resources and time-lines and is attached at Annex 1. The Gantt Chart has not been
updated since January. A list of Definitions is attached to assist the Board at Annex 2.
Am
Develop and implement an integrated risk management system to assist the MHS to
meet its objectives.
Objectives
develop a seamless approach to corporate and clinical governance;
develop and implement a controls assurance program;
develop the capacity to learn from failures;
ensure that risk management is an integral part of the organizational culture;
ensure that management and employees are accountable for risk management
through individual and team based performance management objectives;
develop and implement integrated health industry risk management standards;
re-engineer and improve processes through client focused patient care;
foster an environment of continuous improvement through self-assessment;
develop the capacity to identify and prioritize risks, as well as implement

treatments in a decisive and timely manner;
encourage employee involvement and team building;
identify, acknowledge and harness pockets of excellence;
mobilize existing risk management resources.
Key tasks
The five-year Risk Management Implementation Plan (Gantt Chart) contains a
comprehensive list of key tasks. Although not complete, some of the key tasks are
listed below under the relevant risk management objectives:
158
Develop a seamless approach to corporate and clinical governance
develop the Risk Management Policy and an Integrated Risk Management

Model.
appoint an experienced risk management coordinator;
establish the strategic and organizational context with Sub-Committee Chairs;
establish the risk management structure for the MHS detailing the relationship
between the Board, the CEO, the Audit Committee, the Clinical Advisory
Committee, the Risk Management Support Team, Hospitals and Health
Services;
develop a seamless approach to reviewing and modifying patient processes in

primary, secondary and tertiary care;
develop a seamless approach to prioritizing capital funding requirements for

corporate and clinical governance.
Develop and implement a controls assurance program
adapt and implement the NHS Controls Assurance Program;
conduct Controls Assurance workshops.
Develop the capacity to learn from failures
review, adapt and pilot the Australian Incident Monitoring System identify the
contributing factors and collate the corrective actions of all non-conformances;
link the contributing factors and corrective actions from incidents and adverse
events to the Risk Register and Action Plan;
develop a Mishap Investigation Standard and conduct the Mishap Investigation

Workshops. Appoint a multi-disciplinary mishap investigation team to review
critical incidents and conduct regular training exercises for this team. Conduct
the Management Oversight Risk Tree, Failure Modes Effect Analysis and
Operational Readiness/Critical System Analysis Workshops;
develop and implement the adverse event review process and standard. Review
past adverse events to identify contributing factors and system failures (case
notes, coronial inquiries, incidents, complaints and claims). Review contributing
factors and system failures to determine corrective actions. Link failures and
corrective actions to the Risk Register/Action Plan. Develop and conduct
workshops to minimize adverse events. Review and implement the Stewart/
SCGH Medico/Legal Database to determine the liability (probability factor) of
outstanding claims.
Ensure that risk management is an integral part of the organizational

culture
develop and conduct Risk Leadership Workshops;
implement Healthcare Risk Management Workshops for Board Members, Chief

Executives and General Managers;
develop and conduct Healthcare Risk Management Workshops for senior

management and employees;
insert risk management into annual performance reviews, job descriptions and
recruitment selection criteria;
develop and implement a Healthcare Risk Management Induction/Orientation

Pamphlet.
159
Ensure that management and employees are accountable for risk

management through individual and team based performance
management objectives
develop reporting mechanisms from the Board to the CEO and from the CEO
to CEs/GMs;
make risk management a priority agenda item at all Board and executive
meetings;
ensure that the executive committees regularly review hospital and health service
risk registers;
develop and insert risk management objectives and performance indicators into
strategic and business plans;
develop and implement mechanisms that promote evidence based

recommendations, decisions, processes and outcomes;
minimize the potential for motions going to the Board without supporting
evidence;
ensure the all Board members are conversant with and fully understand the
consequences of proposed motions. Ensure that Chairs of sub-committees
provide a clear statement of cause and effect (to affected sub-committees), prior
to minutes and motions being forwarded to the Board;
ensure that sub-committees communicate their activities to CEs/GMs and that

terms of reference do not expand until existing activities are completed in a
timely manner.
Develop and implement integrated health industry risk management

standards
160
appoint an experienced systems coordinator;
develop and implement the Health Industry Risk Management Standards.

Develop the template for the Standards. Prioritize the development of the
standards;
develop and implement the Informed Consent Process and Standard. Conduct
Informed Consent Workshops;
develop a process and standard to apply Health Technology Assessment Principles (evidence based recommendations). Link this process with the Risk Register/Action Plan, develop and conduct Health Technology Assessment
Workshops;
establish a process and standard for reviewing contracts to ensure that only
reasonable risks are accepted and that those risks are transferred to and accepted
by RiskCover;
develop and implement a Contract Management Standard and Workshop;
develop and implement a Preventive Maintenance Process, Plan and Standard;
develop and implement an Environmental Policy and Standard.
Re-engineer and improve processes through client focused patient care
develop clinical (patient care) standards that redefine and coordinate core
services;
develop and implement evidence based care through clinical based guidelines;
develop a discharge planning strategy, process and standard.
Foster an environment of continuous improvement through selfassessment
develop and implement risk management, occupational safety and health, quality
and environmental baselines and checklists to measure the performance of
hospitals and health services;
conduct an internal baseline audit to determine compliance with TI109 at

hospitals and health services.
Develop the capacity to identify and prioritize risks, as well as implement

treatments in a decisive and timely manner
develop risk management tools to identify, analyse, evaluate, monitor risks and
to communicate and consult those risks with stakeholders.
Encourage employee involvement and team building
develop and conduct interactive workshops to monitor and improve team based
clinical services.
Identify, acknowledge and harness pockets of excellence
appoint champions to identify and review existing policies, procedures and

operational instructions. Develop and conduct workshops on developing
standards;
identify processes and practices that are best practice and nominate authors to
develop elements of the Standards. Allocate adequate resources to organizations
that participate in the development of the Standards and acknowledge the
authors;
mobilize existing risk management resources;
appoint a Risk Management Support Team to oversee the development of the

risk management standards and network risk management strategies.

Standard 1: Leadership and management
1 Strategic management and oversight
Corporate governance
Controls assurance
Mission statement, vision and values
Strategic and business plans
Risk policy
Objectives, key performance indicators and targets
Board management (Evidence based recommendations and decisions)
Resource management
Due diligence
161
2 Leadership
Change management
Building commitment/influencing behaviour
Building business teams
Code of ethics/conduct
3 Human resources
Performance management
Public sector standards in human resources management
Recruitment, selection and appointment
Criminal records screening/pre-employment medicals
Key staff continuity/recruitment program/job description forms
Visiting medical practitioners (VMP)/consultant agreements
Individual accountabilities and responsibilities
Corporate credentialling
Transfer/secondment
Redeployment
Termination
Discipline
Temporary deployment
Grievance resolution
Staff satisfactionreward/retain
Industrial relations
Equal employment opportunity/working conditions/equal access policies
Workplace agreements, awards/enterprise bargaining agreements
Diversity of employment policy/prevention of harassment policies
Flexible work practices policies
Employee assistance policy
Alcohol and other drugs policy
Industrial disputes and resolution
Human resource information system (HRIS)
4 Financial management
Financial ledgers (Oracle 10.7/HCARe)
Patient management
Charts of accounts
Trendstar costing
Accounting policy and manual
Budget program
Reporting
Monitoring providers
5 Legal services and public relations
Legal guide for public health hospitals
Public image/public expectations
Political considerations
Public/media relations
Freedom of information
162
6 Consumer participation and community involvement

Patient advocacy
Complaints management
Consumer rights and responsibilities
Customer satisfaction
Cultural considerations and interpreters
Aboriginal liaison
Board membership
Fundraising activities
Volunteers and auxiliaries
Standard 2: Clinical management

1 Clinical governance
2 Clinical services
Professional colleges and associations
Clinical handbooks and guidelines
Clinical credentialling
Adverse event management
Clinical indicators and outcomes
Evidenced based practice
Assessment planning and coordination of care
Process re-engineering for client focused patient care
Patient care liaison and services/evaluation and separation
Access to services
Discharge planning
GP liaison
Informed consent
Communicating patient information
Multi-disciplinary clinical pathways
Strategic teams and peer review groups
Standard 3: Employee participation

1 Employee involvement strategy
Employee consultation and communication program
Cross-functional problem solving teams
Team based rewards
Acknowledging pockets of excellence
2 Psycho-social management
Stress management
Aggression management
Employee assistance program
Alcohol and other drugs program
Critical incident trauma support
Conflict resolution
Shiftwork and rosters/working alone
3 Health promotion and monitoring
163
4 Workforce skill needs and development

Vocational education and training authorities
National training reforms
National competency standards
Quality assurance in education and training
Strategic analysis of workforce skill requirements
Education and training pathways/career pathways
Monitoring/outcomes of skill development programs
5 Professional development
Staff development programs
Professional mentors and buddy program
Infection control
National mental health standards (NMHS)
Aged Care Standards and Accreditation Agency (ACSAA)
Community Health Accreditation Standards Program (CHASP)
Australian Council on Healthcare Standards (ACHS)
Clinical risk management
Informed consent
Australian Incident Monitoring System (AIMS)
Training needs analysis
Inductions and orientations
Controls assurance
Management oversight risk tree analysis
Failure modes effects analysis/energy barrier target analysis
Operational readiness/critical systems analysis
Risk leadership/healthcare risk management
Informed consent
Healthcare and project risk management
Mishap investigation
Self-assessment checklists and baselines
Hazard/hazardous substances management
Manual handling train the trainer/office ergonomics
Aggression and stress management
Purchase and modification control
Maintenance and contract management
Food safety and hygiene
6 Representatives and committees
Standard 4: Incident and information management

1 Incident management
First aid and casualty evacuation
Risk management process
Non-conformance reporting
Exposure identification
Risk assessment/task analysis/process observation
164
Evaluate alternatives
Implement treatments
2 Investigations and reporting mechanisms

Mishap Investigations
Management Oversight Risk Tree Analysis (MORT)
Reporting of Defective or Unsatisfactory Products/Materials
Notifiable Incidents
Significant Incident Networking and Reports
Incident Rates and Statistics
3 Critical systems and process control
4 Information management
Information technology
Security access
Records management
Millennium bug/Y2K project
Staff records
Data access, timeliness, relevance and accuracy
Dlinical coding
Record keeping and case notes
Medical records
Standard 5: Improvement action strategies

1 Risk register/continuous improvement action plan
2 Self assessment baselines, inspections and checklists
3 Internal and external audit
4 Accreditation (ACHS/QIC/ACS/CHASP)
Standard 6: Facilities, amenities and equipment management

1 Maintenance management
Permits, isolations and tagging of equipment
Reliability Centre Maintenance (RCM)
Maintenance planning and control
Health technology assessment principles
Registered equipment
Fleet management
2 Access, egress and outdoor areas
Access and egress
Stairwells and ramps
Lifts and elevators
Ambulance bays and cleaning stations
Delivery bays and vehicle parking
Outdoor structures and horticulture
Floor and paved surfaces
Wet areas
Emergency lighting and warning systems
165
3 Amenities and childcare facilities

4 General equipment management
5 Medical equipment management
6 Sign posting, exit signs and colour coding
7 Design, construction and renovation
8 Purchase and modification control
Supply continuity and inventory control
Employee consultation
Human/working environment factors
Register of approved products
Review of incidents/mishap (non-conformance) reports
Design and modification control
Obsolete equipment
9 Engineering
Mechanical safety
Hand air tools
Machine guarding
Lifting equipment
Machine shop equipment
Blasting and painting
Electrical safety
Hot work
House keeping
Standard 7: Working environment
1 Manual handling
Patient handling
Identification, assessment and control
Competency based training
Work capacity assessments
Ambulance transfers
Non-patient handling
Storage and stacking
Work area design/office ergonomics
2 Hazardous substances/dangerous goods/ppec
3 Infection control
4 Confined spaces
5 Indoor air quality, thermal, lighting and radiation
6 Noise and vibration
7 Working at heights
8 Travel and driver safety
9 Food safety and hygiene
166
10 Environmental management
Environmental Plan
Waste Management
Standard 8: Contract management

1 Selection and supervision
Tenders and contracts
Engaging a contractor (subcontractor)
Safety management plan
Pre-employee medical screening
Contractor incident reports
OSH selection checklist
Induction and training of contractors
Auditing contractor safety
Record keeping
2 Procurement of goods, services and assets
3 Inventory management and supply
4 Outsourcing and privatization
5 Breach of contract
Standard 9: Liability and treatment

1 Liability and exposures
Public liability
Professional negligence
Product liability
Medico/legal claims
Workers' compensation claims
Property and business interruptions
Theft, loss and damage (motor vehicle damage and liability)
Personal accident and travel
Discrimination, harassment and industrial claims
Fraud/inappropriate use of resources
Fair trade
Intellectual property
Equal employment opportunity
2 Treatment
General liability cover
Professional liability and medical malpractice cover/medical
Informed consent
Workers compensation deposit/vocational rehabilitation program
Property and business interruptions cover
Motor vehicle cover
Personal accident and travel cover
Fidelity cover
Intellectual property and copyright
Employee practices liability cover
167
Standard 10: Emergency management

1 Emergency preparedness
State health emergency management support plan
State human epidemic emergency management plan
Crisis management/contingency planning
Disaster recovery/business continuity plans
Fire and evacuation plans
Bomb threats
2 Emergency response
Emergency exercises and drills
Emergency equipment and training
Fire wardens and muster points
Fire suppression equipment
3 Security
168
Annex Six
Glossary of terms
Adverse event is any event or circumstance leading to unintended harm or
suffering which results in admission to hospital, prolonged hospital stay, significant
disability at discharge or death.
A complaint is considered to have been made when a patient or client of a
healthcare facility, or his or her agent, lodges a complaint about an iatrogenic problem
Controls assurance is a process designed to provide evidence that the NHS in total
and in its constituent parts is doing its reasonable best to manage, direct and control
itself so as to meet is objectives in an optimal fashion and also to protect itself, its
employees, patients and stakeholders safety and interests against risks of all kinds.
Incident is any unplanned event or circumstance resulting in, or having a potential
for injury, ill health, complaint, damages or loss.
Management system the organizational structure, procedures, processes and
resources needed to implement objectives and monitor performance.
Mishap is anything that causes actual or potential loss to an organization. A mishap
can involve systems, quality, reputation, equipment or personnel.
Mishap investigation is a structured process to identify the root causes of mishaps,
for the purposes of appropriately managing exposures.
Negligent adverse event is an adverse event in which it is considered that there is
evidence in the medical record of significant harm, of causation of that harm by a
problem with the healthcare process, and of a failure of duty of care.
Risk the chance of something happening that will have an impact upon objectives. It
is measured in the terms of consequences and likelihood.
Risk assessment the overall process of risk analysis and risk evaluation.
Risk management the culture, processes and structures which come together to
optimize the management of potential opportunities and adverse effects.
Risk treatment is the selection and implementation of appropriate options for
dealing with risk.
Root cause analysis is a complete identification of influences that have contributed

to a failure.
System failure is a non-conformance, or aberration, of a defined management
system. A system failure may be deemed as inadequate performance or application, of
a defined management system or processes.
169
Annex Seven
References
MHSB, Risk management overview report 1998, September.
MHSB, Risk management progress report 1999, January.
MHSB, Risk management report 1999, January.
MHSB, Risk management plan 1999, January.
MHSB, Risk management briefing paper 1999, May.
170
ISBN 0-7337-3352-2
S t a n d a r d s
A u s t r a l i a

MP91-2000 Healthcare Risk Management

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

MP91-2000 Healthcare Risk Management

Uploaded by

Copyright:

Available Formats

MP912000

Accessed by Clough Engineering on 07 Sep 2001

Selected proceedings from

Accessed by Clough Engineering on 07 Sep 2001

Accessed by Clough Engineering on 07 Sep 2001

ISBN 0 7337 3352 2

Dynamic approaches to healthcare risk management

3 Governance and risk management in the National

17 Personal accountability for clinical care in the British

21 Assurance for the Board

27 The introduction of clinical risk pooling and clinical

Accessed by Clough Engineering on 07 Sep 2001

31 The Bristol Paediatric Cardiac Surgery Inquiry

Dynamic approaches to healthcare risk management

69 The need for effective dynamic governance in

79 The responsibility of hospital boards for clinical

83 Linking claims management with clinical risk

89 Early detection of major risk

105 Risk management in the healthcare setting

109 Role of clinical pathways and variance analysis in risk

113 Credentialling of hospital medical staff

Accessed by Clough Engineering on 07 Sep 2001

121 A framework for managing the quality of health

127 Iatrogenic injury in Australia

133 Understanding clinical risk

Dynamic approaches to healthcare risk management

139 Clinical risk management

141 Using radar logic to develop standards-based

147 Integrated risk management within the health

Accessed by Clough Engineering on 07 Sep 2001

Healthcare is undergoing enormous change. On one hand, greater medical

Accessed by Clough Engineering on 07 Sep 2001

Dynamic approaches to healthcare risk management

Accessed by Clough Engineering on 07 Sep 2001

Governance and risk management in the

Part AGovernance and risk management in the NHS in

Development of governance in the NHS in England

Accessed by Clough Engineering on 07 Sep 2001

The Cadbury Committee reported on the financial aspects of corporate governance in

internal financial controls;

efficient and effective operations; and

compliance with applicable laws and regulations.

Dynamic approaches to healthcare risk management

development of a framework of corporate accountability;

improvements in the organization and staffing of internal audit; and

development of controls assurance, an innovative NHS Executive-conceived

Clinical Governance is the lynchpin of the UK Governments strategy for ensuring

Accessed by Clough Engineering on 07 Sep 2001

Governance and risk management in the National Health Service in England

Controls assurance and clinical governance

The development of risk management in the NHS in England

Accessed by Clough Engineering on 07 Sep 2001

The development of risk management in the NHS in England is a relatively recent

Dynamic approaches to healthcare risk management

risk management to meet Clinical Governance requirements, will ultimately ensure

Figure 2: Risk management framework

Risk management in the NHS as part of a wider quality

Accessed by Clough Engineering on 07 Sep 2001

Governance and risk management in the National Health Service in England

Figure 3: European Foundation Quality model

Part BThe application of AS/NZS 4360:1999 to risk

Accessed by Clough Engineering on 07 Sep 2001

and defines the risk management process as:

An overview of the risk management process, as defined in the Standard, is presented